Internet security system
First Claim
1. A system comprising:
a device comprising:
a firewall to:
receive a plurality of sets of firewall policies, each set of firewall policies, of the plurality of sets of firewall policies, being associated with a different virtual private network of a plurality of virtual private networks; and
a controller to:
receive a data packet;
obtain, from the data packet, layer information that includes layer 2 information, layer 3 information, layer 4 information, and layer 7 information;
search, using the layer 2 information without using the layer 7 information, a data structure to determine whether the data structure stores information regarding configuration data of a particular virtual private network of the plurality of virtual private networks, the data packet being destined for the particular virtual private network, the data structure storing information regarding configuration data of one or more virtual private networks of the plurality of virtual private networks;
when the data structure does not store the information regarding the configuration data of the particular virtual private network:
search another data structure to determine whether the other data structure stores the information regarding the configuration data of the particular virtual private network,
the other data structure being searched using the layer information that includes the layer 2 information, the layer 3 information, the layer 4 information, and the layer 7 information;
drop the data packet when the data structure and the other data structure do not store the information regarding the configuration data of the particular virtual private network;
identify policies included in the configuration data of the particular virtual private network when the data structure or the other data structure stores the information regarding the configuration data of the particular virtual private network;
determine that the policies include a set of firewall policies, of the plurality of sets of firewall policies, associated with the particular virtual private network;
cause the firewall to apply, to the data packet, the set of firewall policies associated with the particular virtual private network based on determining that the policies, associated with the particular virtual private network, include the set of firewall policies; and
cause the data packet to be routed toward the particular virtual private network after the set of firewall policies has been applied to the data packet.
Abstract
Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet in a packet forwarding device. A data packet is received. A virtual local area network destination is determined for the received data packet, and a set of rules associated with the virtual local area network destination is identified. The rules are applied to the data packet. If a virtual local area network destination has been determined for the received data packet, the data packet is output to the destination, using the result from the application of the rules. If no destination has been determined, the data packet is dropped. A security system for partitioning security system resources into a plurality of separate security domains that are configurable to enforce one or more policies and to allocate security system resources to the one or more security domains, is also described.
54 Citations
30 Claims
1. (Claim 1 is reproduced in full above under First Claim.) View Dependent Claims (2, 3)
4. A method performed by a device, the method comprising:
associating, by the device, a set of firewall configuration settings with each of a plurality of virtual local area networks;
receiving, by the device, a data packet;
obtaining, by the device, layer information from the data packet, the layer information including layer 2 information, layer 3 information, layer 4 information, and layer 7 information;
searching, by the device and using the layer 2 information without using the layer 7 information, a data structure to determine whether the data structure stores information regarding configuration data of a particular virtual local area network of the plurality of virtual local area networks, the data packet being destined for the particular virtual local area network, the data structure storing information regarding configuration data of one or more virtual local area networks of the plurality of virtual local area networks;
when the data structure does not store the information regarding the configuration data of the particular virtual local area network:
searching, by the device, another data structure to determine whether the other data structure stores the information regarding the configuration data of the particular virtual local area network of the plurality of virtual local area networks, the other data structure being searched using the layer information including the layer 2 information, the layer 3 information, the layer 4 information, and the layer 7 information;
dropping, by the device, the data packet when the data structure and the other data structure do not store the information regarding the configuration data of the particular virtual local area network;
identifying, by the device, information included in the configuration data of the particular virtual local area network when the data structure or the other data structure stores the information regarding the configuration data of the particular virtual local area network;
determining, by the device, that the configuration data of the particular virtual local area network includes the set of firewall configuration settings associated with the particular virtual local area network;
processing, by the device, the data packet based on the set of firewall configuration settings, associated with the particular virtual local area network, after determining that the configuration data of the particular virtual local area network includes the set of firewall configuration settings associated with the particular virtual local area network; and
outputting, by the device, the data packet toward the particular virtual local area network after processing the data packet based on the set of firewall configuration settings.
View Dependent Claims (5, 6, 7, 8, 9)
10. A system, comprising:
a device to:
obtain, from a data packet, layer information that includes: layer 2 information, layer 3 information, layer 4 information, and layer 7 information;
search, using the layer information, a first data structure or a second data structure to determine whether the first data structure or the second data structure stores information regarding configuration data of a particular virtual private network of a plurality of virtual private networks, the data packet being destined for the particular virtual private network, the first data structure or the second data structure storing information regarding configuration data of one or more virtual private networks of the plurality of virtual private networks,
when searching the first data structure or the second data structure, the device is to:
search the first data structure using the layer 2 information without using the layer 7 information, and
search the second data structure using the layer 2 information, the layer 3 information, the layer 4 information, and the layer 7 information when the first data structure does not store the information regarding the configuration data of the particular virtual private network;
drop the data packet when the first data structure and the second data structure do not store the information regarding the configuration data of the particular virtual private network; and
when the first data structure or the second data structure stores the information regarding the configuration data of the particular virtual private network:
identify policies included in the configuration data of the particular virtual private network;
determine that the policies include one or more firewall policies corresponding to the particular virtual private network;
cause the one or more firewall policies to be applied to the data packet;
dynamically allocate security system resources based on causing the one or more firewall policies to be applied to the data packet, the security system resources including firewall services associated with the one or more firewall policies; and
route the data packet to the particular virtual private network after the one or more firewall policies have been applied to the data packet.
View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
26. A non-transitory computer-readable medium storing instructions, the instructions comprising:
a plurality of instructions which, when executed by a device, cause the device to:
associate a set of firewall configuration settings with each of a plurality of virtual local area networks;
receive a data packet;
obtain layer information from the data packet, the layer information including layer 2 information, layer 3 information, layer 4 information, and layer 7 information;
search, using the layer 2 information without using the layer 7 information, a data structure to determine whether the data structure stores information regarding configuration data of a particular virtual local area network of the plurality of virtual local area networks, the data packet being destined for the particular virtual local area network, the data structure storing information regarding configuration data of one or more of the plurality of virtual local area networks;
when the data structure does not store the information regarding the configuration data of the particular virtual local area network:
search another data structure to determine whether the other data structure stores the information regarding the configuration data of the particular virtual local area network of the plurality of local area networks, the other data structure being searched using the layer information including the layer 2 information, the layer 3 information, the layer 4 information, and the layer 7 information;
drop the data packet when the data structure and the other data structure do not store the information regarding the configuration data of the particular virtual local area network;
identify information included in the configuration data of the particular virtual local area network when the data structure or the other data structure stores the information regarding the configuration data of the particular virtual local area network;
determine that the configuration data of the particular virtual local area network includes the set of firewall configuration settings associated with the particular virtual local area network;
process the data packet based on the set of firewall configuration settings associated with the particular virtual local area network; and
output the data packet toward the particular virtual local area network after processing the data packet based on the set of firewall configuration settings.
View Dependent Claims (27, 28, 29, 30)
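The two-stage lookup and per-network policy application that claims 1, 4, 10 and 26 describe, as an added example in Python; it is not the patent's own code nor any product's, and the packet fields, the two tables, the rule format and the sample configuration are assumptions made here. It also shows the consequence of the fallback search keying on all four layers: a packet that matches on layers 2 to 4 but carries a different layer 7 identifier finds no configuration and is dropped.

```python
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Optional, Tuple
@dataclass(frozen=True)
class Packet:
    """Constructed packet model: one field per layer the claims enumerate."""
    vlan: int        # layer 2 information (802.1Q tag identifying the VLAN/VPN)
    src_ip: str      # layer 3 information
    dst_ip: str
    proto: str       # layer 4 information
    dst_port: int
    app: str         # layer 7 information (application identifier)
# A firewall policy: dst_port None matches any port; action is "allow" or "deny".
Rule = NamedTuple("Rule", [("proto", str), ("dst_port", Optional[int]), ("action", str)])
@dataclass
class NetConfig:
    name: str
    firewall_policies: List[Rule]   # ordered; first match wins, default deny

# First data structure: keyed by layer 2 only (the fast path in the claims).
L2_TABLE: Dict[int, NetConfig] = {}
# Second data structure: keyed by the full L2..L7 tuple (the fallback search).
FULL_TABLE: Dict[Tuple[int, str, str, str, int, str], NetConfig] = {}

def lookup(pkt: Packet) -> Optional[NetConfig]:
    # Two-stage search: layer 2 key first; only on a miss, the full-layer key.
    cfg = L2_TABLE.get(pkt.vlan)
    if cfg is None:
        key = (pkt.vlan, pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port, pkt.app)
        cfg = FULL_TABLE.get(key)
    return cfg

def apply_policies(pkt: Packet, cfg: NetConfig) -> bool:
    # Apply the destination network's own policy set; True means the packet may pass.
    for rule in cfg.firewall_policies:
        if rule.proto == pkt.proto and rule.dst_port in (None, pkt.dst_port):
            return rule.action == "allow"
    return False   # no rule matched: default deny

def process(pkt: Packet) -> str:
    # Returns "drop:no-config", "drop:policy:<net>" or "route:<net>".
    cfg = lookup(pkt)
    if cfg is None:               # neither structure knows this destination
        return "drop:no-config"
    if not apply_policies(pkt, cfg):
        return f"drop:policy:{cfg.name}"
    return f"route:{cfg.name}"    # forwarded only after the policies have run

# Constructed sample configuration (an assumption, not taken from the patent).
L2_TABLE[10] = NetConfig("corp", [Rule("tcp", 443, "allow"), Rule("tcp", None, "deny")])
FULL_TABLE[(20, "10.0.0.5", "10.0.1.9", "udp", 53, "dns")] = NetConfig("guest", [Rule("udp", 53, "allow")])
```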
Specification