HIGH AVAILABILITY FOR NETWORK SECURITY DEVICES

US 20110173490A1
Filed: 01/08/2010
Published: 07/14/2011
Est. Priority Date: 01/08/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, with a backup network device of a high-availability cluster, a state update message from a primary network device of the high-availability cluster, wherein the state update message indicates a network session being inspected by the primary network device and an identified application-layer protocol for the network session;

receiving, with the backup network device, an indication that the primary device has switched over or failed over to the backup network device;

after receiving the indication, receiving, with the backup network device, a plurality of packets of the network session, each of the plurality of packets comprising a respective payload including application-layer data;

detecting a beginning of a new transaction from the application-layer data of one of the plurality of packets; and

processing the application-layer data of the network session that include and follow the beginning of the new transaction without performing stateful processing of the application-layer data that precede the beginning of the new transaction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one example, a backup intrusion detection and prevention (IDP) device includes one or more network interfaces to receive a state update message from a primary IDP device, wherein the state update message indicates a network session being inspected by the primary IDP device and an identified application-layer protocol for the device, to receive an indication that the primary device has switched over or failed over to the backup device, and to receive a plurality of packets of the network session after receiving the indication, each of the plurality of packets comprising a respective payload including application-layer data, a protocol decoder to detect a beginning of a new transaction from the application-layer data of one of the plurality of packets, and a control unit to statefully process only the application-layer data of the network session that include and follow the beginning of the new transaction.

248 Citations

23 Claims

1. A method comprising:
- receiving, with a backup network device of a high-availability cluster, a state update message from a primary network device of the high-availability cluster, wherein the state update message indicates a network session being inspected by the primary network device and an identified application-layer protocol for the network session;
  
  receiving, with the backup network device, an indication that the primary device has switched over or failed over to the backup network device;
  
  after receiving the indication, receiving, with the backup network device, a plurality of packets of the network session, each of the plurality of packets comprising a respective payload including application-layer data;
  
  detecting a beginning of a new transaction from the application-layer data of one of the plurality of packets; and
  
  processing the application-layer data of the network session that include and follow the beginning of the new transaction without performing stateful processing of the application-layer data that precede the beginning of the new transaction.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein detecting the beginning of a new transaction comprises determining that the application-layer data comprises a delimiter value that immediately precedes the beginning of the new transaction.
  - 3. The method of claim 2, wherein the delimiter value comprises at least one of a new line character, a line feed character, and a carriage return character.
  - 4. The method of claim 1, further comprising receiving, with the backup network device, a state update message that indicates a sequence number of a next transaction of the network session prior to the indication that the primary device has switched over or failed over, and wherein detecting the beginning of a new transaction comprises:
    - determining a sequence number of one of the plurality of packets;
      
      comparing the sequence number of the one of the plurality of packets to the sequence number of the next transaction from the state update message; and
      
      determining that the one of the plurality of packets includes the beginning of a new transaction when the sequence number of the one of the plurality of packets matches the sequence number of the next transaction from the state update message.
  - 5. The method of claim 1, wherein processing the packets comprises inspecting the application-layer data of the network session to determine whether any portion of the application-layer data corresponds to a network attack.

6. A backup network device of a high-availability cluster configured to operate in a cluster mode, the backup network device comprising:
- one or more network interfaces to receive a state update message from a primary network device of a high-availability cluster of the backup network device, wherein the state update message indicates a network session being inspected by the primary network device and an identified application-layer protocol for the device, to receive an indication that the primary device has switched over or failed over to the backup network device, and to receive a plurality of packets of the network session after receiving the indication, each of the plurality of packets comprising a respective payload including application-layer data;
  
  a protocol decoder to detect a beginning of a new transaction from the application-layer data of one of the plurality of packets; and
  
  a control unit to process the application-layer data of the network session that include and follow the beginning of the new transaction without performing stateful processing of the application-layer data that precede the beginning of the new transaction.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The backup network device of claim 6, wherein to detect the beginning of a new transaction, the protocol decoder determines whether the application-layer data includes a delimiter value that immediately precedes the beginning of the new transaction.
  - 8. The backup network device of claim 7, wherein the delimiter value comprises at least one of a new line character, a line feed character, and a carriage return character.
  - 9. The backup network device of claim 6,wherein the one or more network interfaces receive a state update message that indicates a sequence number of a next transaction of the network session prior to the indication that the primary device has switched over or failed over, andwherein to detect the beginning of a new transaction, the protocol decoder determines a sequence number of one of the plurality of packets, compares the sequence number of the one of the plurality of packets to the sequence number of the next transaction from the state update message, and determines that the one of the plurality of packets includes a new transaction when the sequence number of the one of the plurality of packets matches the sequence number of the next transaction from the state update message.
  - 10. The backup network device of claim 6, further comprising an attack detection module to process the packets, wherein the attack detection module inspects the application-layer data of the network session to determine whether any portion of the application-layer data corresponds to a network attack.

11. A computer-readable storage medium encoded with instructions for causing a programmable processor of a backup network device of a high availability cluster to:
- receive a state update message from a primary network device of the high-availability cluster, wherein the state update message indicates a network session being inspected by the primary network device and an identified application-layer protocol for the session;
  
  receive an indication that the primary device has switched over or failed over to the backup network device;
  
  receive, after receiving the indication, a plurality of packets of the network session, each of the plurality of packets comprising a respective payload including application-layer data;
  
  detect a beginning of a new transaction from the application-layer data of one of the plurality of packets; and
  
  process the application-layer data of the network session that include and follow the beginning of the new transaction without performing stateful processing of the application-layer data that precede the beginning of the new transaction.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer-readable storage medium of claim 11, wherein the instructions to detect the beginning of a new transaction comprise instructions to determine that the application-layer data comprises a delimiter value that immediately precedes the beginning of the new transaction.
  - 13. The computer-readable storage medium of claim 12, wherein the delimiter value comprises at least one of a new line character, a line feed character, and a carriage return character.
  - 14. The computer-readable storage medium of claim 11, further comprising instructions to receive a state update message that indicates a sequence number of a next transaction of the network session prior to the indication that the primary device has switched over or failed over, and wherein the instructions to detect the beginning of a new transaction comprise instructions to:
    - determine a sequence number of one of the plurality of packets;
      
      compare the sequence number of the one of the plurality of packets to the sequence number of the next transaction from the state update message; and
      
      determine that the one of the plurality of packets includes a new transaction when the sequence number of the one of the plurality of packets matches the sequence number of the next transaction from the state update message.
  - 15. The computer-readable storage medium of claim 11, wherein the instructions to process the packets comprise instructions to inspect the application-layer data of the network session to determine whether any portion of the application-layer data corresponds to a network attack.

16. A method comprising:
- receiving, with a primary network device in a high availability environment, a plurality of packets of a network session, each of the plurality of packets comprising a respective payload including application-layer data;
  
  detecting a beginning of a new transaction from the application-layer data of one of the plurality of packets;
  
  calculating a sequence number corresponding to a first packet of a next transaction of the network session, wherein the next transaction follows the new transaction;
  
  constructing a state update message that includes the calculated sequence number; and
  
  forwarding the state synchronization message to a backup network device for the primary network device in the high availability environment.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16, wherein determining that the one of the plurality of packets corresponds to the first packet of the current transaction comprises:
    - calculating, prior to receiving the first packet of the new transaction, a sequence number for the first packet of the new transaction;
      
      comparing the sequence number of the one of the plurality of packets to the calculated sequence number for the first packet of the new transaction; and
      
      determining that the sequence number of the one of the plurality of packets matches the calculated sequence number for the first packet of the new transaction.
  - 18. The method of claim 16, further comprising:
    - inspecting, with the primary network device, the application-layer data of the network session to determine whether any portion of the application-layer data represents a network attack; and
      
      switching over or failing over from the primary network device to the backup network device.

19. A primary network device of a high availability cluster configured to operate in a cluster mode, the primary network device comprising:
- one or more network interfaces to receive a plurality of packets of a network session, each of the plurality of packets comprising a respective payload including application-layer data, and forward state synchronization messages to a backup network device for the primary network device in the high availability cluster;
  
  a protocol decoder module to detect a beginning of a new transaction from the application-layer data of one of the second plurality of packets anda flow management module to calculate a sequence number corresponding to a first packet of a next transaction of the network session, wherein the next transaction follows the new transaction, and construct a state update message that includes the calculated sequence number.
- View Dependent Claims (20)
- - 20. The primary network device of claim 19, wherein the primary network device comprises a primary intrusion detection and prevention (IDP) device.

21. A computer-readable storage medium encoded with instructions for causing a programmable processor of a primary network device of a high availability cluster to:
- receive a plurality of packets of a network session, each of the plurality of packets comprising a respective payload including application-layer data;
  
  detect a beginning of a new transaction from the application layer of one of the plurality of packets;
  
  calculate a sequence number corresponding to a first packet of a next transaction of the network session, wherein the next transaction follows the new transaction;
  
  construct a state update message that includes the calculated sequence number; and
  
  forward the state synchronization message to a backup network device for the primary network device in the high availability environment.

22. A high-availability cluster system comprising:
- a primary network device; and
  
  a backup network device,wherein the primary network device comprises;
  
  one or more network interfaces to receive a first plurality of packets of a network session, each of the first plurality of packets comprising a respective payload including application-layer data, and forward state synchronization messages to the backup network device; and
  
  a flow management module to detect a beginning of a new transaction from the application layer of one of the first plurality of packets, calculate a sequence number corresponding to a first packet of a next transaction of the network session, wherein the next transaction follows the current transaction, and construct a state update message that includes the calculated sequence number; and
  
  wherein the backup network device comprises;
  
  one or more network interfaces to receive the state update message from the primary network device, receive an indication that the primary device has switched over or failed over to the backup network device, and to receive a second plurality of packets of the network session, each of the second plurality of packets comprising a respective payload including application-layer data;
  
  a protocol decoder module to detect a beginning of a new transaction from the application-layer data of one of the second plurality of packets; and
  
  a control unit to process the application-layer data of the second plurality of packets of the network session that include and follow the beginning of the next transaction, without performing stateful processing of the application-layer data of the second plurality of packets that precede the beginning of the next transaction.
- View Dependent Claims (23)
- - 23. The high-availability cluster system of claim 22, wherein the first network device comprises a first intrusion detection and prevention (IDP) device, and wherein the second network device comprises a second IDP device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Ranjan, Rajiv, Narayanaswamy, Krishna

Granted Patent

US 8,291,258 B2
Time in Patent Office

Days
Field of Search
US Class Current

714/4.11
CPC Class Codes

H04L 63/1408 by monitoring network traff...

HIGH AVAILABILITY FOR NETWORK SECURITY DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

248 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

HIGH AVAILABILITY FOR NETWORK SECURITY DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

248 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links