IPC classification information
Country / type: United States (US) Patent, Granted
International Patent Classification (IPC, 7th edition):
Application number: US-0271585 (2008-11-14)
Registration number: US-8316435 (2012-11-20)
Inventors / address:
- Varadhan, Kannan
- Gomes, Joao Campelo F. N.
Applicant / address:
Agent / address: Shumaker & Sieffert, P.A.
Citation information: cited by 66 patents; cites 1 patent
Abstract
An MPLS-aware firewall allows firewall security policies to be applied to MPLS traffic. The firewall, which may be integrated within a routing device, can be configured into multiple virtual security systems. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to the packets. The user interface allows the user to define different zones and policies for different ones of the virtual security systems. In addition, the user interface supports a syntax that allows the user to define the zones for the firewall by specifying the customer VPNs as interfaces associated with the zones. The routing device generates mapping information for the integrated firewall to map the customer VPNs to specific MPLS labels for the MPLS tunnels carrying the customer's traffic.
Representative claims
1. A network router comprising: a plurality of interfaces configured to send and receive packets; a firewall integrated within the network router, the firewall configured to provide a plurality of virtual security systems to apply stateful firewall services to the packets, each of the virtual security systems representing a logically partitioned firewall instance; a routing engine comprising hardware that executes a routing protocol to maintain separate routing information for each of the virtual security systems, the routing information for each of the virtual security systems specifying routes through a network, wherein the protocols include at least one protocol to establish virtual private network (VPN) tunnels for one or more customer VPNs for at least one of the virtual security systems; a forwarding engine configured by the routing engine to select next hops for the packets in accordance with the routing information for each of the virtual security systems, the forwarding engine comprising a switch fabric to forward the packets to the interfaces based on the selected next hops, wherein the forwarding engine includes a flow control module that, upon receiving packets from the network, directs one or more of the packets to the firewall for application of the stateful firewall services; a user interface by which a user defines one or more zones to be recognized by the firewall when applying stateful firewall services to the packets, wherein the user interface supports a syntax that allows the user to define the zones by specifying the customer VPNs as interfaces associated with the zones, wherein the routing engine executes a network services protocol that communicates mapping information between the routing engine and the firewall, wherein for each of the virtual security systems the mapping information associates VPN labels for VPN tunnels with the customer VPNs for that virtual security system as specified by the user interface, and wherein for VPN tunnels for which the network router operates as an egress label switched router, the mapping information associates inner VPN labels affixed to packets received from the VPN tunnels by the interface cards with respective ones of the customer VPNs for the different virtual security systems.
2. The network router of claim 1, wherein the user interface allows the user to specify one or more policies for the firewall, wherein, based on the mapping information, the firewall applies the policies to multi-protocol label switched (MPLS) packets received from the forwarding plane, and wherein, based on the mapping information, the firewall applies the policies to packets received from the forwarding plane that are destined to be forwarded by the routing device to the VPN tunnels as multi-protocol label switched (MPLS) packets.
3. The network router of claim 2, wherein the user interface allows the user to define the policies for a specific one of the virtual security systems of the firewall.
4. The network router of claim 1, wherein the user interface allows the user to define the zones for a specific one of the virtual security systems of the firewall.
5. The network router of claim 1, wherein the user interface allows the user to define the zones to be shared by all of the virtual security systems of the firewall.
6. The network router of claim 1, wherein the firewall comprises a plurality of service cards comprising hardware for applying the stateful firewall services to the packets, wherein at least two of the virtual security systems are assigned to different ones of the service cards, and wherein the firewall directs packets associated with the virtual security systems to the different service cards for application of the stateful firewall services.
7. The network router of claim 1, wherein the firewall stores configuration data that specifies the zones defined by the user, at least one of the zones specifying a collection of interfaces that includes identifiers for one or more of the customer VPNs.
8. The network router of claim 1, wherein for VPN tunnels for which the network router operates as an ingress label switched router, the mapping information communicated between the network services protocol of the routing engine and the firewall associates pairs of a VPN label and a forwarding next hop with respective ones of the customer VPNs, wherein the VPN labels are VPN labels to be subsequently affixed to the packets when output to the network by the forwarding engine for the different virtual security systems.
9. The network router of claim 1, wherein the firewall determines an input zone and an output zone for each of the packets by associating the packet with one of the virtual security devices and selecting an input zone and an output zone defined by the user for the associated virtual security device, wherein the firewall applies one or more of the stateful firewall services to each of the packets based on the input zone and output zone determined for the packet, and wherein at least one of the input zone or output zone is defined by the user by specifying at least one of the customer VPNs within a collection of interfaces associated with the input zone or output zone.
10. The network router of claim 1, wherein, based on the routing information, the routing engine programs the forwarding engine with separate forwarding information for each of the virtual security devices, wherein the forwarding information for each of the virtual security devices associates network destinations and MPLS labels for the virtual security device with specific next hops and corresponding interface ports of interface cards of the router, wherein the routing engine programs the firewall with at least a portion of the forwarding information for each of the virtual security devices, and wherein, for each packet received from the forwarding engine, the firewall associates the packet with one of the virtual security devices and performs a route lookup for the packet using the portion of the forwarding information for the associated virtual security device to determine an output zone for the packet.
11. The network router of claim 1, wherein the user interface is a text-based interface that supports a command syntax that allows the user to specify the zones for the different virtual security devices.
12. The network router of claim 1, wherein the user interface is a user interface output by the router to be presented remotely by a web browser or management station.
13. The network router of claim 1, wherein the stateful firewall services include multiple services including intrusion deep packet inspection, virus scanning of application-layer data carried by the packets, and layer seven security services.
14. The network router of claim 1, wherein the network router comprises one of a provider edge router, a Broadband Remote Access Server (BRAS), a Broadband Network Gateway (BNG), a Cable Modem Termination System (CMTS), a Multi-Service Edge router (MSE), a Gateway GPRS (General Packet Radio Services) Support Node (GGSN), a Packet Data Serving Node (PDSN), or a Public Data Network Gateway (PDN-GW), a data center device that provides routing and security functions for packets flowing in or out of a data center, a peering router that serves as a point of interconnection between network service providers, or an autonomous system border router (ASBR).
15. A method comprising: executing, with a routing engine of a router, at least one protocol to establish VPN tunnels for one or more customer VPNs, wherein the router includes an integrated firewall configured to provide a plurality of virtual security systems, each of the virtual security systems representing a logically partitioned firewall instance; presenting, with the router, a user interface by which a user specifies one or more zones to be recognized by the firewall, wherein the user interface allows the user to define different zones for different ones of the virtual security systems, and wherein the user interface supports a syntax that allows the user to define at least one of the zones by specifying one or more of the customer VPNs as interfaces associated with the zone; communicating mapping information from the routing engine to the firewall, wherein for each of the virtual security systems the mapping information associates VPN labels for the VPN tunnels with the customer VPNs for that virtual security system, wherein for VPN tunnels for which the network router operates as an egress label switched router, the mapping information associates inner VPN labels affixed to packets received by the interface cards with respective ones of the customer VPNs for the different virtual security systems; receiving, from a network, packets at a plurality of interfaces of the router; directing, with a flow control module of a forwarding engine of the router, one or more of the received packets to the firewall for application of stateful firewall services; applying stateful firewall services to the packets with the firewall of the network router based on the zones specified by the user by associating each of the packets with one of the virtual security devices and identifying the zones specified by the user for the associated virtual security device based on the mapping information; after applying stateful firewall services, forwarding at least some of the packets from the firewall to the forwarding engine; selecting next hops for the packets within the network with the forwarding engine; and forwarding the packets to the interfaces in accordance with the selected next hops.
16. The method of claim 15, further comprising storing within the router configuration data that specifies the zones defined by the user, at least one of the zones specifying a collection of interfaces that includes identifiers for one or more of the LSPs for the customer VPNs.
17. The method of claim 15, wherein for VPN tunnels for which the network router operates as an ingress label switched router, the mapping information associates pairs of a VPN label and a forwarding next hop with respective ones of the customer VPNs, wherein the VPN labels are to be subsequently affixed to the packets when output to the network by the forwarding engine for the different virtual security systems.
18. The method of claim 15, wherein the user interface allows the user to specify one or more policies for the virtual security systems of the firewall, the policies for at least one of the virtual security systems differing from a second one of the virtual security systems, wherein, based on the mapping information, the firewall applies the policies to multi-protocol label switched (MPLS) packets received from the forwarding plane that are encapsulated with at least one label, and wherein, based on the mapping information, the firewall applies the policies to packets received from the forwarding plane that are destined to be forwarded by the routing device.
19. The method of claim 15, wherein applying stateful firewall services comprises: determining, for each of the received packets, whether the received packet is an MPLS packet; when the received packet is an MPLS packet, accessing the mapping information to map an inner VPN label of the received packet to one of the customer VPNs for the associated virtual security system to determine an input zone for the received packet; determining an output zone for the packet based on the associated virtual security system; and applying one or more of the stateful firewall services to each of the packets based on the input zone and output zone determined for the packet.
20. The method of claim 15, wherein applying stateful firewall services comprises: associating each of the packets with one of the virtual security systems; determining, for each of the received packets, an input zone for the received packet based on the associated virtual security system; performing a route lookup with the firewall to determine whether the received packet is to be output on a VPN tunnel by the forwarding engine; when the received packet is to be output on the VPN tunnel: (1) determining from the route lookup a next hop for the packet and a VPN label that the forwarding engine will affix to the packet when forwarding the packet; and (2) accessing the mapping information to map the next hop and the MPLS label to be affixed to the packet to one of the customer VPNs to determine an output zone for the received packet when the packet is subsequently forwarded by the forwarding engine; and applying one or more of the stateful firewall services to each of the packets based on the input zone and output zone determined for the packet.
21. The method of claim 15, wherein the user interface is one of a graphics-based user interface or a text-based interface that supports a command syntax that allows the user to specify the zones.
22. The method of claim 15, where the lists of interfaces are lists of logical interfaces, and wherein at least two or more of the VPN tunnels for the customer VPNs flow through a single physical interface of the router.
23. A non-transitory computer-readable storage medium comprising program instructions to cause a processor to: execute, with a routing engine of a router, at least one protocol to establish label switched paths (LSPs) to carry VPN communications for a plurality of customer virtual private networks (VPNs), wherein the router includes an integrated firewall configured to provide a plurality of virtual security systems, each of the virtual security systems representing a logically partitioned firewall instance; present, with the router, a user interface by which a user specifies one or more zones to be recognized by the firewall integrated within the router, wherein the user interface allows the user to define different zones for different ones of the virtual security systems of the firewall, and wherein the user interface supports a syntax that allows the user to define at least one of the zones by specifying one or more of the customer VPNs as interfaces associated with the zone; and communicate mapping information from the routing engine to the firewall, wherein for each of the virtual security systems the mapping information associates VPN labels for the VPN tunnels with the customer VPNs for that virtual security system, wherein for VPN tunnels for which the network router operates as an egress label switched router, the mapping information associates inner VPN labels affixed to packets received by the interface cards with respective ones of the customer VPNs for the different virtual security systems.
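The zone-resolution logic of claims 1, 8, 19 and 20 (inner VPN label to customer VPN on the egress side, next hop plus label to customer VPN on the ingress side, customer VPN names usable as zone members, per-virtual-security-system policies) as an added illustration; this is not code from the patent or from any vendor, and every interface name, label value and zone or policy entry below is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class VirtualSecuritySystem:
    # Zones are collections of "interfaces"; a customer VPN name is a valid
    # member, which is the syntax the patent's user interface supports.
    zones: dict[str, set[str]]
    # Egress LSR side: inner VPN label on a received packet -> customer VPN.
    egress_map: dict[int, str]
    # Ingress LSR side: (next hop, VPN label to be affixed) -> customer VPN.
    ingress_map: dict[tuple[str, int], str]
    # (input zone, output zone) -> action; anything unmatched is dropped.
    policies: dict[tuple[str, str], str]

    def zone_of(self, interface: str) -> str | None:
        for name, members in self.zones.items():
            if interface in members:
                return name
        return None

    def input_zone(self, packet: dict) -> str | None:
        # Claim 19: MPLS packets are classified by inner VPN label; plain IP
        # packets by the interface they arrived on.
        if "inner_label" in packet:
            vpn = self.egress_map.get(packet["inner_label"])
            return self.zone_of(vpn) if vpn else None
        return self.zone_of(packet["in_if"])

    def output_zone(self, route: dict) -> str | None:
        # Claim 20: a route lookup that ends in a VPN tunnel is mapped via
        # (next hop, label); otherwise the egress interface decides the zone.
        if "label" in route:
            vpn = self.ingress_map.get((route["next_hop"], route["label"]))
            return self.zone_of(vpn) if vpn else None
        return self.zone_of(route["out_if"])

    def decide(self, packet: dict, route: dict) -> str:
        zin, zout = self.input_zone(packet), self.output_zone(route)
        if zin is None or zout is None:
            return "drop"  # unmapped label or interface: fail closed
        return self.policies.get((zin, zout), "drop")

# Constructed vsys: zone "vpn-a" is defined by the customer VPN "cust-a".
VSYS1 = VirtualSecuritySystem(
    zones={"vpn-a": {"cust-a"}, "trust": {"ge-0/0/1.0"}},
    egress_map={300016: "cust-a"},
    ingress_map={("10.0.0.2", 300016): "cust-a"},
    policies={("vpn-a", "trust"): "permit", ("trust", "vpn-a"): "permit"},
)
```

A second `VirtualSecuritySystem` instance with its own tables models a second logically partitioned firewall; a label that is meaningful in one instance resolves to no zone in another and is dropped.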