Secure path selection within computer networks
Abstract
In general, techniques are described by which a path through a network may be selected based on security information. For example, a network device may include one or more interfaces and a control unit. The interfaces may receive security information that describes a security service provided by a network security device. The network security device may couple to another network device. The control unit then determines, based on the security information, a path through the network that includes the other network device. The interfaces may forward at least a portion of the network traffic along the determined path to the other network device such that the network security device coupled to the other network device applies the security service to the portion of the network traffic forwarded via the path. As a result, the network device secures traffic by performing security path selection to forward traffic to network security devices.
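As an added example (not code from the patent or its assignee), the path-selection step from the abstract: a Dijkstra search whose state also tracks which required security services are already covered by a router along the path, so the cheapest route is chosen only among routes that pass a router coupled to a device providing each required service. The topology, link costs, router names and service labels are constructed.

```python
import heapq
from collections import defaultdict
from itertools import count

# Constructed sample topology: undirected links between routers with costs.
# The security device itself is not a hop; it hangs off R3 / R4, which
# redirect traffic to it and forward what comes back along the path.
TOPOLOGY = {
    ("R1", "R2"): 1, ("R2", "R5"): 1,   # cheapest path, no security service
    ("R1", "R3"): 1, ("R3", "R5"): 3,   # R3 has an attached firewall
    ("R3", "R4"): 1, ("R4", "R5"): 1,   # R4 has an attached IDP device
}

# Security information learned from routing-protocol messages (constructed):
# which services the device coupled to each router can apply.
SECURITY_INFO = {"R3": {"firewall"}, "R4": {"idp"}}


def adjacency(topology):
    adj = defaultdict(list)
    for (a, b), cost in topology.items():
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    return adj


def select_secure_path(topology, security_info, src, dst, required):
    """Dijkstra over (router, services covered so far). The destination is
    accepted only once every required service is provided by a router on
    the path; returns (cost, [routers]) or None if no such path exists."""
    required = frozenset(required)
    adj = adjacency(topology)
    tie = count()  # keeps heap ordering total when costs are equal
    covers = lambda r: frozenset(security_info.get(r, ())) & required
    start = (src, covers(src))
    best = {start: 0}
    heap = [(0, next(tie), src, start[1], [src])]
    while heap:
        cost, _, node, covered, path = heapq.heappop(heap)
        if node == dst and covered == required:
            return cost, path
        if cost > best.get((node, covered), float("inf")):
            continue  # stale entry
        for nxt, w in adj[node]:
            state = (nxt, covered | covers(nxt))
            if cost + w < best.get(state, float("inf")):
                best[state] = cost + w
                heapq.heappush(heap, (cost + w, next(tie), nxt, state[1], path + [nxt]))
    return None
```

With no requirement the plain shortest path R1-R2-R5 wins; requiring a firewall steers traffic through R3 (and on via R4, which is cheaper than R3-R5) even though that route costs more.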
33 Claims
1. A method comprising:
issuing, with a first router included within a network and in accordance with an inspection protocol, a communication to a network security device coupled to the first router requesting security information that describes at least one security service provided by the network security device, wherein the at least one security service comprises at least one of a firewall service, an anti-virus service, and an intrusion detection and prevention service;
in response to the communication and in accordance with the inspection protocol, receiving, with the first router, a response communication that includes the security information from the network security device;
generating, with the first router and in accordance with a routing protocol, a message that includes the security information;
forwarding, with the first router and in accordance with the routing protocol, the message to at least a second router that is different from the first router;
receiving, with a second router included within the network, the message including the security information;
based on both topology information describing the network and the received security information, performing path selection with the second router to determine a path through the network that includes the first router so that the first router coupled to the network security device is positioned along the path between the second router and the destination, wherein the path includes a plurality of next hops from the second router to a destination, and wherein the network security device is not in the forwarding path for network traffic forwarded along the path; and
forwarding, with the second router, at least a portion of the network traffic along the determined path to the first router along the path;
redirecting, with the first router, at least the portion of the network traffic to the network security device to apply the at least one security service;
receiving, with the first router and from the network security device, at least the portion of the network traffic remaining after applying the at least one security service; and
forwarding, with the first router, at least the portion of the network traffic remaining after applying the at least one security service along the path to the destination.
11. A router included within a network comprising:
one or more interfaces that receive, in accordance with a routing protocol, a message including security information that describes at least one security service provided by a network security device positioned within the network and that is retrieved by another router different from the router via a communication sent to the network security device requesting the security information and a response communication received from the network security device including the security information both in accordance with an inspection protocol, wherein the network security device is coupled to the other router, wherein the at least one security service comprises at least one of a firewall service, an anti-virus service, and an intrusion detection and prevention service; and
a control unit that, based on both topology information describing the network and the received security information, performs path selection to determine a path through the network that includes the other router so that the other router coupled to the network security device is positioned along the path between the router and the destination, wherein the path includes a plurality of next hops from the router to a destination, wherein the network security device is not in the forwarding path for network traffic forwarded along the path, and wherein the one or more interfaces forward at least a portion of the network traffic along the determined path to the other router such that the other router
1) redirects at least the portion of the network traffic to the network security device coupled to the other router,
2) receives from the network security device at least the portion of the network traffic remaining after applying the at least one security service, and
3) forwards at least the portion of the network traffic remaining after applying the at least one security service along the path to the destination.
22. A network system comprising:
a plurality of network security devices; and
a plurality of routers that couple to one or more of the network security devices, wherein a first one of the plurality of routers includes:
a control unit that generates, in accordance with an inspection protocol, a communication to one of the plurality of network security devices coupled to the first one of the plurality of routers requesting security information that describes at least one security service provided by the one of the plurality of network security devices, wherein the at least one security service comprises at least one of a firewall service, an anti-virus service, and an intrusion detection and prevention service; and
one or more interfaces that issue the communication to the one of the plurality of network security devices and receive, in response to the communication and in accordance with the inspection protocol, a response communication that includes the security information from the network security device,
wherein the control unit of the first one of the plurality of routers generates, in accordance with a routing protocol, a message including the security information;
wherein the one or more interfaces of the first one of the plurality of routers forward the message including the security information to at least a second one of the plurality of routers, wherein the second one of the plurality of routers includes:
one or more interfaces that receive the message including the security information; and
a control unit that, based on both topology information describing the network and the received security information, performs path selection to determine a path through the network that includes the first one of the plurality of routers so that the first one of the plurality of routers coupled to the one of the network security devices is positioned along the path between the second one of the plurality of routers and the destination, wherein the network security device is not in the forwarding path for network traffic forwarded along the path, and wherein the one or more interfaces of the second one of the plurality of routers forward at least a portion of the network traffic along the determined path to the first one of the plurality of routers,
wherein the one or more interfaces of the first one of the plurality of routers redirect at least the portion of the network traffic to the network security device to apply the at least one security service, receive at least the portion of the network traffic remaining after applying the at least one security service, and forward at least the portion of the network traffic remaining after applying the at least one security service along the path to the destination.
33. A non-transitory computer-readable medium comprising instructions for causing a programmable processor to:
receive, with a first router included within a network and in accordance with a routing protocol, a message including security information that describes at least one security service provided by a network security device positioned within the network and that is retrieved by a second router different from the first router via a communication sent to the network security device requesting the security information and a response communication received from the network security device including the security information both in accordance with an inspection protocol, wherein the network security device couples to the second router, wherein the at least one security service comprises at least one of a firewall service, an anti-virus service, and an intrusion detection and prevention service;
perform, based on both topology information describing the network and the received security information, path selection to determine a path through the network that includes the second router so that the second router coupled to the network security device is positioned along the path between the first router and the destination, wherein the path includes a plurality of next hops from the first router to a destination, and wherein the first router selects the path through the network so that the second router coupled to the network security device is positioned along the path between the first router and the destination, wherein the network security device is not in the forwarding path for network traffic forwarded along the path; and
forward, with the first router, at least a portion of the network traffic along the determined path to the second router such that the second router
1) redirects at least the portion of the network traffic to the network security device coupled to the other router,
2) receives from the network security device at least the portion of the network traffic remaining after applying the at least one security service, and
3) forwards at least the portion of the network traffic remaining after applying the at least one security service along the path to the destination.