Regional firewall clustering in a networked computing environment

US 9,882,875 B2
Filed: 09/02/2016
Issued: 01/30/2018
Est. Priority Date: 06/07/2013
Status: Active Grant

First Claim

Patent Images

1. A method for managing a firewall cluster in a networked computing environment, comprising the computer-implemented steps of:

defining a cluster delay time interval as a highest round trip time (RTT) value among a set of firewall pairs in a firewall cluster;

receiving a packet at a first firewall in the firewall cluster between a source and a destination, wherein the packet has an unknown session state;

reading a session state table to determine whether there exists a session state match based on the source and destination;

determining, based on the reading, that a session state match is not found;

determining, in response to the determination that the session state match is not found, whether the packet is allowed by a regional policy of the firewall cluster;

when the packet is allowed by the regional policy, buffering the packet for the duration of the cluster delay interval;

determining whether session state information arrives from a second firewall prior to expiration of the cluster delay interval; and

when the session state information arrives from the second firewall prior to the expiration of the cluster delay interval, forwarding the packet to the destination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach for regional firewall clustering for optimal state-sharing of different sites in a virtualized/networked (e.g., cloud) computing environment is provided. In a typical embodiment, each firewall in a given region is informed of its peer firewalls via a registration process with a centralized server. Each firewall opens up an Internet protocol (IP)-based communication channel to each of its peers in the region to share state table information. This allows for asymmetrical firewall flows through the network and allows routing protocols to ascertain the best path to a given destination without having to take firewall placement into consideration.

Citations

20 Claims

1. A method for managing a firewall cluster in a networked computing environment, comprising the computer-implemented steps of:
- defining a cluster delay time interval as a highest round trip time (RTT) value among a set of firewall pairs in a firewall cluster;
  
  receiving a packet at a first firewall in the firewall cluster between a source and a destination, wherein the packet has an unknown session state;
  
  reading a session state table to determine whether there exists a session state match based on the source and destination;
  
  determining, based on the reading, that a session state match is not found;
  
  determining, in response to the determination that the session state match is not found, whether the packet is allowed by a regional policy of the firewall cluster;
  
  when the packet is allowed by the regional policy, buffering the packet for the duration of the cluster delay interval;
  
  determining whether session state information arrives from a second firewall prior to expiration of the cluster delay interval; and
  
  when the session state information arrives from the second firewall prior to the expiration of the cluster delay interval, forwarding the packet to the destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising the computer-implemented step of determining the cluster delay time interval.
  - 3. The method of claim 1, further comprising the computer-implemented step of opening a communication channel between each firewall pair in the firewall cluster.
  - 4. The method of claim 3, further comprising determining a round-trip time (RTT) value between each firewall pair in the firewall cluster using the respective communication channel.
  - 5. The method of claim 4, wherein the computer-implemented step of determining a round-trip time (RTT) value between a firewall pair in the firewall cluster comprises pinging the second firewall in the firewall pair from the first firewall in the firewall pair.
  - 6. The method of claim 1, further comprising the computer-implemented step of updating the session state table with session state information related to the source and destination.
  - 7. The method of claim 1, where the networked computing environment is a cloud computing environment.
  - 8. The method of claim 1, wherein a solution service provider provides a computer infrastructure operable to perform for one or more consumers.

9. A system for correcting non-compliant source code, comprising:
- a memory medium comprising program instructions;
  
  a bus coupled to the memory medium; and
  
  a processor, for executing the program instructions, which causes the system to;
  
  define a cluster delay time interval as a highest round trip time (RTT) value among a set of firewall pairs in a firewall cluster;
  
  receive a packet at a first firewall in the firewall cluster between a source and a destination, wherein the packet has an unknown session state;
  
  read a session state table to determine whether there exists a session state match based on the source and destination;
  
  determine, based on the reading, that a session state match is not found;
  
  determine, in response to the determination that the session state match is not found, whether the packet is allowed by a regional policy of the firewall cluster;
  
  when the packet is allowed by the regional policy, buffering the packet for the duration of the cluster delay interval;
  
  determine whether session state information arrives from a second firewall prior to expiration of the cluster delay interval; and
  
  when the session state information arrives from the second firewall prior to the expiration of the cluster delay interval, forwarding the packet to the destination.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, the memory medium further comprising instructions for causing the system to determine the cluster delay time interval.
  - 11. The system of claim 9, the memory medium further comprising instructions for causing the system to open a communication channel between each firewall pair in the firewall cluster.
  - 12. The system of claim 11, the memory medium further comprising instructions for causing the system to determine a round-trip time (RTT) value between each firewall pair in the firewall cluster using the respective communication channel.
  - 13. The system of claim 12, the memory medium further comprising instructions for causing the system to determine a round-trip time (RTT) value between a firewall pair in the firewall cluster comprises pinging the second firewall in the firewall pair from the first firewall in the firewall pair.
  - 14. The system of claim 9, the memory medium further comprising instructions for causing the system to update the session state table with session state information related to the source and destination.

15. A computer program product for managing a firewall cluster in a networked computing environment, the computer program product comprising a computer readable hardware storage device, and program instructions stored on the computer readable hardware storage device, to:
- define a cluster delay time interval as a highest round trip time (RTT) value among a set of firewall pairs in a firewall cluster;
  
  receive a packet at a first firewall in the firewall cluster between a source and a destination, wherein the packet has an unknown session state;
  
  read a session state table to determine whether there exists a session state match based on the source and destination;
  
  determine, based on the reading, that a session state match is not found;
  
  determine, in response to the determination that the session state match is not found, whether the packet is allowed by a regional policy of the firewall cluster;
  
  when the packet is allowed by the regional policy, buffering the packet for the duration of the cluster delay interval;
  
  determine whether session state information arrives from a second firewall prior to expiration of the cluster delay interval; and
  
  when the session state information arrives from the second firewall prior to the expiration of the cluster delay interval, forwarding the packet to the destination.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product of claim 15, the computer readable hardware storage device further comprising instructions to open a communication channel between each firewall pair.
  - 17. The computer program product of claim 16, the computer readable hardware storage device further comprising instructions to determine a round-trip time (RTT) value between each firewall pair using an appropriate communication channel.
  - 18. The computer program product of claim 17, the computer readable hardware storage device further comprising instructions to determine a round-trip time (RTT) value between a firewall pair comprises pinging the second firewall in the firewall pair from the first firewall in the firewall pair.
  - 19. The computer program product of claim 15, the computer readable hardware storage device further comprising instructions to update the session state table with session state information related to the source and destination.
  - 20. The computer program product of claim 15, wherein the networked computing environment is a cloud computing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Floyd, III, Robert K., Mandalia, Baiju D., Monaco, Robert P., Viswanathan, Mahesh
Primary Examiner(s)
EDWARDS, LINGLAN E

Application Number

US15/255,494
Publication Number

US 20160373407A1
Time in Patent Office

515 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/0864   Round trip delays

H04L 47/283   in response to processing d...

H04L 47/32   by discarding or delaying d...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 67/5681   Pre-fetching or pre-deliver...

Regional firewall clustering in a networked computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Regional firewall clustering in a networked computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links