Regional firewall clustering in a networked computing environment
First Claim
1. A method for managing a firewall cluster in a networked computing environment, comprising the computer-implemented steps of:
defining a cluster delay time interval as a highest round trip time (RTT) value among a set of firewall pairs in a firewall cluster;
receiving a packet at a first firewall in the firewall cluster between a source and a destination, wherein the packet has an unknown session state;
reading a session state table to determine whether there exists a session state match based on the source and destination;
determining, based on the reading, that a session state match is not found;
determining, in response to the determination that the session state match is not found, whether the packet is allowed by a regional policy of the firewall cluster;
when the packet is allowed by the regional policy, buffering the packet for the duration of the cluster delay interval;
determining whether session state information arrives from a second firewall prior to expiration of the cluster delay interval; and
when the session state information arrives from the second firewall prior to the expiration of the cluster delay interval, forwarding the packet to the destination.
Abstract
An approach for regional firewall clustering for optimal state-sharing of different sites in a virtualized/networked (e.g., cloud) computing environment is provided. In a typical embodiment, each firewall in a given region is informed of its peer firewalls via a registration process with a centralized server. Each firewall opens up an Internet protocol (IP)-based communication channel to each of its peers in the region to share state table information. This allows for asymmetrical firewall flows through the network and allows routing protocols to ascertain the best path to a given destination without having to take firewall placement into consideration.
20 Claims
1. A method for managing a firewall cluster in a networked computing environment, comprising the computer-implemented steps of:
defining a cluster delay time interval as a highest round trip time (RTT) value among a set of firewall pairs in a firewall cluster;
receiving a packet at a first firewall in the firewall cluster between a source and a destination, wherein the packet has an unknown session state;
reading a session state table to determine whether there exists a session state match based on the source and destination;
determining, based on the reading, that a session state match is not found;
determining, in response to the determination that the session state match is not found, whether the packet is allowed by a regional policy of the firewall cluster;
when the packet is allowed by the regional policy, buffering the packet for the duration of the cluster delay interval;
determining whether session state information arrives from a second firewall prior to expiration of the cluster delay interval; and
when the session state information arrives from the second firewall prior to the expiration of the cluster delay interval, forwarding the packet to the destination.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A system for managing a firewall cluster in a networked computing environment, comprising:
a memory medium comprising program instructions;
a bus coupled to the memory medium; and
a processor, for executing the program instructions, which causes the system to:
define a cluster delay time interval as a highest round trip time (RTT) value among a set of firewall pairs in a firewall cluster;
receive a packet at a first firewall in the firewall cluster between a source and a destination, wherein the packet has an unknown session state;
read a session state table to determine whether there exists a session state match based on the source and destination;
determine, based on the reading, that a session state match is not found;
determine, in response to the determination that the session state match is not found, whether the packet is allowed by a regional policy of the firewall cluster;
when the packet is allowed by the regional policy, buffer the packet for the duration of the cluster delay interval;
determine whether session state information arrives from a second firewall prior to expiration of the cluster delay interval; and
when the session state information arrives from the second firewall prior to the expiration of the cluster delay interval, forward the packet to the destination.
Dependent claims: 10, 11, 12, 13, 14.
15. A computer program product for managing a firewall cluster in a networked computing environment, the computer program product comprising a computer readable hardware storage device, and program instructions stored on the computer readable hardware storage device, to:
define a cluster delay time interval as a highest round trip time (RTT) value among a set of firewall pairs in a firewall cluster;
receive a packet at a first firewall in the firewall cluster between a source and a destination, wherein the packet has an unknown session state;
read a session state table to determine whether there exists a session state match based on the source and destination;
determine, based on the reading, that a session state match is not found;
determine, in response to the determination that the session state match is not found, whether the packet is allowed by a regional policy of the firewall cluster;
when the packet is allowed by the regional policy, buffer the packet for the duration of the cluster delay interval;
determine whether session state information arrives from a second firewall prior to expiration of the cluster delay interval; and
when the session state information arrives from the second firewall prior to the expiration of the cluster delay interval, forward the packet to the destination.
Dependent claims: 16, 17, 18, 19, 20.
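The buffered lookup that claims 1, 9 and 15 recite, together with the peer registration and peer-to-peer state sharing the abstract describes, as an added discrete-event simulation in Python. This is not code from the patent or its assignee; the class and function names, the bidirectional network-pair policy model, the one-way latency of RTT/2 over the peer channel, the rule that only a SYN creates state, the drop on expiry (the claims as printed recite only the forwarding case), and every address and RTT value are assumptions made for the example.

```python
"""Simulation of claims 1, 9 and 15 plus the peer registration and state sharing from the
abstract. Added example, not the patent's code: every class, name and address is assumed."""
import heapq
import itertools
from collections import namedtuple
from ipaddress import ip_address, ip_network

FlowKey = tuple[str, str]  # (source, destination), as the claims phrase it
Packet = namedtuple("Packet", "src dst syn", defaults=(False,))  # syn: may create state


class Cluster:
    """Stands in for the centralized registration server and the simulation clock."""

    def __init__(self, rtt_ms: dict[frozenset, float]):
        self.rtt = rtt_ms
        self.delay = max(rtt_ms.values())  # cluster delay interval = highest pairwise RTT
        self.members, self.now, self._events, self._seq = [], 0.0, [], itertools.count()

    def register(self, fw: "Firewall") -> None:  # registration tells each member its peers
        for peer in self.members:
            peer.peers.append(fw)
            fw.peers.append(peer)
        self.members.append(fw)
        fw.cluster = self

    def at(self, t: float, fn) -> None:
        heapq.heappush(self._events, (t, next(self._seq), fn))

    def run(self) -> None:
        while self._events:
            self.now, _, fn = heapq.heappop(self._events)
            fn()


class Firewall:
    def __init__(self, name: str, policy: list[tuple[str, str]]):
        self.name, self.cluster, self.peers = name, None, []
        # Assumed regional policy: network pairs allowed to talk in either direction.
        self.policy = [(ip_network(a), ip_network(b)) for a, b in policy]
        self.state: dict[FlowKey, str] = {}  # session state table
        self.buffer: dict[FlowKey, list[Packet]] = {}
        self.decisions: list[tuple[float, str, str]] = []  # (time ms, flow, verdict)

    def allowed(self, pkt: Packet) -> bool:
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        return any((s in a and d in b) or (s in b and d in a) for a, b in self.policy)

    def receive(self, pkt: Packet) -> None:
        c, key = self.cluster, (pkt.src, pkt.dst)
        if key in self.state or key[::-1] in self.state:  # stateful lookup, either direction
            self._verdict(pkt, "FORWARD: state match")
        elif not self.allowed(pkt):
            self._verdict(pkt, "DROP: denied by regional policy")
        elif pkt.syn:
            # New session: record it and push the state to every peer over the peer
            # channel; it lands one-way latency (RTT/2) later.
            self.state[key] = "local"
            for peer in self.peers:
                one_way = c.rtt[frozenset({self.name, peer.name})] / 2
                c.at(c.now + one_way, lambda p=peer: p.receive_state(key, self.name))
            self._verdict(pkt, "FORWARD: new session")
        else:
            # Allowed but unknown state: hold it for the cluster delay interval.
            self.buffer.setdefault(key, []).append(pkt)
            c.at(c.now + c.delay, lambda: self._expire(key))

    def receive_state(self, key: FlowKey, origin: str) -> None:
        self.state[key] = f"shared by {origin}"
        for k in (key, key[::-1]):  # release packets held for either direction
            for pkt in self.buffer.pop(k, []):
                self._verdict(pkt, f"FORWARD: state arrived from {origin}")

    def _expire(self, key: FlowKey) -> None:
        # Assumption: the claims as printed recite only the forwarding case; a packet
        # whose state never arrives is dropped here.
        for pkt in self.buffer.pop(key, []):
            self._verdict(pkt, "DROP: cluster delay interval expired without state")

    def _verdict(self, pkt: Packet, what: str) -> None:
        self.decisions.append((self.cluster.now, f"{pkt.src}->{pkt.dst}", what))


def scenario() -> tuple[Cluster, dict[str, Firewall]]:
    """Constructed scenario: a flow whose return path crosses a different firewall."""
    cluster = Cluster({frozenset({"fw-a", "fw-b"}): 20.0, frozenset({"fw-a", "fw-c"}): 50.0,
                       frozenset({"fw-b", "fw-c"}): 40.0})
    fws = {n: Firewall(n, [("10.0.0.0/8", "203.0.113.0/24")]) for n in ("fw-a", "fw-b", "fw-c")}
    for fw in fws.values():
        cluster.register(fw)
    cluster.at(0.0, lambda: fws["fw-a"].receive(Packet("10.0.0.5", "203.0.113.10", syn=True)))
    # The SYN-ACK returns via fw-b at t=5 ms, before fw-a's state reaches fw-b at t=10 ms.
    cluster.at(5.0, lambda: fws["fw-b"].receive(Packet("203.0.113.10", "10.0.0.5")))
    # Policy-allowed packet with no session anywhere: held, then dropped at t=55 ms.
    cluster.at(5.0, lambda: fws["fw-c"].receive(Packet("203.0.113.77", "10.0.0.9")))
    # Packet outside the regional policy: refused without buffering.
    cluster.at(6.0, lambda: fws["fw-b"].receive(Packet("198.51.100.1", "10.0.0.5")))
    cluster.run()
    return cluster, fws


if __name__ == "__main__":
    for fw in scenario()[1].values():
        print(fw.name, *fw.decisions, sep="\n  ")
```

Running the module prints each firewall's verdicts. The point to observe is the asymmetric flow: the SYN-ACK held at fw-b is released at 10 ms, when fw-a's shared state arrives, well inside the 50 ms cluster delay interval (the largest pairwise RTT, fw-a to fw-c), so the return path never had to cross the firewall that saw the SYN. The packet for which no firewall ever creates state is held for the full interval and then dropped, and a packet outside the regional policy is never buffered at all. In the simulation the hold queue is unbounded; a real implementation would cap buffered packets per flow and per firewall, since every policy-allowed packet with no session is held for the full interval.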
Specification