TREA

Policy based network address translation

Follow

Information

  • Patent Grant
  • 8194673
  • Patent Number
    8,194,673
  • Date Filed
    Monday, June 7, 2010
    14 years ago
  • Date Issued
    Tuesday, June 5, 2012
    12 years ago
Information
Abstract
A system and method is described for providing policy-based Network Address Translation (NAT) configurations wherein each user/resource policy within a network protection device may use a different set of address translation mappings.
Description
BACKGROUND OF THE INVENTION

Network Address Translation (NAT) is an Internet technology that was originally developed to work around the growing scarcity of Internet Protocol (IP) addresses on the Internet. The current, and most widely used, Internet Protocol (IPv4) supports more than four billion addresses. However, because of inefficient allocation of addresses, routing constraints, and the Internet's phenomenal growth, this number has proven insufficient. The NAT solution is to use private addresses on a company's (or homeowner's) internal network and only convert those internal addresses to globally routable IP addresses when communicating through a gateway (e.g., router, firewall, other switching or routing device) to hosts (other computers/servers) on the Internet. In some applications, hosts currently communicating will get their own globally routable IP address, while in other applications, as few as one globally routable IP address may be used for multiple internal hosts. Ideally, this translation will be invisible to the underlying networking applications and protocols. NAT functionality can also be exploited for its security features (internal IP addresses are effectively “hidden” to the external world) and has been employed in session redirection and load balancing.


There are many products available today that employ NAT functionality, including routers for business and home use, firewalls, and Internet/residential gateways. Some computer operating systems also implement NAT functionality so that a server or workstation running such an operating system can act as a NAT-enabled software router or firewall. Applications of NAT have been focused on address translations based on network structure, resource availability, and simple application requirements.



FIG. 1 illustrates an exemplary use of a NAT map (functionality) 100 within a NAT router 110 connecting an internal network 120 to the Internet 130. The internal network 120 includes the NAT router 110, an application server 140 and a file server 150. External users 160, 170 can connect to the internal network 120 via the Internet 130. The NAT map 100 includes a list of external IP addresses 180 and a list of internal IP addresses 190.


As is understood in the prior art, the first user 160 transmits packets to the externally known IP address for the application server 140 (196.28.43.2). With no regard for who the user is or what the resource is, the NAT router 110 receives the packets containing the externally known destination IP address 180 (196.28.43.2) and utilizes the NAT map 100 to translate the external address (196.28.43.2) to a corresponding internal IP address (10.33.96.5) 190 and routes the packets accordingly. The second user 170 sends packets to the file server 150 (using external IP address 196.29.74.4) and the NAT router 110 translates the external address to the internal IP address (10.33.96.9) and forwards to the file server 150. If the application server 140 or file server 150 communicates with an external user, the NAT router 110 utilizes the NAT map 100 to translate the source address from the internal IP address 190 (10.33.96.5 and 10.33.96.9 respectively) to the externally known IP address 180 (196.28.43.2 and 196.29.74.4) prior to forwarding the packets externally. The external users therefore do not know the internal IP addresses. Although as illustrated in FIG. 1 the user's addresses are not translated, the NAT map 100 may optionally perform user address translation.


Session flow, also referred to herein as flow, is well known to those skilled in the art and is described in detail in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 2663, which is incorporated herein by reference. Session flow is a combination of inbound and outbound packets that form part of a session initiated in one direction. Packet flow is defined in RFC 2663 as the direction in which the packet has traveled with reference to a network interface. As an example, a session (session flow) initiated by a user on a server for telnet would consist of packet flows in both the inbound and outbound directions.


As network applications and Web application services have proliferated and corporate networks have become more distributed, there has been a growing need for more flexibility in address translation functionality. NAT is a process in which IP addresses are mapped from one group to another, transparent to end users. Network Address Port Translation (NAPT) is a method by which many network addresses and their TCP/UDP (Transmission Control Protocol/User Datagram Protocol) ports are translated into a single network address and its TCP/UDP ports. NAPT works well to share a single globally routable IP address when an internal user initiates the contact and receives a reply on the same port. The processes of NAT and NAPT are well known to those skilled in the art and are described in detail in ETF document RFC 3022, which is incorporated herein by reference. However, when multiple applications using the same well-known port (such as TCP port 443 for secure socket layer) are placed behind an NAPT enabled device some of the applications may become inoperative for inbound flows.


Other features of NAT have been developed, including the use of NATs for load sharing, where a session load can be distributed across a pool of servers, instead of directed to a single server. The use of NATs for load sharing is described in the IEETF document RFC 2391, which is incorporated herein by reference. A type of NAT has been developed for interfacing between end-nodes using version 6 of the Internet protocol (V6) trying to communicate with end-nodes using version 4 (V4) and vice versa. This type of Network Address Translation—Protocol Translation (NAT-PT) is described in RFC 2766, which is incorporated by reference herein.


The prior art systems essentially use address maps to provide address translations regardless of who the client is and what the service is. This limited flexibility results in unrestricted user access and uniform address translation. What is needed is a way to create and adjust network address translation configurations based on user and resource-specific network policies. Such capability would result in higher security based on user authorization, greater control of network resources and the general ability to vary network address translation for a wide range of purposes.


SUMMARY OF THE INVENTION

A network protection device (firewall or network access management system) may be responsible for establishing and enforcing packet traffic policies into and out of a corporate or home network. Each packet entering a piece of network protection equipment may be classified into a particular flow and, based on the established policies, either forwarded to a destination or dropped. In some cases, the source and/or destination addresses and ports may be modified for all packets in a particular flow. This may be done for a number of reasons, including security, load balancing, and to work around equipment failures. This rewriting of addresses and ports is referred to herein as “translation.” The set of translations that are active at any particular time is called a NAT configuration.


In an advanced access management system, resources may be made available (authorized) for specific users at specific times and in user-specific ways. A “policy” may be defined by the precise rules for how a particular resource is made available to a particular user at a particular time. An advanced access management system may filter some or all packets entering the system based on all of the policies in force when the packet arrives. In one embodiment, each policy within an access management system may employ a different NAT configuration. In this way, the address translation may vary from policy to policy (user to user). In an embodiment, no two policies need carry the same set of NAT translation parameters. This allows for resources to be given customized access rules and address translation functionality for each user.


Before explaining at least one embodiment in detail, it is to be understood that the invention is not limited in its application to the details of construction and to the arrangements of the components set forth in the description or illustrated in the drawings. The invention is capable of other embodiments and of being practiced and carried out in various ways. Also, it is to be understood that the phraseology and terminology employed herein, as well as the abstract, are for the purpose of description and should not be regarded as limiting.


Those skilled in the art will appreciate that the conception upon which this disclosure is based may readily be used as a basis for designing other structures, methods, and systems for carrying out the several purposes of the present invention.





BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and form a part of the specification, illustrate embodiments of the present invention and, together with the description serve to explain the principles of the invention.



FIG. 1 illustrates an exemplary use of a NAT map within a router for inbound access to enterprise applications;



FIG. 2 illustrates an exemplary system architecture of a network connecting to the Internet through two layers of network protection equipment, according to one embodiment;



FIG. 3 illustrates an exemplary policy-based NAT map, according to one embodiment;



FIG. 4 illustrates an exemplary network utilizing an access management system (AMS), according to one embodiment;



FIGS. 5A and 5B illustrate an exemplary policy-based NAT map, according to one embodiment; and



FIG. 6 illustrates an exemplary policy-based network address translation processor, according to one embodiment.





DETAILED DESCRIPTION

In describing an embodiment of the invention illustrated in the drawings, specific terminology will be used for the sake of clarity. However, the invention is not intended to be limited to the specific terms so selected, and it is to be understood that each specific term includes all technical equivalents which operate in a similar manner to accomplish a similar purpose.



FIG. 2 illustrates an exemplary system architecture of a network 200 (or network segment) connecting to the Internet 250 through at least two layers of network protection equipment. The network 200 may be internal to a location or facility (e.g. corporate network). The network 200 as illustrated includes two layers of network security: application servers 210, and an authentication server 220. An access management system (AMS) 230 and a firewall 240 provide protection for the network 200 (protected network/network segment). The application servers 210 and the authentication server 220 are connected to the AMS 230 which is connected to the Internet 250 through the firewall 240. An external/partner company 260 and/or a public Internet user 270 are also connected to the Internet 250. An exemplary operating scenario may be that an operator of the network 200 (e.g., company) desires to enable the external/partner company 260 to access the application servers 210 while blocking the public Internet user 270. It should be understood that the exemplary system architecture is a simplified architecture for illustrative purposes. That is, system architecture is likely to include many more servers, external and partner companies, and public Internet users.


The firewall 240 may provide traditional proxy/firewall protection based on simple packet rules. The typical proxy/firewall will block most or all external intruders, while allowing users within the company to access internal resources as well as resources connected to the Internet 250. The AMS 230 provides for authenticated, secure access to internal server equipment (e.g., application servers 210) by utilizing policies established by, for example, a system administrator. The policies define the use of more complex, multi-layer packet filtering rules, along with a means for authenticating users wishing to access resources within the company. The AMS 230 may also perform network address translation based on policies defined (e.g., authenticated users).



FIG. 3 illustrates an exemplary policy based NAT map 300. The NAT map 300 is divided by user 310 (identified by source IP address at a given time) and for each user 310 external IP addresses 320 are associated with internal IP addresses 330 for the internal resources. Note that different users may access internal resources with different external IP addresses 320 but having the same internal IP address (e.g., 198.76.29.2 for user 1 and 198.76.29.5 for user 2 both translate to 10.33.96.5) where the resource resides. It is also possible that the same external IP address can be used by different users to equate to different internal addresses (not illustrated). That is, utilizing the user (destination of the packet) in the NAT map provides flexibility. The exemplary policy based NAT map 300 utilizes users and maps or associates different externally known IP addresses to internal IP addresses for each internal resource.



FIG. 4 illustrates an exemplary network (or network segment) 400. It should be noted that there are similar components in both the exemplary network 400 and the exemplary network 200 of FIG. 2 (e.g., firewall, AMS). The similar components are referred to by different reference numbers in each of the figures to illustrate that they may be different embodiments. The network 400 includes a firewall 410, an AMS 420, an application server 430, and a file server 440. The network 400 communicates via the Internet 450 with an external/partner company 460 and an external user 470. The AMS 420 utilizes the NAT map 300 for network address translations. Initially it is pointed out that the AMS 420 authenticates a user at the external/partner company 460 and the external user 470 prior to the users accessing anything with the network 400. According to one embodiment, user authentication may involve logging into a Web-Page hosted by the AMS 420 and entering a user name and password. Other methods of authentication, familiar to those skilled in the art, can be used.


We will now discuss an embodiment of network address translation for communications with this network 400 with respect to the NAT map 300 of FIG. 3. The user at the external/partner company 460 accesses the application server 430 by transmitting packets having an externally known IP address (198.76.29.2) as the destination address. The user transmitting the packets is determined based on the source address of the packets (198.76.28.4). The AMS 420 then utilizes the NAT map 300 to find the externally known IP address 320 for that particular user 310 to determine the internal IP address 330 (10.33.96.5). The AMS 420 accordingly translates the destination address on all packets with this flow from 198.76.29.2 to 10.33.96.5 and the packets are forwarded to the application server 430. Likewise, when the external user 470 (68.151.70.32) transmits packets to the file server 440 utilizing the externally known IP address (198.76.29.6) the AMS 420 then finds the externally known IP address 320 for that particular user 310 and translates it to the internal IP address 330 (10.33.96.9).


Packets in the return flow (from application server 430 or file server 440) have their source address translated from local address (10.33.96.5 and 10.33.96.9 respectively) to the externally known address (198.76.29.2 and 198.76.29.6 respectively based on the user the packet is destined for). The AMS 420 determines the user by looking at the destination IP address. TCP/UDP port numbers are also mapped, as necessary, in a similar fashion. In this way, the user at the external/partner company 440 has no direct knowledge of the host IP addresses internal to the company and cannot directly access hosts within the company.



FIGS. 5A and 5B illustrate an exemplary policy based NAT map 500 for User 1 (FIG. 5A) and User 2 (FIG. 5B). Although shown as separate tables, these maps may exist in a contiguous table and are simply shown as separate figures for convenience. Referring to FIG. 5A, the first column contains external user IP addresses 510, the second column contains external resource IP addresses 520, the third column contains internally mapped user IP addresses 530, the fourth column contains internally mapped resource IP addresses 540, and the fifth column specifies the resource name 550, as known to the device implementing the policy based NAT.


Referring back to FIG. 4, we will now discuss network address translation for communications with network 400 with respect to the policy based NAT map 500 of FIGS. 5A and 5B. For a flow from User 1 to Resource 1, the user will use an external IP address (198.76.28.4) as the originating source address and will use an external resource address (198.76.29.2) as the destination address. When the first packet of the flow traverses the device implementing the policy based NAT, the device can identify the user and the flow ID of the user and will use the map selector to select address maps for the internal user's IP address (10.33.96.2) as well as the internal resource address (10.33.96.5). These address maps would be used for translation of all subsequent packets pertaining to this flow.


Referring to FIG. 5B, User 2 bearing the IP address of 68.151.70.32 goes through a different address map for translating the external user IP address and the external resource IP address to access the same Resource 1. The ability to select different address maps based on user parameters results in a policy based NAT.


When used herein the term policy refers to a set of access or security rules associated with one or more parameters of a user including, but not limited to, group membership, level of authorization or clearance, current network address, time of day, or location. Policies allow users access to certain network resources, and deny them access to other resources, either temporarily (e.g. for time of day based rules or location based rules) or permanently (level of authorization or clearance). In one embodiment, a user logs onto a system with a user ID and a password, and based on the policies associated with that user, they receive access to, or are denied access to, certain network resources. Other mechanisms can be used to determine which policies are applicable, including determinations based on information transmitted from the user.


According to one embodiment, an AMS may utilize a NAT map where the user address map and the resource address map can be divided into internal maps and external maps. That is, the NAT map may include a user address map as well as a resource address map.



FIG. 6 illustrates a policy based NAT processor 600 that is able to perform policy based address translation. Referring to FIG. 6, when an incoming packet arrives at the policy based NAT processor 600, the flow identifier is determined 610 from the packet. A determination 620 of whether the packet establishes a new flow 613 or is part of an existing flow 617. If the packet constitutes the start of a new flow 613, the flow identifier is directed to a map selector 640 which looks up the address map storage 630, uses appropriate policies pertaining to the user and resource being accessed (and other policy determining parameters) and identifies an address bind 625 that should be applied to the flow. This address bind may be stored into the active address bind 650 for subsequent use. Subsequent packets of the flow may also be subject to the same translation using the same address bind(s) applied to address translator 670. Address translator 670 may use address bind 625 to translate the incoming packet buffer 665 and perform the appropriate address translations on the incoming packet to generate an outgoing packet.


In the event that the incoming packet belongs to an existing flow 617, the bind selector 660 will look up the active address binds 650 against the existing flow ID and determine the appropriate address bind to be applied for the flow associated with the incoming packet.


For flows originating from the internal network to the external network, the AMS may utilize a particular policy based NAT table. Similarly, for flows originating from the external network to the internal network, a different policy based NAT table may be utilized.


For example, if an internal user wishes to access an external web server (an external resource) and has a specific IP address they use for the web server, the internal user address map may identify the resource associated with the unique IP address as an external resource. The outside resource address map may then identify the common IP address for that resource.


NAT address maps may be generated automatically, and they may optionally be edited by a system administrator. In addition, the administrator may set policies for the generation and/or selection of NAT address maps. The particular NAT address map that is used at any given time may depend on the policy that applies to the particular packet flow that is being routed. For example, the NAT resource address maps are typically generated by the AMS at the time of resource definition. User address maps may be automatically generated from policies established during system configuration, but may also be edited manually to fine tune policies. According to one embodiment, default NAT address maps are generated during the initialization and configuration of the AMS.


Computer program instructions to implement a software embodiment of the present invention may be stored in a computer program memory or on a computer readable carrier such as a disk, memory stick, portable memory device, communications signal or carrier wave. The instruments may be carried out in any computer programming language.


The many features and advantages of the invention are apparent from the detailed specification. Since numerous modifications and variations will readily occur to those skilled in the art, it is not desired to limit the invention to the exact construction and operation illustrated and described. Accordingly, all appropriate modifications and equivalents may be included within the scope of the invention.

Claims
  • 1. A method for applying an access rule to select a user based network address translation maps for accessing an internal network from an external network, the method comprising: (a) authenticating, by an access management system executing on a device deployed between an external network and an in internal network, a first external user of a plurality of external users;(b) selecting, by the access management system based on an access rule associated with one or more parameters of the first external user, a first network address translation map from a plurality of different network address translation maps of the plurality of external users; and(c) determining, by the access management system from the first network address translation map selected for the first external user, an internal internet protocol (IP) address of a resource to be accessed by the first external user.
  • 2. The method of claim 1, wherein step (a) further comprises authenticating, by the access management system, the first external user prior to the first external user accessing resources on the internal network.
  • 3. The method of claim 1, wherein step (b) further comprises selecting the first network address translation map from the plurality of different network address translation maps, based on the access rule associated with an external network address of the first external user.
  • 4. The method of claim 1, wherein step (b) further comprises selecting the first network address translation map from the plurality of different network address translation maps, based on the access rule associated with a time of day of access by the first external user.
  • 5. The method of claim 1, wherein step (b) further comprises selecting the first network address translation map from the plurality of different network address translation maps, based on the access rule associated with a location of the first external user.
  • 6. The method of claim 1, wherein step (b) further comprises selecting the first network address translation map from the plurality of different network address translation maps, based on the access rule associated with a level of authorization.
  • 7. The method of claim 1, wherein step (c) further comprises selecting the first network address translation map comprising a user address map and a resource address map.
  • 8. The method of claim 1, wherein step (c) further comprises determining from the first network address translation map selected for the first external user an internal IP address on the internal network for the first external user.
  • 9. The method of claim 1, further comprising translating, by the device using the first network address translation map selected for the first external user, an external source IP address of a packet received from the external user to an internal user IP address and an external destination IP address of the packet to the internal internet protocol (IP) address of the resource.
  • 10. The method of claim 1, wherein step (c) further comprises determining the internal internet protocol (IP) address of the resource to be accessed by the first external user, the internal IP address of the resource for the first external user is different than a second internal IP address for the same resource for a second external user.
  • 11. A method for using policies to apply a user specific address bind for accessing an internal network from an external network, the method comprising: (a) determining, by a processor deployed between an external network and an internal network, a flow identifier from a packet received by the processor from an external user;(b) determining, by the processor via the flow identifier, that the packet is part of a new flow of network traffic between the external user and a resource of the internal network; and(c) applying, by the processor one or more policies pertaining to the external user and the resource being accessed, to identify a user specific address bind to apply to the new flow of network traffic, the user specific address bind comprising a first mapping of a user internal internet protocol (IP) address to an external source IP address of the packet and a second mapping of an internal IP address of the resource to an external destination IP address of the packet.
  • 12. The method of claim 11, further comprising translating, by an address translator, the received packet using the user specific address bind to generate an outgoing packet to be transmitted on the internal network.
  • 13. The method of claim 11, wherein step (a) further comprises determining, by the processor, the flow identifier from a source IP address and a destination IP address of the packet.
  • 14. The method of claim 11, wherein step (a) further comprises determining, by the device, the external user from a source IP address of the packet.
  • 15. The method of claim 11, wherein step (c) further comprises determining, by the processor, a network address translation map selector from the flow identifier.
  • 16. The method of claim 11, further comprising determining, by the processor, via a second flow identifier for a second packet, that the second packet is part of an existing flow of network traffic of the external user.
  • 17. The method of claim 16, further comprising looking up, by a bind selector, a plurality of active address binds against the second flow identifier.
  • 18. The method of claim 17, further comprising determining, by the bind selector based on the one or more policies, an appropriate address bind from the plurality of active address binds.
  • 19. The method of claim 11, further comprising utilizing, by the processor, a first policy based network address translation table for flows originating from the internal network that is different from a second policy based network address translation table utilized for flows originating from the external network.
  • 20. The method of claim 11, forming, by the processor, the user specific address bind from a network address translation map selected for the external user from a plurality of different network address translation maps of a plurality of external users based on an access rule associated with one or more parameters of the external user.
RELATED APPLICATIONS AND CLAIM OF PRIORITY

This present application claims priority to and is a continuation of U.S. Non-Provisional application Ser. No. 10/857,225, entitled “Policy Based Network Address Translation”, filed on May 28, 2004, which claims the benefit of and priority to U.S. Provisional Patent Application No. 60/473,964, filed May 28, 2003, both of which are incorporated herein by reference in their entirety. This patent application incorporates by reference in its entirety each of the following U.S. patent applications: 1) “Method and System for Identifying Bidirectional Packet Flow” filed on May 28, 2004, having U.S. application Ser. No. 10/857,703, now abandoned; 2) “Method, System and Software for State Signing of Internet Resources” filed on May 28, 2004, having U.S. application Ser. No. 10/857,536, now abandoned; and 3) “Multilayer Access Control Security System” filed on May 28, 2004, having U.S. application Ser. No. 10/857,224 and co-pending with the present application.

US Referenced Citations (204)
Number Name Date Kind
5999525 Krishnaswamy et al. Dec 1999 A
6006264 Colby et al. Dec 1999 A
6023724 Bhatia et al. Feb 2000 A
6058431 Srisuresh et al. May 2000 A
6104700 Haddock et al. Aug 2000 A
6173325 Kukreja Jan 2001 B1
6249801 Zisapel et al. Jun 2001 B1
6289382 Bowman-Amuah Sep 2001 B1
6321336 Applegate et al. Nov 2001 B1
6321337 Reshef et al. Nov 2001 B1
6324582 Sridhar et al. Nov 2001 B1
6332163 Bowman-Amuah Dec 2001 B1
6333931 LaPier et al. Dec 2001 B1
6339832 Bowman-Amuah Jan 2002 B1
6360265 Falck et al. Mar 2002 B1
6389462 Cohen et al. May 2002 B1
6415329 Gelman et al. Jul 2002 B1
6434568 Bowman-Amuah Aug 2002 B1
6434618 Cohen et al. Aug 2002 B1
6434628 Bowman-Amuah Aug 2002 B1
6438594 Bowman-Amuah Aug 2002 B1
6442748 Bowman-Amuah Aug 2002 B1
6477580 Bowman-Amuah Nov 2002 B1
6477665 Bowman-Amuah Nov 2002 B1
6484206 Crump et al. Nov 2002 B2
6496850 Bowman-Amuah Dec 2002 B1
6496935 Fink et al. Dec 2002 B1
6502213 Bowman-Amuah Dec 2002 B1
6523027 Underwood Feb 2003 B1
6529909 Bowman-Amuah Mar 2003 B1
6529948 Bowman-Amuah Mar 2003 B1
6539396 Bowman-Amuah Mar 2003 B1
6549949 Bowman-Amuah Apr 2003 B1
6550057 Bowman-Amuah Apr 2003 B1
6571282 Bowman-Amuah May 2003 B1
6571285 Groath et al. May 2003 B1
6578068 Bowman-Amuah Jun 2003 B1
6584569 Reshef et al. Jun 2003 B2
6601192 Bowman-Amuah Jul 2003 B1
6601233 Underwood Jul 2003 B1
6601234 Bowman-Amuah Jul 2003 B1
6606660 Bowman-Amuah Aug 2003 B1
6606744 Mikurak Aug 2003 B1
6609128 Underwood Aug 2003 B1
6615199 Bowman-Amuah Sep 2003 B1
6615253 Bowman-Amuah Sep 2003 B1
6615357 Boden et al. Sep 2003 B1
6633878 Underwood Oct 2003 B1
6636242 Bowman-Amuah Oct 2003 B2
6640238 Bowman-Amuah Oct 2003 B1
6640244 Bowman-Amuah Oct 2003 B1
6640249 Bowman-Amuah Oct 2003 B1
6665702 Zisapel et al. Dec 2003 B1
6671818 Mikurak Dec 2003 B1
6683873 Kwok et al. Jan 2004 B1
6687732 Bector et al. Feb 2004 B1
6691227 Neves et al. Feb 2004 B1
6697377 Ju et al. Feb 2004 B1
6697824 Bowman-Amuah Feb 2004 B1
6704873 Underwood Mar 2004 B1
6715145 Bowman-Amuah Mar 2004 B1
6718359 Zisapel et al. Apr 2004 B2
6718535 Underwood Apr 2004 B1
6725253 Okano et al. Apr 2004 B1
6731625 Eastep et al. May 2004 B1
6735691 Capps et al. May 2004 B1
6742015 Bowman-Amuah May 2004 B1
6742045 Albert et al. May 2004 B1
6760775 Anerousis et al. Jul 2004 B1
6772347 Xie et al. Aug 2004 B1
6775692 Albert et al. Aug 2004 B1
6801528 Nassar Oct 2004 B2
6826627 Sjollema et al. Nov 2004 B2
6832322 Boden et al. Dec 2004 B1
6842906 Bowman-Amuah Jan 2005 B1
6871346 Kumbalimutt et al. Mar 2005 B1
6880086 Kidder et al. Apr 2005 B2
6891830 Curtis May 2005 B2
6904449 Quinones Jun 2005 B1
6909708 Krishnaswamy et al. Jun 2005 B1
6920502 Araujo et al. Jul 2005 B2
6931411 Babiskin et al. Aug 2005 B1
6934288 Dempo Aug 2005 B2
RE38902 Srisuresh et al. Nov 2005 E
6985901 Sachse et al. Jan 2006 B1
6996628 Keane et al. Feb 2006 B2
6996631 Aiken et al. Feb 2006 B1
7000012 Moore et al. Feb 2006 B2
7028333 Tuomenoksa et al. Apr 2006 B2
7028334 Tuomenoksa Apr 2006 B2
7047424 Bendinelli et al. May 2006 B2
7072807 Brown et al. Jul 2006 B2
7085854 Keane et al. Aug 2006 B2
7093280 Ke et al. Aug 2006 B2
7100195 Underwood Aug 2006 B1
7102996 Amdahl et al. Sep 2006 B1
7113962 Kee et al. Sep 2006 B1
7114180 DeCaprio Sep 2006 B1
7117530 Lin Oct 2006 B1
7123613 Chawla et al. Oct 2006 B1
7124101 Mikurak Oct 2006 B1
7130807 Mikurak Oct 2006 B1
7136645 Hanson et al. Nov 2006 B2
7155515 Brown et al. Dec 2006 B1
7162509 Brown et al. Jan 2007 B2
7181766 Bendinelli et al. Feb 2007 B2
7200530 Brown et al. Apr 2007 B2
7216173 Clayton et al. May 2007 B2
7227872 Biswas et al. Jun 2007 B1
7260649 Somasundaram et al. Aug 2007 B1
7272853 Goodman et al. Sep 2007 B2
7315541 Housel et al. Jan 2008 B1
7317717 Pankajakshan et al. Jan 2008 B2
7318100 Demmer et al. Jan 2008 B2
7334049 Somasundaram et al. Feb 2008 B1
7385924 Riddle Jun 2008 B1
7395335 Brown et al. Jul 2008 B2
7398552 Pardee et al. Jul 2008 B2
7464264 Goodman et al. Dec 2008 B2
7512702 Srivastava et al. Mar 2009 B1
20010016914 Tabata Aug 2001 A1
20010037387 Gilde et al. Nov 2001 A1
20010047406 Araujo et al. Nov 2001 A1
20020023152 Oguchi Feb 2002 A1
20020029285 Collins Mar 2002 A1
20020032725 Araujo et al. Mar 2002 A1
20020032798 Xu Mar 2002 A1
20020038339 Xu Mar 2002 A1
20020042875 Shukla Apr 2002 A1
20020073061 Collins Jun 2002 A1
20020081971 Travostino Jun 2002 A1
20020083175 Afek et al. Jun 2002 A1
20020103846 Zisapel et al. Aug 2002 A1
20020106005 Motiwala et al. Aug 2002 A1
20020138618 Szabo Sep 2002 A1
20020142774 Saint-Hilaire et al. Oct 2002 A1
20020147822 Susai et al. Oct 2002 A1
20020152373 Sun et al. Oct 2002 A1
20020165960 Chan Nov 2002 A1
20020169887 MeLampy et al. Nov 2002 A1
20020191612 Curtis Dec 2002 A1
20020199007 Clayton et al. Dec 2002 A1
20030014623 Freed et al. Jan 2003 A1
20030014628 Freed et al. Jan 2003 A1
20030041091 Cheline et al. Feb 2003 A1
20030041167 French et al. Feb 2003 A1
20030046586 Bheemarasetti et al. Mar 2003 A1
20030046587 Bheemarasetti et al. Mar 2003 A1
20030055962 Freund et al. Mar 2003 A1
20030067874 See et al. Apr 2003 A1
20030084162 Johnson et al. May 2003 A1
20030088788 Yang May 2003 A1
20030093691 Simon et al. May 2003 A1
20030110192 Valente et al. Jun 2003 A1
20030123481 Neale et al. Jul 2003 A1
20030131079 Neale et al. Jul 2003 A1
20030149899 Boden et al. Aug 2003 A1
20030154283 Brown Aug 2003 A1
20030182423 Shafir et al. Sep 2003 A1
20030182431 Sturniolo et al. Sep 2003 A1
20030188001 Eisenberg et al. Oct 2003 A1
20030191799 Araujo et al. Oct 2003 A1
20030195984 Zisapel et al. Oct 2003 A1
20030198189 Roberts et al. Oct 2003 A1
20030212776 Roberts et al. Nov 2003 A1
20030217126 Polcha et al. Nov 2003 A1
20030223361 Hussain et al. Dec 2003 A1
20040006643 Dolson et al. Jan 2004 A1
20040059942 Xie Mar 2004 A1
20040073707 Dillon Apr 2004 A1
20040078621 Talaugon et al. Apr 2004 A1
20040095934 Cheng et al. May 2004 A1
20040100907 Illikkal et al. May 2004 A1
20040100976 Chang et al. May 2004 A1
20040177158 Bauch et al. Sep 2004 A1
20040215746 McCanne et al. Oct 2004 A1
20040218611 Kim Nov 2004 A1
20040249975 Tuck et al. Dec 2004 A1
20040260922 Goodman et al. Dec 2004 A1
20040268357 Joy et al. Dec 2004 A1
20040268358 Darling et al. Dec 2004 A1
20050013280 Buddhikot et al. Jan 2005 A1
20050015507 Chin Jan 2005 A1
20050022203 Zisapel et al. Jan 2005 A1
20050089025 Boyer et al. Apr 2005 A1
20050132030 Hopen et al. Jun 2005 A1
20050141507 Curtis Jun 2005 A1
20050195780 Haverinen et al. Sep 2005 A1
20050198335 Brown et al. Sep 2005 A1
20050210150 Bahl Sep 2005 A1
20050286466 Tagg et al. Dec 2005 A1
20060064478 Sirkin Mar 2006 A1
20060080441 Chen et al. Apr 2006 A1
20060236095 Smith et al. Oct 2006 A1
20070067046 Berg Mar 2007 A1
20070156852 Sundarrajan et al. Jul 2007 A1
20070245409 Harris et al. Oct 2007 A1
20070280232 Dec et al. Dec 2007 A1
20080034416 Kumar et al. Feb 2008 A1
20080046616 Verzunov et al. Feb 2008 A1
20080225748 Khemani et al. Sep 2008 A1
20080225753 Khemani et al. Sep 2008 A1
20080229381 Sikka et al. Sep 2008 A1
20080320151 McCanne et al. Dec 2008 A1
Foreign Referenced Citations (3)
Number Date Country
1 343 296 Sep 2003 EP
1 398 715 Mar 2004 EP
WO-2006012612 Feb 2006 WO
Related Publications (1)
Number Date Country
20100251335 A1 Sep 2010 US
Provisional Applications (1)
Number Date Country
60473964 May 2003 US
Continuations (1)
Number Date Country
Parent 10857225 May 2004 US
Child 12795496 US