Internet security system

US 9,185,075 B2
Filed: 06/06/2006
Issued: 11/10/2015
Est. Priority Date: 03/30/2001
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a device comprising;

a firewall to;

receive a plurality of sets of firewall policies,each set of firewall policies, of the plurality of sets of firewall policies, being associated with a different virtual private network of a plurality of virtual private networks; and

a controller to;

receive a data packet;

obtain, from the data packet, layer information that includes layer 2 information, layer 3 information, layer 4 information, and layer 7 information;

search, using the layer 2 information without using the layer 7 information, a data structure to determine whether the data structure stores information regarding configuration data of a particular virtual private network of the plurality of virtual private networks,the data packet being destined for the particular virtual private network,the data structure storing information regarding configuration data of one or more virtual private networks of the plurality of virtual private networks;

when the data structure does not store the information regarding the configuration data of the particular virtual private network;

search another data structure to determine whether the other data structure stores the information regarding the configuration data of the particular virtual private network,

the other data structure being searched using the layer information that includes the layer 2 information, the layer 3 information, the layer 4 information, and the layer 7 information;

drop the data packet when the data structure and the other data structure do not store the information regarding the configuration data of the particular virtual private network;

identify policies included in the configuration data of the particular virtual private network when the data structure or the other data structure stores the information regarding the configuration data of the particular virtual private network;

determine that the policies include a set of firewall policies, of the plurality of sets of firewall policies, associated with the particular virtual private network;

cause the firewall to apply, to the data packet, the set of firewall policies associated with the particular virtual private network based on determining that the policies, associated with the particular virtual private network, include the set of firewall policies; and

cause the data packet to be routed toward the particular virtual private network after the set of firewall policies has been applied to the data packet.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet in a packet forwarding device. A data packet is received. A virtual local area network destination is determined for the received data packet, and a set of rules associated with the virtual local area network destination is identified. The rules are applied to the data packet. If a virtual local area network destination has been determined for the received data packet, the data packet is output to the destination, using the result from the application of the rules. If no destination has been determined, the data packet is dropped. A security system for partitioning security system resources into a plurality of separate security domains that are configurable to enforce one or more policies and to allocate security system resources to the one or more security domains, is also described.

54 Citations

View as Search Results

30 Claims

1. A system comprising:
- a device comprising;
  
  a firewall to;
  
  receive a plurality of sets of firewall policies,each set of firewall policies, of the plurality of sets of firewall policies, being associated with a different virtual private network of a plurality of virtual private networks; and
  
  a controller to;
  
  receive a data packet;
  
  obtain, from the data packet, layer information that includes layer 2 information, layer 3 information, layer 4 information, and layer 7 information;
  
  search, using the layer 2 information without using the layer 7 information, a data structure to determine whether the data structure stores information regarding configuration data of a particular virtual private network of the plurality of virtual private networks,the data packet being destined for the particular virtual private network,the data structure storing information regarding configuration data of one or more virtual private networks of the plurality of virtual private networks;
  
  when the data structure does not store the information regarding the configuration data of the particular virtual private network;
  
  search another data structure to determine whether the other data structure stores the information regarding the configuration data of the particular virtual private network,
  
  the other data structure being searched using the layer information that includes the layer 2 information, the layer 3 information, the layer 4 information, and the layer 7 information;
  
  drop the data packet when the data structure and the other data structure do not store the information regarding the configuration data of the particular virtual private network;
  
  identify policies included in the configuration data of the particular virtual private network when the data structure or the other data structure stores the information regarding the configuration data of the particular virtual private network;
  
  determine that the policies include a set of firewall policies, of the plurality of sets of firewall policies, associated with the particular virtual private network;
  
  cause the firewall to apply, to the data packet, the set of firewall policies associated with the particular virtual private network based on determining that the policies, associated with the particular virtual private network, include the set of firewall policies; and
  
  cause the data packet to be routed toward the particular virtual private network after the set of firewall policies has been applied to the data packet.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, where the device further comprises an element to receive a set of authentication policies,where the controller is further to cause the element to apply, to the data packet, one or more authentication policies, from the set of authentication policies, corresponding to the particular virtual private network, when the policies associated with the particular virtual private network include the one or more authentication policies, andwhere the one or more authentication policies include one or more of:
    - network address translation, a policy associated with mobile Internet protocol, or user authentication.
  - 3. The system of claim 1, where the set of firewall policies include one or more of incoming policies or outgoing policies for the particular virtual private network.

4. A method performed by a device, the method comprising:
- associating, by the device, a set of firewall configuration settings with each of a plurality of virtual local area networks;
  
  receiving, by the device, a data packet;
  
  obtaining, by the device, layer information from the data packet,the layer information including layer 2 information, layer 3 information, layer 4 information, and layer 7 information;
  
  searching, by the device and using the 2 layer information without using the layer 7 information, a data structure to determine whether the data structure stores information regarding configuration data of a particular virtual local area network of the plurality of virtual local area networks,the data packet being destined for the particular virtual local area network,the data structure storing information regarding configuration data of one or more virtual local area networks of the plurality of virtual local area networks;
  
  when the data structure does not store the information regarding the configuration data of the particular virtual local area network;
  
  searching, by the device, another data structure to determine whether the other data structure stores the information regarding the configuration data of the particular virtual local area network of the plurality of virtual local area networks,the other data structure being searched using the layer information including the layer 2 information, the layer 3 information, the layer 4 information, and the layer 7 information;
  
  dropping, by the device, the data packet when the data structure and the other data structure do not store the information regarding the configuration data of the particular virtual local area network;
  
  identifying, by the device, information included in the configuration data of the particular virtual local area network when the data structure or the other data structure stores the information regarding the configuration data of the particular virtual local area network;
  
  determining, by the device, that the configuration data of the particular virtual local area network includes the set of firewall configuration settings associated with the particular virtual local area network;
  
  processing, by the device, the data packet based on the set of firewall configuration settings, associated with the particular virtual local area network, after determining that the configuration data of the particular virtual local area network includes the set of firewall configuration settings associated with the particular virtual local area network; and
  
  outputting, by the device, the data packet toward the particular virtual local area network after processing the data packet based on the set of firewall configuration settings.
- View Dependent Claims (5, 6, 7, 8, 9)
- - 5. The method of claim 4, further comprising:
    - applying a traffic policy to the data packet,the traffic policy being applied to all data packets processed by the device.
  - 6. The method of claim 4, further comprising:
    - applying authentication policies that include one or more of;
      
      network address translation,a policy associated with mobile Internet protocol,a policy associated with virtual Internet protocol, oruser authentication.
  - 7. The method of claim 4, where the set of firewall configuration settings, associated with the particular virtual local area network, include incoming policies and outgoing policies for a virtual local area network destination associated with the particular virtual local area network.
  - 8. The method of claim 4, further comprising:
    - determining available resources for outputting the data packet to the particular virtual local area network,the resources being definable by a user; and
      
      where outputting the data packet comprises;
      
      outputting the data packet toward the particular virtual local area network based on the determined available resources.
  - 9. The method of claim 4, where outputting the data packet comprises:
    - reading a set of entries in a routing table; and
      
      outputting the data packet to a virtual local area network destination, associated with the particular virtual local area network, using a routing protocol for the virtual local area network destination,the set of entries, in the routing table, being associated with the virtual local area network destination.

10. A system, comprising:
- a device to;
  
  obtain, from a data packet, layer information that includes;
  
  layer 2 information,layer 3 information,layer 4 information, andlayer 7 information;
  
  search, using the layer information, a first data structure or a second data structure to determine whether the first data structure or the second data structure stores information regarding configuration data of a particular virtual private network of a plurality of virtual private networks,the data packet being destined for the particular virtual private network,the first data structure or the second data structure storing information regarding configuration data of one or more virtual private networks of the plurality of virtual private networks,when searching the first data structure or the second data structure, the device is to;
  
  search the first data structure using the layer 2 information without using the layer 7 information, andsearch the second data structure using the layer 2 information, the layer 3 information, the layer 4 information, and the layer 7 information when the first data structure does not store the information regarding the configuration data of the particular virtual private network;
  
  drop the data packet when the first data structure and the second data structure do not store the information regarding the configuration data of the particular virtual private network; and
  
  when the first data structure or the second data structure stores the information regarding the configuration data of the particular virtual private network;
  
  identify policies included in the configuration data of the particular virtual private network;
  
  determine that the policies include one or more firewall policies corresponding to the particular virtual private network;
  
  cause the one or more firewall policies to be applied to the data packet;
  
  dynamically allocate security system resources based on causing the one or more firewall policies to be applied to the data packet,the security system resources including firewall services associated with the one or more firewall policies; and
  
  route the data packet to the particular virtual private network after the one or more firewall policies have been applied to the data packet.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 11. The system of claim 10, where the device is further to:
    - partition the security system resources into a plurality of separate security domains,each of the plurality of separate security domains is to enforce one or more policies relating to a corresponding subsystem of subsystems associated with the plurality of separate security domains, anddynamically allocate the security system resources to a subsystem, of the subsystems associated with the plurality of separate security domains, when a corresponding one of the plurality of separate security domains is to enforce the one or more policies relating to the subsystem.
  - 12. The system of claim 11, further comprising a second device to provide a particular service domain,the particular service domain is to enforce one or more policies for each of the plurality of separate security domains.
  - 13. The system of claim 12, where the second device includes a user interface for presenting, adding, and modifying policies associated with each subsystem, of the subsystems associated with the plurality of separate security domains, and the one or more policies associated with the particular service domain.
  - 14. The system of claim 12, where the particular service domain includes a global address book.
  - 15. The system of claim 11, where the one or more policies for each subsystem, of the subsystems associated with the plurality of separate security domains, include one or more:
    - policies for incoming data packets, policies for outgoing packets, policies for virtual tunneling, authentication policies, traffic regulating policies, or firewall policies.
  - 16. The system of claim 15, where the policies for virtual tunneling include a policy associated with one or more tunneling protocols.
  - 17. The system of claim 11, where one or more of the plurality of separate security domains include a unique address book.
  - 18. The system of claim 11, where a particular security domain, of the plurality of separate security domains, is associated with the particular virtual private network, andwhere the subsystem, corresponding to the particular security domain, includes a computer network.
  - 19. The system of claim 11, where a particular security domain, of the plurality of separate security domains, is associated with the particular virtual private network, andwhere the subsystem, corresponding to the particular security domain, includes a device connected to a computer network.
  - 20. The system of claim 11, where each security domain, of the plurality of separate security domains, is associated with a user interface for presenting and modifying a set of policies relating to a corresponding subsystem.
  - 21. The system of claim 10, where the security system resources further include authentication services.
  - 22. The system of claim 10, where the security system resources further include virtual private network (VPN) services.
  - 23. The system of claim 10, where the security system resources further include traffic management services.
  - 24. The system of claim 10, where the security system resources further include encryption services.
  - 25. The system of claim 10, where the security system resources further include one or more of:
    - administrative tools, logging, counting, alarming, notification facilities, or resources for setting up additional subsystems.

26. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- a plurality of instructions which, when executed by a device, cause the device to;
  
  associate a set of firewall configuration settings with each of a plurality of virtual local area networks;
  
  receive a data packet;
  
  obtain layer information from the data packet,the layer information including layer 2 information, layer 3 information, layer 4 information, and layer 7 information;
  
  search, using the layer 2 information without using the layer 7 information, a data structure to determine whether the data structure stores information regarding configuration data of a particular virtual local area network of the plurality of virtual local area networks,the data packet being destined for the particular virtual local area network,the data structure storing information regarding configuration data of one or more of the plurality of virtual local area networks;
  
  when the data structure does not store the information regarding the configuration data of the particular virtual local area network;
  
  search another data structure to determine whether the other data structure stores the information regarding the configuration data of the particular virtual local area network of the plurality of local area networks,the other data structure being searched using the layer information including the layer 2 information, the layer 3 information, the layer 4 information, and the layer 7 information;
  
  drop the data packet when the data structure and the other data structure do not store the information regarding the configuration data of the particular virtual local area network;
  
  identify information included in the configuration data of the particular virtual local area network when the data structure or the other data structure stores the information regarding the configuration data of the particular virtual local area network;
  
  determine that the configuration data of the particular virtual local area network includes the set of firewall configuration settings associated with the particular virtual local area network;
  
  process the data packet based on the set of firewall configuration settings associated with the particular virtual local area network; and
  
  output the data packet toward the particular virtual local area network after processing the data packet based on the set of firewall configuration settings.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The non-transitory computer-readable medium of claim 26, the instructions further comprising:
    - one or more instructions to apply a traffic policy to the data packet,the traffic policy being applied to all data packets processed by the device.
  - 28. The non-transitory computer-readable medium of claim 26, the instructions further comprising:
    - one or more instructions to apply authentication policies that relate to one or more of;
      
      network address translation,a policy associated with mobile Internet protocol,a policy associated with virtual Internet protocol, oruser authentication.
  - 29. The non-transitory computer-readable medium of claim 26, where the set of firewall configuration settings, associated with the particular virtual local area network, include incoming policies and outgoing policies for a virtual local area network destination associated with the particular virtual local area network.
  - 30. The non-transitory computer-readable medium of claim 26, the instructions further comprising:
    - one or more instructions to determine available resources for outputting the data packet toward the particular virtual local area network,the resources being definable by a user, andwhere one or more instructions, of the plurality of instructions, to output the data packet comprise;
      
      one or more instructions to output the data packet toward the particular virtual local area network based on the determined available resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Ke, Yan, Mao, Yuming, Xu, Wilson, Leu, Brian Yean-Shiang
Primary Examiner(s)
Hamza, Faruk
Assistant Examiner(s)
DECKER, CASSANDRA L

Application Number

US11/422,477
Publication Number

US 20060209836A1
Time in Patent Office

3,444 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/4645   Details on frame tagging ro...

H04L 12/467   Arrangements for supporting...

H04L 49/25   Routing or path finding in ...

H04L 49/351   for local area network [LAN...

H04L 49/354   for supporting virtual loca...

H04L 63/02   for separating internal fro...

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/20   for managing network securi...

Internet security system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Internet security system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links