WO2000060793A2 - Firewall including local bus - Google Patents
Firewall including local bus Download PDFInfo
- Publication number
- WO2000060793A2 WO2000060793A2 PCT/US2000/008708 US0008708W WO0060793A2 WO 2000060793 A2 WO2000060793 A2 WO 2000060793A2 US 0008708 W US0008708 W US 0008708W WO 0060793 A2 WO0060793 A2 WO 0060793A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- memory
- rule
- packet
- packets
- gateway
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/90—Buffering arrangements
- H04L49/901—Buffering arrangements using storage descriptor, e.g. read or write pointers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/90—Buffering arrangements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/90—Buffering arrangements
- H04L49/9057—Arrangements for supporting packet reassembly or resequencing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Definitions
- a packet switch communication system includes a network of one or more routers connecting a plurality of users.
- a packet is the fundamental unit of transfer in the packet switch communication system.
- a user can be an individual user terminal or another network.
- a router is a switching device which receives packets containing data or control information on one port, and based on destination information contained within the packet, routes the packet out another port to the destination (or intermediary destination). Conventional routers perform this switching function by evaluating header information contained within the packet in order to determine the proper output port for a particular packet.
- the network can be an intranet, that is, a network connecting one or more private servers such as a local area network (LAN).
- the network can be a public network, such as the Internet, in which data packets are passed over untrusted communication links.
- the network configuration can include a combination of public and private networks. For example, two or more LAN's can be coupled together with individual terminals using a public network such as the Internet.
- public and private networks are linked, data security issues arise. More specifically, conventional packet switched communication systems that include links between public and private networks typically include security measures for assuring data integrity. In order to assure individual packet security, packet switched communication systems can include encryption/decryption services.
- a firewall is a device that can be coupled in-line between a public network and private network for screening packets received from the public network.
- a conventional packet switch communication system 100 can include two private networks 102 coupled by a public network 104 for facilitating the communication between a plurality of user terminals 106.
- Each private network can include one or more servers and a plurality of individual terminals.
- Each private network 102 can be an intranet such as a LAN.
- Public network 104 can be the Internet, or other public network having untrusted links for linking packets between private networks 102a and 102b.
- a firewall 110 At each gateway between a private network 102 and public network 104 is a firewall 110.
- the architecture for a conventional firewall is shown in Figure lb.
- Firewall 110 includes a public network link 120, private network link 122 and memory controller 124 coupled by a bus (e.g., PCI bus) 125.
- bus e.g., PCI bus
- Memory controller 124 is coupled to a memory (RAM) 126 and firewall engine 128 by a memory bus 129. Firewall engine 128 performs packet screening prior to routing packets through to private network 102.
- a central processor (CPU) 132 is coupled to memory controller 124 by a CPU bus 134. CPU 132 oversees the memory transfer operations on all buses shown.
- Memory controller 124 is a bridge connecting CPU Bus 134, memory bus 129 and PCI bus 125.
- Packets are received at public network link 120. Each packet is transferred on bus 125 to, and routed through, memory controller 124 and on to RAM 126 via memory bus 129.
- firewall engine 128 When firewall engine 128 is available, packets are fetched using memory bus 129 and processed by the firewall engine 128. After processing by the firewall engine 128, the packet is returned to RAM 126 using memory bus 129. Finally, the packet is retrieved by the memory controller 124 using memory bus 129, and routed to private network link 122.
- This type of firewall is inefficient in a number of ways. A majority of the traffic in the firewall utilizes memory bus 129. However, at any time, memory bus 129 can allow only one transaction. Thus, memory bus 129 becomes a bottleneck for the whole system and limits system performance.
- firewall engine 128 The encryption and decryption services as well as authentication services performed by firewall engine 128 typically are performed in series. That is, a packet is typically required to be decrypted prior to authentication. Serial processes typically slow performance.
- a conventional software firewall can sift through packets when connected through a T-l or fractional T-l link. But at T-3, Ethernet, or fast Ethernet speeds software-based firewalls running on an average desktop PC can get bogged down.
- the invention provides a gateway for screening packets transferred over a network.
- the gateway includes a plurality of network interfaces, a memory and a memory controller. Each network interface receives and forwards messages from a network through the gateway.
- the memory temporarily stores packets received from a network.
- the memory controller couples each of the network interfaces and is configured to coordinate the transfer of received packets to and from the memory using a memory bus.
- the gateway includes a firewall engine coupled to the memory bus.
- the firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface.
- a local bus is coupled between the firewall engine and the memory providing a second path for retrieving packets from memory when the memory bus is busy.
- An expandable external rule memory is coupled to the local bus and includes one or more rule sets accessible by the firewall engine using the local bus.
- the firewall engine is operable to retrieve rules from a rule set and screen packets in accordance with the retrieved rules.
- the firewall engine can be implemented in a hardware ASIC.
- the ASIC includes an authentication engine operable to authenticate a retrieved packet contemporaneously with the screening of the retrieved packet by the firewall engine.
- the gateway includes a decryption/encryption engine for decrypting and encrypting retrieved packets.
- the ASIC can include an internal rule memory for storing one or more rule sets used by the firewall engine for screening packets.
- the internal rule memory includes oft accessed rule sets while the external rule memory is configured to store lesser accessed rule sets.
- the internal rule memory includes a first portion of a rule set, and a second portion of the rule set is stored in the external rule memory.
- the memory can be a dual-port memory configured to support simultaneous access from each of the memory bus and the local bus.
- the gateway can include a direct memory access controller configured for controlling memory accesses by the firewall engine to the memory when using the local bus.
- the invention provides a rule set for use in a gateway.
- the gateway is operable to screen packets transferred over a network and includes a plurality of network interfaces, a memory, a memory controller and a firewall engine. Each network interface receives and forwards messages from a network through the gateway.
- the memory is configured to temporarily store packets received from a network.
- the memory controller is coupled to each of the network interfaces and configured to coordinate the transfer of received packets to and from the memory using a memory bus.
- the firewall engine is coupled to the memory bus and operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface.
- the rule set includes a first and second portion of rules. The first portion of rules are stored in an internal rule memory directly accessible by the firewall engine. The second portion of rules are an expandable and stored in an external memory coupled by a bus to the firewall engine and are accessible by the firewall engine to screen packets in accordance with the retrieved rules.
- the rule set can include a counter rule.
- the counter rule includes a matching criteria, a count, a count threshold and an action. The count is incremented after each detected occurrence of a match between a packet and the matching criteria associated with the counter rule. When the count exceeds the count threshold the action is invoked.
- the first portion of rules can include a pointer to a location in the second portion of rules.
- the pointer can be in the form of a rule that includes both a pointer code and also an address in the external memory designating a next rule to evaluate when screening a current packet.
- the next rule to evaluate is included in the second portion of rules.
- the invention provides a gateway for screening packets received from a network and includes a plurality of network interfaces each for transmitting and receiving packets to and from a network.
- the gateway includes an integrated packet processor including a separate firewall engine, authentication engine, and a direct memory access controller; a dual-port memory for storing packets.
- a memory bus is provided for coupling the network interfaces, the packet processor and the dual-port memory.
- a local bus couples the packet processor and the dual-port memory.
- the packet processor invokes the direct memory access controller to retrieve a packet directly from the dual-port memory using the local bus.
- a memory controller is included for controlling the transfer of packets from the network interfaces to the dual-port memory.
- a processing unit extracts information from a packet and provides the information to the packet processor for processing. Aspects of the invention can include one or more of the following features.
- the integrated packet processor can include a separate encryption/decryption engine for encrypting and decrypting packets received by the gateway.
- the invention can include one or more of the following advantages.
- a local bus is provided for local access to memory from the firewall ASIC.
- the solution is implemented in hardware, easily handling dense traffic that would have choked a conventional firewall.
- a combination firewall and NPN (virtual private network) solution includes a separate stand-alone firewall engine, encryption/decryption engine and authentication engine. Each engine operates independently and exchanges data with the others. One engine can start processing data without waiting for other engines to finish all their processes. Parallel processing and pipelining are provided and deeply implemented into each engine and each module further enhancing the whole hardware solution. The high processing speed of hardware increases the throughput rate by a factor often.
- Figure la is a block diagram of a conventional packet switch communication system.
- Figure lb is a block diagram of conventional firewall device.
- Figure 2 is a schematic block diagram of communication system including local bus and ASIC in accordance with the invention.
- Figure 3 is a flow diagram for the flow of packets through the communication system of Figure 2.
- Figure 4 is a schematic block diagram of the ASIC of Figure 2.
- Figure 5 illustrates a rule structure for use by the firewall engine.
- Figure 6a is a flow diagram for a firewall screening process.
- Figure 6b is an illustration of a pipeline for use in rule searching.
- Figure 7 is a flow diagram for an encryption process.
- Figure 8 is a flow diagram for an authentication process.
- a communication system 200 includes a public network link 120, private network link 122 and memory controller 124 coupled by a bus 125.
- Communication system 200 can be a gateway between two distinct networks, or distinct portions of a network.
- the gateway can bridge between trusted and untrusted portions of a network or provide a bridge between a public and private network.
- Each network link 120 and 122 can be an Ethernet link that includes an Ethernet media access controller (MAC) and Ethernet physical layer (PHI) for allowing the communication system to receive/send packets from/to networks.
- a memory bus 129 couples a memory controller 124 to a dual-port memory 203 and an application specific integrated circuit (ASIC) 204.
- Local bus 202 also links ASIC 204 to dual-port memory 203.
- Dual -port memory 203 can be a random access memory (RAM) with two separate ports. Any memory location can be accessed from the two ports in the same time.
- RAM random access memory
- Off-chip rule memory 206 Associated with ASIC 204 is an off-chip rule memory 206 for storing a portion of the software rules for screening packets.
- Local bus 202 couples rule memory 206 to ASIC 204.
- Off-chip rule memory 206 can be a static RAM and is used to store policy data. The structure and contents of the off-chip-memory is discussed in greater detail below.
- a central processor (CPU) 132 is coupled to memory controller 124 by CPU bus
- Packets are received at public network link 120 (302). Each packet is transferred on bus 125 to, and routed through, memory controller 124 and on to dual-port memory 203 via memory bus 129 (304).
- ASIC 204 is available, the packet is fetched by ASIC 204 using local bus 202 (306). After processing by ASIC 204 (308), the packet is returned to RAM 126 using local bus 202 (310).
- the processing by ASIC 204 can include authentication, encryption, decryption, virtual private network (VPN) and firewall services.
- the packet is retrieved by memory controller 124 using memory bus 129 (312), and routed to private network link 122 (314).
- ASIC 204 integrates a firewall engine, VPN engine and local bus direct memory access
- ASIC 204 includes a firewall engine 400, an encryption/decryption engine 402, an authentication engine 404, an authentication data buffer 406, a host interface 408, a local bus DMA engine 410, a local bus interface 412 and on-chip rule memory 414.
- Host interface 408 provides a link between ASIC 204 and memory bus 129.
- Packets are received on host interface 408 and processed by ASIC 204.
- Firewall engine 400 enforces an access control policy between two networks.
- Firewall engine utilizes rules stored in on-chip rule memory 414 and off-chip rule memory
- a VPN module is provided that includes encryption/decryption engine 402 and authentication engine 404.
- Encryption/decryption engine 402 performs encryption or decryption with one or more encryption/decryption algorithms.
- a data encryption standard (DES) or Triple-DES algorithm can be applied to transmitted data. Encryption assures confidentiality of data, protecting the data from passive attacks, such as interception, release of message contents and traffic analysis.
- Authentication engine 404 assures that a communication (packet) is authentic.
- MD5 and SHA1 algorithms are invoked to verify authentication of packets.
- Authentication buffer 406 is a temporary buffer for storing partial results generated by authentication engine 404.
- the localized storage of partial results allows the authentication process to proceed without requiring the availability of the local bus or memory bus.
- the partial results can be temporarily stored in authentication buffer 406 until the appropriate bus is free for transfers back to dual-port memory 203.
- Local bus DMA engine 410 facilitates access to dual-port memory 203 using local bus 202. As such, CPU 132 is freed to perform other tasks including the transfer of other packets into dual-port memory 203 using memory bus 129.
- rule memories There are two rule memories in the communication system, on-chip rule memory 414 inside ASIC 204, and off-chip rule memory 206, that is external to ASIC 204. From a functionality point of view, there is no difference between these two memories.
- the external memory enlarges the whole rule memory space.
- Rule searching can be implemented in a linear order with the internal rule memory first. Of course, the searching process is faster when performed in the on-chip rule memory.
- the structure for the rules is described in greater detail below.
- a rule is a control policy for filtering incoming and outgoing packets. Rules specify actions to be applied as against a certain packet. When a packet is received for inspection (rule search), the packet's IP header (six 32-bit words), TCP header (six 32-bit words) or UDP header (two 32-bit words) may require inspecting.
- IP header for 32-bit words
- TCP header for 32-bit words
- UDP header two 32-bit words
- a compact and efficient rule structure is provided to handle all the needs of firewall engine 400.
- a minimal set of information is stored in a rule including the source/destination IP addresses, UDP/TCP source/destination addresses and transport layer protocol. This makes the rule set compact, however sufficient for screening services.
- Rules can include a source/destination IP address 502, 503, a UDP/TCP source/destination port 504, 505, counter 506, source/destination IP address mask 508, transport layer protocol 510, general mask (GMASK) 511, searching control field 512 and a response action field 514.
- each rule includes six 32-bit words. Reserved bits are set to have a logical zero value.
- Searching control field 512 is used to control where to continue a search and when to search in the off-chip rule memory 206.
- searching control field 512 is four bits in length including bits B31-B28.
- the rule set can contain two types of rules. In one implementation, the two rule types are distinguished by bit B31 of the first word in a rule. A logical zero value indicates a type "0" rule, referred to as a normal rule. A logical one value indicates a type " 1 " rule. Type-1 rules are an address pointing to a starting location in the external rule memory at which point searching is to continue for a given packet.
- On-chip memory 414 includes spaces for many rules for handling the packet traffic in to and out from different interfaces
- the final rule contained in the on-chip memory 414 for the rule set is a type-1 rule. Note that this final rule is not to be confused with the last rule of a rule set described below. The final rule merely is a pointer to a next location at which searching is to continue.
- firewall engine 400 When firewall engine 400 reaches a rule that is identified as a type-1 rule (bit B31 is set to a logical one value), searching for the rule set continues in off-chip memory. The engine uses the address provided in bits B0-B13 of the sixth word of the type-1 rule and continues searching in off-chip rule memory 206 at the address indicated. Bit B30 is a last rule indicator. If bit B30 is set to a logical one value, then the rule is the last rule in a rule set. Rule match processes end after attempting to match this rule. Bit B29 is a rule set indicator. When bit B29 is set to a logical one value, the rule match process will not stop when the packet matches the rule.
- bit B29 When bit B29 is set to a logical zero value, the rule match process stops when the packet matches the rule. Note that this bit applies only when bit B2 is set. When bit B2 is set to a logical zero value, regardless of the value of this bit B29, the rule match process always stops when a match is found. The value and use of bit B2 is discussed in greater detail below. In the implementation described, bit B28 is reserved.
- the source/destination IP address 502, 503 defines a source and a destination address that is used as a matching criterion. To match a rule, a packet must have come from the defined source IP address and its destination must be the defined destination IP address.
- the UDP/TCP source/destination port 504, 505 specifies what client or server process the packet originates from on the source machine.
- Firewall engine 400 can be configured to permit or deny a packet based on these port numbers.
- the rule does not include the actual TCP/UDP port, but rather a range for the port.
- a port opcode (PTOP) can be included for further distinguishing if a match condition requires the actual TCP/UDP port falls inside or outside the range. This is very powerful and allows for a group of ports to match a single rule.
- the range is defined using a high and low port value.
- bit B26 is used to designate a source port opcode match criterion.
- the packet source port When the B26 bit is set to a logical zero, the packet source port must be greater than or equal to the source port low and less than or equal to the source port high in order to achieve a match. When the B26 bit is set to a logical one value, the packet source port must be less than the source port low or greater than the source port high. Similarly, the B27 bit is used to designate a destination port opcode match criterion. When bit B27 is set to a logical zero value, the packet destination port must be greater than or equal to the destination port low and less than or equal to the destination port high in order to achieve a match.
- Counter 506 is a high performance hardware counter. Counter 506 records a number of times that a particular rule has matched and is updated after each match is determined. In one implementation, at a defined counter threshold, counter 506 can trigger firewall engine 400 to take certain actions. In one implementation, the defined threshold for the counter is predefined. When the counter reaches the threshold value, a register bit is set. Software can monitor the register and trigger certain actions, such as deny, log and alarm. When a rule is created, an initial value can be written into the counter field. The difference between the initial value and the hardware predefined threshold determines the actual threshold. Generally speaking, the hardware ASIC provides a counting mechanism to allow for the software exercise of actions responsive to the count.
- Source/destination IP address mask 508 allows for the masking of less significant bits of an IP address during IP address checking. This allows a destination to receive packets from a group of sources or allow a source to broadcast packets to a group of destinations.
- two masks are provided: an Internet protocol source address (IPSA) mask and an Internet protocol destination address (IPDA) mask.
- the IPSA mask can be five bits in length and be encoded as follows: 00000, no bits are masked (all 32-bits are to be compared); 00001, bit "0" of the source IP address is masked (bit "0" is a DON't CARE when matching the rule); 00010, bit 1 and bit 0 are masked; 01010, the least 10 bits are masked; and 11111, only bit 31 (the MSB) is not masked.
- the IPDA mask is configured similar to the IPSA mask and has the same coding, except that the mask applies to the destination IP address.
- Transport layer protocol 510 specifies which protocol above the IP layer (TCP, UDP, etc.) the policy rule is to be enforced against.
- transport layer protocol field 510 is an 8-bit field. For a rule match to arise, the transport layer protocol field 510 must match the packet IP header protocol field. However, if the B6 bit is set to a logical one, the transport layer protocol field is disregarded (a DON'T CARE as described above).
- GMASK field 512 indicates to firewall engine 400 whether to ignore or check the packet's source IP address, destination IP address, protocol or packet acknowledgment or reset bits. Other masks can also be included. In one implementation, the GMASK includes four bits designated B4-B7.
- the packet source IP address is disregarded when matching the rule (source IP address comparison result will not be considered when determining whether or not the packet matches the rule).
- the packet destination IP address is disregarded when matching the rule (destination IP address comparison result will not be considered when determining whether or not the packet matches the rule).
- the packet protocol field is disregarded when matching the rule (packet protocol field comparison result will not be considered when determining whether or not the packet matches the rule).
- both the packet acknowledge (ACK) bit and reset bit are disregarded when matching the rule.
- Response action field 514 can be used to designate an action when a rule match is detected. Examples of actions include permit/deny, alarm and logging. In one implementation, response action field 514 is four bits in length including bits B0 to B3. In one implementation, the B0 bit is used to indicate a permit or deny action. A logical one indicates that the packet should be permitted if a match to this rule occurs. A logical zero indicates that the packet should be denied. The Bl bit is used as an alarm indication.
- a logical one indicates that an alarm should be sent if the packet matches the particular rule. If the bit is not set, then no alarm is provided. Alarms are used to indicate a possible security attack or an improper usage. Rules may be included with alarm settings to provide a measure of network security. When a match occurs, an alarm bit can be set in a status register (described below) to indicate to the CPU that the alarm condition has been satisfied. Depending on the number or kinds of alarms, the CPU can implement various control mechanisms to safeguard the communications network.
- the B2 bit can be used to indicate a counter rule.
- a logical one indicates that the rule is a counter rule.
- the least 24 bits of the second word of the rule are a counter (otherwise, the least 24 bits are reserved for a non-counter rule).
- the counter increments whenever a packet matches the rule.
- a counter rule can include two types: a counter-only rule and accumulate (ACL) rule with counter enabled. When matching a counter only rule, the count is incremented but searching continues at a next rule in the rule set. When matching a ACL rule with counter enabled, the counter is incremented and searching terminates at the rule.
- the B3 bit is a log indication. A logical one indicates that the packet information should be logged if a match arises.
- firewall engine 400 a process 600 executed by firewall engine 400 is shown for screening packets using both the on-chip and off-chip rule memories.
- the firewall engine process begins at step 602.
- a packet is received at an interface (public network interface 122) and transferred to dual-ported memory 203 using a DMA process executed by memory controller 124 (604).
- CPU 134 reads packet header information from packet memory, then writes the packet information into special registers on ASIC 204 (606). These registers are mapped onto the system memory space, so CPU 134 has direct access to them.
- the registers include: a source IP register, for storing the packet source IP address; a destination IP register, for storing the packet destination IP address; a port register, for storing the TCP/UDP source and destination ports; a protocol register for storing the transport layer protocol; and an acknowledge (ACK) register for storing the ACK bit from the packet.
- CPU 134 also specifies which rule set to search by writing to a rule set specifier register (608).
- a rule set specifier register (608).
- a plurality of rule sets are stored in rule memory, each having a starting address.
- two rule sets are available and two registers are used to store the starting addresses of each rule set. Depending on the value written to the rule set specifier, the searching begins at the appointed rule set.
- CPU 134 issues a command to firewall engine 400 by writing to a control register to initiate the ASIC rule search (610).
- Firewall engine 400 compares the contents of the special registers to each rule in sequence (611) until a match is found (612). The search stops when a match is found (613). If the match is to a counter rule (614), then the count is incremented (615) and the search continues (back at step 612). If the counter threshold is exceeded or if the search locates a match (non-counter match), the search results are written to a status register (616).
- the status register includes ten bits including: a search done bit indicating a search is finished; a match bit indicating a match has been found; a busy bit indicating (when set) that the firewall engine is performing a search; and error bit indicating an error occurred during the search; a permit/deny bit to signal the firewall to permit or deny the inspected packet; an alarm bit to signal the firewall if an alarm needs to be raised; a log bit to signal the firewall if the packet needs to be logged; a NPN bit to signal the system if the packet needs NPN processing; a counter rule address bit to store the matched counter rule address; and a counter full bit for indicating the counter has reached a threshold.
- CPU 134 polls the status register to check whether the engine is busy or has finished the search (618). When the CPU 134 determines the search is complete, CPU 134 executes certain actions against the current packet based on the information in the status register, such as permit or deny the packet, signal a alarm and log the packet (620).
- the search may find no match and if so, the packet can be discarded. If the packet is permitted, other operations like encryption/decryption or authentication can be performed on the packet as required. When all of the required operations are completed, the packet can be transmitted through a network interface (private network interface 120).
- a pipeline is a common design methodology that is deeply implemented in the ASIC design. Basically, a lengthy process is chopped into many independent sub-processes in a sequence. A new process can be started without waiting for a previously invoked process to finish.
- a rule search is completed in 3 clock cycles using a pipeline process.
- rule information is fetched from rule memory.
- an IP address comparison is performed.
- a TCP/UDP port comparison is performed.
- Each of these 3 steps are independent sub-processes of a rule search.
- a pipeline is then applied to the rule search process.
- Figure 6b illustrates the pipeline design.
- an encryption/decryption process 700 is shown.
- a packet is received at a network interface and DMA'd to packet memory (dual-port RAM 203) (702). If the packet is permitted after the firewall inspection (704) and encryption or decryption is needed (706), then the process continues at step 708.
- CPU 134 writes information needed by the encryption decryption engine 402 into special registers on ASIC 204.
- the special registers include: one or more key registers, for storing the keys used by encryption/decryption engine 402; initial vector (IN) registers, for storing the initial vectors used by encryption/decryption engine 402; a DMA source address register, for storing the starting address in the dual-port memory where the packet resides; a DMA destination address register, for storing the starting address in the dual-port memory where CPU 134 can find the encryption/decryption results; and a DMA count register, for indicating how many words of the packet need to be encrypted or decrypted.
- CPU 134 issues a command to start the encryption or decryption operation (710). In one implementation, this is accomplished by writing to the DMA count register.
- Encryption/decryption engine 402 determines which operation to invoke (encryption or decryption) (712). Keys for the appropriate process are retrieved from the key registers (714). Encryption/decryption engine 402 uses the keys to encrypt decrypt the packet that is stored at the address indicated by the DMA source address (716). In one implementation, encryption/decryption engine 402 uses DMA block transfers to retrieve portions of the packet from dual-port memory 203. As each block is encrypted/decrypted, the results are transferred back to the dual-port memory 203 (718). Again, DMA block data transfers can be used to write blocks of data back to dual-port memory 203 starting at the address indicated by the DMA destination register. The encryption decryption engine also writes a busy signal into a DES status register to indicate to the system that the encryption/decryption engine is operating on a packet.
- the engine When encryption/decryption engine 402 completes a job (720), the engine indicates the success or failure by writing a bit in DES status register (722).
- the DES status register includes a DES done bit, for indicating that the engine has finished encryption or decryption; and a DES error bit, indicating that an error has occurred in the encryption/decryption process.
- CPU 134 polls the DES status register to check if the encryption/decryption engine has completed the job. When the DES status register indicates the job is complete, CPU 134 can access the results starting at the address indicated by the DMA destination address register. At this point, the encrypted/decrypted data is available for further processing by CPU 134, which in turn builds a new packet for transfer through a network interface (726). Thereafter the process ends (728).
- a process 800 for authenticating packets begins after a packet is received at a network interface and DMA'ed to dual -port memory 203 (802). If the packet is permitted (804) after the firewall inspection (803) and authentication is needed (806), the following operations are performed. Else the packet is dropped and the process ends (830).
- An authentication algorithm is selected (808).
- two authentication algorithms (MD5 and SHA1) are included in authentication engine 404. Both the MD5 and SHA1 algorithms operate in a similar manner and can share some registers on ASIC 204. Only one is required for authentication of a packet.
- a MD5 authentication process is described below.
- the SHA1 process is similar for the purposes of this disclosure.
- ASIC 204 includes a plurality of MD5 registers for supporting the authentication process including: MD5 state registers, for storing the initial values used by the MD5 authentication algorithm; a packet base register, for storing the starting address of the message to be processed; a packet length register, for storing the length of the message to be processed; a MD5 control register, for signaling the availability of a packet for processing; and a MD5 status register.
- CPU 134 issues a command to start the MD5 process (811) by writing to the MD5 control register (812).
- the authentication engine 404 begins the process by writing a busy signal to the MD5 status register to let CPU 134 know the authentication engine is processing a request (authenticating a packet).
- Authentication engine 404 processes the packet (813) and places the digest result into the MD5 state registers (814).
- authentication engine 404 signals the completion by setting one or more bits in the MD5 status register (816). In one implementation, two bits are used: a MD5 done bit, indicating authentication engine 404 has finished the authentication process; and a MD5 error bit, indicating that an error occurred.
- CPU 134 polls the MD5 status register to determine if the authentication job is complete (817). When the MD5 done bit is set, CPU 134 reads out the digest results from the MD5 state registers (818). Thereafter, the process ends (830).
- parallel processing can be performed in ASIC 204.
- the MD5 or SHA1 authentication process can be intervened with the encryption/decryption process.
- ASIC 204 initiates an encryption (DES or Triple-DES) process on a packet. After a couple clock cycles, ASIC 204 can start the authentication process (MD5 or SHA1) without interrupting the encryption process. The two processes proceed in the same time period and finish in almost the same time. This can reduce the overall process time in half.
- a packet after a packet is transferred into the dual-port memory 203, it can be fetched by ASIC 204 using local bus 202.
- the encryption/decryption engine 402 can be invoked, and after several clock cycles, authentication, using authentication engine 404, can start for the same packet.
- the two engines work in an intervening manner without sacrificing each engine's performance.
- the other possible combinations for parallel processing include: DES Encryption + MD5 authentication, MD5 authentication + DES decryption, Triple DES Encryption + MD5 authentication, MD5 authentication + Triple DES decryption, DES Encryption + SHA1 authentication, SHA1 authentication + DES decryption, Triple DES Encryption + SHA1 authentication and SHA1 authentication + Triple DES Decryption.
- Packet flow through each engine can be in blocks or on a word by word basis.
- the packet data is grouped in a block and transferred in blocks using the local bus and memory bus.
Abstract
Description
Claims
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU40630/00A AU4063000A (en) | 1999-04-01 | 2000-03-31 | Firewall including local bus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/283,730 US6701432B1 (en) | 1999-04-01 | 1999-04-01 | Firewall including local bus |
US09/283,730 | 1999-04-01 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2000060793A2 true WO2000060793A2 (en) | 2000-10-12 |
WO2000060793A3 WO2000060793A3 (en) | 2001-01-11 |
Family
ID=23087312
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2000/008708 WO2000060793A2 (en) | 1999-04-01 | 2000-03-31 | Firewall including local bus |
Country Status (3)
Country | Link |
---|---|
US (5) | US6701432B1 (en) |
AU (1) | AU4063000A (en) |
WO (1) | WO2000060793A2 (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1336915A1 (en) * | 2002-02-19 | 2003-08-20 | Broadcom Corporation | Method and apparatus for flexible frame processing and classification engine |
EP1351110A1 (en) * | 2002-03-18 | 2003-10-08 | Broadcom Corporation | Fast flexible range checking |
US6996573B2 (en) | 2001-01-18 | 2006-02-07 | Stonesoft Oy | Screening of data packets in a gateway |
EP1662700A1 (en) * | 2003-08-26 | 2006-05-31 | ZTE Corporation | Network communication security processor and data processing method |
US7701942B2 (en) | 2001-06-14 | 2010-04-20 | Nec Corporation | Network monitor system, data amount counting method and program for use in the system |
CN107491953A (en) * | 2004-05-25 | 2017-12-19 | 沐溪支付技术股份公司 | System for supporting Web applications in POS terminal |
US10552603B2 (en) | 2000-05-17 | 2020-02-04 | Finjan, Inc. | Malicious mobile code runtime monitoring system and methods |
Families Citing this family (205)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8079086B1 (en) | 1997-11-06 | 2011-12-13 | Finjan, Inc. | Malicious mobile code runtime monitoring system and methods |
US7634529B2 (en) | 1996-11-29 | 2009-12-15 | Ellis Iii Frampton E | Personal and server computers having microchips with multiple processing units and internal firewalls |
US7926097B2 (en) | 1996-11-29 | 2011-04-12 | Ellis Iii Frampton E | Computer or microchip protected from the internet by internal hardware |
US6725250B1 (en) | 1996-11-29 | 2004-04-20 | Ellis, Iii Frampton E. | Global network computers |
US7805756B2 (en) * | 1996-11-29 | 2010-09-28 | Frampton E Ellis | Microchips with inner firewalls, faraday cages, and/or photovoltaic cells |
US8312529B2 (en) | 1996-11-29 | 2012-11-13 | Ellis Frampton E | Global network computers |
US20050180095A1 (en) * | 1996-11-29 | 2005-08-18 | Ellis Frampton E. | Global network computers |
US7506020B2 (en) | 1996-11-29 | 2009-03-17 | Frampton E Ellis | Global network computers |
US6167428A (en) * | 1996-11-29 | 2000-12-26 | Ellis; Frampton E. | Personal computer microprocessor firewalls for internet distributed processing |
US8225003B2 (en) * | 1996-11-29 | 2012-07-17 | Ellis Iii Frampton E | Computers and microchips with a portion protected by an internal hardware firewall |
US7107612B1 (en) | 1999-04-01 | 2006-09-12 | Juniper Networks, Inc. | Method, apparatus and computer program product for a network firewall |
US6701432B1 (en) * | 1999-04-01 | 2004-03-02 | Netscreen Technologies, Inc. | Firewall including local bus |
US20020133620A1 (en) * | 1999-05-24 | 2002-09-19 | Krause Michael R. | Access control in a network system |
US7996670B1 (en) * | 1999-07-08 | 2011-08-09 | Broadcom Corporation | Classification engine in a cryptography acceleration chip |
DE19952527C2 (en) * | 1999-10-30 | 2002-01-17 | Ibrixx Ag Fuer Etransaction Ma | Process and transaction interface for secure data exchange between distinguishable networks |
US6629163B1 (en) | 1999-12-29 | 2003-09-30 | Implicit Networks, Inc. | Method and system for demultiplexing a first sequence of packet components to identify specific components wherein subsequent components are processed without re-identifying components |
US7055171B1 (en) * | 2000-05-31 | 2006-05-30 | Hewlett-Packard Development Company, L.P. | Highly secure computer system architecture for a heterogeneous client environment |
US9444785B2 (en) | 2000-06-23 | 2016-09-13 | Cloudshield Technologies, Inc. | Transparent provisioning of network access to an application |
US7032031B2 (en) | 2000-06-23 | 2006-04-18 | Cloudshield Technologies, Inc. | Edge adapter apparatus and method |
US8204082B2 (en) | 2000-06-23 | 2012-06-19 | Cloudshield Technologies, Inc. | Transparent provisioning of services over a network |
US7003555B1 (en) * | 2000-06-23 | 2006-02-21 | Cloudshield Technologies, Inc. | Apparatus and method for domain name resolution |
US7114008B2 (en) * | 2000-06-23 | 2006-09-26 | Cloudshield Technologies, Inc. | Edge adapter architecture apparatus and method |
US6829654B1 (en) | 2000-06-23 | 2004-12-07 | Cloudshield Technologies, Inc. | Apparatus and method for virtual edge placement of web sites |
KR100358518B1 (en) * | 2000-07-03 | 2002-10-30 | 주식회사 지모컴 | Firewall system combined with embeded hardware and general-purpose computer |
US7013482B1 (en) * | 2000-07-07 | 2006-03-14 | 802 Systems Llc | Methods for packet filtering including packet invalidation if packet validity determination not timely made |
US7185192B1 (en) * | 2000-07-07 | 2007-02-27 | Emc Corporation | Methods and apparatus for controlling access to a resource |
WO2002015018A1 (en) * | 2000-08-11 | 2002-02-21 | 3Ware, Inc. | Architecture for providing block-level storage access over a computer network |
US8037530B1 (en) * | 2000-08-28 | 2011-10-11 | Verizon Corporate Services Group Inc. | Method and apparatus for providing adaptive self-synchronized dynamic address translation as an intrusion detection sensor |
US7120931B1 (en) * | 2000-08-31 | 2006-10-10 | Cisco Technology, Inc. | System and method for generating filters based on analyzed flow data |
US7660902B2 (en) * | 2000-11-20 | 2010-02-09 | Rsa Security, Inc. | Dynamic file access control and management |
US7100202B2 (en) * | 2001-03-02 | 2006-08-29 | Tekelec | Voice firewall |
FI20010511A0 (en) * | 2001-03-14 | 2001-03-14 | Stonesoft Oy | Processing of data packets |
US7085267B2 (en) * | 2001-04-27 | 2006-08-01 | International Business Machines Corporation | Methods, systems and computer program products for translating internet protocol (IP) addresses located in a payload of a packet |
US7042899B1 (en) | 2001-05-08 | 2006-05-09 | Lsi Logic Corporation | Application specific integrated circuit having a programmable logic core and a method of operation thereof |
US7453899B1 (en) * | 2001-05-08 | 2008-11-18 | Lsi Corporation | Field programmable network application specific integrated circuit and a method of operation thereof |
JP3874628B2 (en) * | 2001-05-17 | 2007-01-31 | 富士通株式会社 | Packet transfer device, semiconductor device |
US6947983B2 (en) * | 2001-06-22 | 2005-09-20 | International Business Machines Corporation | Method and system for exploiting likelihood in filter rule enforcement |
US7069330B1 (en) * | 2001-07-05 | 2006-06-27 | Mcafee, Inc. | Control of interaction between client computer applications and network resources |
US7209962B2 (en) * | 2001-07-30 | 2007-04-24 | International Business Machines Corporation | System and method for IP packet filtering based on non-IP packet traffic attributes |
US6986160B1 (en) * | 2001-08-31 | 2006-01-10 | Mcafee, Inc. | Security scanning system and method utilizing generic IP addresses |
US7822970B2 (en) * | 2001-10-24 | 2010-10-26 | Microsoft Corporation | Method and apparatus for regulating access to a computer via a computer network |
DE60139883D1 (en) * | 2001-11-29 | 2009-10-22 | Stonesoft Oy | Custom firewall |
US8185943B1 (en) * | 2001-12-20 | 2012-05-22 | Mcafee, Inc. | Network adapter firewall system and method |
US7761605B1 (en) | 2001-12-20 | 2010-07-20 | Mcafee, Inc. | Embedded anti-virus scanner for a network adapter |
TW533351B (en) * | 2001-12-31 | 2003-05-21 | Icp Electronics Inc | Network monitoring device and the computer system having the same |
US20030200463A1 (en) * | 2002-04-23 | 2003-10-23 | Mccabe Alan Jason | Inter-autonomous system weighstation |
US8019889B1 (en) * | 2002-05-31 | 2011-09-13 | Cisco Technology, Inc. | Method and apparatus for making end-host network address translation (NAT) global address and port ranges aware |
US7203844B1 (en) * | 2002-06-20 | 2007-04-10 | Oxford William V | Method and system for a recursive security protocol for digital copyright control |
US8438392B2 (en) | 2002-06-20 | 2013-05-07 | Krimmeni Technologies, Inc. | Method and system for control of code execution on a general purpose computing device and control of code execution in a recursive security protocol |
US7146638B2 (en) * | 2002-06-27 | 2006-12-05 | International Business Machines Corporation | Firewall protocol providing additional information |
JP3564117B2 (en) | 2002-07-01 | 2004-09-08 | 株式会社バッファロー | Wireless LAN device |
US7467406B2 (en) * | 2002-08-23 | 2008-12-16 | Nxp B.V. | Embedded data set processing |
US7716725B2 (en) | 2002-09-20 | 2010-05-11 | Fortinet, Inc. | Firewall interface configuration and processes to enable bi-directional VoIP traversal communications |
US20040064657A1 (en) * | 2002-09-27 | 2004-04-01 | Muraleedhara Navada | Memory structure including information storage elements and associated validity storage elements |
US7769873B1 (en) * | 2002-10-25 | 2010-08-03 | Juniper Networks, Inc. | Dynamically inserting filters into forwarding paths of a network device |
US8005918B2 (en) * | 2002-11-12 | 2011-08-23 | Rateze Remote Mgmt. L.L.C. | Data storage devices having IP capable partitions |
US7170890B2 (en) * | 2002-12-16 | 2007-01-30 | Zetera Corporation | Electrical devices with improved communication |
JP2006506847A (en) * | 2002-11-12 | 2006-02-23 | ゼテーラ・コーポレイシヨン | Communication protocol, system and method |
US7742473B2 (en) | 2002-11-12 | 2010-06-22 | Mark Adams | Accelerator module |
US7649880B2 (en) * | 2002-11-12 | 2010-01-19 | Mark Adams | Systems and methods for deriving storage area commands |
US7367046B1 (en) * | 2002-12-04 | 2008-04-29 | Cisco Technology, Inc. | Method and apparatus for assigning network addresses to network devices |
US20040123120A1 (en) * | 2002-12-18 | 2004-06-24 | Broadcom Corporation | Cryptography accelerator input interface data handling |
US7568110B2 (en) | 2002-12-18 | 2009-07-28 | Broadcom Corporation | Cryptography accelerator interface decoupling from cryptography processing cores |
US7434043B2 (en) * | 2002-12-18 | 2008-10-07 | Broadcom Corporation | Cryptography accelerator data routing unit |
US20040123123A1 (en) * | 2002-12-18 | 2004-06-24 | Buer Mark L. | Methods and apparatus for accessing security association information in a cryptography accelerator |
US20040128545A1 (en) * | 2002-12-31 | 2004-07-01 | International Business Machines Corporation | Host controlled dynamic firewall system |
US7382769B1 (en) | 2003-02-07 | 2008-06-03 | Juniper Networks, Inc. | Automatic filtering to prevent network attacks |
JP4520703B2 (en) * | 2003-03-31 | 2010-08-11 | 富士通株式会社 | Unauthorized access countermeasure system and unauthorized access countermeasure processing program |
US7900240B2 (en) * | 2003-05-28 | 2011-03-01 | Citrix Systems, Inc. | Multilayer access control security system |
US7760729B2 (en) | 2003-05-28 | 2010-07-20 | Citrix Systems, Inc. | Policy based network address translation |
JP2006526424A (en) * | 2003-06-04 | 2006-11-24 | イニオン リミテッド | Biodegradable implant and method for producing the same |
US8078758B1 (en) | 2003-06-05 | 2011-12-13 | Juniper Networks, Inc. | Automatic configuration of source address filters within a network device |
US7260840B2 (en) * | 2003-06-06 | 2007-08-21 | Microsoft Corporation | Multi-layer based method for implementing network firewalls |
US7225395B2 (en) * | 2003-08-18 | 2007-05-29 | Lsi Corporation | Methods and systems for end-to-end data protection in a memory controller |
US20050071656A1 (en) * | 2003-09-25 | 2005-03-31 | Klein Dean A. | Secure processor-based system and method |
US7594018B2 (en) * | 2003-10-10 | 2009-09-22 | Citrix Systems, Inc. | Methods and apparatus for providing access to persistent application sessions |
US7002943B2 (en) * | 2003-12-08 | 2006-02-21 | Airtight Networks, Inc. | Method and system for monitoring a selected region of an airspace associated with local area networks of computing devices |
US7543142B2 (en) * | 2003-12-19 | 2009-06-02 | Intel Corporation | Method and apparatus for performing an authentication after cipher operation in a network processor |
US7512945B2 (en) * | 2003-12-29 | 2009-03-31 | Intel Corporation | Method and apparatus for scheduling the processing of commands for execution by cryptographic algorithm cores in a programmable network processor |
US7440434B2 (en) * | 2004-02-11 | 2008-10-21 | Airtight Networks, Inc. | Method and system for detecting wireless access devices operably coupled to computer local area networks and related methods |
US7536723B1 (en) | 2004-02-11 | 2009-05-19 | Airtight Networks, Inc. | Automated method and system for monitoring local area computer networks for unauthorized wireless access |
US7216365B2 (en) * | 2004-02-11 | 2007-05-08 | Airtight Networks, Inc. | Automated sniffer apparatus and method for wireless local area network security |
US7774834B1 (en) * | 2004-02-18 | 2010-08-10 | Citrix Systems, Inc. | Rule generalization for web application entry point modeling |
US7890996B1 (en) | 2004-02-18 | 2011-02-15 | Teros, Inc. | Using statistical analysis to generate exception rules that allow legitimate messages to pass through application proxies and gateways |
US7773596B1 (en) | 2004-02-19 | 2010-08-10 | Juniper Networks, Inc. | Distribution of traffic flow criteria |
US7401234B2 (en) * | 2004-03-01 | 2008-07-15 | Freescale Semiconductor, Inc. | Autonomous memory checker for runtime security assurance and method therefore |
US20060165073A1 (en) * | 2004-04-06 | 2006-07-27 | Airtight Networks, Inc., (F/K/A Wibhu Technologies, Inc.) | Method and a system for regulating, disrupting and preventing access to the wireless medium |
US7496094B2 (en) * | 2004-04-06 | 2009-02-24 | Airtight Networks, Inc. | Method and system for allowing and preventing wireless devices to transmit wireless signals |
EP1747655B1 (en) | 2004-05-20 | 2017-12-06 | QinetiQ Limited | Firewall system |
US7636841B2 (en) * | 2004-07-26 | 2009-12-22 | Intercall, Inc. | Systems and methods for secure data exchange in a distributed collaborative application |
JP4634456B2 (en) * | 2004-09-09 | 2011-02-16 | アバイア インコーポレーテッド | Method and system for security of network traffic |
US20060059558A1 (en) * | 2004-09-15 | 2006-03-16 | John Selep | Proactive containment of network security attacks |
US8613048B2 (en) | 2004-09-30 | 2013-12-17 | Citrix Systems, Inc. | Method and apparatus for providing authorized remote access to application sessions |
US7711835B2 (en) | 2004-09-30 | 2010-05-04 | Citrix Systems, Inc. | Method and apparatus for reducing disclosure of proprietary data in a networked environment |
US7748032B2 (en) * | 2004-09-30 | 2010-06-29 | Citrix Systems, Inc. | Method and apparatus for associating tickets in a ticket hierarchy |
US7826602B1 (en) * | 2004-10-22 | 2010-11-02 | Juniper Networks, Inc. | Enabling incoming VoIP calls behind a network firewall |
US8200827B1 (en) | 2004-10-25 | 2012-06-12 | Juniper Networks, Inc. | Routing VoIP calls through multiple security zones |
US8367105B2 (en) * | 2004-11-10 | 2013-02-05 | Teva Pharmaceutical Industries, Ltd. | Compressed solid dosage form manufacturing process well-suited for use with drugs of low aqueous solubility and compressed solid dosage forms made thereby |
JP4550557B2 (en) * | 2004-11-24 | 2010-09-22 | 株式会社日立製作所 | Filter definition management method, filter definition management device, and storage area network |
US20060136717A1 (en) | 2004-12-20 | 2006-06-22 | Mark Buer | System and method for authentication via a proximate device |
US8295484B2 (en) * | 2004-12-21 | 2012-10-23 | Broadcom Corporation | System and method for securing data from a remote input device |
US7924712B2 (en) * | 2004-12-21 | 2011-04-12 | Utstarcom, Inc. | Processing platform selection method for data packet filter installation |
US8024568B2 (en) | 2005-01-28 | 2011-09-20 | Citrix Systems, Inc. | Method and system for verification of an endpoint security scan |
US10015140B2 (en) | 2005-02-03 | 2018-07-03 | International Business Machines Corporation | Identifying additional firewall rules that may be needed |
US20060206921A1 (en) * | 2005-03-12 | 2006-09-14 | Shuangbao Wang | Intrusion-free computer architecture for information and data security |
US7702850B2 (en) * | 2005-03-14 | 2010-04-20 | Thomas Earl Ludwig | Topology independent storage arrays and methods |
US8301820B2 (en) * | 2005-03-31 | 2012-10-30 | Stmicroelectronics Belgium N.V. | Direct memory access for advanced high speed bus |
US20070097976A1 (en) * | 2005-05-20 | 2007-05-03 | Wood George D | Suspect traffic redirection |
US7620981B2 (en) | 2005-05-26 | 2009-11-17 | Charles William Frank | Virtual devices and virtual bus tunnels, modules and methods |
JP4161981B2 (en) * | 2005-05-31 | 2008-10-08 | ブラザー工業株式会社 | Communication device and program |
US8819092B2 (en) * | 2005-08-16 | 2014-08-26 | Rateze Remote Mgmt. L.L.C. | Disaggregated resources and access methods |
US7743214B2 (en) | 2005-08-16 | 2010-06-22 | Mark Adams | Generating storage system commands |
US7646867B2 (en) * | 2005-09-09 | 2010-01-12 | Netapp, Inc. | System and/or method for encrypting data |
CA2620828A1 (en) * | 2005-09-19 | 2007-03-29 | Schweitzer Engineering Laboratories, Inc. | Method and apparatus for routing data streams among intelligent electronic devices |
US9270532B2 (en) | 2005-10-06 | 2016-02-23 | Rateze Remote Mgmt. L.L.C. | Resource command messages and methods |
EP1955221A4 (en) * | 2005-12-01 | 2009-03-11 | Firestar Software Inc | System and method for exchanging information among exchange applications |
US7710933B1 (en) | 2005-12-08 | 2010-05-04 | Airtight Networks, Inc. | Method and system for classification of wireless devices in local area computer networks |
US20070266433A1 (en) * | 2006-03-03 | 2007-11-15 | Hezi Moore | System and Method for Securing Information in a Virtual Computing Environment |
US20070233861A1 (en) * | 2006-03-31 | 2007-10-04 | Lucent Technologies Inc. | Method and apparatus for implementing SMS SPAM filtering |
US7924881B2 (en) * | 2006-04-10 | 2011-04-12 | Rateze Remote Mgmt. L.L.C. | Datagram identifier management |
US8151323B2 (en) | 2006-04-12 | 2012-04-03 | Citrix Systems, Inc. | Systems and methods for providing levels of access and action control via an SSL VPN appliance |
US8024787B2 (en) * | 2006-05-02 | 2011-09-20 | Cisco Technology, Inc. | Packet firewalls of particular use in packet switching devices |
CN101079873B (en) * | 2006-05-25 | 2010-04-21 | 深圳市恒扬科技有限公司 | A firewall device based on ACP framework |
US8009566B2 (en) | 2006-06-26 | 2011-08-30 | Palo Alto Networks, Inc. | Packet classification in a network security device |
US7755872B2 (en) * | 2006-09-14 | 2010-07-13 | Schweitzer Engineering Laboratories, Inc. | System, method and device to preserve protection communication active during a bypass operation |
US20080071770A1 (en) * | 2006-09-18 | 2008-03-20 | Nokia Corporation | Method, Apparatus and Computer Program Product for Viewing a Virtual Database Using Portable Devices |
US9125130B2 (en) * | 2006-09-25 | 2015-09-01 | Hewlett-Packard Development Company, L.P. | Blacklisting based on a traffic rule violation |
US8051474B1 (en) * | 2006-09-26 | 2011-11-01 | Avaya Inc. | Method and apparatus for identifying trusted sources based on access point |
US8533846B2 (en) * | 2006-11-08 | 2013-09-10 | Citrix Systems, Inc. | Method and system for dynamically associating access rights with a resource |
US7643431B2 (en) * | 2006-11-10 | 2010-01-05 | Ixia | Distributed packet group identification for network testing |
US20080148382A1 (en) | 2006-12-15 | 2008-06-19 | International Business Machines Corporation | System, method and program for managing firewalls |
US8127347B2 (en) * | 2006-12-29 | 2012-02-28 | 02Micro International Limited | Virtual firewall |
US20090328193A1 (en) * | 2007-07-20 | 2009-12-31 | Hezi Moore | System and Method for Implementing a Virtualized Security Platform |
US8594085B2 (en) * | 2007-04-11 | 2013-11-26 | Palo Alto Networks, Inc. | L2/L3 multi-mode switch including policy processing |
US8549135B1 (en) * | 2007-05-18 | 2013-10-01 | Raytheon Company | Method and apparatus for performing quality of service in secure networks |
US8108924B1 (en) * | 2007-05-24 | 2012-01-31 | Sprint Communications Company L.P. | Providing a firewall's connection data in a comprehendible format |
US20090080365A1 (en) * | 2007-09-24 | 2009-03-26 | Qualcomn Incorporated | Generating multicast flow identifiers |
US7916728B1 (en) | 2007-09-28 | 2011-03-29 | F5 Networks, Inc. | Lockless atomic table update |
US7970894B1 (en) | 2007-11-15 | 2011-06-28 | Airtight Networks, Inc. | Method and system for monitoring of wireless devices in local area computer networks |
US8125796B2 (en) | 2007-11-21 | 2012-02-28 | Frampton E. Ellis | Devices with faraday cages and internal flexibility sipes |
US8306036B1 (en) | 2008-06-20 | 2012-11-06 | F5 Networks, Inc. | Methods and systems for hierarchical resource allocation through bookmark allocation |
US8769681B1 (en) | 2008-08-11 | 2014-07-01 | F5 Networks, Inc. | Methods and system for DMA based distributed denial of service protection |
US10255463B2 (en) | 2008-11-17 | 2019-04-09 | International Business Machines Corporation | Secure computer architecture |
US8447884B1 (en) * | 2008-12-01 | 2013-05-21 | F5 Networks, Inc. | Methods for mapping virtual addresses to physical addresses in a network device and systems thereof |
US8873556B1 (en) | 2008-12-24 | 2014-10-28 | Palo Alto Networks, Inc. | Application based packet forwarding |
US8880632B1 (en) | 2009-01-16 | 2014-11-04 | F5 Networks, Inc. | Method and apparatus for performing multiple DMA channel based network quality of service |
US8880696B1 (en) | 2009-01-16 | 2014-11-04 | F5 Networks, Inc. | Methods for sharing bandwidth across a packetized bus and systems thereof |
US9152483B2 (en) | 2009-01-16 | 2015-10-06 | F5 Networks, Inc. | Network devices with multiple fully isolated and independently resettable direct memory access channels and methods thereof |
US8103809B1 (en) | 2009-01-16 | 2012-01-24 | F5 Networks, Inc. | Network devices with multiple direct memory access channels and methods thereof |
US8112491B1 (en) | 2009-01-16 | 2012-02-07 | F5 Networks, Inc. | Methods and systems for providing direct DMA |
CN101662425B (en) * | 2009-09-17 | 2012-07-04 | 中兴通讯股份有限公司 | Method for detecting validity of access control list and device |
CN102035821A (en) * | 2009-09-29 | 2011-04-27 | 凹凸电子(武汉)有限公司 | Firewall / virtual private network integrated system and circuit |
US9313047B2 (en) | 2009-11-06 | 2016-04-12 | F5 Networks, Inc. | Handling high throughput and low latency network data packets in a traffic management device |
CN102075404A (en) * | 2009-11-19 | 2011-05-25 | 华为技术有限公司 | Message detection method and device |
US8255986B2 (en) * | 2010-01-26 | 2012-08-28 | Frampton E. Ellis | Methods of securely controlling through one or more separate private networks an internet-connected computer having one or more hardware-based inner firewalls or access barriers |
US8429735B2 (en) | 2010-01-26 | 2013-04-23 | Frampton E. Ellis | Method of using one or more secure private networks to actively configure the hardware of a computer or microchip |
US20110225645A1 (en) * | 2010-01-26 | 2011-09-15 | Ellis Frampton E | Basic architecture for secure internet computers |
CA2825850A1 (en) * | 2010-01-29 | 2011-08-04 | Frampton E. Ellis | The basic architecture for secure internet computers |
US8601578B1 (en) * | 2011-01-20 | 2013-12-03 | Google Inc. | Identifying potentially suspicious business listings for moderation |
US10135831B2 (en) | 2011-01-28 | 2018-11-20 | F5 Networks, Inc. | System and method for combining an access control system with a traffic management system |
US8695096B1 (en) | 2011-05-24 | 2014-04-08 | Palo Alto Networks, Inc. | Automatic signature generation for malicious PDF files |
US9047441B2 (en) | 2011-05-24 | 2015-06-02 | Palo Alto Networks, Inc. | Malware analysis system |
CN102209124B (en) * | 2011-06-08 | 2014-03-12 | 杭州华三通信技术有限公司 | Method for communication between private network and public network and network address translation equipment |
US8745266B2 (en) * | 2011-06-30 | 2014-06-03 | Citrix Systems, Inc. | Transparent layer 2 redirection of request to single sign in service based on applying policy to content of request |
US9065860B2 (en) | 2011-08-02 | 2015-06-23 | Cavium, Inc. | Method and apparatus for multiple access of plural memory banks |
US8631244B1 (en) | 2011-08-11 | 2014-01-14 | Rockwell Collins, Inc. | System and method for preventing computer malware from exfiltrating data from a user computer in a network via the internet |
EP3629181B1 (en) | 2012-01-24 | 2022-10-05 | SSH Communications Security Oyj | Privileged access auditing |
US9036822B1 (en) | 2012-02-15 | 2015-05-19 | F5 Networks, Inc. | Methods for managing user information and devices thereof |
US9059853B1 (en) | 2012-02-22 | 2015-06-16 | Rockwell Collins, Inc. | System and method for preventing a computing device from obtaining unauthorized access to a secure network or trusted computing environment |
US9575906B2 (en) | 2012-03-20 | 2017-02-21 | Rubicon Labs, Inc. | Method and system for process working set isolation |
US8661246B1 (en) | 2012-04-09 | 2014-02-25 | Rockwell Collins, Inc. | System and method for protecting certificate applications using a hardened proxy |
US10031782B2 (en) | 2012-06-26 | 2018-07-24 | Juniper Networks, Inc. | Distributed processing of network device tasks |
US10033837B1 (en) | 2012-09-29 | 2018-07-24 | F5 Networks, Inc. | System and method for utilizing a data reducing module for dictionary compression of encoded data |
KR101563059B1 (en) * | 2012-11-19 | 2015-10-23 | 삼성에스디에스 주식회사 | Anti-malware system and data processing method in same |
US9270602B1 (en) | 2012-12-31 | 2016-02-23 | F5 Networks, Inc. | Transmit rate pacing of large network traffic bursts to reduce jitter, buffer overrun, wasted bandwidth, and retransmissions |
US10375155B1 (en) | 2013-02-19 | 2019-08-06 | F5 Networks, Inc. | System and method for achieving hardware acceleration for asymmetric flow connections |
US20140240758A1 (en) * | 2013-02-28 | 2014-08-28 | Fuji Xerox Co., Ltd. | Image forming apparatus, image forming method, and non-transitory computer readable medium |
US9864606B2 (en) | 2013-09-05 | 2018-01-09 | F5 Networks, Inc. | Methods for configurable hardware logic device reloading and devices thereof |
US10193801B2 (en) | 2013-11-25 | 2019-01-29 | Juniper Networks, Inc. | Automatic traffic mapping for multi-protocol label switching networks |
WO2015095000A1 (en) | 2013-12-16 | 2015-06-25 | F5 Networks, Inc. | Methods for facilitating improved user authentication using persistent data and devices thereof |
US9544402B2 (en) | 2013-12-31 | 2017-01-10 | Cavium, Inc. | Multi-rule approach to encoding a group of rules |
US9667446B2 (en) | 2014-01-08 | 2017-05-30 | Cavium, Inc. | Condition code approach for comparing rule and packet data that are provided in portions |
US10015143B1 (en) | 2014-06-05 | 2018-07-03 | F5 Networks, Inc. | Methods for securing one or more license entitlement grants and devices thereof |
US10192062B2 (en) | 2014-06-20 | 2019-01-29 | Cypress Semiconductor Corporation | Encryption for XIP and MMIO external memories |
US10169618B2 (en) * | 2014-06-20 | 2019-01-01 | Cypress Semiconductor Corporation | Encryption method for execute-in-place memories |
US10691838B2 (en) | 2014-06-20 | 2020-06-23 | Cypress Semiconductor Corporation | Encryption for XIP and MMIO external memories |
US11838851B1 (en) | 2014-07-15 | 2023-12-05 | F5, Inc. | Methods for managing L7 traffic classification and devices thereof |
US10182013B1 (en) | 2014-12-01 | 2019-01-15 | F5 Networks, Inc. | Methods for managing progressive image delivery and devices thereof |
US11895138B1 (en) | 2015-02-02 | 2024-02-06 | F5, Inc. | Methods for improving web scanner accuracy and devices thereof |
US9560010B1 (en) * | 2015-03-30 | 2017-01-31 | Amazon Technologies, Inc. | Network file transfer |
CN104965676B (en) * | 2015-06-17 | 2018-10-16 | 深圳市中兴微电子技术有限公司 | A kind of access method of random access memory, device and control chip |
EP3139548B1 (en) * | 2015-09-04 | 2018-04-11 | Airbus Operations | High assurance segregated gateway interconnecting different domains |
US10154062B2 (en) | 2015-09-25 | 2018-12-11 | Nxp Usa, Inc. | Rule lookup using predictive tuples based rule lookup cache in the data plane |
RO132177A2 (en) | 2016-03-21 | 2017-09-29 | Ixia, A California Corporation | Methods, system and computerized medium for testing network equipment devices using connectionless protocol |
US10193773B2 (en) | 2016-11-09 | 2019-01-29 | Keysight Technologies Singapore (Holdings) Pte. Ltd. | Methods, systems, and computer readable media for distributed network packet statistics collection in a test environment |
WO2018141358A1 (en) * | 2017-01-31 | 2018-08-09 | Huawei Technologies Co., Ltd. | Processing device, communication device and methods thereof |
US10972453B1 (en) | 2017-05-03 | 2021-04-06 | F5 Networks, Inc. | Methods for token refreshment based on single sign-on (SSO) for federated identity environments and devices thereof |
CN109842585B (en) * | 2017-11-27 | 2021-04-13 | 中国科学院沈阳自动化研究所 | Network information safety protection unit and protection method for industrial embedded system |
US10764148B2 (en) | 2017-11-29 | 2020-09-01 | Keysight Technologies, Inc. | Methods, systems, and computer readable media for network traffic statistics collection |
US11855898B1 (en) | 2018-03-14 | 2023-12-26 | F5, Inc. | Methods for traffic dependent direct memory access optimization and devices thereof |
US11537716B1 (en) | 2018-11-13 | 2022-12-27 | F5, Inc. | Methods for detecting changes to a firmware and devices thereof |
US10764315B1 (en) * | 2019-05-08 | 2020-09-01 | Capital One Services, Llc | Virtual private cloud flow log event fingerprinting and aggregation |
US11831606B2 (en) * | 2020-04-29 | 2023-11-28 | Kyndryl, Inc. | Dynamically managing firewall ports of an enterprise network |
US11599649B2 (en) * | 2020-06-29 | 2023-03-07 | Rockwell Automation Technologies, Inc. | Method and apparatus for managing transmission of secure data packets |
US11606346B2 (en) * | 2020-06-29 | 2023-03-14 | Rockwell Automation Technologies, Inc. | Method and apparatus for managing reception of secure data packets |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1998036539A1 (en) * | 1997-02-14 | 1998-08-20 | Advanced Micro Devices, Inc. | Apparatus and method for synthesizing management packets for transmission between a network switch and a host controller |
US5857083A (en) * | 1996-06-07 | 1999-01-05 | Yamaha Corporation | Bus interfacing device for interfacing a secondary peripheral bus with a system having a host CPU and a primary peripheral bus |
US5884025A (en) * | 1995-05-18 | 1999-03-16 | Sun Microsystems, Inc. | System for packet filtering of data packet at a computer network interface |
Family Cites Families (74)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4028675A (en) * | 1973-05-14 | 1977-06-07 | Hewlett-Packard Company | Method and apparatus for refreshing semiconductor memories in multi-port and multi-module memory system |
US4313160A (en) * | 1976-08-17 | 1982-01-26 | Computer Automation, Inc. | Distributed input/output controller system |
US4396995A (en) * | 1981-02-25 | 1983-08-02 | Ncr Corporation | Adapter for interfacing between two buses |
US4490785A (en) * | 1982-05-07 | 1984-12-25 | Digital Equipment Corporation | Dual path bus structure for computer interconnection |
US4654788A (en) * | 1983-06-15 | 1987-03-31 | Honeywell Information Systems Inc. | Asynchronous multiport parallel access memory system for use in a single board computer system |
US4720780A (en) * | 1985-09-17 | 1988-01-19 | The Johns Hopkins University | Memory-linked wavefront array processor |
US4992926A (en) * | 1988-04-11 | 1991-02-12 | Square D Company | Peer-to-peer register exchange controller for industrial programmable controllers |
JPH0711793B2 (en) * | 1989-07-13 | 1995-02-08 | 株式会社東芝 | Microprocessor |
EP0489504B1 (en) * | 1990-11-30 | 1997-03-05 | International Business Machines Corporation | Bidirectional FIFO buffer for interfacing between two buses |
US5544045A (en) * | 1991-10-30 | 1996-08-06 | Canon Inc. | Unified scanner computer printer |
US5442754A (en) * | 1992-12-04 | 1995-08-15 | Unisys Corporation | Receiving control logic system for dual bus network |
US5606668A (en) | 1993-12-15 | 1997-02-25 | Checkpoint Software Technologies Ltd. | System for securing inbound and outbound data packet flow in a computer network |
US5835726A (en) | 1993-12-15 | 1998-11-10 | Check Point Software Technologies Ltd. | System for securing the flow of and selectively modifying packets in a computer network |
US5828856A (en) * | 1994-01-28 | 1998-10-27 | Apple Computer, Inc. | Dual bus concurrent multi-channel direct memory access controller and method |
US5546546A (en) * | 1994-05-20 | 1996-08-13 | Intel Corporation | Method and apparatus for maintaining transaction ordering and arbitrating in a bus bridge |
DE19509558A1 (en) * | 1995-03-16 | 1996-09-19 | Abb Patent Gmbh | Process for fault-tolerant communication under high real-time conditions |
US5781550A (en) | 1996-02-02 | 1998-07-14 | Digital Equipment Corporation | Transparent and secure network gateway |
US6546430B2 (en) * | 1996-04-25 | 2003-04-08 | Microsoft Corporation | Negotiating optimum parameters in a system of interconnected components |
US5842040A (en) | 1996-06-18 | 1998-11-24 | Storage Technology Corporation | Policy caching method and apparatus for use in a communication device based on contents of one data unit in a subset of related data units |
US6226723B1 (en) * | 1996-09-20 | 2001-05-01 | Advanced Memory International, Inc. | Bifurcated data and command/address communication bus architecture for random access memories employing synchronous communication protocols |
KR100205072B1 (en) * | 1996-12-05 | 1999-06-15 | 정선종 | Vram-based parity engine of a disk array controller |
US6009475A (en) * | 1996-12-23 | 1999-12-28 | International Business Machines Corporation | Filter rule validation and administration for firewalls |
US6240513B1 (en) * | 1997-01-03 | 2001-05-29 | Fortress Technologies, Inc. | Network security device |
US6591303B1 (en) | 1997-03-07 | 2003-07-08 | Sun Microsystems, Inc. | Method and apparatus for parallel trunking of interfaces to increase transfer bandwidth |
US6044207A (en) * | 1997-03-21 | 2000-03-28 | Adaptec, Inc. | Enhanced dual port I/O bus bridge |
US6101255A (en) * | 1997-04-30 | 2000-08-08 | Motorola, Inc. | Programmable cryptographic processing system and method |
US6088356A (en) | 1997-06-30 | 2000-07-11 | Sun Microsystems, Inc. | System and method for a multi-layer network element |
US6049528A (en) | 1997-06-30 | 2000-04-11 | Sun Microsystems, Inc. | Trunking ethernet-compatible networks |
US5909686A (en) | 1997-06-30 | 1999-06-01 | Sun Microsystems, Inc. | Hardware-assisted central processing unit access to a forwarding database |
US6016310A (en) * | 1997-06-30 | 2000-01-18 | Sun Microsystems, Inc. | Trunking support in a high performance network device |
US5951651A (en) * | 1997-07-23 | 1999-09-14 | Lucent Technologies Inc. | Packet filter system using BITMAP vector of filter rules for routing packet through network |
EP0893921A1 (en) * | 1997-07-25 | 1999-01-27 | Scientific Atlanta, Inc. | Programmable two-level packet filter |
US6775692B1 (en) | 1997-07-31 | 2004-08-10 | Cisco Technology, Inc. | Proxying and unproxying a connection using a forwarding agent |
US6154775A (en) | 1997-09-12 | 2000-11-28 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with dynamic rule processing with the ability to dynamically alter the operations of rules |
US6098172A (en) | 1997-09-12 | 2000-08-01 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with proxy reflection |
US6170012B1 (en) | 1997-09-12 | 2001-01-02 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with cache query processing |
US7143438B1 (en) | 1997-09-12 | 2006-11-28 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with multiple domain support |
US6141749A (en) | 1997-09-12 | 2000-10-31 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with stateful packet filtering |
US6067595A (en) * | 1997-09-23 | 2000-05-23 | Icore Technologies, Inc. | Method and apparatus for enabling high-performance intelligent I/O subsystems using multi-port memories |
US6061449A (en) * | 1997-10-10 | 2000-05-09 | General Instrument Corporation | Secure processor with external memory using block chaining and block re-ordering |
US6128661A (en) * | 1997-10-24 | 2000-10-03 | Microsoft Corporation | Integrated communications architecture on a mobile device |
US6330610B1 (en) | 1997-12-04 | 2001-12-11 | Eric E. Docter | Multi-stage data filtering system employing multiple filtering criteria |
AU771269B2 (en) * | 1998-03-13 | 2004-03-18 | Schlumberger Technology Corporation | Providing secure access to network services |
US6321336B1 (en) * | 1998-03-13 | 2001-11-20 | Secure Computing Corporation | System and method for redirecting network traffic to provide secure communication |
US6457129B2 (en) * | 1998-03-31 | 2002-09-24 | Intel Corporation | Geographic location receiver based computer system security |
US6154839A (en) * | 1998-04-23 | 2000-11-28 | Vpnet Technologies, Inc. | Translating packet addresses based upon a user identifier |
US8254371B2 (en) * | 1998-06-26 | 2012-08-28 | Alcatel Lucent | Method and system for routing and security for telephone calls over a packet-switched network |
US6247101B1 (en) * | 1998-07-01 | 2001-06-12 | Lsi Logic Corporation | Tagged access synchronous bus architecture |
US6223237B1 (en) * | 1998-07-07 | 2001-04-24 | Adaptive Systems, Inc. | Expandable communications bus |
US6400707B1 (en) * | 1998-08-27 | 2002-06-04 | Bell Atlantic Network Services, Inc. | Real time firewall security |
US6434600B2 (en) * | 1998-09-15 | 2002-08-13 | Microsoft Corporation | Methods and systems for securely delivering electronic mail to hosts having dynamic IP addresses |
CA2287689C (en) * | 1998-12-03 | 2003-09-30 | P. Krishnan | Adaptive re-ordering of data packet filter rules |
US6625150B1 (en) * | 1998-12-17 | 2003-09-23 | Watchguard Technologies, Inc. | Policy engine architecture |
US20020188720A1 (en) * | 1998-12-28 | 2002-12-12 | William F. Terrell | Method and apparatus for dynamically controlling the provision of differentiated services |
US6418472B1 (en) * | 1999-01-19 | 2002-07-09 | Intel Corporation | System and method for using internet based caller ID for controlling access to an object stored in a computer |
US6169700B1 (en) * | 1999-02-04 | 2001-01-02 | Lucent Technologies, Inc. | Wait state generator circuit and method to allow asynchronous, simultaneous access by two processors |
US6470342B1 (en) * | 1999-03-12 | 2002-10-22 | Compaq Computer Corporation | Process of maintaining a distributed map of transaction identifiers and using hashing to access these maps |
US6952401B1 (en) | 1999-03-17 | 2005-10-04 | Broadcom Corporation | Method for load balancing in a network switch |
US7643481B2 (en) | 1999-03-17 | 2010-01-05 | Broadcom Corporation | Network switch having a programmable counter |
US6470378B1 (en) * | 1999-03-31 | 2002-10-22 | Intel Corporation | Dynamic content customization in a clientserver environment |
US6701432B1 (en) | 1999-04-01 | 2004-03-02 | Netscreen Technologies, Inc. | Firewall including local bus |
US7051066B1 (en) | 1999-07-02 | 2006-05-23 | Cisco Technology, Inc. | Integrating service managers into a routing infrastructure using forwarding agents |
US6735169B1 (en) | 1999-07-02 | 2004-05-11 | Cisco Technology, Inc. | Cascading multiple services on a forwarding agent |
US6742045B1 (en) | 1999-07-02 | 2004-05-25 | Cisco Technology, Inc. | Handling packet fragments in a distributed network service environment |
US6650641B1 (en) | 1999-07-02 | 2003-11-18 | Cisco Technology, Inc. | Network address translation using a forwarding agent |
US6970913B1 (en) | 1999-07-02 | 2005-11-29 | Cisco Technology, Inc. | Load balancing using distributed forwarding agents with application based feedback for different virtual machines |
US6606315B1 (en) | 1999-07-02 | 2003-08-12 | Cisco Technology, Inc. | Synchronizing service instructions among forwarding agents using a service manager |
US6633560B1 (en) | 1999-07-02 | 2003-10-14 | Cisco Technology, Inc. | Distribution of network services among multiple service managers without client involvement |
US6704278B1 (en) | 1999-07-02 | 2004-03-09 | Cisco Technology, Inc. | Stateful failover of service managers |
US6549516B1 (en) | 1999-07-02 | 2003-04-15 | Cisco Technology, Inc. | Sending instructions from a service manager to forwarding agents on a need to know basis |
US7212534B2 (en) | 2001-07-23 | 2007-05-01 | Broadcom Corporation | Flow based congestion control |
US7245632B2 (en) | 2001-08-10 | 2007-07-17 | Sun Microsystems, Inc. | External storage for modular computer systems |
US7895431B2 (en) | 2004-09-10 | 2011-02-22 | Cavium Networks, Inc. | Packet queuing, scheduling and ordering |
US7535907B2 (en) | 2005-04-08 | 2009-05-19 | Oavium Networks, Inc. | TCP engine |
-
1999
- 1999-04-01 US US09/283,730 patent/US6701432B1/en not_active Expired - Lifetime
-
2000
- 2000-03-15 US US09/525,369 patent/US6772347B1/en not_active Expired - Lifetime
- 2000-03-31 WO PCT/US2000/008708 patent/WO2000060793A2/en active Application Filing
- 2000-03-31 AU AU40630/00A patent/AU4063000A/en not_active Abandoned
-
2004
- 2004-01-26 US US10/765,677 patent/US7363653B2/en not_active Expired - Fee Related
-
2008
- 2008-02-29 US US12/040,006 patent/US7784093B2/en not_active Expired - Fee Related
-
2010
- 2010-07-15 US US12/837,271 patent/US8490158B2/en not_active Expired - Fee Related
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5884025A (en) * | 1995-05-18 | 1999-03-16 | Sun Microsystems, Inc. | System for packet filtering of data packet at a computer network interface |
US5857083A (en) * | 1996-06-07 | 1999-01-05 | Yamaha Corporation | Bus interfacing device for interfacing a secondary peripheral bus with a system having a host CPU and a primary peripheral bus |
WO1998036539A1 (en) * | 1997-02-14 | 1998-08-20 | Advanced Micro Devices, Inc. | Apparatus and method for synthesizing management packets for transmission between a network switch and a host controller |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10552603B2 (en) | 2000-05-17 | 2020-02-04 | Finjan, Inc. | Malicious mobile code runtime monitoring system and methods |
US6996573B2 (en) | 2001-01-18 | 2006-02-07 | Stonesoft Oy | Screening of data packets in a gateway |
US7701942B2 (en) | 2001-06-14 | 2010-04-20 | Nec Corporation | Network monitor system, data amount counting method and program for use in the system |
EP1336915A1 (en) * | 2002-02-19 | 2003-08-20 | Broadcom Corporation | Method and apparatus for flexible frame processing and classification engine |
US7719980B2 (en) | 2002-02-19 | 2010-05-18 | Broadcom Corporation | Method and apparatus for flexible frame processing and classification engine |
EP1351110A1 (en) * | 2002-03-18 | 2003-10-08 | Broadcom Corporation | Fast flexible range checking |
US7277438B2 (en) | 2002-03-18 | 2007-10-02 | Broadcom Corporation | Fast flexible range checking |
EP1662700A1 (en) * | 2003-08-26 | 2006-05-31 | ZTE Corporation | Network communication security processor and data processing method |
EP1662700A4 (en) * | 2003-08-26 | 2012-06-13 | Zte Corp | Network communication security processor and data processing method |
CN107491953A (en) * | 2004-05-25 | 2017-12-19 | 沐溪支付技术股份公司 | System for supporting Web applications in POS terminal |
Also Published As
Publication number | Publication date |
---|---|
US6772347B1 (en) | 2004-08-03 |
US20040158744A1 (en) | 2004-08-12 |
US20100281532A1 (en) | 2010-11-04 |
US20080209540A1 (en) | 2008-08-28 |
WO2000060793A3 (en) | 2001-01-11 |
US6701432B1 (en) | 2004-03-02 |
AU4063000A (en) | 2000-10-23 |
US7363653B2 (en) | 2008-04-22 |
US8490158B2 (en) | 2013-07-16 |
US7784093B2 (en) | 2010-08-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6701432B1 (en) | Firewall including local bus | |
US8566612B2 (en) | System and method for a secure I/O interface | |
US7703138B2 (en) | Use of application signature to identify trusted traffic | |
US5386471A (en) | Method and apparatus for securely conveying network control data across a cryptographic boundary | |
JP4685855B2 (en) | Two parallel engines for high-speed transmission IPsec processing | |
JP5074558B2 (en) | Network processing using IPSec | |
US7467406B2 (en) | Embedded data set processing | |
US6839346B1 (en) | Packet switching apparatus with high speed routing function | |
US7676814B2 (en) | Four layer architecture for network device drivers | |
US4881263A (en) | Apparatus and method for secure transmission of data over an unsecure transmission channel | |
JP4743894B2 (en) | Method and apparatus for improving security while transmitting data packets | |
US8645537B2 (en) | Deep packet scan hacker identification | |
US7412726B1 (en) | Method and apparatus for out of order writing of status fields for receive IPsec processing | |
US11838318B2 (en) | Data plane with connection validation circuits | |
US8438641B2 (en) | Security protocol processing for anti-replay protection | |
US20070242682A1 (en) | Information processing device, information processing method, program, and recording medium | |
JP2007166514A (en) | Device and method for processing communication | |
US7624263B1 (en) | Security association table lookup architecture and method of operation | |
KR100864889B1 (en) | Device and method for tcp stateful packet filter | |
US7512787B1 (en) | Receive IPSEC in-line processing of mutable fields for AH algorithm | |
US7178023B1 (en) | System and method to facilitate secure communication of data | |
Lin et al. | Building an integrated security gateway: Mechanisms, performance evaluations, implementations, and research issues | |
JP2023519910A (en) | Methods for handling data anomalies, especially in automobiles | |
WO2005069578A1 (en) | Method and apparatus for network intrusion detection system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A2 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A2 Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
AK | Designated states |
Kind code of ref document: A3 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A3 Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
REG | Reference to national code |
Ref country code: DE Ref legal event code: 8642 |
|
122 | Ep: pct application non-entry in european phase | ||
NENP | Non-entry into the national phase |
Ref country code: JP |