US 20130291088A1

(19) United States
(12) Patent Application Publication
Shieh et al.

(10) Pub. No.: US 2013/0291088 A1
(43) Pub. Date: Oct. 31, 2013

(54) COOPERATIVE NETWORK SECURITY INSPECTION

(71) Applicants: Choung-Yaw Michael Shieh, Palo Alto, CA (US); Meng Xu, Los Altos, CA (US); Yi Sun, San Jose, CA (US); Jia-Jyi Roger Lian, Saratoga, CA (US)

(72) Inventors: Choung-Yaw Michael Shieh, Palo Alto, CA (US); Meng Xu, Los Altos, CA (US); Yi Sun, San Jose, CA (US); Jia-Jyi Roger Lian, Saratoga, CA (US)

(21) Appl. No.: 13/860,408

(22) Filed: Apr. 10, 2013

Related U.S. Application Data

(60) Provisional application No. 61/686,828, filed on Apr. 11, 2012.

Publication Classification

(51) Int. Cl.
H04L 29/06 (2006.01)

(52) U.S. Cl.
CPC ........ H04L 63/0218 (2013.01); H04L 63/0263 (2013.01)
USPC ........ 726/11

(57) ABSTRACT
`
A network system includes a security device and a network access device. The network access device is to receive a packet from a source node destined to a destination node, and to examine a data structure maintained by the network access device to determine whether the data structure stores a data member having a predetermined value, the data member indicating whether the packet should undergo security processing. If the data member matches the predetermined value, the packet is transmitted to a security device associated with the network access device to allow the security device to perform content inspection, and in response to a response received from the security device, the packet is routed to the destination node dependent upon the response. Otherwise, the packet is routed to the destination node without forwarding the packet to the security device.
`
[FIG. 1 (front-page drawing): system 200 with nodes 201 and 202 (e.g., clients); network access device(s) 204 containing firewall module(s) 209; firewall controller 208 and firewall module(s) 210 on firewall processing node(s) 211, which together with modules 209 form distributed firewall 212; nodes 206 and 207 (e.g., servers).]

Exhibit 1006
Cisco v. Orckit – IPR2023-00554
Page 1 of 19
[FIG. 2A: administrator 265; other network(s); FW controller 208; network access devices 204A, 204B and 204C, each holding a flow table (251A, 251B, 251C) and a FW module (209A, 209B, 209C); FW processing nodes 211A and 211B; secured tunnels 260 between the controller and the network access devices; nodes 206 and 207 (e.g., servers).]
[FIG. 2B (processing flow between packet source 271, network switches 272, security device 273 and packet destination 274):
281: packet in at the network switch.
282: forward to the security device for inspection.
283: return after inspection.
284: packet out to the destination.
285: "Notify: No more inspection" from the security device to the switch.
286: subsequent packet in / packet out, routed without the security device.
287: notification to the security device; clean up states.]
[FIG. 3: distributed firewall 212 comprising a central controller, virtual I/O 302 and 303, a virtual cache, security processing 310-311, service processing 312-313 and related modules 308-309, serving servers 321-323 between external network 320 and the LAN.]
[FIG. 4: data processing system 410 with central processor 414, system memory 417, I/O controller, network interface 448, serial ports (including 430), display adapter 426 and display screen, keyboard controller and keyboard 432, mouse 446, storage interface 434 and fixed disk 444, host bus adapters 435A and 435B, SCSI bus 439, modem 447, optical disk drive 440, floppy disk unit 437 and audio interface 422.]
[FIG. 5 (Sheet 6 of 10): flow/session table of a network access device whose per-flow entries carry, among other fields, a bypass flag 501, notification events 502 and filtering rules 503 (see paragraph [0030]).]
[FIG. 6: processing modules 300A and 300B (virtual I/O, security processing, or service processing), each built from application layers on top of an operating system, a VM Ethernet interface and a VM Ethernet driver (301A, 301B), communicating with each other over a Layer 2 protocol (e.g., Ethernet protocol) or a Layer 3 protocol (e.g., IP protocol).]
[FIG. 7 (method 700):
701: Receive at a network access device (NAD) a packet from a source node destined to a destination node.
702: Determine (e.g., based on a bypass flag) whether the packet should be forwarded to a security processing device for security processing.
703: If no, route the packet to a next hop to be delivered to the destination node.
704: If yes, forward the packet to the security processing device.
End.]
[FIG. 8 (Sheet 9 of 10): set of code and data stored in memory of a security gateway, including security processing, session/flow table and network communication modules.]
[FIG. 9 (900): virtual machine creator 901; virtual machine(s) 902; processing module 903 (e.g., IO module, security processing module, and/or service processing module); virtual machine manager (VMM) 904; communication interface 905.]
US 2013/0291088 A1
Oct. 31, 2013

COOPERATIVE NETWORK SECURITY INSPECTION

RELATED APPLICATIONS

[0001] This application claims the benefit of U.S. Provisional Patent Application No. 61/686,828, filed Apr. 11, 2012, which is incorporated by reference in its entirety.

FIELD OF THE INVENTION

[0002] Embodiments of the present invention relate generally to network security. More particularly, embodiments of the invention relate to enabling network security with network equipment.

BACKGROUND

[0003] Network security devices are designed to be put in the data path of the network traffic in order to inspect and control the network traffic. A popular way to deploy network security is the so-called "bump-in-the-wire" approach, in which the devices are deployed in the data path for security inspection. However, it may not be practical to deploy security devices on every data path of network traffic in a data center. There is also a need to be able to flexibly perform security inspection on different parts of networks. The traditional bump-in-the-wire deployment cannot fulfill these needs.

BRIEF DESCRIPTION OF THE DRAWINGS

[0004] Embodiments of the invention are illustrated by way of example and not limitation in the figures of the accompanying drawings in which like references indicate similar elements.
[0005] FIG. 1 is a block diagram illustrating an example of a network configuration according to one embodiment of the invention.
[0006] FIG. 2A is a block diagram illustrating an example of a network configuration according to another embodiment of the invention.
[0007] FIG. 2B is a processing flow diagram illustrating a process of security inspection according to one embodiment of the invention.
[0008] FIG. 3 is a block diagram illustrating an example of a distributed firewall according to one embodiment of the invention.
[0009] FIG. 4 is a block diagram illustrating an example of a data processing system which may be used as an embodiment of the invention.
[0010] FIG. 5 is a block diagram illustrating a forwarding table according to one embodiment of the invention.
[0011] FIG. 6 is a block diagram illustrating an architecture of a processing module according to one embodiment of the invention.
[0012] FIG. 7 is a flow diagram illustrating a method for performing firewall operations using a distributed firewall according to one embodiment of the invention.
[0013] FIG. 8 illustrates a set of code (e.g., programs) and data that is stored in memory of one embodiment of a security gateway according to one embodiment.
[0014] FIG. 9 illustrates a set of code (e.g., programs) and data that is stored in memory according to one embodiment.

DETAILED DESCRIPTION

[0015] Various embodiments and aspects of the inventions will be described with reference to details discussed below, and the accompanying drawings will illustrate the various embodiments. The following description and drawings are illustrative of the invention and are not to be construed as limiting the invention. Numerous specific details are described to provide a thorough understanding of various embodiments of the present invention. However, in certain instances, well-known or conventional details are not described in order to provide a concise discussion of embodiments of the present inventions.
[0016] Reference in the specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in conjunction with the embodiment can be included in at least one embodiment of the invention. The appearances of the phrase "in one embodiment" in various places in the specification do not necessarily all refer to the same embodiment.
[0017] According to some embodiments, a mechanism is utilized to dynamically perform security inspection in a network. In one embodiment, the mechanism includes two functions: 1) an input/output (IO) function that performs the distribution of network traffic; and 2) a security-processing function that performs security processing, including security inspection and policy enforcement. The IO function receives the packets and uses a session table to forward the packets to the security-processing function. A session table is a data structure that stores connection states, including the destination of the security-processing function. In one embodiment, the IO function determines, based on an internal data structure such as a session or flow table, whether the packet should be forwarded to the security processing function for security inspection. The configuration of the IO function to control whether to forward the packets to the security processing function can be set based on a command received from an administrator or, alternatively, based on a signal received from the security processing function.
[0018] According to one embodiment, an administrator can configure, for example, via a controller or a management entity, a network access device to set up a set of filtering rules specifying whether and/or what types of packets should be forwarded to a security device and which of the security devices should perform the security inspection. In this embodiment, the controller is configured to manage multiple network access devices and/or multiple security devices. Alternatively, a security device may inform a network access device that subsequent packets of a particular session should be forwarded from the network access device for security inspection. In one embodiment, a security device performs the security inspection at the beginning of the flow or session, and at a certain point, the security device decides that it no longer needs to inspect further packets of the same session.
[0019] Advantages of embodiments of the present invention include, without limitation, providing a way to integrate partial network security functions into other network equipment, such as switches or routers. The integration allows network administrators to turn on security inspection functionality when there is a need for it, so that one can flexibly perform security inspection when needed. The notification between I/O functions and security-processing functions can reduce the number of packets to be inspected, thus enhancing performance without relaxing network security.

[0020] FIG. 1 is a block diagram illustrating an example of a network configuration according to one embodiment of the invention. Referring to FIG. 1, network access device 204, which may be a router or gateway, a switch or an access point, etc., provides an interface between network 203 and network 205. Network 203 may be an external network such as a wide area network (WAN) (e.g., the Internet) while network 205 represents a local area network (LAN). Nodes 206-207 go through gateway device 204 in order to reach nodes 201-202, or vice versa. Any of nodes 201-202 and 206-207 may be a client device (e.g., a desktop, laptop, smartphone, gaming device) or a server.
[0021] According to one embodiment, network access device 204 is associated with a distributed firewall 212 that includes various firewall processing modules, for example, each being executed within a virtual machine (VM). In one embodiment, each firewall module is responsible for performing one or more firewall functions, but it does not include all of the firewall functions of a firewall. Examples of the firewall functions include, but are not limited to, network address translation (NAT), virtual private network (VPN), deep packet inspection (DPI), and/or anti-virus, etc. In one embodiment, some of the firewall processing modules are located within network access device 204 (e.g., firewall modules 209) and some are located external to network access device 204 (e.g., firewall modules 210 maintained by firewall processing node(s) 211, which may be a dedicated firewall processing machine). All of the firewall modules 209-210 are managed by firewall controller 208, which may be located within network access device 204, or external to network access device 204, such as, for example, in a public cloud associated with network 203, or in a private cloud associated with network 205. Controller 208 and firewall processing modules 209-210 collectively are referred to herein as distributed firewall 212.
[0022] A virtual machine represents a completely isolated operating environment with a dedicated set of resources associated therewith. A virtual machine may be installed or launched as a guest operating system (OS) hosted by a host OS. In one embodiment, a host OS represents a virtual machine monitor (VMM) (also referred to as a hypervisor) for managing the hosted virtual machines. A guest OS may be of the same or a different type with respect to the host OS. For example, a guest OS may be a Windows™ operating system and a host OS may be a LINUX operating system. In addition, the guest operating systems (OSes) running on a host can be of the same or different types. A virtual machine can be any type of virtual machine, such as, for example, hardware emulation, full virtualization, para-virtualization, and operating system-level virtualization virtual machines. Different virtual machines hosted by a server may have the same or different privilege levels for accessing different resources.
[0023] According to one embodiment, a mechanism is utilized to dynamically perform security inspection in a network. In one embodiment, the mechanism includes two functions: 1) an input/output (IO) function (e.g., firewall module(s) 209) that performs the distribution of network traffic; and 2) a security-processing function (e.g., firewall module(s) 210) that performs security processing, including security inspection and policy enforcement. IO function 209 receives the packets and uses a session table to forward the packets to security-processing function 210. A session table is a data structure that stores connection states, including the destination of the security-processing function. In one embodiment, IO function 209 determines, based on an internal data structure such as a session or flow table (e.g., the session table as shown in FIG. 5), whether the packet should be forwarded to security processing function 210 for security inspection. The configuration of IO function 209 to control whether to forward the packets to security processing function 210 can be set based on a command received from an administrator or, alternatively, based on a signal received from security processing function 210.
[0024] FIG. 2A is a block diagram illustrating an example of a network configuration according to another embodiment of the invention. System 250 may represent at least part of system 200 as shown in FIG. 1. Referring to FIG. 2A, in this embodiment, multiple network access devices such as devices 204A-204C are arranged in a hierarchical structure, where each network access device provides an interface of a corresponding LAN or local network segment to an external network. For example, network access device 204B provides an interface of a LAN having at least one member such as node 206 to an external network or network segment that is hosted by network access device 204A. Similarly, network access device 104C provides an interface for its members such as node 207. The LANs associated with network access devices 204B-204C may be located within a physical site or a data center or, alternatively, they may be allocated across multiple physical sites or data centers.
[0025] According to one embodiment, each of network access devices 204A-204C maintains a persistent connection such as secure connections or tunnels 260 with a controller or management entity 208 for exchanging management messages and configurations, or distributing routing information to network access devices 204A-204C, etc. In one embodiment, controller 208 communicates with each of the network access devices 204A-204C using a management protocol such as the OpenFlow™ protocol. OpenFlow is a Layer 2 communications protocol (e.g., media access control or MAC layer) that gives access to the forwarding plane of a network switch or router over the network. In simpler terms, OpenFlow allows the path of network packets through the network of switches to be determined by software running on multiple routers (minimum two of them, primary and secondary, having a role of observers). This separation of the control from the forwarding allows for more sophisticated traffic management than is feasible using access control lists (ACLs) and routing protocols.
[0026] The OpenFlow technology consists of three parts: flow tables installed on switches, a controller, and an OpenFlow protocol for the controller to talk securely with switches. Flow tables are set up on switches or routers. Controllers talk to the switches via the OpenFlow Protocol, which is secure, and impose policies on flows. For example, a simple flow might be defined as any traffic from a given IP address. The rule governing it might be to route the flow through a given switch port. With its knowledge of the network, the controller could set up paths through the network optimized for speed, fewest number of hops or reduced latency, among other characteristics. Using OpenFlow takes control of how traffic flows through the network out of the hands of the infrastructure, the switches and routers, and puts it in the hands of the network owner (such as a corporation), individual users or individual applications.
[0027] Referring back to FIG. 2A, in one embodiment, each of the network access devices 204A-204C maintains a flow table or session table (e.g., flow tables 251A-251C) and a
firewall module (e.g., 209A-209C). A network flow refers to a sequence of packets from a source computer to a destination, which may be another host, a multicast group, or a broadcast domain. For example, a TCP/IP flow can be uniquely identified by the following parameters within a certain time period: 1) source and destination IP address; 2) source and destination port; and 3) Layer 4 protocol (TCP/UDP/ICMP). A session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices. A session is set up or established at a certain point in time and torn down at a later point in time. An established communication session may involve more than one message in each direction. A session is typically, but not always, stateful, meaning that at least one of the communicating entities needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses. Flow tables 251A-251C may be implemented as a combination of a flow table and a session table.
[0028] Firewall modules 209A-209C may be part of a distributed firewall described above. For example, firewall modules 209A-209C may be the IO functions of a firewall while nodes 211A-211B may be firewall processing nodes. That is, modules 211A-211B may be dedicated firewall processing devices that perform some firewall processing operations such as DPI, content inspection, antivirus, etc., while firewall modules 209A-209C are responsible for routing data packets. For example, when firewall module 209B receives a packet from node 206, it may forward the packet to firewall processing node 211A for content inspection and/or forward the packet to controller 208 for routing information. In response, firewall processing node 211A analyzes the received packet and/or further communicates with controller 208. Controller 208 may provide further routing information back to network access device 204B regarding how to route the packet. Each of the firewall processing nodes 211A-211B may further maintain a persistent connection or tunnel with controller 208, for example, using the OpenFlow communication protocol.
[0029] According to one embodiment, an administrator 265 configures, for example, via a controller or a management entity 208, a network access device (e.g., network access devices 204A-204C) to set up a set of filtering rules concerning whether and/or what types of packets should be forwarded to a security device and which of the security devices (e.g., security devices 211A-211B) should perform the security inspection. In this embodiment, controller 208 is configured to manage multiple network access devices 204A-204C and/or multiple security devices 211A-211B. Alternatively, a security device, such as security device 211A, may inform a network access device, such as network access device 204B, whether subsequent packets of a particular session should be forwarded from the network access device for security inspection. A security device may perform the security inspection on packets at the beginning of the flow or session, and at a certain point, the security device decides that it no longer needs to inspect further packets of the same session.
[0030] The configuration information may be stored in a memory or storage device of a network access device. In one embodiment, such configuration information may be stored as part of a flow table or session table as shown in FIG. 5. Referring to FIG. 5, a bypass flag 501 may be received from a security device indicating that the security device no longer wishes to receive further packets of the same session for security inspection. In addition, a security device may register certain notification events 502 with a network access device, such that when the network access device detects such events, it will notify the security device. Further, a set of one or more filtering rules 503 may be received from an administrator to filter and send only certain types of packets to a security device for inspection.
[0031] According to one embodiment, referring back to FIG. 2A, when a security-processing function (e.g., processing node 211A) receives the packets, it performs the security inspection and security policy enforcement. The packets are then forwarded to the next I/O function (e.g., modules 209A-209C). The next I/O function may be chosen by a layer 2 decision such as an Ethernet MAC address lookup, by IP address routing, or by other methods.
[0032] To be able to flexibly apply network security in the network, in one embodiment of the invention the I/O function (e.g., module 209B) is integrated with existing network equipment, such as network switches or routers (e.g., network access device 204B). The integration of I/O functions could be onto physical network switches or virtual software switches. The security-processing function runs on separate network security devices.
[0033] The I/O function performs a couple of operations when it receives the packets. The first is to look up the connection to which the packets belong. It performs a lookup into the session table (e.g., table 251B) to determine if it has previously processed any packets of the connection. If the connection state is already in the session table, it can determine where the security-processing function is and then forward the packet. If it cannot find the connection in the session table, it can either forward the packet to any known security-processing function, or to another network device to determine to which security-processing function to forward the packets.
[0034] Once the network switches integrate the security I/O functions, one can easily turn network security on or off in networks. If network administrators want to apply security policies to networks, they can turn on the I/O functions on the network equipment. The packets are then forwarded to the security-processing functions for security inspection and policy enforcement. The administrators can apply a filter to the I/O functions so that only packets of interest are forwarded to the security-processing function. The administrators can turn off the I/O functions to skip the security inspection.
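As an added illustration (not code from the patent or its assignee), the following Python model puts together the I/O function of paragraphs [0033]-[0034], the session table of [0027] and the bypass flag of FIG. 5 and FIG. 7: a network access device keeps a session table keyed by the TCP/IP 5-tuple, sends only flows matching the administrator's filtering rules to a security device, and stops forwarding a session once the device reports it needs no more packets. The device name "fw-211A", the four-packet application-identification policy, the blocked-port rule and the sample flows are constructed for the example.

```python
"""Model of the cooperative inspection path: a network access device (NAD) with
a 5-tuple session table, administrator filtering rules and a bypass flag the
security device sets once it needs no more packets of a session (constructed)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Flow identity from paragraph [0027]: src/dst IP, src/dst port, L4 protocol.
FlowKey = Tuple[str, str, int, int, str]
# Filtering rule (FIG. 5, 503): predicate on the packet -> name of security device.
FilterRule = Tuple[Callable[["Packet"], bool], str]

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str

    def key(self) -> FlowKey:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)

@dataclass
class SessionEntry:
    security_device: str   # destination of the security-processing function
    bypass: bool = False   # bypass flag (FIG. 5, 501): set on device notification
    packets_seen: int = 0

class SecurityDevice:
    """Security-processing function. Constructed policy: identify the application
    from the first `inspect_first` packets, then tell the NAD the rest of the
    session needs no inspection; drop anything to a blocked port."""

    def __init__(self, name: str, inspect_first: int = 4,
                 blocked_ports: Tuple[int, ...] = (23,)) -> None:
        self.name = name
        self.inspect_first = inspect_first
        self.blocked_ports = set(blocked_ports)
        self.inspected = 0   # packets that actually reached this device

    def inspect(self, pkt: Packet, entry: SessionEntry) -> Tuple[str, bool]:
        """Return (verdict, no_more_inspection)."""
        self.inspected += 1
        if pkt.dst_port in self.blocked_ports:
            return "drop", False
        return "allow", entry.packets_seen >= self.inspect_first

class NetworkAccessDevice:
    """I/O function integrated in the switch or router (module 209 in the text)."""

    def __init__(self, devices: Dict[str, SecurityDevice],
                 filter_rules: List[FilterRule]) -> None:
        self.devices = devices
        self.filter_rules = filter_rules
        self.session_table: Dict[FlowKey, SessionEntry] = {}

    def handle(self, pkt: Packet) -> str:
        """FIG. 7: 701 receive, 702 decide, 703 route directly or 704 forward."""
        key = pkt.key()
        entry = self.session_table.get(key)
        if entry is None:                        # first packet of this connection
            device_name: Optional[str] = next(
                (name for pred, name in self.filter_rules if pred(pkt)), None)
            if device_name is None:
                return "routed"                  # not of interest: never inspected
            entry = SessionEntry(security_device=device_name)
            self.session_table[key] = entry
        if entry.bypass:
            return "bypassed"                    # 703 without touching the device
        entry.packets_seen += 1
        verdict, no_more = self.devices[entry.security_device].inspect(pkt, entry)
        if no_more:
            entry.bypass = True                  # "Notify: No more inspection" (285)
        return "allowed" if verdict == "allow" else "dropped"

    def close_session(self, pkt: Packet) -> None:
        """Clean up states when the session ends (FIG. 2B, 287)."""
        self.session_table.pop(pkt.key(), None)

def run_demo() -> Dict[str, object]:
    """Drive three constructed flows through one NAD and one security device."""
    fw = SecurityDevice("fw-211A", inspect_first=4)
    nad = NetworkAccessDevice(
        {fw.name: fw},
        [(lambda p: p.proto == "tcp" and p.dst_port in (23, 80), fw.name)])
    http = Packet("10.0.0.5", "10.0.1.9", 40000, 80, "tcp")    # inspected, then bypassed
    dns = Packet("10.0.0.5", "10.0.0.53", 51000, 53, "udp")    # matches no rule
    telnet = Packet("10.0.0.7", "10.0.1.9", 41000, 23, "tcp")  # dropped by policy
    http_results = [nad.handle(http) for _ in range(6)]
    dns_result = nad.handle(dns)
    telnet_results = [nad.handle(telnet) for _ in range(2)]
    nad.close_session(http)
    return {"http": http_results, "dns": dns_result, "telnet": telnet_results,
            "inspected": fw.inspected, "open_sessions": len(nad.session_table)}
```

Of the six HTTP packets only the first four reach the security device; the DNS flow never does, and a dropped flow keeps being inspected because the device never sets the bypass flag for it.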
[0035] An embodiment of the invention also controls the communication between I/O functions and security-processing functions to enable packets to bypass the security-processing function if there is no more need to inspect the packets of the connection. Some of the security functions do not need to inspect all the packets of a connection. For example, to identify the application of a connection, there may only be a need to inspect the first four or five packets to make the identification. In this case, the security-processing function can notify the I/O functions to bypass the security-processing function for the rest of the packets of the connection. Once the I/O function receives the notification, it will forward the packets out without redirecting the packets to the security-processing functions. This would greatly improve the performance even
