Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular node for directing data and applying cryptography
Reexamination Certificate
1999-04-01
2004-03-02
Barrón, Gilberto (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Particular node for directing data and applying cryptography
C713S154000, C713S152000
Reexamination Certificate
active
06701432
ABSTRACT:
BACKGROUND OF THE INVENTION
The present invention relates generally to data routing systems, and more particularly to a method and apparatus for providing secure communications on a network.
A packet switch communication system includes a network of one or more routers connecting a plurality of users. A packet is the fundamental unit of transfer in the packet switch communication system. A user can be an individual user terminal or another network. A router is a switching device which receives packets containing data or control information on one port, and based on destination information contained within the packet, routes the packet out another port to the destination (or intermediary destination). Conventional routers perform this switching function by evaluating header information contained within the packet in order to determine the proper output port for a particular packet.
The network can be an intranet, that is, a network connecting one or more private servers such as a local area network (LAN). Alternatively, the network can be a public network, such as the Internet, in which data packets are passed over untrusted communication links. The network configuration can include a combination of public and private networks. For example, two or more LANs can be coupled together with individual terminals using a public network such as the Internet. When public and private networks are linked, data security issues arise. More specifically, conventional packet switched communication systems that include links between public and private networks typically include security measures for assuring data integrity.
In order to assure individual packet security, packet switched communication systems can include encryption/decryption services. Prior to leaving a trusted portion of a network, individual packets can be encrypted to minimize the possibility of data loss while the packet is transferred over the untrusted portion of the network (the public network). Upon receipt at a destination or another trusted portion of the communication system, the packet can be decrypted and subsequently delivered to a destination. The use of encryption and decryption allows for the creation of a virtual private network (VPN) between users separated by untrusted communication links.
In addition to security concerns for the data transferred over the public portion of the communications system, the private portions of the network must safeguard against intrusions through the gateway provided at the interface of the private and the public networks. A firewall is a device that can be coupled in-line between a public network and private network for screening packets received from the public network. Referring now to FIG. 1a, a conventional packet switch communication system 100 can include two private networks 102 coupled by a public network 104 for facilitating the communication between a plurality of user terminals 106. Each private network can include one or more servers and a plurality of individual terminals. Each private network 102 can be an intranet such as a LAN. Public network 104 can be the Internet, or other public network having untrusted links for linking packets between private networks 102a and 102b. At each gateway between a private network 102 and public network 104 is a firewall 110. The architecture for a conventional firewall is shown in FIG. 1b.
Firewall 110 includes a public network link 120, private network link 122 and memory controller 124 coupled by a bus (e.g., PCI bus) 125. Memory controller 124 is coupled to a memory (RAM) 126 and firewall engine 128 by a memory bus 129. Firewall engine 128 performs packet screening prior to routing packets through to private network 102. A central processor (CPU) 134 is coupled to memory controller 124 by a CPU bus 132. CPU 134 oversees the memory transfer operations on all buses shown. Memory controller 124 is a bridge connecting CPU bus 132, memory bus 129 and PCI bus 125.
Packets are received at public network link 120. Each packet is transferred on bus 125 to, and routed through, memory controller 124 and on to RAM 126 via memory bus 129. When firewall engine 128 is available, packets are fetched using memory bus 129 and processed by the firewall engine 128. After processing by the firewall engine 128, the packet is returned to RAM 126 using memory bus 129. Finally, the packet is retrieved by the memory controller 124 using memory bus 129, and routed to private network link 122.
Unfortunately this type of firewall is inefficient in a number of ways. A majority of the traffic in the firewall utilizes memory bus 129. However, at any time, memory bus 129 can allow only one transaction. Thus, memory bus 129 becomes a bottleneck for the whole system and limits system performance.
The encryption and decryption services as well as authentication services performed by firewall engine 128 typically are performed in series. That is, a packet is typically required to be decrypted prior to authentication. Serial processes typically slow performance.
A conventional software firewall can sift through packets when connected through a T-1 or fractional T-1 link. But at T-3, Ethernet, or fast Ethernet speeds, software-based firewalls running on an average desktop PC can get bogged down.
SUMMARY OF THE INVENTION
In general, in one aspect, the invention provides a gateway for screening packets transferred over a network. The gateway includes a plurality of network interfaces, a memory and a memory controller. Each network interface receives and forwards messages from a network through the gateway. The memory temporarily stores packets received from a network. The memory controller couples each of the network interfaces and is configured to coordinate the transfer of received packets to and from the memory using a memory bus. The gateway includes a firewall engine coupled to the memory bus. The firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface. A local bus is coupled between the firewall engine and the memory providing a second path for retrieving packets from memory when the memory bus is busy. An expandable external rule memory is coupled to the local bus and includes one or more rule sets accessible by the firewall engine using the local bus. The firewall engine is operable to retrieve rules from a rule set and screen packets in accordance with the retrieved rules.
Aspects of the invention can include one or more of the following features. The firewall engine can be implemented in a hardware ASIC. The ASIC includes an authentication engine operable to authenticate a retrieved packet contemporaneously with the screening of the retrieved packet by the firewall engine. The gateway includes a decryption/encryption engine for decrypting and encrypting retrieved packets.
The ASIC can include an internal rule memory for storing one or more rule sets used by the firewall engine for screening packets. The internal rule memory includes oft accessed rule sets while the external rule memory is configured to store lesser accessed rule sets. The internal rule memory includes a first portion of a rule set, and a second portion of the rule set is stored in the external rule memory. The memory can be a dual-port memory configured to support simultaneous access from each of the memory bus and the local bus.
The gateway can include a direct memory access controller configured for controlling memory accesses by the firewall engine to the memory when using the local bus.
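The summary describes a firewall engine that retrieves rules from a rule set and screens each packet accordingly, with oft-accessed rule sets held in a small internal rule memory and lesser-accessed sets in an expandable external rule memory. The following is an added illustration written for this page, not the patent's or Netscreen's own code: it models that split as a small LRU cache in front of a larger rule store, selects a rule set per destination network, and applies first-match screening with a default deny. All rule sets, addresses (RFC 5737 documentation ranges), the /16-based rule-set selection and the cache size are constructed assumptions.

```python
"""Constructed illustration of a rule-set-driven packet screener with a
two-tier rule memory. Rule sets, addresses and sizing are assumptions."""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    proto: str   # "tcp", "udp", "icmp"
    dport: int   # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    # None in any field is a wildcard; the first matching rule wins.
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    action: str  # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.src, p.src), (self.dst, p.dst),
            (self.proto, p.proto), (self.dport, p.dport)))


class RuleMemory:
    """Models the split rule memory: a small internal memory caching the most
    recently used rule sets (LRU) in front of an external memory holding every
    rule set. Counters record where each fetch was served from."""

    def __init__(self, rule_sets: Dict[str, List[Rule]], internal_capacity: int):
        self.external = dict(rule_sets)
        self.internal: "OrderedDict[str, List[Rule]]" = OrderedDict()
        self.capacity = internal_capacity
        self.internal_hits = 0
        self.external_fetches = 0

    def fetch(self, name: str) -> List[Rule]:
        if name in self.internal:                   # served from internal memory
            self.internal.move_to_end(name)
            self.internal_hits += 1
            return self.internal[name]
        if name not in self.external:               # no rule set for this destination
            return []
        rules = self.external[name]                 # slower path to external memory
        self.external_fetches += 1
        self.internal[name] = rules
        if len(self.internal) > self.capacity:      # evict the least recently used set
            self.internal.popitem(last=False)
        return rules


class FirewallEngine:
    """Screens packets: picks the rule set for the destination /16 (an assumed
    keying scheme), fetches it through the rule memory, applies first-match
    semantics, and denies anything no rule covers."""

    def __init__(self, memory: RuleMemory, default_action: str = "deny"):
        self.memory = memory
        self.default_action = default_action

    @staticmethod
    def rule_set_for(p: Packet) -> str:
        return ".".join(p.dst.split(".")[:2]) + ".0.0/16"

    def screen(self, p: Packet) -> str:
        for rule in self.memory.fetch(self.rule_set_for(p)):
            if rule.matches(p):
                return rule.action
        return self.default_action


def run_demo() -> Tuple[List[str], int, int]:
    """Screens a constructed packet trace; returns (decisions, internal hits, external fetches)."""
    rule_sets = {
        "10.1.0.0/16": [Rule(None, None, "tcp", 80, "permit"),
                        Rule(None, None, "tcp", 22, "deny")],
        "10.2.0.0/16": [Rule("192.0.2.5", None, "udp", 53, "permit")],
        "10.3.0.0/16": [Rule(None, None, None, None, "permit")],
    }
    memory = RuleMemory(rule_sets, internal_capacity=2)
    engine = FirewallEngine(memory)
    trace = [  # constructed sample packets using RFC 5737 documentation addresses
        Packet("198.51.100.7", "10.1.0.9", "tcp", 80),
        Packet("198.51.100.7", "10.1.0.9", "tcp", 22),
        Packet("198.51.100.7", "10.1.0.9", "tcp", 443),
        Packet("192.0.2.5", "10.2.0.3", "udp", 53),
        Packet("203.0.113.1", "10.3.0.1", "icmp", 0),
        Packet("198.51.100.7", "10.1.0.9", "tcp", 80),
        Packet("203.0.113.1", "10.4.0.1", "tcp", 80),
    ]
    decisions = [engine.screen(p) for p in trace]
    return decisions, memory.internal_hits, memory.external_fetches


if __name__ == "__main__":
    decisions, hits, fetches = run_demo()
    for d in decisions:
        print(d)
    print(f"internal hits={hits} external fetches={fetches}")
```

With an internal capacity of two rule sets, the trace shows the effect the text is after: repeated traffic to the same destination network is served from the internal memory, while a working set larger than the internal memory forces fetches from the external store and evictions. A packet whose destination has no rule set at all falls through to the default deny rather than being forwarded.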
In another aspect, the invention provides a rule set for use in a gateway. The gateway is operable to screen packets transferred over a network and includes a plurality of network interfaces, a memory, a memory controller and a firewall engine. Each network interface receives and forwards messages from a network through the gateway. The memory is configured to temporarily
Deng Feng
Ke Yan
Luo Dongping
Barrón Gilberto
Fish & Richardson P.C.
Netscreen Technologies, Inc.
Zand Kambiz