Routing a packet by a device
First Claim
1. A system comprising:
- a device, comprising a memory and a processor, to:
extract information from a layer 2 header of a packet received from a first security zone, the information including a security identifier;
determine, based on the security zone identifier, whether the packet is to be screened, the packet being screened when the packet is intended for a second security zone that is different from the first security zone, the packet not being screened when the packet is intended for the first security zone;
when the packet is intended for the second security zone:
screen the packet for security, process the packet, to obtain a first processed packet, based on a security policy corresponding to the second security zone after screening the packet, determine, based on screening the packet for security, whether to drop the first processed packet or route the first processed packet toward a destination of the packet; and
route the first processed packet to a port of the device for routing toward the destination of the packet based on determining whether to drop or route the first processed packet; and
when the packet is intended for the first security zone:
process the packet to obtain a second processed packet based on a security policy corresponding to the first security zone, and route the second processed packet to the port for routing toward the destination of the packet, without processing the packet based on the security policy corresponding to the second security zone, the port being associated with an address included in the information.
Abstract
Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.
17 Claims
6. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions which, when executed by a device, cause the device to extract information from a layer 2 header of a packet received from a first security zone, the information including a security zone identifier;
one or more instructions which, when executed by the device, cause the device to determine, based on the security zone identifier, whether the packet is to be screened, the packet being not screened when the packet is intended for the first security zone, and the packet being screened when the packet is intended for a second security zone that is different from the first security zone;
one or more instructions which, when executed by the device, cause the device to screen the packet for security when the packet is intended for the second security zone;
one or more instructions which, when executed by the device, cause the device to process the packet, to obtain a first processed packet, based on a policy corresponding to the second security zone after screening the packet when the packet is intended for the second security zone;
one or more instructions which, when executed by the device, cause the device to determine, based on screening the packet for security, whether the first processed packet is to be dropped or routed toward a destination of the packet when the packet is intended for the second security zone;
one or more instructions which, when executed by the device, cause the device to route the first processed packet to a port of the device for routing toward the destination of the packet based on determining whether the first processed packet is to be dropped or routed;
one or more instructions which, when executed by the device, cause the device to process the packet, to obtain a second processed packet, based on a policy corresponding to the first security zone when the packet is intended for the first security zone; and
one or more instructions which, when executed by the device, cause the device to route the second processed packet to the port for routing toward the destination of the packet based on processing the packet based on the policy corresponding to the first security zone when the packet is intended for the first security zone, the port being associated with an address included in the information.
11. A method comprising:
extracting, by a device, information from a layer 2 header of a packet, the information including a security zone identifier;
determining, by the device and using the security zone identifier, whether the packet is to be screened, the packet not being screened when the packet is intended for a first security zone, and the packet being screened when the packet is intended for a second security zone, the second security zone being different from the first security zone, the packet being received from the first security zone;
when the packet is intended for the second security zone:
screening the packet for security, processing, by the device and after screening the packet, the packet to obtain a first processed packet, the packet being processed based on a policy corresponding to the second security zone, determining, by the device, whether the first processed packet is to be dropped or routed toward a destination of the packet based on screening the packet for security, and selectively routing, by the device, the first processed packet to a port of the device for routing toward the destination of the packet based on determining whether the first processed packet is to be dropped or routed toward the destination of the packet; and
when the packet is intended for the first security zone:
processing, by the device, the packet to obtain a second processed packet, the packet being processed based on a policy corresponding to the first security zone and without processing the packet based on the policy corresponding to the second security zone, and routing, by the device, the second processed packet to the port of the device for routing toward the destination of the packet after processing the packet based on the policy corresponding to the first security zone, the port being associated with an address included in the information.
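The forwarding decision claimed in claims 1, 6 and 11, modelled as a small Python program (an added example, not code from the patent or its assignee). It assumes the layer 2 security zone identifier is carried as the 802.1Q VLAN ID, uses constructed MAC, port, zone and policy tables, and adds one check the claims do not spell out: the tagged zone must match the zone of the ingress port, so a host cannot claim a foreign zone to bypass inter-zone screening.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed tables (not from the patent): MAC-to-port, port-to-zone and a
# per-zone policy of permitted inner EtherTypes. The L2 "security zone
# identifier" is assumed to be carried as the 802.1Q VLAN ID.
ETHERTYPE_VLAN = 0x8100
ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
MAC_A, MAC_B, MAC_C = (bytes.fromhex("02000000000%d" % i) for i in (1, 2, 3))
MAC_TO_PORT = {MAC_A: 1, MAC_B: 2, MAC_C: 3}
PORT_ZONE = {1: 10, 2: 10, 3: 20}          # ports 1-2 in zone 10, port 3 in zone 20
ZONE_POLICY = {10: {ETH_IPV4, ETH_ARP, ETH_IPV6}, 20: {ETH_IPV4, ETH_ARP}}
SCREEN_SIGNATURES = (b"EVIL",)             # stand-in for a real inspection engine

@dataclass
class Decision:
    action: str                 # "route" or "drop"
    port: Optional[int]         # egress port when routed
    screened: bool              # whether inter-zone screening ran
    policy_zone: Optional[int]  # zone whose policy was applied

def parse_l2(frame: bytes):
    """Return (dst_mac, zone_id, inner_ethertype, payload) from a tagged frame."""
    dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_VLAN:
        raise ValueError("untagged frame: no zone identifier in L2 header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, tci & 0x0FFF, inner, frame[18:]

def screen(payload: bytes) -> bool:
    """Screening step for inter-zone traffic; True when the payload passes."""
    return not any(sig in payload for sig in SCREEN_SIGNATURES)

def forward(frame: bytes, ingress_port: int) -> Decision:
    dst, src_zone, inner, payload = parse_l2(frame)
    # Defender's check: the tagged zone must match the ingress port's zone,
    # otherwise a host could claim another zone and skip screening.
    if PORT_ZONE[ingress_port] != src_zone or dst not in MAC_TO_PORT:
        return Decision("drop", None, False, None)
    out_port = MAC_TO_PORT[dst]          # port associated with the L2 address
    dst_zone = PORT_ZONE[out_port]
    if dst_zone != src_zone:             # inter-zone: screen, then second zone's policy
        ok = screen(payload) and inner in ZONE_POLICY[dst_zone]
        return Decision("route" if ok else "drop", out_port if ok else None, True, dst_zone)
    ok = inner in ZONE_POLICY[src_zone]  # intra-zone: first zone's policy only, no screening
    return Decision("route" if ok else "drop", out_port if ok else None, False, src_zone)

def make_frame(dst: bytes, src: bytes, zone: int, inner: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sHHH", dst, src, ETHERTYPE_VLAN, zone & 0x0FFF, inner) + payload  # constructed test frame
```

Intra-zone frames are routed under the source zone's policy without screening; inter-zone frames are screened and then subject to the destination zone's policy, and a spoofed zone tag is dropped at ingress.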
Specification