Systems and methods for bridging a WAN accelerator with a security gateway

US 8,908,700 B2
Filed: 09/07/2007
Issued: 12/09/2014
Est. Priority Date: 09/07/2007
Status: Active Grant

First Claim

Patent Images

1. A method of an intermediary for interfacing a network optimization engine accelerating network communications at a first network layer of a network stack with a security gateway applying policies at a second network layer above the first network layer, the method comprising the steps of:

(a) receiving, by a network optimization engine operating at a first network layer of a network stack of an intermediary device, a network packet from a source, the network packet comprising a media access control address identifying a destination for the network packet;

(b) determining, by the network optimization engine, whether a source media access control address of the network packet identifies that an adapter type of the source is one of a physical network interface card or a local stack, the source media access control address identifying a first network interface card;

(c) modifying, by the network optimization engine in response to the determination, the destination media access control address of the network packet to identify a network interface of the intermediary device;

(d) receiving, by a security gateway operating at a second network layer of the network stack of the intermediary device, the network packet communicated by the network optimization engine, the second network layer comprising a layer of the network stack of the intermediary device above the first network layer;

(e) applying, by the security gateway, one or more policies to the network packet;

(f) receiving, by the network optimization engine, the network packet communicated by the security gateway via the network stack of the intermediary device;

(g) modifying, by the network optimization engine, the destination media access control address of the network packet to identify the media access control address of the destination; and

(h) transmitting, by the intermediary device, the network packet to the destination via a second network interface card of the intermediary device.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The solution described herein provides systems and methods for the interoperability of network processing programs that process network packets at different levels of the network stack. This solution bridges the communications of a network packet between a first network processing program operating at a first level of a network stack in an intermediary and a second network processing program operating at a second level of the network stack of the intermediary. The first network processing program may modify an incoming network packet so that the packet may traverse the network stack to an upper level of the stack to the second network processing program. After processing the network packet at the upper layers of the stack or by the second network processing program, the first network processing program modifies the network pack in order to transmit the packet to the intended destination while traversing the intermediary.

203 Citations

22 Claims

1. A method of an intermediary for interfacing a network optimization engine accelerating network communications at a first network layer of a network stack with a security gateway applying policies at a second network layer above the first network layer, the method comprising the steps of:
- (a) receiving, by a network optimization engine operating at a first network layer of a network stack of an intermediary device, a network packet from a source, the network packet comprising a media access control address identifying a destination for the network packet;
  
  (b) determining, by the network optimization engine, whether a source media access control address of the network packet identifies that an adapter type of the source is one of a physical network interface card or a local stack, the source media access control address identifying a first network interface card;
  
  (c) modifying, by the network optimization engine in response to the determination, the destination media access control address of the network packet to identify a network interface of the intermediary device;
  
  (d) receiving, by a security gateway operating at a second network layer of the network stack of the intermediary device, the network packet communicated by the network optimization engine, the second network layer comprising a layer of the network stack of the intermediary device above the first network layer;
  
  (e) applying, by the security gateway, one or more policies to the network packet;
  
  (f) receiving, by the network optimization engine, the network packet communicated by the security gateway via the network stack of the intermediary device;
  
  (g) modifying, by the network optimization engine, the destination media access control address of the network packet to identify the media access control address of the destination; and
  
  (h) transmitting, by the intermediary device, the network packet to the destination via a second network interface card of the intermediary device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein step (b) further comprises storing the media access control address of the destination from the received network packet to a storage element.
  - 3. The method of claim 1, wherein step (b) further comprises storing a media access control address of the source from the received network packet to a storage element.
  - 4. The method of claim 1, wherein step (g) further comprises modifying, by the network optimization engine, a source media access control address of the network packet to replace a media access control address of the intermediary device with the media access control address of the source from the received network packet.
  - 5. The method of claim 1, wherein step (g) further comprises retrieving, by the network optimization engine, the media access control address of the destination from a storage element.
  - 6. The method of claim 1, determining by the network optimization engine that the first network interface card communicates network packets on a Local Area Network, and in response to the determination, not applying a WAN network optimization.
  - 7. The method of claim 1, determining by the network optimization engine that the second network interface card communicates network packets on a Wide Area Network, and in response to the determination, applying a WAN network optimization to transmission of the network packet.
  - 8. The method of claim 1, wherein the intermediary comprises an appliance deployed between the source and the destination.
  - 9. The method of claim 1, wherein the intermediary comprises an agent of the source.
  - 10. The method of claim 1, wherein the first network layer comprises one of a layer 2 or a data link layer of a TCP/IP network stack.
  - 11. The method of claim 1, wherein the second network layer comprises a network layer above one of a layer 2 or a data link layer of a TCP/IP network stack.

12. An intermediary device for accelerating and applying security policies between a source and a destination, the intermediary device comprisingan interface between a network optimization engine that accelerates network communications at a first network layer of a network stack with a security gateway applying policies at a second network layer above the first network layer, the intermediary device comprising:
- a first network interface card on an intermediary device receiving a network packet from a source, the network packet comprising a media access control address of the destination;
  
  a network optimization engine of the intermediary device operating at a first network layer of a network stack of the intermediary device obtaining the network packet received by the first network interface card, determining that a source media control access address of the network packet identifies whether an adapter type of the source is one of a physical network interface card or a local stack, the source media access control address identifying a first network interface card, modifying a destination media access control address of the network packet to identify a network interface of the intermediary device, and communicating the network packet via the network stack of the intermediary device;
  
  a security gateway of the intermediary device operating at a second network layer of the network stack of the intermediary device above the first network layer receiving the network packet communicated via the network stack, the security gateway applying one or more policies to the network packet and communicating the network packet via the network stack of the intermediary device;
  
  wherein the network optimization engine receives the network packet communicated by the security gateway, in response to the determination modifies the destination media access control address of the network packet to identify the media access control address of the destination, and transmits the network packet to the destination via a second network interface card of the intermediary device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The intermediary device of claim 12, wherein the network optimization engine stores the media access control address of the destination received by the first network interface card to a storage element.
  - 14. The intermediary device of claim 12, wherein the network optimization engine stores the media access control address of the source received by the first network interface card to a storage element.
  - 15. The intermediary device of claim 12, wherein the network optimization engine modifies the network packet communicated from the security gateway to replace a media access control address of the intermediary device with the media access control address of the source.
  - 16. The intermediary device of claim 12, wherein the network optimization engine retrieves the media access control address of the destination from a storage element.
  - 17. The intermediary device of claim 12, wherein the network optimization engine determines that the first network interface card communicates network packets on a Local Area Network, and in response to the determination, does not apply a WAN network optimization.
  - 18. The intermediary device of claim 12, wherein the network optimization engine determines that the second network interface card communicates network packets on a Wide Area Network, and in response to the determination, applies a WAN network optimization to transmission of the network packet.
  - 19. The intermediary device of claim 12, wherein the intermediary is an appliance.
  - 20. The intermediary device of claim 12, wherein the intermediary is a client agent.
  - 21. The intermediary device of claim 12, wherein the network optimization engine operates at one of a layer 2 or a data link layer of a TCP/IP network stack.
  - 22. (Original The intermediary device of claim 12, wherein the security gateway operates at one of a layer 2 or a data link layer of a TCP/IP network stack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Samuels, Allen, Dittia, Zubin, Chadda, Sanjay, DeCasper, Dan, Ankam, Shiva
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
HAMPTON, TARELL A

Application Number

US11/851,934
Publication Number

US 20090067440A1
Time in Patent Office

2,650 Days
Field of Search

370/401
US Class Current

370/401
CPC Class Codes

H04L 45/74   Address processing for routing

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/10   for controlling access to d...

H04L 67/561   Adding application-function...

H04L 67/568   Storing data temporarily at...

Systems and methods for bridging a WAN accelerator with a security gateway

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

203 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for bridging a WAN accelerator with a security gateway

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

203 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links