Distributed multi-processing security gateway

Information

  • Patent Grant
  • 9258332
  • Patent Number
    9,258,332
  • Date Filed
    Thursday, October 23, 2014
    10 years ago
  • Date Issued
    Tuesday, February 9, 2016
    8 years ago
Abstract
A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.
Description
BACKGROUND

1. Field


This invention relates generally to data networking, and more specifically, to a system and method for a distributed multi-processing security gateway.


2. Related Art


Data network activities increase as more and more computers are connected through data networks, and more and more applications utilize the data networks for their functions. Therefore, it becomes more important to protect the data network against security breaches.


There are currently many security gateways such as firewalls, VPN firewalls, parental control appliances, email virus detection gateways, special gateways for phishing and spyware, intrusion detection and prevention appliances, access control gateways, identity management gateways, and many other types of security gateways. These products are typically implemented using a general purpose micro-processor such as Intel Pentium, an AMD processor or a SPARC processor, or an embedded micro-processor based on RISC architecture such as MIPS architecture, PowerPC architecture, or ARM architecture.


Micro-processor architectures are limited in their processing capability. Typically they are capable of handling up to a gigabit per second of bandwidth. In the past few years, data network bandwidth utilization increases at a pace faster than improvements of micro-processor capabilities. Today, it is not uncommon to see multi-gigabit per second of data network bandwidth utilization in many medium and large secure corporate data networks. It is expected such scenarios to become more prevailing in most data networks, including small business data network, residential networks, and service provider data networks.


The trend in the increasing usage of data networks illustrates a need for better and higher capable security gateways, particularly in using multiple processing elements, each being a micro-processor or based on micro-processing architecture, to work in tandem to protect the data networks.


SUMMARY

A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.


System and computer program products corresponding to the above-summarized methods are also described and claimed herein.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1
a illustrates a secure data network.



FIG. 1
b illustrates an overview of a network address translation (NAT) process.



FIG. 1
c illustrates a NAT process for a TCP session.



FIG. 2 illustrates a distributed multi-processing security gateway.



FIG. 3 illustrates a dispatching process.



FIG. 4 illustrates a proxy network address selection process.



FIG. 5 illustrates a multi-processor core embodiment of the invention.





DETAILED DESCRIPTION


FIG. 1
a illustrates an exemplary secure data network. Security gateway 170 protects a secure data network 199.


In some embodiments, secure data network 199 is a residential data network, a corporate network, a regional corporate network, or a service provider network.


In various embodiments, security gateway 170 is a residential broadband gateway, a corporate firewall, a regional office firewall or a department firewall, a corporate virtual private network (VPN) firewall, or an Internet gateway of a service provider network.


When host 130 inside secure data network 199 accesses a server 110 outside secure data network 199, host 130 establishes a session with server 110 through security gateway 170. Data packets exchanged within the session, between host 130 and server 110, pass through security gateway 170. Security gateway 170 applies a plurality of security policies during processing of the data packets within the session. Examples of security policies include network address protection, content filtering, virus detection and infestation prevention, spyware or phishing blocking, network intrusion or denial of service prevention, data traffic monitoring, or data traffic interception.



FIG. 1
b illustrates an overview of an exemplary network address translation (NAT) process.


In some embodiments, a security policy is to protect network address of host 130. Host 130 uses a host network address 183 in a session 160 between host 130 and server 110. In various embodiments, the host network address 183 includes an IP address of host 130. In other embodiments, the host network address 183 includes a session port address of host 130.


Security gateway 170 protects host 130 by not revealing the host network address 183. When host 130 sends a session request for session 160 to security gateway 170, the session request includes host network address 183.


Security gateway 170 establishes host side session 169 with host 130. Host 130 uses host network address 183 in host side session 169.


Security gateway 170 selects a proxy network address 187. Security gateway 170 uses proxy network address 187 to establish server side session 165 with server 110.


Server side session 165 is the session between security gateway 170 and server 110. Host side session 169 is the session between security gateway 170 and host 130. Session 160 includes server side session 165 and host side session 169.


Security gateway 170 performs network address translation (NAT) process on session 160. Security gateway 170 performs network address translation process on data packets received on server side session 165 by substituting proxy network address 187 with host network address 183. Security gateway 170 transmits the translated data packets onto host side session 169. Similarly, security gateway 170 performs network address translation process on data packets received on host side session 169 by substituting host network address 183 with proxy network address 187. Security gateway 170 transmits the translated data packets onto server side session 165.


In some embodiments, session 160 is a transmission control protocol (TCP) session, a user datagram protocol (UDP) session, an internet control messaging protocol (ICMP) session, a session based on a transport session protocol on top of IP protocol, or a session based on an application session protocol on top of IP protocol.



FIG. 1
c illustrates a NAT process for a TCP session.


Host 130 sends a session request 192 for establishing a session 160 with server 110. Session 160 is a TCP session. Session request 192 includes host network address 183 and server network address 184. Security gateway 170 receives session request 192. Security gateway 170 extracts host network address 183 from session request 192. Security gateway 170 determines a proxy network address 187. In some embodiments, host network address 183 includes a host's IP address, and security gateway 170 determines a proxy IP address to substitute host's IP address. In other embodiments, host network address 183 includes a host's TCP port number, and security gateway 170 determines a proxy TCP port number to substitute host's TCP port number. Security gateway 170 extracts server network address 184 from session request 192. Security gateway 170 establishes a server side session 165 with server 110 based on server network address 184 and proxy network address 187. Server side session 165 is a TCP session.


Security gateway 170 also establishes a host side session 169 with host 130 by responding to session request 192.


After establishing server side session 165 and host side session 169, security gateway 170 processes data packets from server side session 165 and host side session 169.


In some embodiments, security gateway 170 receives a data packet 185 from server side session 165. Data packet 185 includes server network address 184 and proxy network address 187. Security gateway 170 extracts server network address 184 and proxy network address 187. Security gateway 170 determines host side session 169 based on the extracted network addresses. Security gateway 170 further determines host network address 183 from host side session 169. Security gateway 170 modifies data packet 185 by first substituting proxy network address 187 with host network address 183. Security gateway 170 modifies other parts of data packet 185, such as TCP checksum, IP header checksum. In some embodiments, security gateway 170 modifies payload of data packet 185 by substituting any usage of proxy network address 187 with host network address 183.


After security gateway 170 completes modifying data packet 185, security gateway 170 transmits the modified data packet 185 onto host side session 169.


In a similar fashion, security gateway 170 receives a data packet 188 from host side session 169. Data packet 188 includes server network address 184 and host network address 183. Security gateway 170 extracts server network address 184 and host network address 183. Security gateway 170 determines server side session 165 based on the extracted network addresses. Security gateway 170 further determines proxy network address 187 from server side session 165. Security gateway 170 modifies data packet 188 by first substituting host network address 183 with proxy network address 187. Security gateway 170 modifies other parts of data packet 188, such as TCP checksum, IP header checksum. In some embodiments, security gateway 170 modifies payload of data packet 188 by substituting any usage of host network address 183 with proxy network address 187.


After security gateway 170 completes modifying data packet 188, security gateway 170 transmits the modified data packet 188 onto server side session 165.



FIG. 2 illustrates a distributed multi-processing security gateway.


In various embodiments, security gateway 270 is a distributed multi-processing system. Security gateway 270 includes a plurality of processing elements. A processing element 272 includes a memory module. The memory module stores host network addresses, proxy network addresses and other information for processing element 272 to apply security policies as described in FIG. 1. Processing element 272 has a processing element identity 273.


In an exemplary embodiment illustrated in FIG. 5, processing element 272 is a central processing unit (CPU) core 572 in a multi-core processor 579 which combines two or more independent cores. In some embodiments, multi-core processor 579 is a dual-core processor such as Intel's Core 2 Duo processor, or AMD's Athlon dual-core processor. In other embodiments, multi-core processor 579 is a quad-core processor such as Intel's quad-core Xeon 5300 series processor, or AMD's Opteron Quad-Core processor.


In various embodiments, security gateway 270 includes a plurality of multi-core processors, wherein processing element 272 is a multi-core processor.


In some embodiments, processing element 272 is a packet processing module within a network processor, such as Intel's IXP2855 or IXP2805 network processor. AMD's Au1500 processor, or Cavium's Octeon MIPS64 network processor.


Security gateway 270 includes a dispatcher 275. Dispatcher 275 receives a data packet and determines a processing element to process the data packet. Dispatcher 275 typically calculates a processing element identity based on the data packet. Based on the calculated processing element identity, security gateway 270 assigns the data packet to the identified processing element for processing.


In some embodiments, dispatcher 275 receives a data packet 288 from host side session 269 and calculates a first processing element identity based on the host network address and server network address in data packet 288. In another embodiment dispatcher 275 receives a data packet 285 from server side session 265 and calculates a second processing element identity based on the proxy network address and server network address in data packet 285.


Security gateway 270 includes a network address selector 277. Network address selector 277 selects a proxy network address based on network information. The network information includes a host network address obtained in a session request for session 260 and a security gateway network address. Other types of network information may also be used. The proxy network address is used to establish server side session 265. The proxy network address is selected such that the first processing element identity and the second processing element identity calculated by dispatcher 275 are the same. In other words, a same processing element is assigned to process data packet 285 from server side session 265 and data packet 288 from host side session 269.


In some embodiments, the proxy network address is selected such that the first processing element identity calculated by dispatcher 275 identifies a processing element that has the lightest load among the plurality of processing elements. In various embodiments, the load is based on processor idle time of the processing element, or the load is based on active sessions for the processing element. In some embodiments, network address selector 277 obtains load from a processing element over an Application Programming Interface (API) or from the memory module of a processing element. The proxy network address may be selected such that the second processing element identity calculated by dispatcher 275 identifies a processing element that has the lightest load among the plurality of processing elements.


In various embodiments, the proxy network address is selected such that the first processing element identity calculated by dispatcher 275 identifies a processing element with a functional role. The functional role may include the processing of a security policy. In some embodiments, network address selector 277 obtains the functional role of a processing element through a registration process or an Application Programming Interface (API), or network address selector 277 obtains the functional role from the memory module of the processing element.



FIG. 3 illustrates a dispatching process.


Dispatcher 375 calculates a processing element identity based on two network addresses obtained from a data packet 385 of session 360. Session 360 includes host side session 369 and server side session 365. The two network addresses of host side session 369 are server network address and host network address. The two network addresses of server side session 365 are proxy network address and server network address. Dispatcher 375 calculates to the same processing element identity for host side session 369 and server side session 365.


In some embodiments, dispatcher 375 calculates based on a hashing function.


In other embodiments, dispatcher 375 computes a sum by adding the two network addresses. For example, dispatcher 375 computes a sum by performing a binary operation, such as an exclusive or (XOR) binary operation, or an and (AND) binary operation, onto the two network addresses in binary number representation. For example, dispatcher 375 computes a sum by first extracting portions of the two network addresses, such as the first 4 bits of a network address, and applies an operation such as a binary operation to the extracted portions. For example, dispatcher 375 computes a sum by first multiplying the two network addresses by a number, and by applying an operation such as addition to the multiple.


In various embodiments, dispatcher 375 computes a processing element identity by processing on the sum. In some embodiments, there are 4 processing elements in security gateway 370. For example, dispatcher 375 extracts the first two bits of the sum, and interprets the extracted two bits as a numeric number between 0 and 3. For example, dispatcher 375 extracts the first and last bit of the sum, and interprets the extracted two bits as a numeric number between 0 and 3. For example, dispatcher 375 divides the sum by 4 and determines the remainder of the division. The remainder is a number between 0 and 3.


In some embodiments, security gateway 370 includes 8 processing elements. Dispatcher 375 extracts 3 bits of the sum and interprets the extracted three bits as a numeric number between 0 and 7. For example, dispatcher 375 divides the sum by 8 and determines the remainder of the division. The remainder is a number between 0 and 7.


In various embodiment, a network address includes an IP address and a session port address. Dispatcher 375 computes a sum of the IP addresses and the session port addresses of the two network addresses.


Though the teaching is based on the above description of hashing functions, it should be obvious to the skilled in the art to implement a different hashing function for dispatcher 375.



FIG. 4 illustrates a proxy network address selection process.


Network address selector 477 selects a proxy network address 487 for a host network address 483. In some embodiments, host network address 483 includes a host IP address 484 and a host session port address 485; proxy network address 487 includes a proxy IP address 488 and a proxy session port address 489. Proxy network address 487 is selected such that dispatcher 475 calculates to the same processing element identity on host side session 469 and server side session 465.


In an exemplary embodiment, the selection process is based on the dispatching process, illustrated in FIG. 3. For example, dispatcher 475 uses the method of computing the sum of two IP addresses, and two session port addresses, and then divides the sum by 4. In some embodiments, network address selector 477 first selects proxy IP address 488. Network address selector 477 then selects proxy session port address 489 such that when using the method on server network address 490 and host network address 483 dispatcher 475 calculates the same processing element identity as when using the method on server network address 490 and proxy network address 487.


For example, dispatcher 475 computes a sum from a binary operator XOR of the two network addresses, and extracts the last 3 digits of the sum. Network address selector 477 selects a proxy session port address 489 that has the same last 3 digits of the host session port address 485.


In some embodiments, security gateway 470 performs network address translation process for a plurality of existing sessions. Network address selector 477 checks if the selected proxy network address 487 is not used in the plurality of existing sessions. In various embodiment, security gateway 470 includes a datastore 479. Datastore 479 stores a plurality of proxy network addresses used in a plurality of existing sessions. Network address selector 477 determines the selected proxy network address 487 is not used by comparing the selected proxy network address 487 against the stored plurality of proxy network addresses and not finding a match.


In some embodiments, a processing element includes network address selector. A processing element receives a data packet assigned by security gateway based on a processing element identity calculated by dispatcher. In various embodiments, the processing element determines that the data packet includes a session request. The network address selector in the processing element selects a proxy network address based on the host network address in the session request as illustrated in FIG. 4.


In various embodiments, a particular first processing element includes network address selector. A second processing element without network address selector receives a data packet and determines that the data packet includes a session request. The second processing element sends the data packet to the first processing element using, for example, a remote function call. The first processing element receives the data packet. The network address selector selects a proxy network address based on the host network address in the session request.


In some embodiments, datastore is implemented in the memory module of a processing element. In various embodiments, the plurality of proxy network addresses in datastore are stored in each of the memory modules of each of the processing elements. In other embodiments, the plurality of proxy network addresses in datastore are stored in the memory modules in a distributive manner, with the proxy network addresses used in the sessions processed by a processing element stored in the memory module of the processing element.


In some embodiments, security gateway includes a memory shared by the plurality of processing elements. Security gateway partitions the shared memory into memory regions. A processing element has access to a dedicated memory region, and does not have access to other memory regions.


In various embodiments, security gateway includes a central processing unit. The central process unit may include a plurality of processing threads such as hyper-thread, micro-engine or other processing threads implemented in circuitry such as application specific integrated circuit (ASIC) or field programmable gate array (FPGA). A processing element is a processing thread.


Furthermore, in some embodiments, a central processing unit includes a plurality of micro-processor cores. A processing thread is a micro-processor core.


In some embodiments, a security policy is for virus detection or blocking, phishing detection or blocking, traffic quota enforcement, or lawful data interception.


In various embodiments, the NAT process is for a UDP session where security gateway receives a UDP packet. In some embodiments, security gateway determines that the UDP packet is not from an existing session. Security gateway processes the UDP packet as a session request.


In other embodiments, the NAT process is for an ICMP session. In a similar fashion, security gateway processes an ICMP packet from a non-existing session as a session request.


Although the present invention has been described in accordance with the embodiments shown, one of ordinary skill in the art will readily recognize that there could be variations to the embodiments and those variations would be within the spirit and scope of the present invention. Accordingly, many modifications may be made by one of ordinary skill in the art without departing from the spirit and scope of the appended claims.

Claims
  • 1. A network computing device comprising: a plurality of processing elements in a multi-core processor including: a first processing element integrating a network address selector; anda second processing element that determines that a data packet includes a session request and sends the data packet to the first processing element using a remote function call;wherein the first processing element further receives the data packet from the second processing element and uses the network address selector to select a proxy network address based on a host network address in the session request; anda dispatcher performing a method comprising: calculating a processing element identity based on network addresses obtained from the data packet; andassigning the processing element identity to the second processing element to process the data packet.
  • 2. The network computing device of claim 1, wherein the proxy network address is selected based further on the network address of the network computing device.
  • 3. The network computing device of claim 1, wherein the proxy network address is used to establish a server side session.
  • 4. The network computing device of claim 1, wherein the calculating a processing element identity for a host side session is based on a server network address and a host network address.
  • 5. The network computing device of claim 1, wherein the calculating a processing element identity for a server side session is based on the proxy network address and a server network address.
  • 6. The network computing device of claim 1, wherein the calculating a processing element identity is based on a sum of at least a portion of two network address obtained from the data packet.
  • 7. A method for network address translation, the method comprising: receiving a data packet at a network computing device, including a network address;selecting a network address by a network address selector, the network address selector associated with a first processing element;calculating, by a dispatcher, a processing element identity using network addresses obtained from the data packet;assigning, by the dispatcher, the processing element identity to a second processing element of a plurality of processing elements in a multi-core processor to process the data packet, wherein the second processing element determines that the data packet includes a session request and sends the data packet to the first processing element using a remote function call;receiving, by the first processing element, the data packet from the second processing element; andselecting, by the network address selector associated with the first processing element, a proxy network address based on a host network address in the session request.
  • 8. The method of claim 7, wherein the proxy network address is selected based further on the network address of the network computing device.
  • 9. The method of claim 7, wherein the proxy network address is used to establish a server side session.
  • 10. The method of claim 7, wherein the calculating a processing element identity using network addresses obtained from the data packet is calculating a processing element identity for a host side session based on a server network address and a host network address.
  • 11. The method of claim 7, wherein the calculating a processing element identity using network addresses obtained from the data packet is calculating a processing element identity for a server side session based on the proxy network address and a server network address.
  • 12. The method of claim 7, wherein the calculating a processing element identity using network addresses obtained from the data packet is based on a sum of at least a portion of two network address obtained from the data packet.
  • 13. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a computer processor to perform a method for network address translation, the method comprising: receiving a data packet at a network computing device, including a network address;selecting a network address by a network address selector, the network address selector associated with a first processing element;calculating, by a dispatcher, a processing element identity using network addresses obtained from the data packet;assigning, by the dispatcher, the processing element identity to a second processing element of a plurality of processing elements in a multi-core processor to process the data packet, wherein the second processing element determines that the data packet includes a session request and sends the data packet to the first processing element using a remote function call;receiving, by the first processing element, the data packet from the second processing element; andselecting, by the network address selector associated with the first processing element, a proxy network address based on a host network address in the session request.
  • 14. The non-transitory computer-readable storage medium of claim 13, wherein the proxy network address is selected based further on the network address of the network computing device.
  • 15. The non-transitory computer-readable storage medium of claim 13, wherein the proxy network address is used to establish a server side session.
  • 16. The non-transitory computer-readable storage medium of claim 13, wherein the calculating a processing element identity using network addresses obtained from the data packet is calculating a processing element identity for a host side session based on a server network address and a host network address.
  • 17. The non-transitory computer-readable storage medium of claim 13, wherein the calculating a processing element identity using network addresses obtained from the data packet is calculating a processing element identity for a server side session based on the proxy network address and a server network address.
  • 18. The non-transitory computer-readable storage medium of claim 13, wherein the calculating a processing element identity using network addresses obtained from the data packet is based on a sum of at least a portion of two network address obtained from the data packet.
CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims the priority benefit of U.S. patent application Ser. No. 13/875,163 filed on May 1, 2013, now U.S. Pat. No. 8,904,512, issued Dec. 2, 2014 and entitled “Distributed Multi-Processing Security Gateway,” which in turn is a continuation of U.S. patent application Ser. No. 13/347,027 filed on Jan. 10, 2012, now U.S. Pat. No. 8,464,333, issued Jun. 11, 2013 and entitled “System and Method for Distributed Multi-Processing Security Gateway,” which is in turn a continuation of U.S. patent application Ser. No. 13/284,869, filed on Oct. 29, 2011, now U.S. Pat. No. 8,387,128, issued Feb. 26, 2013 and entitled “System and Method for Distributed Multi-Processing Security Gateway,” which in turn is a continuation of U.S. patent application Ser. No. 11/947,755, filed on Nov. 29, 2007, now U.S. Pat. No. 8,079,077, issued Dec. 13, 2011 and entitled “System and Method for Distributed Multi-Processing Security Gateway,” which in turn is a continuation-in-part of U.S. patent application Ser. No. 11/501,607, filed on Aug. 8, 2006, now U.S. Pat. No. 8,332,925, issued Dec. 11, 2012 and entitled “System and Method for Distributed Multi-Processing Security Gateway”. All of the above disclosures are incorporated herein by reference.

US Referenced Citations (126)
Number Name Date Kind
5432908 Heddes et al. Jul 1995 A
5781550 Templin et al. Jul 1998 A
5875185 Wang et al. Feb 1999 A
5931914 Chiu Aug 1999 A
6141749 Coss et al. Oct 2000 A
6167428 Ellis Dec 2000 A
6324286 Lai et al. Nov 2001 B1
6360265 Falck et al. Mar 2002 B1
6363075 Huang et al. Mar 2002 B1
6389462 Cohen et al. May 2002 B1
6415329 Gelman et al. Jul 2002 B1
6519243 Nonaka et al. Feb 2003 B1
6535516 Leu et al. Mar 2003 B1
6578066 Logan et al. Jun 2003 B1
6587866 Modi et al. Jul 2003 B1
6658114 Farn et al. Dec 2003 B1
6832322 Boden et al. Dec 2004 B1
7013338 Nag et al. Mar 2006 B1
7058789 Henderson et al. Jun 2006 B2
7058973 Sultan Jun 2006 B1
7086086 Ellis Aug 2006 B2
7111162 Bagepalli et al. Sep 2006 B1
7266604 Nathan et al. Sep 2007 B1
7284272 Howard et al. Oct 2007 B2
7290050 Smith et al. Oct 2007 B1
7308710 Yarborough Dec 2007 B2
7370100 Gunturu May 2008 B1
7373500 Ramelson et al. May 2008 B2
7406709 Maher, III et al. Jul 2008 B2
7441270 Edwards et al. Oct 2008 B1
7451312 Medvinsky et al. Nov 2008 B2
7516485 Lee et al. Apr 2009 B1
7529242 Lyle May 2009 B1
7568041 Turner et al. Jul 2009 B1
7583668 Mayes et al. Sep 2009 B1
7591001 Shay Sep 2009 B2
7603454 Piper Oct 2009 B2
7716369 Le Pennec et al. May 2010 B2
7779130 Toutonghi Aug 2010 B1
7908651 Maher Mar 2011 B2
7948952 Hurtta et al. May 2011 B2
8079077 Chen et al. Dec 2011 B2
8244876 Sollee Aug 2012 B2
8255644 Sonnier et al. Aug 2012 B2
8291487 Chen et al. Oct 2012 B1
8327128 Prince et al. Dec 2012 B1
8332925 Chen et al. Dec 2012 B2
8347392 Chess et al. Jan 2013 B2
8387128 Chen et al. Feb 2013 B1
8464333 Chen et al. Jun 2013 B1
8520615 Mehta et al. Aug 2013 B2
8595383 Chen et al. Nov 2013 B2
8595819 Chen et al. Nov 2013 B1
8675488 Sidebottom et al. Mar 2014 B1
8904512 Chen et al. Dec 2014 B1
8914871 Chen et al. Dec 2014 B1
8918857 Chen et al. Dec 2014 B1
8943577 Chen et al. Jan 2015 B1
9032502 Chen et al. May 2015 B1
9118618 Davis Aug 2015 B2
9118620 Davis Aug 2015 B1
9124550 Chen et al. Sep 2015 B1
20010015812 Sugaya Aug 2001 A1
20020026531 Keane et al. Feb 2002 A1
20020046348 Brustoloni Apr 2002 A1
20020053031 Bendinelli et al. May 2002 A1
20020141448 Matsunaga Oct 2002 A1
20030065950 Yarborough Apr 2003 A1
20030081624 Aggarwal et al. May 2003 A1
20030088788 Yang May 2003 A1
20030135653 Marovich Jul 2003 A1
20030152078 Henderson et al. Aug 2003 A1
20030167340 Jonsson Sep 2003 A1
20030229809 Wexler et al. Dec 2003 A1
20040054920 Wilson et al. Mar 2004 A1
20040107360 Herrmann et al. Jun 2004 A1
20040184442 Jones et al. Sep 2004 A1
20040243718 Fujiyoshi Dec 2004 A1
20050027947 Landin Feb 2005 A1
20050033985 Xu et al. Feb 2005 A1
20050038898 Mittig et al. Feb 2005 A1
20050050364 Feng Mar 2005 A1
20050074001 Mattes et al. Apr 2005 A1
20050114492 Arberg et al. May 2005 A1
20050135422 Yeh Jun 2005 A1
20050144468 Northcutt et al. Jun 2005 A1
20050169285 Wills et al. Aug 2005 A1
20050251856 Araujo et al. Nov 2005 A1
20060031506 Redgate Feb 2006 A1
20060062142 Appanna et al. Mar 2006 A1
20060063517 Oh et al. Mar 2006 A1
20060064440 Perry Mar 2006 A1
20060080446 Bahl Apr 2006 A1
20060126625 Schollmeier et al. Jun 2006 A1
20060195698 Pinkerton et al. Aug 2006 A1
20060227771 Raghunath et al. Oct 2006 A1
20060233100 Luft et al. Oct 2006 A1
20070002857 Maher Jan 2007 A1
20070011419 Conti Jan 2007 A1
20070124487 Yoshimoto et al. May 2007 A1
20070165622 O'Rourke et al. Jul 2007 A1
20070177506 Singer et al. Aug 2007 A1
20070180226 Schory et al. Aug 2007 A1
20070180513 Raz et al. Aug 2007 A1
20070294694 Jeter et al. Dec 2007 A1
20080034111 Kamath et al. Feb 2008 A1
20080034419 Mullick et al. Feb 2008 A1
20080040789 Chen et al. Feb 2008 A1
20080216177 Yokosato et al. Sep 2008 A1
20080289044 Choi Nov 2008 A1
20090049537 Chen et al. Feb 2009 A1
20090113536 Zhang et al. Apr 2009 A1
20090210698 Candelore Aug 2009 A1
20100257278 Gunturu Oct 2010 A1
20100333209 Alve Dec 2010 A1
20110307606 Cobb Dec 2011 A1
20120026897 Guichard et al. Feb 2012 A1
20120155495 Clee et al. Jun 2012 A1
20120215910 Wada Aug 2012 A1
20130089099 Pollock et al. Apr 2013 A1
20130166762 Jalan et al. Jun 2013 A1
20130191548 Boddukuri et al. Jul 2013 A1
20130227165 Liu Aug 2013 A1
20130262702 Davis Oct 2013 A1
20130311686 Fetterman et al. Nov 2013 A1
20130315241 Kamat et al. Nov 2013 A1
Foreign Referenced Citations (42)
Number Date Country
1921457 Feb 2007 CN
1937591 Mar 2007 CN
101495993 Jul 2009 CN
101878663 Nov 2010 CN
ZL200780001807 Feb 2011 CN
103365654 Oct 2013 CN
103428261 Dec 2013 CN
ZL200880118178.9 Jun 2014 CN
1482685 Dec 2004 EP
1720287 Nov 2006 EP
2057552 May 2009 EP
2215863 Aug 2010 EP
2575328 Apr 2013 EP
2667571 Nov 2013 EP
2575328 Nov 2014 EP
1182547 Nov 2013 HK
1188498 May 2014 HK
1190539 Jul 2014 HK
1182547 Apr 2015 HK
2004350188 Dec 2004 JP
2005518595 Jun 2005 JP
2006180295 Jul 2006 JP
2006333245 Dec 2006 JP
2007048052 Feb 2007 JP
2011505752 Feb 2011 JP
2013059122 Mar 2013 JP
2013070423 Apr 2013 JP
2013078134 Apr 2013 JP
5364101 Sep 2013 JP
5480959 Feb 2014 JP
5579820 Jul 2014 JP
5579821 Jul 2014 JP
NI086309 Feb 1996 TW
NI109955 Dec 1999 TW
NI130506 Mar 2001 TW
NI137392 Jul 2001 TW
WO03073216 Sep 2003 WO
WO03103233 Dec 2003 WO
WO2006065691 Jun 2006 WO
WO2007076883 Jul 2007 WO
WO2008021620 Feb 2008 WO
WO2009073295 Jun 2009 WO
Non-Patent Literature Citations (4)
Entry
Chiussi et al., “A Network Architecture for MPLS-Based Micro-Mobility”, IEEE WCNC 02, Orlando, Mar. 2002.
Smith, M. et al; “Network Security Using NAT and NAPT”, 10th IEEE International Converence on Aug. 27-30, 2002, Piscataway, NJ, USA, 2012; Aug. 27, 2002; pp. 355-360.
Cardellini et al., “Dynamic Load Balancing on Web-server Systems”, IEEE Internet Computing, vol. 3, No. 3, pp. 28-39, May-Jun. 1999.
Wang et al., “Shield: Vulnerability Driven Network Filters for Preventing Known Vulnerability Exploits”, SIGCOMM'04, Aug. 30-Sep. 3, 2004, Portland, Oregon, USA.
Related Publications (1)
Number Date Country
20150047012 A1 Feb 2015 US
Continuations (4)
Number Date Country
Parent 13875163 May 2013 US
Child 14522504 US
Parent 13347027 Jan 2012 US
Child 13875163 US
Parent 13284869 Oct 2011 US
Child 13347027 US
Parent 11947755 Nov 2007 US
Child 13284869 US
Continuation in Parts (1)
Number Date Country
Parent 11501607 Aug 2006 US
Child 11947755 US