Distributed multi-processing security gateway

US 9,344,456 B2
Filed: 12/15/2014
Issued: 05/17/2016
Est. Priority Date: 08/08/2006
Status: Active Grant

First Claim

Patent Images

1. A method for network security by a plurality of multi-core processors comprising:

determining a first multi-core processor of the plurality of multi-core processors using a first data packet received from a host side session;

assigning the first data packet to the first multi-core processor for processing, the processing including;

substituting a host network address in the first data packet with a proxy network address, the proxy network address being used to establish a server side session with a server;

determining a second multi-core processor of the plurality of multi-core processors using the proxy network address received in a second data packet from the server side session; and

assigning the second data packet to the second multi-core processor for processing, the processing including;

substituting the proxy network address in the second data packet with the host network address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.

133 Citations

18 Claims

1. A method for network security by a plurality of multi-core processors comprising:
- determining a first multi-core processor of the plurality of multi-core processors using a first data packet received from a host side session;
  
  assigning the first data packet to the first multi-core processor for processing, the processing including;
  
  substituting a host network address in the first data packet with a proxy network address, the proxy network address being used to establish a server side session with a server;
  
  determining a second multi-core processor of the plurality of multi-core processors using the proxy network address received in a second data packet from the server side session; and
  
  assigning the second data packet to the second multi-core processor for processing, the processing including;
  
  substituting the proxy network address in the second data packet with the host network address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising:
    - calculating the proxy network address using at least one of a network address of a host, a network address of the distributed networking system, and a plurality of network addresses from a memory module, the memory module being associated with the host side session.
  - 3. The method of claim 1 further comprising:
    - calculating the proxy network address such that the first multi-core processor and the second multi-core processor are the same.
  - 4. The method of claim 1 further comprising:
    - providing the processed first data packet to the server side session; and
      
      providing the processed second data packet to the host side session.
  - 5. The method of claim 1 wherein determining the first multi-core processor uses one or more network addresses of the first data packet, the one or more network addresses of the first data packet being at least one of Internet Protocol (IP) addresses and transport layer addresses.
  - 6. The method of claim 1 wherein determining the second multi-core processor uses one or more network addresses of the second data packet, the one or more network addresses of the second data packet being at least one of Internet Protocol (IP) addresses and transport layer addresses.
  - 7. The method of claim 1 wherein the processing of the first data packet further includes processing according to a security policy, the security policy including one or more of content filtering, virus detection, infestation prevention, spyware and/or phishing blocking, network intrusion and/or denial of service prevention, lawful interception, data traffic monitoring, and data traffic interception.
  - 8. The method of claim 1 wherein the processing of the second data packet further includes processing according to a security policy, the security policy including one or more of content filtering, virus detection, infestation prevention, spyware and/or phishing blocking, network intrusion and/or denial of service prevention, lawful interception, data traffic monitoring, and data traffic interception.
  - 9. The method of claim 1 wherein the proxy network address includes one or more of an IP address, a TCP port number, and a UDP port number.

10. A system for distributed networking comprising:
- a plurality of multi-core processors; and
  
  one or more memories, each of the one or more memories coupled to at least one of the plurality of multi-core processors, the one or more memories each storing a respective program of one or more programs, the one or more programs executable by the plurality of multi-core processors to individually or collectively perform a method, the method comprising;
  
  determining a first multi-core processor of the plurality of multi-core processors using a first data packet received from a host side session;
  
  assigning the first data packet to the first multi-core processor for processing, the processing including;
  
  substituting a host network address in the first data packet with a proxy network address, the proxy network address being used to establish a server side session with a server;
  
  determining a second multi-core processor of the plurality of multi-core processors using the proxy network address received in a second data packet from the server side session; and
  
  assigning the second data packet to the second multi-core processor for processing, the processing including;
  
  substituting the proxy network address in the second data packet with the host network address.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the method further comprises:
    - calculating the proxy network address using at least one of a network address of a host, a network address of the distributed networking system, and a plurality of network addresses from a memory module, the memory module being associated with the host side session.
  - 12. The system of claim 10, wherein the method further comprises:
    - calculating the proxy network address such that the first multi-core processor and the second multi-core processor are the same.
  - 13. The system of claim 10, wherein the method further comprises:
    - providing the processed first data packet to the server side session; and
      
      providing the processed second data packet to the host side session.
  - 14. The system of claim 10 wherein determining the first multi-core processor uses one or more network addresses of the first data packet, the one or more network addresses of the first data packet being at least one of Internet Protocol (IP) addresses and transport layer addresses.
  - 15. The system of claim 10 wherein determining the second multi-core processor uses one or more network addresses of the second data packet, the one or more network addresses of the second data packet being at least one of Internet Protocol (IP) addresses and transport layer addresses.
  - 16. The system of claim 10 wherein the processing of the first data packet further includes processing according to a security policy, the security policy including one or more of content filtering, virus detection, infestation prevention, spyware and/or phishing blocking, network intrusion and/or denial of service prevention, lawful interception, data traffic monitoring, and data traffic interception.
  - 17. The system of claim 10 wherein the processing of the second data packet further includes processing according to a security policy, the security policy including one or more of content filtering, virus detection, infestation prevention, spyware and/or phishing blocking, network intrusion and/or denial of service prevention, lawful interception, data traffic monitoring, and data traffic interception.
  - 18. The method of claim 10 wherein the proxy network address includes one or more of an IP address, a TCP port number, and a UDP port number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Szeto, Ronald Wai Lun
Primary Examiner(s)
Mehedi, Morshed

Application Number

US14/570,372
Publication Number

US 20160065619A1
Time in Patent Office

519 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 61/2539   Hiding addresses; Keeping a...

H04L 61/2557   Translation policies or rules

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0281   Proxies

H04L 63/20   for managing network securi...

H04L 65/1069   Session establishment or de...

Distributed multi-processing security gateway

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

133 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed multi-processing security gateway

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

133 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links