Cluster architecture for network security processing
Abstract
A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing, to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device may be performed.
49 Citations
40 Claims
1. A non-transitory computer-readable storage medium comprising instructions to cause a computing device to perform a method, comprising:

maintaining flow assignment data for a cluster comprising a plurality of cluster computing devices configured to process network flows, wherein the flow assignment data comprise assignments of network flows to respective cluster computing devices;

identifying a network flow for processing by the cluster;

selecting one of the plurality of cluster computing devices to assign to the identified network flow in response to determining that the selected cluster computing device is assigned to a network flow that is related to the identified network flow; and

assigning the identified network flow to the selected cluster computing device.

Dependent claims: 2 to 16.

17. A system comprising:

a cluster comprising a plurality of cluster computing devices, wherein one of the cluster computing devices is configured to operate as a cluster master and wherein each of the plurality of cluster computing devices comprises a respective external network interface to process network flows independently of the cluster master;

an external network interface communicatively coupling the cluster to an external network; and

a flow assignment module implemented on the cluster master computing device and configured to assign network flows to the cluster computing devices, wherein the cluster master is configured to aggregate flow session data received from two or more of the cluster computing devices, wherein the flow session data corresponds to network flows assigned to the respective two or more cluster computing devices and comprises security data for resuming the respective network flows on a different cluster computing device, and wherein the cluster master is configured to provide aggregated flow session data pertaining to a particular network flow to a selected one of the cluster computing devices in response to assigning the particular network flow to the selected cluster computing device from another one of the cluster computing devices.

Dependent claims: 18 to 29.

30. A method, comprising:

maintaining flow assignments for a cluster comprising a plurality of cluster computing devices configured to process network flows, wherein the flow assignments map network flows to respective cluster computing devices;

receiving network traffic on a network interface, the network traffic corresponding to a particular network flow, wherein the particular network flow is not assigned to a cluster computing device in the flow assignment data;

assigning the particular network flow to a selected one of the plurality of cluster computing devices by:

determining security information pertaining to the unassigned network flow,

identifying a network flow in the flow assignment data having security information that is related to the determined security information pertaining to the unassigned network flow, and

selecting the cluster computing device assigned to the identified network flow in the flow assignment data to assign to the unassigned network flow.

Dependent claims: 31 to 35.

36. A cluster computing device, comprising:

a communication interface communicatively coupled to an external network interface and a cluster network interface; and

a traffic processing module operable on a processor of the cluster computing device and configured to receive a network flow assignment from a cluster master via the cluster network interface, the network flow assignment identifying one or more network flows assigned to the cluster computing device, wherein the traffic processing module is configured to receive network traffic associated with a plurality of different network flows on the external network interface, and wherein upon receiving the network traffic, the traffic processing module is configured to identify network traffic associated with the one or more network flows assigned to the cluster computing device and to process the identified network traffic according to a security policy, wherein the cluster computing device is configured to transmit flow session data to the cluster master on the cluster network interface, the flow session data pertaining to a network connection established between the cluster computing device and a client computing device through the external network interface.

Dependent claims: 37 to 40.
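As an added illustration (not code from the patent or its assignee), the following Python model shows the flow assignment behaviour the independent claims describe: the master keeps the flow-to-device table, routes a new flow to the device already holding a related flow so that the session's security state stays in one place, otherwise picks the least-loaded device, and moves a failed device's flows to a standby as the abstract's failover step. The `relation_key` criterion (same source/destination address pair) and the device names are assumptions; the claims leave the relation test open.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str

    def relation_key(self) -> Tuple[str, str]:
        # Assumption: flows are "related" when they share a client/server
        # address pair (e.g. a control connection and the data connections
        # it spawns). The claims leave the relation criterion open.
        return (self.src_ip, self.dst_ip)


class ClusterMaster:
    """Flow assignment module of the cluster master (claims 1 and 30)."""

    def __init__(self, devices: List[str]):
        # Flow assignment data: flow -> cluster device processing it.
        self.assignments: Dict[Flow, str] = {}
        self.load: Dict[str, int] = {d: 0 for d in devices}

    def assign(self, flow: Flow) -> str:
        if flow in self.assignments:          # already assigned: keep it
            return self.assignments[flow]
        # Prefer the device already holding a related flow, so the
        # security state for the whole session stays on one device.
        for other, dev in self.assignments.items():
            if other.relation_key() == flow.relation_key():
                return self._record(flow, dev)
        # No related flow: fall back to the least-loaded device.
        return self._record(flow, min(self.load, key=self.load.get))

    def _record(self, flow: Flow, dev: str) -> str:
        self.assignments[flow] = dev
        self.load[dev] += 1
        return dev

    def failover(self, failed: str, standby: str) -> List[Flow]:
        """Reassign every flow of a failed device to a standby device."""
        moved = [f for f, d in self.assignments.items() if d == failed]
        del self.load[failed]
        self.load.setdefault(standby, 0)
        for f in moved:
            self.assignments[f] = standby
            self.load[standby] += 1
        return moved
```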
Specification