Network security device

US 9,385,994 B2
Filed: 01/31/2014
Issued: 07/05/2016
Est. Priority Date: 03/30/2001
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a network device to;

determine whether a data packet is a first data packet in a session associated with the data packet;

determine whether information regarding the session, associated with the data packet, is stored in a data structure after determining whether the data packet is the first data packet in the session,the data structure storing information regarding sessions;

selectively transmit the data packet to one or more first components, of the network device, or to one or more second components of the network device,the one or more second components being different than the one or more first components,the data packet being transmitted to the one or more first components when the information regarding the session, associated with the data packet, is not stored in the data structure, orthe data packet being transmitted to the one or more second components, without being transmitted to the one or more first components, when the information regarding the session,associated with the data packet, is stored in the data structure; and

selectively process the data packet by one of;

the one or more first components, orthe one or more second components.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet. An input port receives a data packet, a switching board classifies the data packet, determines whether the data packet should be accepted, and switches the data packet to a management board if the data packet is a first data packet in a session, and to a processing board if the data packet is not a first data packet in a session. A management board receives a data packet from the switching board, examines the data packet and forwards the data packet to one of the processing boards. One or more processing boards receives non-first data packets from the switching board and data packets from the management board and processes the data packets. A firewall and a secure gateway with firewall and virtual private network functionality for processing a data packet are also described.

40 Citations

View as Search Results

20 Claims

1. A system comprising:
- a network device to;
  
  determine whether a data packet is a first data packet in a session associated with the data packet;
  
  determine whether information regarding the session, associated with the data packet, is stored in a data structure after determining whether the data packet is the first data packet in the session,the data structure storing information regarding sessions;
  
  selectively transmit the data packet to one or more first components, of the network device, or to one or more second components of the network device,the one or more second components being different than the one or more first components,the data packet being transmitted to the one or more first components when the information regarding the session, associated with the data packet, is not stored in the data structure, orthe data packet being transmitted to the one or more second components, without being transmitted to the one or more first components, when the information regarding the session,associated with the data packet, is stored in the data structure; and
  
  selectively process the data packet by one of;
  
  the one or more first components, orthe one or more second components.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, where, when determining whether the data packet is the first data packet in the session, the network device is to:
    - extract information from the data packet, anddetermine whether the data packet is the first data packet based on the information extracted from the data packet.
  - 3. The system of claim 1, where, when selectively processing the data packet, the network device is to:
    - monitor, using the one or more second components, irregularities of a packet flow associated with the data packet.
  - 4. The system of claim 1, where, when selectively processing the data packet, the network device is to:
    - examine the data packet using the one or more first components,when examining the data packet, the one or more first components are to perform at least one of;
      
      a firewall check on the data packet, oran access policy check on the data packet.
  - 5. The system of claim 4, where the network device is to perform the access policy check,where, when performing the access policy check, the network device is to:
    - determine whether a policy associated with the session exists,determine whether the policy authorizes packets, associated with the session, to be transmitted to a destination of the packets, andcause the data packet to be transmitted to a destination of the data packet when the policy authorizes the packets to be transmitted.
  - 6. The system of claim 4, where the network device is to perform the firewall check,where, when performing the firewall check, the network device is to:
    - determine whether the data packet is associated with an attack, andwhen the data packet is associated with the attack;
      
      drop the data packet, andlog information regarding the attack.
  - 7. The system of claim 4, where the network device is further to:
    - determine, using the one or more first components, a load on each processing board of a plurality of processing boards of the network device, andforward, using the one or more first components, the data packet to a particular processing board of the plurality of processing boards after examining the data packet,the load on the particular processing board being a lowest load out of the load of each processing board of the plurality of processing boards, andthe particular processing board including the one or more second components.
  - 8. The system of claim 4, where, when examining the data packet, the one or more first components are to:
    - perform the firewall check,perform a dynamic port database check after performing the firewall check, andperform the access policy check after performing the dynamic port database check.

9. A method comprising:
- determining, by a network device, whether a data packet is a first data packet in a session associated with the data packet;
  
  determining, by the network device, whether information regarding the session, associated with the data packet, is stored in a data structure based on determining whether the data packet is the first data packet in the session,the data structure storing information regarding sessions;
  
  selectively transmitting, by the network device, the data packet to one or more first components of the network device, or to one or more second components of the network device,the one or more second components being different than the one or more first components,the data packet being transmitted to the one or more first components when the information regarding the session, associated with the data packet, is not stored in the data structure, orthe data packet being transmitted to the one or more second components, without being transmitted to the one or more first components, when the information regarding the session, associated with the data packet, is stored in the data structure; and
  
  selectively processing, by the network device, the data packet by one of;
  
  the one or more first components, orthe one or more second components.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, where selectively processing the data packet includes:
    - examining the data packet using the one or more first components,where examining the data packet includes performing at least one of;
      
      a firewall check,a dynamic port database check, oran access policy check.
  - 11. The method of claim 10, where examining the data packet includes:
    - performing the firewall check,performing the dynamic port database check after performing the firewall check, andperforming the access policy check after performing the dynamic port database check.
  - 12. The method of claim 10, where examining the data packet includes performing the firewall check, andwhere performing the firewall check includes:
    - determining whether the data packet is associated with an attack, andwhen the data packet is associated with the attack;
      
      dropping the data packet, andlogging information regarding the data packet and information regarding the attack.
  - 13. The method of claim 10, where examining the data packet includes performing the access policy check, andwhere performing the access policy check includes:
    - determining whether a policy associated with the session exists,determining whether the policy authorizes packets, associated with the session, to be transmitted to a destination of the packets, andcausing the data packet to be transmitted to a destination of the data packet when the policy authorizes the packets to be transmitted.
  - 14. The method of claim 9, further comprising:
    - examining, using the one or more first components, the data packet;
      
      determining, using the one or more first components, a load on each processing board of a plurality of processing boards of the network device; and
      
      forwarding, using the one or more first components, the data packet to a particular processing board of the plurality of processing boards after examining the data packet,the load on the particular processing board being a lowest out load of the load of each processing board of the plurality of processing boards.
  - 15. The method of claim 9, where selectively processing the data packet includes:
    - monitoring, using the one or more second components, irregularities of a packet flow associated with the data packet.

16. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions which, when executed by a device, cause the device to determine whether a data packet is a first data packet in a session associated with the data packet;
  
  one or more instructions which, when executed by the device, cause the device to determine whether information regarding the session, associated with the data packet, is stored in a data structure after determining whether the data packet is the first data packet in the session,the data structure storing information regarding sessions;
  
  one or more instructions which, when executed by the device, cause the device to selectively transmit the data packet to one or more first components, of the device, or to one or more second components of the device,the one or more second components being different than the one or more first components,the data packet being transmitted to the one or more first components when the information regarding the session, associated with the data packet, is not stored in the data structure, orthe data packet being transmitted to the one or more second components, without being transmitted to the one or more first components, when the information regarding the session, associated with the data packet, is stored in the data structure; and
  
  one or more instructions which, when executed by the device, cause the device to selectively process the data packet by one of;
  
  the one or more first components, orthe one or more second components.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable medium of claim 16, where the one or more instructions to selectively process the data packet include:
    - one or more instructions to perform, using the one or more first components, at least one of;
      
      a firewall check, oran access policy check.
  - 18. The non-transitory computer-readable medium of claim 17, where the one or more instructions to perform the at least one of a firewall check or an access policy check include:
    - one or more instructions to perform the firewall check,one or more instructions to perform a dynamic port database check after performing the firewall check, andone or more instructions to perform the access policy check after performing the dynamic port database check.
  - 19. The non-transitory computer-readable medium of claim 16, where the one or more instructions to selectively process the data packet include:
    - one or more instructions to monitor, using the one or more second components, irregularities of a packet flow associated with the data packet.
  - 20. The non-transitory computer-readable medium of claim 16,where the one or more instructions to determine whether the data packet is the first data packet in the session include:
    - one or more instructions to extract information from the data packet, andone or more instructions to determine whether the data packet is the first data packet based on the information extracted from the data packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Ke, Yan, Mao, Yuming, Tong, Jian, Huang, Guangsong
Primary Examiner(s)
Pham, Brenda H

Application Number

US14/169,710
Publication Number

US 20140215598A1
Time in Patent Office

886 Days
Field of Search

370/389, 370353-357, 370/396, 370/473, 370/471
US Class Current

1/1
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/1416   Event detection, e.g. attac...

Network security device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network security device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links