Distributed multi-processing security gateway

US 9,124,550 B1
Filed: 03/17/2015
Issued: 09/01/2015
Est. Priority Date: 08/08/2006
Status: Active Grant

First Claim

Patent Images

1. A network gateway system comprising:

a plurality of processors; and

a memory communicatively coupled to the processors, the memory storing instructions, the instruction being executable by at least one of the processors to perform a method comprising;

receiving a session request for a session between a host and a server, the session request including a first network address and a second network address;

selecting a proxy network address for the host using at least one of the first network address and a network gateway network address;

associating a first processor with a first processor identity, the first processorprocessing a first data packet received from a host side session,modifying the first data packet by substituting the first network address in the first data packet with the selected proxy network address, andproviding the modified first data packet to a server side session; and

associating a second processor with a second processor identity, the second processor processing a second data packet received from the server side session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server based on network information, and using the proxy network address to establish a server side session. The proxy network address is selected such that a same processing element is assigned to process data packets from the server side session and the host side session. The network information includes a security gateway network address and a host network address. By assigning processing elements in this manner, higher capable security gateways are provided.

123 Citations

20 Claims

1. A network gateway system comprising:
- a plurality of processors; and
  
  a memory communicatively coupled to the processors, the memory storing instructions, the instruction being executable by at least one of the processors to perform a method comprising;
  
  receiving a session request for a session between a host and a server, the session request including a first network address and a second network address;
  
  selecting a proxy network address for the host using at least one of the first network address and a network gateway network address;
  
  associating a first processor with a first processor identity, the first processorprocessing a first data packet received from a host side session,modifying the first data packet by substituting the first network address in the first data packet with the selected proxy network address, andproviding the modified first data packet to a server side session; and
  
  associating a second processor with a second processor identity, the second processor processing a second data packet received from the server side session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1 wherein the associated first processor identity is based at least in part on the first network address and the second network address.
  - 3. The system of claim 1 wherein the associated second processor identity is based at least in part on the proxy network address and the second network address.
  - 4. The system of claim 1 wherein the associating the first processor with the first processor identity to process the first data packet includesprocessing the first data packet according to a security policy by the first processor.
  - 5. The system of claim 4 wherein the security policy includes at least one of intrusion detection, virus detection, traffic quota violation, and lawful data interception.
  - 6. The system of claim 1 wherein the associating the second processor with the second processor identity to process the second data packet includesprocessing the second data packet according to a security policy by the second processor.
  - 7. The system of claim 6 wherein the security policy includes at least one of virus detection, traffic quota violation, lawful data interception, and phishing.
  - 8. The system of claim 1 wherein the selected proxy network address includes an IP address.
  - 9. The system of claim 8 wherein the selected proxy network address further includes at least one of a TCP and a UDP port.
  - 10. The system of claim 1 wherein the associated first processor identity is based at least in part on a computed sum of an IP address for the second network address and an IP address for the first network address, and wherein the associated second processor identity is based at least in part on a computed sum of an IP address for the proxy network address and an IP address for the second network address.

11. A method for providing a network gateway comprising:
- receiving by the network gateway a session request for a session between a host and a server, the network gateway including a plurality of processors, the session request including a first network address and a second network address;
  
  selecting by the network gateway a proxy network address for the host using at least one of the first network address and a network gateway network address;
  
  associating a first processor with a first processor identity, the first processorprocessing a first data packet received from a host side session,modifying the first data packet by substituting the first network address in the first data packet with the selected proxy network address, andproviding the modified first data packet to a server side session; and
  
  associating a second processor with a second processor identity, the second processor processing a second data packet received from the server side session.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11 wherein the associated first processor identity by the network gateway is based at least in part on the first network address and the second network address.
  - 13. The method of claim 11 wherein the associated second processor identity by the network gateway is based at least in part on the proxy network address and the second network address.
  - 14. The method of claim 11 wherein associating the first processor with the first processor identity to process the first data packet includesprocessing the first data packet according to a security policy by the first processor.
  - 15. The method of claim 14 wherein the security policy includes at least one of intrusion detection, virus detection, traffic quota violation, and lawful data interception.
  - 16. The method of claim 11 wherein the associating the second processor with the second processor identity to process the second data packet includesprocessing the second data packet according to a security policy by the second processor.
  - 17. The method of claim 16 wherein the security policy includes at least one of virus detection, traffic quota violation, lawful data interception, and phishing.
  - 18. The method of claim 11 wherein the selected proxy network address includes at least one of an IP address, a TCP port, and a UDP port.
  - 19. The method of claim 11 wherein the associated first processor identity by the network gateway is based at least in part on a computed sum of an IP address for the second network address and an IP address for the first network address, and wherein the associated second processor identity by the network gateway is based at least in part on a computed sum of an IP address for the proxy network address and an IP address for the second network address.

20. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for providing a network gateway, the method comprising:
- receiving a session request for a session between a host and a server, the network gateway including a plurality of processors, the session request including a first network address and a second network address;
  
  selecting a proxy network address for the host using at least one of the first network address and a network gateway network address;
  
  associating a first processor with a first processor identity, the first processorprocessing a first data packet received from a host side session,modifying the first data packet by substituting the first network address in the first data packet with the selected proxy network address, andproviding the modified first data packet to a server side session; and
  
  associating a second processor with a second processor identity, the second processor processing a second data packet received from the server side session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Szeto, Ronald Wai Lun
Primary Examiner(s)
Mehedi, Morshed

Application Number

US14/660,714
Time in Patent Office

168 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0281   Proxies

H04L 63/20   for managing network securi...

H04L 67/56   Provisioning of proxy servi...

Distributed multi-processing security gateway

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

123 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed multi-processing security gateway

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

123 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links