TREA

Preconfigured filters, dynamic updates and cloud based configurations in a network access switch

Follow

Information

  • Patent Grant
  • 10904075
  • Patent Number
    10,904,075
  • Date Filed
    Tuesday, July 2, 2013
    11 years ago
  • Date Issued
    Tuesday, January 26, 2021
    3 years ago
Information
Abstract
Methods and systems for providing a configuration file on a network access switch that may be configured by a third party. A third party remotely defines a set of filters for the network access switch, absolving the user of any responsibility to update or configure the filters on the device. The configuration files may be stored and accessed remotely in the cloud. The system and method also provide for a simple software interface to facilitate easy implementation of the filters stored in the configuration files.
Description
BACKGROUND OF THE INVENTION

1. Field of the Invention


The present invention relates to network access switch architectures, and more particularly, to a system that allows for the easy construction and updating of filters on a network access switch.


2. Description of the Related Art


Access switches are often used to assist in the monitoring of telecommunication links. Taps or span ports are used to feed traffic to Access Switches. The Access Switches then filter and direct the traffic to the correct monitoring devices such as intrusion detection systems (IDS) or traffic monitoring and analytical devices. Typical deployments are shown in FIG. 1.


Filters can be based on a number of different parameters such as protocol type (eg. UDP or TCP), destination or source addresses (be they layer 2 (MAC) or layer 3 (IP) addresses), and even specific bits within the payload data packets. Filters can also be assigned names chosen by users and which typically define the role of the filter, for example: “Voice over IP traffic on LAN port number 1.” End users can also construct complex logical Boolean filters based on the above parameters.


However, the construction of such complex filters can be both complex, tedious, time consuming and prone to errors. Once the filters have been defined they are typically stored in a “configuration file” that is stored within the firmware of a specific network Access Switch. Accordingly, there is a need in the art for simple, accurate construction of filters on network access switches.


Within the financial services industry there are particular challenges due to the large number of destination IP addresses used to define various traded instrument ranges within multicast data feeds that are published by major stock exchanges and execution venues. Major stock exchanges can have hundreds of IP addresses that are mapped to specific traded instruments. Different ranges can apply to production versus test feeds, and feeds originating from different data centers may also have multiple addresses. Companies who wish to set up their network Access Switches to filter on given financial instruments or for specific exchanges face significant logistical challenges in keeping track of all these parameters and ensuring that the filters are correctly defined. In addition it is not unusual for major stock exchanges to change their IP address ranges and their mappings to traded instruments on a regular basis. This again can cause logistical issues as these changes have to be tracked and then modifications made to the filters. Accordingly, there is a need in the art to reduce administration resources and costs with a network access switch that can simply track the changes to IP addresses made by major stock exchanges and execution venues.


BRIEF SUMMARY OF THE INVENTION

The present invention provides a method for defining a set of filters on a network access switch, comprising the steps of providing a network access switch having access to a configuration file for defining filters based on received data; limiting remote access to the configuration file to at least a single third party; receiving from the third party data defining a set of filters; and storing the data representing a set of filters within the configuration file.


According to another aspect, a user may not locally or remotely access the configuration file.


According to another aspect, the access switch has a second configuration file, and further comprises the steps of: receiving from the user data defining a set of filters; and storing the data representing a set of filters within the second configuration file.


According to another aspect, the third party is a manufacturer of the network access switch.


According to another aspect, the third party is a service provider.


According to another aspect the filter filters incoming network data based on trade type.


According to another aspect, the configuration file is stored on a remote server where it may accessible to the network access switch.


According to another aspect, the method further comprises the steps of providing a software interface to the network access switch; selecting a filter from set the filters stored within the configuration file with the software interface; and implementing the selected filter on the network access switch.


According to another aspect, the step of receiving occurs at a time of user's election.


According to another aspect, further comprising, after the step of limiting, the step of purchasing from the party data defining a set of filters.


According to an aspect, a system for filtering network traffic, comprising a network access switch having a configuration file, wherein the configuration file may be remotely accessed and programmed by at least a single third party to define a set of filters.


According to another aspect, a user of the network access switch may not access or program the configuration file.


According to another aspect, the system further comprises a second configuration file, wherein the configuration file may be accessed and programmed by a user to define a set of filters.


According to another aspect, the third party is the manufacturer of the network access switch.


According to another aspect, the third party is a service provider.


According to another aspect, the filter filters based on trade type.


According to another aspect, the configuration file is stored on a remote server.


According to another aspect, the system further comprises a software interface to the network access switch, wherein the software interface allows the user to select a filter from the set of filters to be implemented on the network access switch.


According to another aspect, the set of filters is purchased by a user.





BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING(S)

The present invention will be more fully understood and appreciated by reading the following Detailed Description in conjunction with the accompanying drawings, in which:



FIG. 1 is a typical deployment of a network access switch;



FIG. 2 is a schematic view of an embodiment of the present invention.





DETAILED DESCRIPTION OF THE INVENTION

Referring now to the drawings, wherein like reference numerals refer to like parts throughout, there is seen in FIG. 2 a schematic of a new architecture for a network access switch according to an embodiment of the present invention. The new architecture provides two or more configuration files 12 to be located within network access switch 10. The first allows standard user defined filters. Configuration files 16 following the user defined filter, are made up of filters that are defined centrally by a third party and can be remotely updated from a central server. The first configuration file 14 can be thought of as a ‘private configuration file’, while the others are ‘public configuration files’. Public configuration files 16 are based around groups of closely associated filters. For example, ‘Financial Trading’, contains all filters associated with major stock exchange feeds and trading applications that use multicast or FIX messaging. ‘Voice and Video’ contains all filters associated with common applications with voice and video application monitoring.


Configuration files 12 contain all the relevant information for a user of network Access Switch 10 to readily define which traffic can be forwarded or blocked within a filter. The user may configure the filters by selecting from simple drop down menus or drag and drop type operations rather than composing complex technical filter expressions based on IP addresses or other parameters.



FIG. 2 also shows how configuration files 12 are related of the network Access Switch.


For example, if the Financial Trading Configuration file is loaded and the user wished to forward the NSYE BBO Production Line A Symbols A-C traffic, the user would select “NYSE_BBO_Production_LineA_Symbols_A-C_” in a drop down menu, rather than looking up the destination IP address of the multicast group associated with this feed in a large spreadsheet and then manually entering this as ip.dst==224.0.5.221 AND udp.port==8221.


All the required filter configuration data and logical Boolean constructs are located within public configuration files 16. Public configuration files 16 also contain the user-friendly names and relationships of the filtered objects as well as descriptions of them. Sophisticated filtering based on parameters that are relevant to the trading application can also be made, for example the filters may filter by trade type or instrument.


Although the user of the device may back up private configuration file 14 on a local backup 18, public configuration file 16 cannot be altered and adjusted by the end user. However, public configuration file 16 can be updated on a regular basis by an autonomous process controlled by either the manufacturer of the hardware or a third party service provider. Alternatively, to account for security concerns by some users, a semi manual process can be used whereby the end user manually loads new public configuration file 16.


End users can choose to store both types of their backup configuration files 12 locally, but there is little point in doing so for public configuration file 16 as these are available from either the supplier or a third party service provider. The ability to store private configuration files off site and accessible via the internet (as a cloud based service) is also possible.


Filters may also be sold by manufacturers or service providers, and purchased by end users.


Although most of the above examples concern financial services applications, this embodiment can also be used in other applications as well.

Claims
  • 1. A method for defining filters on a network access switch, comprising: providing a network access switch that connects to at least one network tap and at least one span port, receives and filters traffic from the at least one network tap and span port, and directs the filtered traffic to network monitoring devices, the network access switch comprising a first configuration file for defining filters based on received data, wherein said filters in said first configuration file include filters for identifying and forwarding tapped traffic having destination Internet protocol (IP) addresses of multicast groups corresponding to real time traded instrument multicast data feeds of symbols and bid and ask quotes for alphabetic ranges of traded instruments published by stock exchanges and execution venues, and wherein the filters include a filter containing a destination IP address of a multicast group corresponding to one of the real time traded instrument feeds of symbols and bid and ask quotes for alphabetic ranges of traded instruments published by one of said stock exchanges or execution venues; andusing an autonomous process to update said filters within said first configuration file to track changes in mappings between said traded instruments and said IP addresses, the changes in the mappings including changes made by stock exchanges and execution venues in IP addresses associated with multicast data feeds published by the stock exchanges and execution venues, and wherein said network access switch uses said destination IP addresses to forward traffic to said multicast groups and wherein using said autonomous process to update said filters comprises providing a drop down menu having an identifier for a stock data feed mapped to a destination IP address of a multicast group, receiving selection of the identifier, and configuring the network access switch to forward traffic to the destination IP address of the multicast group.
  • 2. The method of claim 1, wherein said filters in said first configuration file include filters that filter incoming network data based on trade type.
  • 3. The method of claim 1, wherein said first configuration file is stored on a remote server where it is accessible to said network access switch.
  • 4. The method of claim 1, further comprising: providing a software interface to said network access switch;selecting a filter from said filters stored within said first configuration file with said software interface; andimplementing said selected filter on said network access switch.
  • 5. The method of claim 1, wherein said network access switch comprises a second configuration file manually updatable by an end user, and the method further comprises receiving, by the end user, data defining a set of filters and the receiving occurs at a time of said end user's election.
  • 6. The method of claim 1, further comprising, limiting access to said filters in said first configuration file to a third party, and, after the limiting, purchasing from said third party data defining a set of filters.
  • 7. A system for filtering network traffic, comprising: a network access switch that connects to at least one network tap and at least one span port, receives and filters traffic from the at least one network tap and span port, and directs the filtered traffic to network monitoring devices, the network access switch comprising:a first configuration file, wherein said first configuration file is remotely accessible and programmable to define a set of filters, wherein said filters in said first configuration file include filters for tapping and forwarding traffic having destination Internet protocol (IP) addresses of multicast groups corresponding to traded instrument multicast data feeds of symbols and bid and ask quotes for alphabetic ranges of traded instruments published by stock exchanges and execution venues,wherein said filters for tapping and forwarding traffic having destination IP addresses of multicast groups corresponding to traded instrument multicast data feeds of symbols and bid and ask quotes for alphabetic ranges of traded instruments published by stock exchanges and execution venues include a filter containing a destination IP address of a multicast group corresponding to one of the real time traded instrument feeds of symbols and bid and ask quotes for alphabetic ranges of traded instruments published by one of said stock exchanges or execution venues, and wherein said filters within said first configuration file are updatable using an autonomous process to track changes in said destination IP addresses of said multicast groups corresponding to real time traded instrument multicast data feeds of symbols and bid and ask quotes for alphabetic ranges of traded instruments published by stock exchanges and execution venues, the changes in the mappings including changes made by said stock exchanges and execution venues in said destination IP addresses of said multicast groups corresponding to said traded instrument multicast data feeds of symbols and bid and ask quotes for alphabetic ranges of traded instruments published by the stock exchanges and execution venues, and wherein said network access switch uses said destination IP addresses to forward traffic to said multicast groups and wherein using said autonomous process to update said filters comprises providing a drop down menu having an identifier for a stock data feed mapped to a destination IP address of a multicast group, receiving selection of the identifier, and configuring the network access switch to forward traffic to the destination IP address of the multicast group.
  • 8. The system of claim 7, wherein said filters in said first configuration file include filters that filter incoming network data based on trade type.
  • 9. The system of claim 7, wherein said first configuration file is stored on a remote server accessible to said network access switch.
  • 10. The system of claim 7, further comprising a software interface to said network access switch, wherein said software interface allows an end user to select a filter from said set of filters in said first configuration file to be implemented on said network access switch.
  • 11. The system of claim 7, wherein said network access switch comprises a second configuration file updatable by an end user, said second configuration file being accessible at a time of said end user's election.
  • 12. The system of claim 7, wherein said set of filters in said first configuration file is purchased by a user.
CROSS-REFERENCE TO RELATED APPLICATIONS

The present application claims priority to U.S. Provisional Patent Application No. 61/667,349, filed on Jul. 2, 2012.

US Referenced Citations (75)
Number Name Date Kind
5343473 Cidon et al. Aug 1994 A
5867763 Dean et al. Feb 1999 A
5983270 Abraham Nov 1999 A
6130887 Dutta Oct 2000 A
6434624 Gai Aug 2002 B1
6505255 Akatsu et al. Jan 2003 B1
6678250 Grabelsky et al. Jan 2004 B1
6814510 Sabbagh et al. Nov 2004 B1
6907001 Nakayama et al. Jun 2005 B1
7286652 Azriel et al. Oct 2007 B1
7424018 Gallatin et al. Sep 2008 B2
7515650 Warner et al. Apr 2009 B1
7596356 Rofougaran et al. Sep 2009 B2
7769873 Mackie Aug 2010 B1
7835348 Kasralikar Nov 2010 B2
7873702 Shen et al. Jan 2011 B2
7945216 Rakshani et al. May 2011 B2
8027637 Bims Sep 2011 B1
8098677 Pleshek Jan 2012 B1
8102783 Narayanaswamy et al. Jan 2012 B1
8134927 Gamage et al. Mar 2012 B2
8248928 Wang et al. Aug 2012 B1
8259722 Kharitonov Sep 2012 B1
8306063 Erdal et al. Nov 2012 B2
8386937 Gao Feb 2013 B1
8446916 Aybay et al. May 2013 B2
9270542 Gamage et al. Feb 2016 B2
9571296 Nachum Feb 2017 B2
9806968 Matityahu et al. Oct 2017 B2
9898781 Silverman Feb 2018 B1
9967150 Nachum May 2018 B2
10616098 Gamage et al. Apr 2020 B2
20020073136 Itoh et al. Jun 2002 A1
20030144868 MacIntyre et al. Jul 2003 A1
20030172123 Polan et al. Sep 2003 A1
20040015613 Ikeda Jan 2004 A1
20040218609 Foster Nov 2004 A1
20050282502 Kursula et al. Dec 2005 A1
20060174032 Winchester et al. Aug 2006 A1
20060223516 Fan Oct 2006 A1
20060294221 Graupner et al. Dec 2006 A1
20070177526 Siripunkaw Aug 2007 A1
20070189272 Hutchinson et al. Aug 2007 A1
20080052784 Wiley et al. Feb 2008 A1
20080104236 Yoshikawa May 2008 A1
20080147831 Redjaian Jun 2008 A1
20080153541 Rakshani et al. Jun 2008 A1
20080170561 Halbraich et al. Jul 2008 A1
20080190639 Baran et al. Aug 2008 A1
20080215477 Annunziata Sep 2008 A1
20090182874 Morford et al. Jul 2009 A1
20090190589 Bains et al. Jul 2009 A1
20100135164 Rofougaran Jun 2010 A1
20100228854 Morrison et al. Sep 2010 A1
20110026406 Gamage et al. Feb 2011 A1
20110026521 Gamage et al. Feb 2011 A1
20110103259 Aybay May 2011 A1
20110103595 Ramaswamy et al. May 2011 A1
20110264797 Matityahu et al. Oct 2011 A1
20120124257 Wu May 2012 A1
20120181540 Udagawa et al. Jul 2012 A1
20120317224 Caldwell Dec 2012 A1
20130010605 Jocha et al. Jan 2013 A1
20130272135 Leong Oct 2013 A1
20130336240 Cherian Dec 2013 A1
20140181267 Wadkins et al. Jun 2014 A1
20150009994 Keesara et al. Jan 2015 A1
20150029846 Liou et al. Jan 2015 A1
20150055720 Lin et al. Feb 2015 A1
20150113133 Srinivas et al. Apr 2015 A1
20150113143 Stuart et al. Apr 2015 A1
20150319049 Nachum Nov 2015 A1
20150319070 Nachum Nov 2015 A1
20160057039 Htay et al. Feb 2016 A1
20160226752 Gamage et al. Aug 2016 A1
Foreign Referenced Citations (2)
Number Date Country
2 561 645 Feb 2020 EP
WO 2011133711 Oct 2011 WO
Non-Patent Literature Citations (56)
Entry
Applicant-Initiated Interview Summary for U.S. Appl. No. 13/092,671 (dated Sep. 9, 2016).
Final Office Action for U.S. Appl. No. 14/266,668 (dated Aug. 25, 2016).
Non-Final Office Action for U.S. Appl. No. 13/092,671 (dated Jun. 2, 2016).
Notice of Allowance for U.S. Appl. No. 14/266,660 (dated May 13, 2016).
Non-Final Office Action for U.S. Appl. No. 14/266,668 (dated Feb. 1, 2016).
Commonly-assigned, co-pending Continuation U.S. Appl. No. 15/012,801 for “Apparatus and Methods for Forwarding Data Packets Captured From a Network,” (Unpublished, filed Feb. 1, 2016).
Notice of Allowance for U.S. Appl. No. 14/266,660 (dated Jan. 21, 2016).
Extended European Search Report for European Patent Application No. 11772665.3 (dated Oct. 1, 2015).
Non-Final Office Action for U.S. Appl. No. 14/266,660 (dated Sep. 18, 2015).
Notice of Allowance and Fee(s) Due and Exmainer-Initiated Interview Summary for U.S. Appl. No. 12/533,957 (dated Aug. 7, 2015).
Non-Final Office Action for U.S. Appl. No. 12/533,957 (dated Nov. 17, 2014).
Final Office Action for U.S. Appl. No. 13/092,671 (dated Nov. 6, 2014).
Non-Final Office Action for U.S. Appl. No. 13/092,671 (dated Apr. 23, 2014).
Final Office Action for U.S. Appl. No. 12/533,957 (dated Feb. 28, 2014).
Interview Summary for U.S. Appl. No. 12/533,957 (dated Jan. 24, 2014).
“OpenFlow Switch Specification,” Open Networking Foundation, Version 1.4.0 (Wire Protocol 0x05), pp. 1-206 (Oct. 14, 2013).
Non-Final Office Action for U.S. Appl. No. 12/533,957 (dated Sep. 12, 2013).
Final Office Action for U.S. Appl. No. 13/092,671 (dated May 23, 2013).
Selecting the Right VERAstreamTM Product, DATACOM Systems Inc, p. 1-1 (May 14, 2013).
Final Office Action for U.S. Appl. No. 12/533,957 (dated Jan. 2, 2013).
Non-Final Office Action for U.S. Appl. No. 13/092,671 (dated Nov. 9, 2012).
Non-Final Office Action for U.S. Appl. No. 12/533,957 (dated May 11, 2012).
“Smart Taps Getting Smarter,” Networking, Network Computing New, http://www.networkcomputing.com/networking/smart-taps-getting-smarter/1797861399, pp. 1-2 (Mar. 22, 2012).
“Command Today's Complex Data Center Challenges,” Data Center, Net Optics Data Sheet, Net Optics Inc., pp. 1-4 (2011).
Notification of Transmittal of the International Search Report and the Written Opinion of the International Searching Authority, or the Declaration for International Application No. PCT/US2011/033313 (dated Nov. 30, 2011).
Notice of Allowance and Fee(s) Due for U.S. Appl. No. 12/533,951 (dated Nov. 8, 2011).
Final Office Action for U.S. Appl. No. 12/533,957 (dated Oct. 31, 2011).
Interview Summary for U.S. Appl. No. 12/533,957 (dated Aug. 31, 2011).
Non-Final Office Action for U.S. Appl. No. 12/533,957 (Aug. 2, 2011).
Interview Summary for U.S. Appl. No. 12/533,951 (dated Jul. 28, 2011).
Non-Final Office Action for U.S. Appl. No. 12/533,951 (dated Feb. 18, 2011).
Agilent Technologies, “Agilent N2X: The Industry's Most Comprehensive Multiservices Test Solution for Converging Network Infrastructures,” 5989-1244EN, pp. 1-6 (Feb. 1, 2006).
Agilent Technologies, “Agilent N2X PITV Quality of Experience Test Solution,” N5570A and E7877A Technical Data Sheet, 5989-3440EN, pp. 1-12 (Jul. 21, 2006).
Agilent Technologies, “True Router Performance Testing: Agilent Technologies Router Tester Application Note,” 5980-1421E, Rev. A, pp. 1-8 (May 2000).
Letter from Ixia to Agilent Technologies re: Notice of Indemnification Claims/Dispute pp. 1-2 (Nov. 9, 2010).
Letter from Agilent Technologies to Ixia re: Notice of Indemnification Claims/Dispute, pp. 1-2 (Oct. 28, 2010).
Letter from Ixia to Agilent Technologies re Notice of Erroneously Assigned Patent Applications and Request for Executed Assignment, pp. 1-2 (Oct. 22, 2010).
Letter from Agilent Technologies to Ixia re: Notice of Erroneously Assigned Patent Application and Request for Executed Assignment, pp. 1-2 (Oct. 8, 2010).
“Radware's Smart IDS Management, FireProof and Intrusion Detection System, Deployment and ROI,” Radware, Inc. pp. 1-9 (Aug. 21, 2002).
Edwards, “Vulnerabilities of Network Intrusion Detection Systems: Realizing and Overcoming the Risks, the Case for Flow Mirroring,” Top Layer Networks, pp. 1-18 (May 1, 2002).
Notice of Decision from Post-Prosecution Pilot Program (P3) Conference for U.S. Appl. No. 14/266,668 (dated Dec. 22, 2016).
Final Office Action for U.S. Appl. No. 13/092,671 (dated Dec. 16, 2016).
Non-Final Office Action for U.S. Appl. No. 15/012,801 (dated Dec. 13, 2016).
Notice of Allowance and Fee(s) Due for U.S. Appl. No. 14/266,660 (dated Oct. 13, 2016).
Notice of Allowance and Examiner Initiated Interview Summary for U.S. Appl. No. 13/092,671 (dated Jul. 20, 2017).
Final Office Action for U.S. Appl. No. 15/012,801 (dated Jun. 2, 2017).
Non-Final Office Action for U.S. Appl. No. 14/266,668 (dated May 5, 2017).
Advisory Action and Examiner Initiated Interview Summary for U.S. Appl. No. 13/092,671 (dated Mar. 13, 2017).
Notice of Allowance and Fee(s) Due and Examiner-Initiated Interview Summary for U.S. Appl. No. 14/266,668 (dated Dec. 27, 2017).
Notice of Panel Decision from Pre-Appeal Brief Review for U.S. Appl. No. 15/012,801 (dated Oct. 25, 2017).
Communication pursuant to Article 94(3) EPC for European Patent Application Serial No. 11 772 665.3 (dated Apr. 4, 2019).
Notice of Allowance for U.S. Appl. No. 14/266,668 (dated Apr. 9, 2018).
Examiner's Answer for U.S. Appl. No. 15/012,801 (dated Mar. 27, 2018).
Notice of Allowance and Fee(s) Due for U.S. Appl. No. 15/012,801 (dated Jan. 8, 2020).
Decision on Appeal for U.S. Appl. No. 15/012,801 (dated Oct. 10, 2019).
Decision to grant a European patent pursuant to Article 97(1) EPC for European Patent Application Serial No. 11772665.3 (dated Jan. 30, 2020).
Related Publications (1)
Number Date Country
20140012962 A1 Jan 2014 US
Provisional Applications (1)
Number Date Country
61667349 Jul 2012 US