System and method for distributed multi-processing security gateway

US 9,032,502 B1
Filed: 10/02/2013
Issued: 05/12/2015
Est. Priority Date: 08/08/2006
Status: Active Grant

First Claim

Patent Images

1. A method for providing a network gateway, comprising:

receiving by the network gateway a session request for a session between a host and a server, the session request comprising a host network address and a server network address;

establishing by the network gateway a host side session between the network gateway and the host, the network gateway comprising a plurality of processors;

selecting by the network gateway a proxy network address for the host based on network information, the network information comprising the host network address and a network gateway network address,wherein the proxy network address is selected such that a calculated first processor identity by the network gateway is the same as a calculated second processor identity by the network gateway;

establishing by the network gateway a server side session between the network gateway and the server using the selected proxy network address;

in response to receiving a first data packet from the host side session, calculating by the network gateway the first processor identity, comprising;

assigning a first processor with the first processor identity to process the first data packet,modifying the first data packet by substituting the host network address in the first data packet with the selected proxy network address, andsending the modified first data packet to the server side session; and

in response to receiving a second data packet from the server side session, calculating by the network gateway the second processor identity, comprising;

assigning a second processor with the second processor identity to process the second data packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server based on network information, and using the proxy network address to establish a server side session. The proxy network address is selected such that a same processing element is assigned to process data packets from the server side session and the host side session. The network information includes a security gateway network address and a host network address. By assigning processing elements in this manner, higher capable security gateways are provided.

102 Citations

View as Search Results

22 Claims

1. A method for providing a network gateway, comprising:
- receiving by the network gateway a session request for a session between a host and a server, the session request comprising a host network address and a server network address;
  
  establishing by the network gateway a host side session between the network gateway and the host, the network gateway comprising a plurality of processors;
  
  selecting by the network gateway a proxy network address for the host based on network information, the network information comprising the host network address and a network gateway network address,wherein the proxy network address is selected such that a calculated first processor identity by the network gateway is the same as a calculated second processor identity by the network gateway;
  
  establishing by the network gateway a server side session between the network gateway and the server using the selected proxy network address;
  
  in response to receiving a first data packet from the host side session, calculating by the network gateway the first processor identity, comprising;
  
  assigning a first processor with the first processor identity to process the first data packet,modifying the first data packet by substituting the host network address in the first data packet with the selected proxy network address, andsending the modified first data packet to the server side session; and
  
  in response to receiving a second data packet from the server side session, calculating by the network gateway the second processor identity, comprising;
  
  assigning a second processor with the second processor identity to process the second data packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the calculated first processor identity by the network gateway is based at least in part on the server network address and the host network address.
  - 3. The method of claim 1, wherein the calculated second processor identity by the network gateway is based at least in part on the proxy network address and the server network address.
  - 4. The method of claim 1, wherein the assigning the first processor with the first processor identity to process the first data packet comprises:
    - processing the first data packet according to a security policy by the first processor.
  - 5. The method of claim 4, wherein the security policy comprises one or more of the following:
    - intrusion detection;
      
      virus detection;
      
      traffic quota violation; and
      
      lawful data interception.
  - 6. The method of claim 1, wherein the assigning the second processor with the second processor identity to process the second data packet comprises:
    - processing the second data packet according to a security policy by the second processor.
  - 7. The method of claim 6, wherein the security policy comprises one or more of the following:
    - virus detection;
      
      traffic quota violation;
      
      lawful data interception; and
      
      phishing.
  - 8. The method of claim 1, wherein the selected proxy network address comprises an IP address.
  - 9. The method of claim 8, wherein the selected proxy network address further comprises a TCP or UDP port.
  - 10. The method of claim 1, wherein the calculated first processor identity by the network gateway is based at least in part on a computed sum of an IP address for the server network address and an IP address for the host network address.
  - 11. The method of claim 1, wherein the calculated second processor identity by the network gateway is based at least in part on a computed sum of an IP address for the proxy network address and an IP address for the server network address.

12. A computer program product comprising a non-transitory computer readable medium having a computer readable program, wherein the computer readable program when executed on a computer causes the computer to:
- receive a session request for a session between a host and a server, the session request comprising a host network address and a server network address;
  
  establish a host side session between a network gateway and the host, the network gateway comprising a plurality of processors;
  
  select a proxy network address for the host based on network information, the network information comprising the host network address and a network gateway network address, wherein the proxy network address is selected such that a calculated first processor identity by the network gateway is the same as a calculated second processor identity by the network gateway;
  
  establish a server side session between the network gateway and the server using the selected proxy network address;
  
  in response to receiving a first data packet from the host side session, calculate the first processor identity, comprising;
  
  assign a first processor with the first processor identity to process the first data packet,modify the first data packet by substituting the host network address in the first data packet with the selected network address, andsend the modified first data packet to the server side session; and
  
  in response to receiving a second data packet from the server side session, calculate the second processor identity, comprising;
  
  assign a second processor with the second processor identity to process the second data packet.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The computer program product of claim 12, wherein the calculate the first processor identity is based at least in part on the server network address and the host network address.
  - 14. The computer program product of claim 12, where in the calculate the second processor identity is based at least in part on the proxy network address and the server network address.
  - 15. The computer program product of claim 12, wherein the assign the first processor with the first processor identity to process the first data packet comprises:
    - process the first data packet according to a security policy by the first processor.
  - 16. The computer program product of claim 15, wherein the security policy comprises one or more of the following:
    - intrusion detection;
      
      virus detection;
      
      traffic quota violation; and
      
      lawful data interception.
  - 17. The computer program product of claim 12, wherein the assign the second processor with the second processor identity to process the second data packet comprises:
    - process the second data packet according to a security policy by the second processor.
  - 18. The computer program product of claim 17, wherein the security policy comprises one or more of the following:
    - virus detection;
      
      traffic quota violation;
      
      lawful data interception; and
      
      phishing.
  - 19. The computer program product of claim 12, wherein the selected proxy network address comprises an IP address.
  - 20. The computer program product of claim 19, wherein the selected proxy network address further comprises a TCP or UDP port.
  - 21. The computer program product of claim 12, wherein the calculated first processor identity is based at least in part on a computed sum of an IP address for the server network address and an IP address for the host network address.
  - 22. The computer program product of claim 12, wherein the calculated second processor identity is based at least in part on a computed sum of an IP address for the proxy network address and an IP address for the server network address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Szeto, Ronald Wai Lun
Primary Examiner(s)
Mehedi, Morshed

Application Number

US14/044,673
Time in Patent Office

587 Days
Field of Search

726/12
US Class Current

726/12
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0281   Proxies

H04L 63/20   for managing network securi...

H04L 67/56   Provisioning of proxy servi...

System and method for distributed multi-processing security gateway

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

102 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for distributed multi-processing security gateway

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links