Secure path selection within computer networks

US 9,762,537 B1
Filed: 10/14/2008
Issued: 09/12/2017
Est. Priority Date: 10/14/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

issuing, with a first router included within a network and in accordance with an inspection protocol, a communication to a network security device coupled to the first router requesting security information that describes at least one security service provided by the network security device, wherein the at least one security service comprises at least one of a firewall service, an anti-virus service, and an intrusion detection and prevention service;

in response to the communication and in accordance with the inspection protocol, receiving, with the first router, a response communication that includes the security information from the network security device;

generating, with the first router and in accordance with a routing protocol, a message that includes the security information;

forwarding, with the first router and in accordance with the routing protocol, the message to at least a second router that is different from the first router;

receiving, with a second router included within the network, the message including the security information;

based on both topology information describing the network and the received security information, performing path selection with the second router to determine a path through the network that includes the first router so that the first router coupled to the network security device is positioned along the path between the second router and the destination, wherein the path includes a plurality of next hops from the second router to a destination, and wherein the network security device is not in the forwarding path for network traffic forwarded along the path; and

forwarding, with the second router, at least a portion of the network traffic along the determined path to the first router along the path;

redirecting, with the first router, at least the portion of the network traffic to the network security device to apply the at least one security service;

receiving, with the first router and from the network security device, at least the portion of the network traffic remaining after applying the at least one security service; and

forwarding, with the first router, at least the portion of the network traffic remaining after applying the at least one security service along the path to the destination.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, techniques are described by which a path through a network may be selected based on security information. For example, a network device may include one or more interfaces and a control unit. The interfaces may receive security information that describes a security service provided by a network security device. The network security device may couple to another network device. The control unit then determines, based on the security information, a path through the network that includes the other network device. The interfaces may forward at least a portion of the network traffic along the determined path to the other network device such that the network security device coupled to the other network device applies the security service to the portion of the network traffic forwarded via the path. As a result, the network device secures traffic by perform security path selection to forward traffic to network security devices.

Citations

33 Claims

1. A method comprising:
- issuing, with a first router included within a network and in accordance with an inspection protocol, a communication to a network security device coupled to the first router requesting security information that describes at least one security service provided by the network security device, wherein the at least one security service comprises at least one of a firewall service, an anti-virus service, and an intrusion detection and prevention service;
  
  in response to the communication and in accordance with the inspection protocol, receiving, with the first router, a response communication that includes the security information from the network security device;
  
  generating, with the first router and in accordance with a routing protocol, a message that includes the security information;
  
  forwarding, with the first router and in accordance with the routing protocol, the message to at least a second router that is different from the first router;
  
  receiving, with a second router included within the network, the message including the security information;
  
  based on both topology information describing the network and the received security information, performing path selection with the second router to determine a path through the network that includes the first router so that the first router coupled to the network security device is positioned along the path between the second router and the destination, wherein the path includes a plurality of next hops from the second router to a destination, and wherein the network security device is not in the forwarding path for network traffic forwarded along the path; and
  
  forwarding, with the second router, at least a portion of the network traffic along the determined path to the first router along the path;
  
  redirecting, with the first router, at least the portion of the network traffic to the network security device to apply the at least one security service;
  
  receiving, with the first router and from the network security device, at least the portion of the network traffic remaining after applying the at least one security service; and
  
  forwarding, with the first router, at least the portion of the network traffic remaining after applying the at least one security service along the path to the destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein receiving the security information comprises receiving, in accordance with a link state protocol, a link state advertisement (LSA) from the second router that includes the security information.
  - 3. The method of claim 1, further comprising:
    - determining adjacent security information for an adjacent network security device that couples to the second router; and
      
      forwarding the adjacent security information to the first router.
  - 4. The method of claim 3,wherein determining the adjacent security information comprises inspecting the adjacent network security device in accordance with the inspection protocol to determine the adjacent security information, andwherein forwarding the adjacent security information comprises forwarding the adjacent security information via a link state advertisement (LSA) in accordance with a link state protocol.
  - 5. The method of claim 3, wherein the adjacent network security device that couples to the second router comprises a security card included within the second router.
  - 6. The method of claim 1,wherein the network security device comprises one of a plurality of network security devices,wherein performing the path selection comprises:
    - receiving at least one policy associating the portion of the traffic with the security service provided by the one of the network security devices;
      
      maintaining a table comprising a plurality of entries, wherein each entry stores the security information for a different one of the plurality of network security devices;
      
      selecting at least one of the plurality of entries that stores the security information describing the service identified by the policy; and
      
      determining, in accordance with an interior gateway protocol, the path through the network such that the path flows through the one of the plurality of network security devices associated with the selected entry.
  - 7. The method of claim 6,wherein the security information includes a utilization property indicating an availability of a corresponding one of the plurality of network security devices,wherein selecting the at least one of the plurality of entries comprises:
    - selecting two of the plurality of entries corresponding to two different ones of the plurality of network security devices that each provides the same security service identified by the policy;
      
      determining an availability for each of the two different one of the plurality of network security devices based on the utilization property included within the security information of the two entries; and
      
      selecting one of the two different ones of the plurality of routers based on the determined availabilities to increase utilization of the plurality of network security devices.
  - 8. The method of claim 1, wherein performing path selection to determine the path comprises determining the path in accordance with a link state protocol.
  - 9. The method of claim 1, wherein performing path selection to determine the path comprises establishing the path in accordance with a Multi-Protocol Label Switching (MPLS) signaling protocol.
  - 10. The method of claim 1,wherein the network security device comprises a security card,wherein the first router includes the security card, andwherein the first router internally couples to the security card.

11. A router included within a network comprising:
- one or more interfaces that receive, in accordance with a routing protocol, a message including security information that describes at least one security service provided by a network security device positioned within the network and that is retrieved by another router different from the router via a communication sent to the network security device requesting the security information and a response communication received from the network security device including the security information both in accordance with an inspection protocol, wherein the network security device is coupled to the other router, wherein the at least one security service comprises at least one of a firewall service, an anti-virus service, and an intrusion detection and prevention service; and
  
  a control unit that, based on both topology information describing the network and the received security information, performs path selection to determine a path through the network that includes the other router so that the other router coupled to the network security device is positioned along the path between the router and the destination, wherein the path includes a plurality of next hops from the router to a destination, wherein the network security device is not in the forwarding path for network traffic forwarded along the path, andwherein the one or more interfaces forward at least a portion of the network traffic along the determined path to the other router such that the other router
  
  1) redirects at least the portion of the network traffic to the network security device coupled to the other router, receives from the network security device at least the portion of the network traffic remaining after applying the at least one security service, and
  
  3) forwards at least the portion of the network traffic remaining after applying the at least one security service along the path to the destination.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The router of claim 11, wherein the one or more interfaces receive a link state advertisement (LSA) that includes the security information in accordance with a link state protocol from the other router.
  - 13. The router of claim 11,wherein the control unit includes a security module that determines adjacent security information for an adjacent network security device that couples to the router, andwherein the one or more interfaces forward the adjacent security information to the second router.
  - 14. The router of claim 13,wherein the security module includes an inspection protocol module that implements an inspection protocol to inspect the adjacent network security device in accordance with the inspection protocol to determine the adjacent security information, andwherein the one or more interfaces forward the adjacent security information via a link state advertisement (LSA) in accordance with a link state protocol.
  - 15. The router of claim 14,wherein the adjacent network security device comprises a security card,wherein the router includes the security card to apply one or more additional security services to the network traffic, andwherein the one or more additional security services include one or more of an anti-virus (AV) security service, a firewall (FW) security service and an intrusion detection/prevention (IDP) security service.
  - 16. The router of claim 11,wherein the network security device comprises one of a plurality of network security devices,wherein the control unit comprises:
    - a user interface module that presents a user interface with which an administrator may interact to input at least one policy associating the portion of the traffic with the security service provided by the one of the network security devices;
      
      a security module that maintains a table comprising a plurality of entries, wherein each entry stores the security information for a different one of the plurality of network security devices, and selects at least one of the plurality of entries that stores the security information describing the service identified by the policy; and
      
      an interior gateway protocol (IGP) module that determines, in accordance with an interior gateway protocol, the path through the network such that the path flows through the one of the plurality of network security devices associated with the selected entry.
  - 17. The router of claim 16,wherein the security information includes a utilization property indicating an availability of a corresponding one of the plurality of network security devices,wherein the security module further selects, based on the security information, two of the plurality of entries corresponding to two different ones of the plurality of network security devices that each provides the same security service identified by the policy and determines an availability for each of the two different one of the plurality of network security devices based on the utilization property included within the security information of the two entries, and selects one of the two different ones of the plurality of routers based on the determined availabilities to increase utilization of the plurality of network security devices.
  - 18. The router of claim 11, wherein the control unit includes an interior gateway protocol module that implements a link state Open Shortest Path First (OSPF) protocol to determine the path in accordance with the OSPF protocol.
  - 19. The router of claim 11, wherein the control unit includes a Multi-Protocol Label Switching (MPLS) module that implements an MPLS signaling protocol and establishes the path in accordance with the MPLS signaling protocol.
  - 20. The router of claim 11,wherein the network security device comprises one of a firewall (FW) device or an intrusion detection/prevention (IDP) device that applies the security service,wherein the security service comprises one of a FW security service, an IDP security service or an anti-virus (AV) security service.
  - 21. The router of claim 11,wherein the network security device comprises a security card,wherein the other router includes the security card, andwherein the other router internally couples to the security card.

22. A network system comprising:
- a plurality of network security devices; and
  
  a plurality of routers that couple to one or more of the network security devices,wherein a first one of the plurality of routers includes;
  
  a control unit that generates, in accordance with an inspection protocol, a communication to one of the plurality of network security devices coupled to the first one of the plurality of routers requesting security information that describes at least one security service provided by the one of the plurality of network security devices, wherein the at least one security service comprises at least one of a firewall service, an anti-virus service, and an intrusion detection and prevention service; and
  
  one or more interfaces that issue the communication to the one of the plurality of network security device, receive, in response to the communication and in accordance with the inspection protocol, a response communication that includes the security information from the network security device,wherein the control unit of the first one of the plurality of routers generates, in accordance with a routing protocol, a message including the security information;
  
  wherein the one or more interfaces of the first one of the plurality of routers forwards the message including the security information to at least a second one of the plurality of routers,wherein the second one of the plurality of routers includes;
  
  one or more interfaces that receives the message including the security information; and
  
  a control unit that, based on both topology information describing the network and the received security information, performs path selection to determine a path through the network that includes the first one of the plurality of routers so that the first one of the plurality of routers coupled to the one of the network security devices is positioned along the path between the second one of the plurality of routers and the destination, wherein the network security device is not in the forwarding path for network traffic forwarded along the path, andwherein the one or more interfaces of the second one of the plurality of routers forward at least a portion of the network traffic along the determined path to the first one of the plurality of routers,wherein the one or more interfaces of the first one of the plurality of routers redirects at least the portion of the network traffic to the network security device to apply the at least one security service, receives at least the portion of the network traffic remaining after applying the at least one security service, and forwards at least the portion of the network traffic remaining after applying the at least one security service along the path to the destination.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 23. The network system of claim 22, wherein the one or more interfaces of the second one of the plurality of routers receive one or more link state advertisements (LSAs) that include the security information in accordance with a link state protocol from each of the other routers.
  - 24. The network system of claim 22,wherein the control unit of the second one of the plurality of routers includes a security module that determines adjacent security information for at least one of the plurality of network security device adjacent to and that couples to the second one of the plurality of routers, andwherein the one or more interfaces of the second one of the plurality of routers forward the adjacent security information to each of the other routers.
  - 25. The network system of claim 24,wherein the security module includes an inspection protocol module that implements an inspection protocol to inspect the adjacent network security device in accordance with the inspection protocol to determine the adjacent security information, andwherein the one or more interfaces of the second one of the plurality of routers forward the adjacent security information via an opaque link state advertisement (LSA) in accordance with a link state protocol.
  - 26. The network system of claim 25,wherein the adjacent network security device comprises a security card,wherein the second one of the plurality of routers includes the security card to apply one or more additional security services to the network traffic, andwherein the one or more security services include one or more of an anti-virus (AV) security service, a firewall (FW) security service and an intrusion detection/prevention (IDP) security service.
  - 27. The network system of claim 22, wherein the control unit of the second one of the plurality of routers comprises:
    - a user interface module that present a user interface with which an administrator may interact to input at least one policy associating the portion of the traffic with at least one of the security services provided by one of the network security devices;
      
      a security module that maintains a table comprising a plurality of entries, wherein each entry stores the security information for a different one of the plurality of network security devices, and selects one of the plurality of entries that stores the security information describing the service identified by the policy; and
      
      an interior gateway protocol (IGP) module that determines, in accordance with an interior gateway protocol, the path through the network such that the path flows through the one or more of the plurality of network security devices associated with the selected entry.
  - 28. The network system of claim 27,wherein the security information includes a utilization property indicating an availability of a corresponding one of the plurality of network security devices,wherein the security module further selects, based on the security information, two of the plurality of entries corresponding to two different ones of the plurality of network security devices that each provides the same security service identified by the policy and determines an availability for each of the two different one of the plurality of network security devices based on the utilization property included within the security information of the two entries, and selects one of the two different ones of the plurality of routers based on the determined availabilities to increase utilization of the plurality of network security devices.
  - 29. The network system of claim 22, wherein the control unit of the second one of the plurality of routers includes an interior gateway protocol module that implements a link state Open Shortest Path First (OSPF) protocol to determine the path in accordance with the OSPF protocol.
  - 30. The network system of claim 22, wherein the control unit of the second one of the plurality of routers includes a Multi-Protocol Label Switching (MPLS) protocol module that implements an MPLS signaling protocol and establishes the path in accordance with the MPLS signaling protocol.
  - 31. The network system of claim 22,wherein each of the plurality of network security devices comprises one of a firewall (FW) device or an intrusion detection/prevention (IDP) device that applies the security service,wherein the security service comprises one of a FW security service, an IDP security service or an anti-virus (AV) security service.
  - 32. The network system of claim 22,wherein one or more of the network security devices each comprises a security card,wherein one or more of the plurality of routers includes a corresponding one of the one or more security cards, andwherein one or more of the plurality of routers that include the corresponding one of the one or more security cards internally couples to the respective one of the one or more security cards.

33. A non-transitory computer-readable medium comprising instructions for causing a programmable processor to:
- receive, with a first router included within a network and in accordance with a routing protocol, a message including security information that describes at least one security service provided by a network security device positioned within the network and that is retrieved by second router different from the first router via a communication sent to the network security device requesting the security information and a response communication received from the network security device including the security information both in accordance with an inspection protocol, wherein the network security device couples to a second router, wherein the at least one security service comprises at least one of a firewall service, an anti-virus service, and an intrusion detection and prevention service;
  
  performing, based on both topology information describing the network and the received security information, path selection to determine a path through the network that includes the second router so that the second router coupled to the network security device is positioned along the path between the first router and the destination, wherein the path includes a plurality of next hops from the first network router to a destination, and wherein the first router selects the path through the network so that the second router coupled to the network security device is positioned along the path between the first router and the destination, wherein the network security device is not in the forwarding path for network traffic forwarded along the path; and
  
  forward, with the first router, at least a portion of the network traffic along the determined path to the second router such that the second router
  
  1) redirects at least the portion of the network traffic to the network security device coupled to the other router, receives from the network security device at least the portion of the network traffic remaining after applying the at least one security service, and
  
  3) forwards at least the portion of the network traffic remaining after applying the at least one security service along the path to the destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Eyada, Hatem
Primary Examiner(s)
Kyle, Tamara T

Application Number

US12/251,018
Time in Patent Office

3,255 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 45/02   Topology update or discovery

H04L 45/03   by updating link state prot...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

Secure path selection within computer networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Secure path selection within computer networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links