HIGH AVAILABILITY FOR NETWORK SECURITY DEVICES
First Claim
1. A method comprising:
receiving, with a backup network device of a high-availability cluster, a state update message from a primary network device of the high-availability cluster, wherein the state update message indicates a network session being inspected by the primary network device and an identified application-layer protocol for the network session;
receiving, with the backup network device, an indication that the primary device has switched over or failed over to the backup network device;
after receiving the indication, receiving, with the backup network device, a plurality of packets of the network session, each of the plurality of packets comprising a respective payload including application-layer data;
detecting a beginning of a new transaction from the application-layer data of one of the plurality of packets; and
processing the application-layer data of the network session that include and follow the beginning of the new transaction without performing stateful processing of the application-layer data that precede the beginning of the new transaction.
Abstract
In one example, a backup intrusion detection and prevention (IDP) device includes one or more network interfaces to receive a state update message from a primary IDP device, wherein the state update message indicates a network session being inspected by the primary IDP device and an identified application-layer protocol for the device, to receive an indication that the primary device has switched over or failed over to the backup device, and to receive a plurality of packets of the network session after receiving the indication, each of the plurality of packets comprising a respective payload including application-layer data, a protocol decoder to detect a beginning of a new transaction from the application-layer data of one of the plurality of packets, and a control unit to statefully process only the application-layer data of the network session that include and follow the beginning of the new transaction.
248 Citations
23 Claims
1. A method comprising: (independent claim; text reproduced in full under First Claim above)
Dependent claims: 2, 3, 4, 5

6. A backup network device of a high-availability cluster configured to operate in a cluster mode, the backup network device comprising:
one or more network interfaces to receive a state update message from a primary network device of a high-availability cluster of the backup network device, wherein the state update message indicates a network session being inspected by the primary network device and an identified application-layer protocol for the device, to receive an indication that the primary device has switched over or failed over to the backup network device, and to receive a plurality of packets of the network session after receiving the indication, each of the plurality of packets comprising a respective payload including application-layer data;
a protocol decoder to detect a beginning of a new transaction from the application-layer data of one of the plurality of packets; and
a control unit to process the application-layer data of the network session that include and follow the beginning of the new transaction without performing stateful processing of the application-layer data that precede the beginning of the new transaction.
Dependent claims: 7, 8, 9, 10

11. A computer-readable storage medium encoded with instructions for causing a programmable processor of a backup network device of a high availability cluster to:
receive a state update message from a primary network device of the high-availability cluster, wherein the state update message indicates a network session being inspected by the primary network device and an identified application-layer protocol for the session;
receive an indication that the primary device has switched over or failed over to the backup network device;
receive, after receiving the indication, a plurality of packets of the network session, each of the plurality of packets comprising a respective payload including application-layer data;
detect a beginning of a new transaction from the application-layer data of one of the plurality of packets; and
process the application-layer data of the network session that include and follow the beginning of the new transaction without performing stateful processing of the application-layer data that precede the beginning of the new transaction.
Dependent claims: 12, 13, 14, 15

16. A method comprising:
receiving, with a primary network device in a high availability environment, a plurality of packets of a network session, each of the plurality of packets comprising a respective payload including application-layer data;
detecting a beginning of a new transaction from the application-layer data of one of the plurality of packets;
calculating a sequence number corresponding to a first packet of a next transaction of the network session, wherein the next transaction follows the new transaction;
constructing a state update message that includes the calculated sequence number; and
forwarding the state update message to a backup network device for the primary network device in the high availability environment.
Dependent claims: 17, 18

19. A primary network device of a high availability cluster configured to operate in a cluster mode, the primary network device comprising:
one or more network interfaces to receive a plurality of packets of a network session, each of the plurality of packets comprising a respective payload including application-layer data, and forward state synchronization messages to a backup network device for the primary network device in the high availability cluster;
a protocol decoder module to detect a beginning of a new transaction from the application-layer data of one of the plurality of packets; and
a flow management module to calculate a sequence number corresponding to a first packet of a next transaction of the network session, wherein the next transaction follows the new transaction, and construct a state update message that includes the calculated sequence number.
Dependent claims: 20

21. A computer-readable storage medium encoded with instructions for causing a programmable processor of a primary network device of a high availability cluster to:
receive a plurality of packets of a network session, each of the plurality of packets comprising a respective payload including application-layer data;
detect a beginning of a new transaction from the application-layer data of one of the plurality of packets;
calculate a sequence number corresponding to a first packet of a next transaction of the network session, wherein the next transaction follows the new transaction;
construct a state update message that includes the calculated sequence number; and
forward the state update message to a backup network device for the primary network device in the high availability cluster.

22. A high-availability cluster system comprising:
a primary network device; and
a backup network device,
wherein the primary network device comprises:
one or more network interfaces to receive a first plurality of packets of a network session, each of the first plurality of packets comprising a respective payload including application-layer data, and forward state synchronization messages to the backup network device; and
a flow management module to detect a beginning of a new transaction from the application-layer data of one of the first plurality of packets, calculate a sequence number corresponding to a first packet of a next transaction of the network session, wherein the next transaction follows the new transaction, and construct a state update message that includes the calculated sequence number; and
wherein the backup network device comprises:
one or more network interfaces to receive the state update message from the primary network device, receive an indication that the primary device has switched over or failed over to the backup network device, and to receive a second plurality of packets of the network session, each of the second plurality of packets comprising a respective payload including application-layer data;
a protocol decoder module to detect a beginning of a new transaction from the application-layer data of one of the second plurality of packets; and
a control unit to process the application-layer data of the second plurality of packets of the network session that include and follow the beginning of the next transaction, without performing stateful processing of the application-layer data of the second plurality of packets that precede the beginning of the next transaction.
Dependent claims: 23
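Worked example (added to this page; not code from the patent or from any vendor's implementation of it). It simulates the exchange the abstract and the claims describe: the primary runs a protocol decoder, detects the beginning of each new transaction, calculates the sequence number of the first byte of the following transaction and sends it in a state update (claims 16, 19, 21); after failover the backup forwards the bytes that precede that boundary without stateful processing and resumes stateful inspection from the boundary onward (claims 1, 6, 11, 22). The application protocol is an assumption chosen so that the boundary is computable in advance: each transaction is a header "L:<body length>\r\n" followed by exactly that many body bytes, in the same way an HTTP Content-Length header fixes where the next request begins. Sequence numbers are TCP-style byte offsets, packets are assumed to arrive in order without retransmission, and the session 5-tuple, the StateUpdate fields, the class names and the packet contents are all constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Toy protocol (an assumption, not the patent's): header "L:<body length>\r\n" then the body.
HEADER_RE = re.compile(rb"^L:(\d+)\r\n")
MAX_HEADER = 16   # longer than any valid header; exceeding it means the decoder is out of sync
SESSION = ("10.0.0.5", 40001, "10.0.0.9", 8080, "tcp")   # constructed 5-tuple

@dataclass
class Packet:
    seq: int          # TCP-style sequence number of payload[0]
    payload: bytes

@dataclass
class StateUpdate:    # per-session state the primary pushes to the backup (claims 16, 19, 21)
    session: tuple
    app_protocol: str
    next_txn_seq: int   # first byte of the transaction after the one in progress

class TxnDecoder:     # reassembles an in-order byte stream into toy-protocol transactions
    def __init__(self, start_seq: int):
        self.buf, self.seq = b"", start_seq          # seq is the sequence number of buf[0]
        self.cur: tuple[int, int] | None = None      # (header_len, body_len) in progress

    def feed(self, data: bytes) -> list[tuple]:
        """Emit ("begin", txn_seq, next_txn_seq) and ("complete", txn_seq, body) events."""
        self.buf += data
        events: list[tuple] = []
        while True:
            if self.cur is None:
                m = HEADER_RE.match(self.buf)
                if m is None:
                    if len(self.buf) > MAX_HEADER:
                        raise ValueError("decoder out of sync with the stream")
                    break                                # header not complete yet
                self.cur = (m.end(), int(m.group(1)))    # a new transaction begins here
                events.append(("begin", self.seq, self.seq + sum(self.cur)))  # its end = next start
            hlen, blen = self.cur
            if len(self.buf) < hlen + blen:
                break                                    # body not complete yet
            events.append(("complete", self.seq, self.buf[hlen:hlen + blen]))
            self.buf, self.seq, self.cur = self.buf[hlen + blen:], self.seq + hlen + blen, None
        return events

class Primary:
    def __init__(self, session: tuple, first_seq: int):
        self.session, self.dec, self.inspected = session, TxnDecoder(first_seq), []

    def receive(self, pkt: Packet) -> list[StateUpdate]:
        """Inspect statefully; emit one state update per transaction boundary detected."""
        updates = []
        for ev in self.dec.feed(pkt.payload):
            if ev[0] == "begin":
                updates.append(StateUpdate(self.session, "toy", ev[2]))
            else:
                self.inspected.append(ev[2])
        return updates

class Backup:
    def __init__(self):
        self.state: dict[tuple, StateUpdate] = {}    # latest update per session
        self.failed_over, self.dec = False, None
        self.skipped, self.inspected = 0, []         # bytes passed uninspected / bodies inspected

    def on_state_update(self, upd: StateUpdate) -> None:
        self.state[upd.session] = upd

    def on_failover(self) -> None:
        self.failed_over = True

    def receive(self, session: tuple, pkt: Packet) -> None:
        if not self.failed_over:
            raise RuntimeError("backup only inspects after switchover/failover")
        data = pkt.payload
        if self.dec is None:
            # Not yet synchronized: skip everything before the synced transaction boundary.
            boundary = self.state[session].next_txn_seq
            if pkt.seq + len(data) <= boundary:
                self.skipped += len(data)
                return
            off = max(0, boundary - pkt.seq)
            self.skipped += off
            self.dec, data = TxnDecoder(pkt.seq + off), data[off:]
        for ev in self.dec.feed(data):
            if ev[0] == "complete":
                self.inspected.append(ev[2])

def run_demo() -> tuple[list[bytes], int, list[bytes]]:
    primary, backup = Primary(SESSION, 1000), Backup()
    # Constructed scenario: packet 1 (seq 1000-1018) carries transaction 1 and the start of 2.
    for upd in primary.receive(Packet(1000, b"L:5\r\nhello" + b"L:11\r\nhel")):
        backup.on_state_update(upd)          # final update: next transaction starts at 1027
    backup.on_failover()
    # Packet 2 (seq 1019-1031) ends transaction 2 and carries the header of transaction 3.
    backup.receive(SESSION, Packet(1019, b"lo world" + b"L:3\r\n"))
    backup.receive(SESSION, Packet(1032, b"bye"))
    return primary.inspected, backup.skipped, backup.inspected
```

Two points a practitioner would check against a real implementation. First, the bytes counted in skipped are forwarded without inspection, so an attack contained in the transaction in flight at the moment of failover is not seen by the backup; the smaller the transactions, the smaller that window. Second, if the synced sequence number does not land on a real boundary (a lost state update, a retransmitted segment, or a decoder that mis-measured the transaction) the backup's decoder is parsing from the wrong offset. The example surfaces that condition as an error once more than a header's worth of bytes fails to parse, rather than silently passing or misclassifying the stream; a production device would instead have to re-find a boundary or drop the session.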
Specification