Scalable security services for multicast in a router having integrated zone-based firewall
First Claim
1. A network router comprising:
a plurality of interfaces configured to send and receive multicast packets;
a firewall integrated within the network router, the firewall configured to apply stateful firewall services to the multicast packets;
a routing engine comprising a control unit that executes a routing protocol to maintain routing information specifying routes through a network, wherein the control unit executes at least one multicast protocol to establish a multicast group for communicating the multicast packets from a multicast source to a plurality of multicast receivers;
a forwarding engine configured by the routing engine to select next hops for the multicast packets in accordance with the routing information, the forwarding engine comprising a switch fabric to forward the multicast packets to the interfaces based on the selected next hops, wherein the forwarding engine includes a flow control module that, upon receiving multicast packets from the network, directs one or more of the multicast packets to the firewall for application of the stateful firewall services; and
a user interface by which a user specifies one or more zones to be recognized by the firewall when applying the stateful firewall services to the multicast packets, wherein the user interface supports a syntax that:
(i) allows the user to define subsets of the plurality of interfaces associated with the zones, and (ii) allows the user to define a single multicast policy to be applied to multicast sessions associated with a multicast group, wherein the multicast policy specifies actions to be applied to multicast sessions for the specified zones, wherein the syntax allows the user to define the single multicast policy to specify one or more common stateful firewall services of the stateful firewall services to be applied by the firewall to copies of the multicast packets destined for one or more of the zones, and to specify one or more exceptions specifying one or more of the zones and one or more additional services of the stateful firewall services to be applied by the firewall to copies of the multicast packets for the one or more zones; and
a services component executing on the firewall, wherein the services component is configured to determine, based on the single multicast policy, which of the common stateful firewall services are to be applied by the firewall pre-replication to copies of the multicast packets destined for two or more particular interfaces in the one or more of the zones, wherein the services component is configured to determine, based on the single multicast policy, which of the additional services of the stateful firewall services are to be applied by the firewall post-replication to copies of the multicast packets destined for one or more particular interfaces associated with the one or more zones, wherein the firewall is configured to apply the stateful firewall services to the multicast packets as determined by the services component.
Abstract
A multicast-capable firewall allows firewall security policies to be applied to multicast traffic. The multicast-capable firewall may be integrated within a routing device, thus allowing a single device to provide both routing functionality, including multicast support, as well as firewall services. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to multicast packets. The user interface supports a syntax that allows the user to define subsets of the plurality of interfaces associated with the zones, and define a single multicast policy to be applied to multicast sessions associated with a multicast group. The multicast policy identifies common services to be applied pre-replication, and exceptions specifying additional services to be applied post-replication to copies of the multicast packets for the one or more zones.
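The split the abstract describes, common services applied once before the packet is replicated and zone-specific additional services applied afterwards to individual copies, can be modelled in a few lines. The following Python is an added illustration, not code from the patent or from the assignee's product; the policy schema, zone table, service names, interface names and the default-deny treatment of interfaces outside any policy zone are all assumptions of this example. It goes slightly beyond the abstract by counting service invocations, which shows why pre-replication placement of the common services scales with the number of outgoing interfaces.

```python
# Added example: a model of a zone-based multicast firewall policy.
# Schema, names and default-deny behaviour are assumptions, not the patent's code.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class MulticastPolicy:
    """One policy for one multicast group, covering one or more zones."""
    group: str                                   # constructed group address
    zones: FrozenSet[str]                        # zones the policy applies to
    common: Tuple[str, ...]                      # services run once, pre-replication
    # zone -> additional services run on that zone's copies, post-replication
    exceptions: Dict[str, Tuple[str, ...]] = field(default_factory=dict)


class ZoneTable:
    """A zone is a user-defined subset of interfaces; each interface has one zone."""

    def __init__(self) -> None:
        self._zone_of: Dict[str, str] = {}

    def add_zone(self, zone: str, interfaces: List[str]) -> None:
        for iface in interfaces:
            if iface in self._zone_of:
                raise ValueError(f"{iface} is already in zone {self._zone_of[iface]}")
            self._zone_of[iface] = zone

    def zone_of(self, iface: str) -> Optional[str]:
        return self._zone_of.get(iface)


def plan_services(policy: MulticastPolicy, zones: ZoneTable,
                  out_interfaces: List[str]) -> Tuple[Tuple[str, ...], Dict[str, Tuple[str, ...]]]:
    """Decide which services run before and after replication.

    Returns (pre_replication_services, {interface: post_replication_services}).
    Copies destined for an interface with no zone, or a zone the policy does not
    cover, are omitted from the plan (default deny; an assumption of this model).
    """
    post: Dict[str, Tuple[str, ...]] = {}
    for iface in out_interfaces:
        zone = zones.zone_of(iface)
        if zone is None or zone not in policy.zones:
            continue                              # default deny: no copy is made
        post[iface] = policy.exceptions.get(zone, ())
    # Common services run once on the incoming packet, but only if a copy survives.
    pre = policy.common if post else ()
    return pre, post


def count_invocations(pre: Tuple[str, ...], post: Dict[str, Tuple[str, ...]]) -> Tuple[int, int]:
    """Service invocations for this plan versus applying everything per copy."""
    planned = len(pre) + sum(len(extra) for extra in post.values())
    naive = sum(len(pre) + len(extra) for extra in post.values())
    return planned, naive


def demo():
    """Constructed configuration: three zones, one policy, one (S,G) with four outgoing interfaces."""
    zones = ZoneTable()
    zones.add_zone("trust", ["ge-0/0/1", "ge-0/0/2"])
    zones.add_zone("dmz", ["ge-0/0/3"])
    zones.add_zone("untrust", ["ge-0/0/4"])
    policy = MulticastPolicy(
        group="239.1.1.1",
        zones=frozenset({"trust", "dmz"}),
        common=("session-state", "rate-limit"),   # constructed service names
        exceptions={"dmz": ("ids",)},             # dmz copies get one extra service
    )
    # Constructed forwarding state: the multicast tree replicates to these interfaces.
    oifs = ["ge-0/0/1", "ge-0/0/2", "ge-0/0/3", "ge-0/0/4"]
    pre, post = plan_services(policy, zones, oifs)
    return pre, post, count_invocations(pre, post)


if __name__ == "__main__":
    pre, post, (planned, naive) = demo()
    print("pre-replication :", pre)
    print("post-replication:", post)
    print(f"invocations: {planned} planned vs {naive} if every copy ran all services")
```

In the constructed case the two common services run once, the single exception runs on the one copy headed for the dmz zone, and the copy for the untrust interface is never made, giving three service invocations instead of seven. The policy is keyed by multicast group, so one statement covers every session of that group across all the zones it names, which is the "single multicast policy" the abstract refers to.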
22 Claims
1. A network router comprising: the elements recited in full under "First Claim" above.
Dependent claims: 2–16
17. A method comprising:
executing, with a routing engine of a router, at least one multicast protocol to establish a multicast group for communicating multicast packets from a multicast source to a plurality of multicast receivers; presenting, with the router, a user interface by which a user specifies one or more zones to be recognized by a firewall integrated within the router, wherein the user interface supports a syntax that: (i) allows the user to define subsets of the plurality of interfaces associated with the zones, wherein the plurality of interfaces is configured to send and receive multicast packets, and (ii) allows the user to define a single multicast policy to be applied to multicast sessions associated with a multicast group, wherein the multicast policy specifies actions to be applied to multicast sessions for the specified zones, wherein the syntax allows the user to define the single multicast policy to specify one or more common stateful firewall services to be applied by the firewall to copies of the multicast packets destined for one or more of the zones, and to specify one or more exceptions specifying one or more of the zones and one or more additional stateful firewall services to be applied by the firewall to copies of the multicast packets for the one or more zones; determining, by a services component executing on the firewall and based on the single multicast policy, which of the common stateful firewall services are to be applied by the firewall pre-replication to copies of the multicast packets destined for two or more particular interfaces in the one or more of the zones; determining, by the services component executing on the firewall and based on the single multicast policy, which of the additional services of the stateful firewall services are to be applied by the firewall post-replication to copies of the multicast packets destined for one or more particular interfaces associated with the one or more zones; receiving, from a network, multicast packets at a plurality of interfaces of the router; directing, with a flow control module of a forwarding engine of the router, one or more of the received multicast packets to the firewall for application of stateful firewall services; applying the one or more common stateful firewall services and the one or more additional stateful firewall services to the multicast packets with the firewall of the router as determined by the services component; after applying the stateful firewall services, forwarding at least some of the multicast packets from the firewall to the forwarding engine; selecting next hops for the multicast packets within the network with the forwarding engine; and forwarding the multicast packets to the interfaces in accordance with the selected next hops.
Dependent claims: 18–21
22. A non-transitory computer-readable storage medium comprising program instructions to cause a processor to:
execute, with a routing engine of a router, at least one multicast protocol to establish a multicast group for communicating multicast packets from a multicast source to a plurality of multicast receivers; present, with the router, a user interface by which a user specifies one or more zones to be recognized by a firewall integrated within the router, wherein the user interface supports a syntax that: (i) allows the user to define subsets of the plurality of interfaces associated with the zones, wherein the plurality of interfaces is configured to send and receive multicast packets, and (ii) allows the user to define a single multicast policy to be applied to multicast sessions associated with a multicast group, wherein the syntax allows the user to define the single multicast policy to specify: (a) one or more common stateful firewall services to be applied by the firewall to copies of the multicast packets destined for one or more of the zones, and (b) one or more exceptions specifying one or more of the zones and one or more additional stateful firewall services to be applied by the firewall to copies of the multicast packets for the one or more zones; determine, based on the single multicast policy, which of the common stateful firewall services are to be applied by the firewall pre-replication to copies of the multicast packets destined for two or more particular interfaces in the one or more of the zones; and determine, based on the single multicast policy, which of the additional services of the stateful firewall services are to be applied by the firewall post-replication to copies of the multicast packets destined for one or more particular interfaces associated with the one or more zones.
Specification