
A method is disclosed for processing data using multiple interconnected firewall devices. A connection is initiated between an internal host and an external network, through a home firewall device. A separate, receiving firewall device may then receive a data packet for the internal host as part of a flow. The receiving device attempts to determine the home device for the packet. The receiving device sends a multicast to all other firewall devices in the firewall cluster. The multicast includes the data packet and information about the receiving device. The home device receives the multicast and responds, indicating that it is the home device. The home device extracts the data packet from the multicast and forwards it to the internal host. The receiving device stores the response information along with other forwarding information that is used to automatically forward to the home device subsequent data packets for the flow.

Inventors: Lebin Cheng, Samuel D. Horowitz, Brian L. Jemes
Original Assignee: Hewlett-Packard Development Company, L.P.
Primary Examiner: Emmanuel L. Moise
Secondary Examiner: Courtney Fields
Current U.S. Classification: 726/3; 726/11; 726/12; 726/13


Citations

Cited Patent | Filing date | Issue date | Original Assignee | Title
US6078957 | Nov 20, 1998 | Jun 20, 2000 | Network Alchemy, Inc. | Method and apparatus for a TCP/IP load balancing and failover process in an internet protocol (IP) network clustering system
US6779039 | Mar 31, 2000 | Aug 17, 2004 | Avaya Technology Corp. | System and method for routing message traffic using a cluster of routers sharing a single logical IP address distinct from unique IP addresses of the routers
US6880089 | Mar 31, 2000 | Apr 12, 2005 | Avaya Technology Corp. | Firewall clustering for multiple network servers
US20030002494 | Jul 2, 2001 | | | Processing of data packets within a network element cluster

Referenced by

Citing Patent | Filing date | Issue date | Original Assignee | Title
US7228562 | Dec 24, 2003 | Jun 5, 2007 | Hitachi, Ltd. | Stream server apparatus, program, and NAS device
US7673049 | Aug 13, 2004 | Mar 2, 2010 | | Network security system
US7707295 | May 3, 2002 | Apr 27, 2010 | Foundry Networks, Inc. | Connection rate limiting
US7844731 | Nov 14, 2003 | Nov 30, 2010 | Symantec Corporation | Systems and methods for address spacing in a firewall cluster
US7890637 | Feb 25, 2008 | Feb 15, 2011 | Juniper Networks, Inc. | Secure communications in a system having multi-homed devices
US7890995 | Nov 26, 2003 | Feb 15, 2011 | Cisco Technology, Inc. | System and method for remote management of communications networks
US8150976 | Feb 14, 2011 | Apr 3, 2012 | Juniper Networks, Inc. | Secure communications in a system having multi-homed devices

Claims

1. A method of handling firewall transactions in a firewall cluster of interconnected firewall devices, the method comprising:

receiving, at only a first firewall device in the firewall cluster from an internal host, a connection-initiation signal for initiating a flow of data packets between an internal network and an external network;

receiving at only a second firewall device in the firewall cluster a data packet from the external network, the data packet being related to the flow; and

sending the data packet from the second firewall device in the cluster to the first firewall device in the cluster using forwarding information.

2. The method of claim 1, further comprising storing in the first firewall device state information related to the internal host.

3. The method of claim 1, further comprising determining whether the forwarding information includes information about a home device of the data packet, and wherein the step of sending comprises sending based on the determining.

4. The method of claim 3, wherein the step of sending comprises sending the data packet as part of a multicast including information about the second device.

5. The method of claim 1, wherein the step of sending comprises sending the data packet as part of a multicast including information about the second device.

6. The method of claim 5, further comprising:

receiving at the second device information associating the flow with the first device; and

storing the information with the forward information.

7. The method of claim 1, further comprising using state information to determine whether the data packet should be sent to the first device, and wherein the step of sending comprises sending based on the using.

8. A method of processing firewall transactions in a firewall cluster having multiple interconnected firewall devices that connect at least one internal host connected to an internal network to an external network, the method comprising:

receiving at a firewall device in the cluster a data packet that is part of a flow of data between the external network and the internal network; and

sending a multicast from the firewall device in the cluster to at least one other firewall device in the cluster to determine a home device for the packet.

9. The method of claim 8, wherein the step of receiving comprises receiving an unrecognized data packet.

10. The method of claim 8, further comprising determining whether the firewall device is the home device using state information, and wherein the step of sending comprises sending based on the determining.

11. The method of claim 8, further comprising:

attempting to identify the home device using forwarding information; and

forwarding the packet to the home device based on the attempting, and wherein the step of sending comprises sending based on the forwarding.

12. The method of claim 8, wherein the step of sending comprises sending a multicast request comprising:

the data packet; and

information about the device.

13. The method of claim 12, further comprising receiving a response signal from the home device, wherein the response signal is sent based on the information.

14. The method of claim 13, further comprising storing forwarding information identifying the home device based on the response signal.

15. A firewall device comprising:

a storage medium;

a processor for executing a software program stored on the storage medium for processing firewall transactions, the software program comprising computer-executable instructions for performing a method, the method comprising:

receiving at a firewall device in a cluster a data packet that is part of a flow of data between an external network and an internal network; and

sending a multicast from the firewall device in the cluster to at least one other firewall device in the cluster to determine a home device for the packet.

16. The device of claim 15, wherein the step of receiving comprises receiving an unrecognized data packet.

17. The device of claim 15,

further comprising a state table stored on the storage medium, wherein the state table stores state information related to one or more flows of data packets for which the device is a home device, and

wherein the method further comprises determining whether the firewall device is the home device using the state information, and

wherein the step of sending comprises sending based on the determining.

18. The device of claim 15,

further comprising a forward table stored on the storage medium, wherein the forward table stores forwarding information about at least one home device of a data flow for which another firewall device is the home device;

wherein the method further comprises:

attempting to identify the home device using the forwarding information; and

forwarding the packet to the home device based on the attempting, and wherein the step of sending comprises sending based on the forwarding.

19. The device of claim 15, wherein the step of sending comprises sending a multicast request comprising:

the data packet; and

information about the device, and

wherein the method further comprises receiving a response signal from the home device.

20. The device of claim 15, wherein the method further comprises storing in a forward table data identifying the home device based on the information.

21. The method of claim 1, wherein the first firewall device and a second firewall device in the firewall cluster are geographically separated.

22. The method of claim 8, wherein the firewall device and the at least one other firewall device in a firewall cluster are geographically separated.

23. The firewall device of claim 15, wherein the firewall device and the at least one other firewall device in a firewall cluster are geographically separated.

24. A method for handling communication transactions in a firewall cluster including a plurality of interconnected firewall devices, the method comprising:

receiving a first data packet at only one of the plurality of firewall devices in the firewall cluster, wherein the first data packet is received from an internal network for initiating a connection to an external network;

receiving a second data packet associated with a data flow at only one of the plurality of firewall devices in the firewall cluster, wherein the second data packet is received from the external network in response to the first data packet;

if the only one firewall device in the firewall cluster receiving the second data packet is a home device for the second data packet, forwarding the second data packet associated with the data flow to a first internal host in the internal network;

if the only one firewall device in the firewall cluster receiving the second data packet is not the home device for the second data packet,
forwarding a multicast signal to other firewall devices in the firewall cluster,
receiving, in response to the multicast signal, at the only one firewall device in the firewall cluster, a confirmation from another firewall device in the firewall cluster that the another firewall device is the home device for the second data packet associated with the data flow, and
forwarding the second data packet associated with the data flow to the another firewall device in the firewall cluster confirmed to be the home device to the second data packet associated with the data flow.

25. The method of claim 24, further comprising:

receiving the second data packet associated with the flow at the another firewall device in the firewall cluster confirmed to be the home device for the second data packet; and

forwarding the second data packet associated with the data flow to a second internal host in the internal network by the another firewall device in the firewall cluster confirmed to be the home device for the second data packet.

26. The method of claim 24, further comprising:

storing in a forwarding table, at the only one firewall device in the firewall cluster receiving the second data packet, information identifying the another firewall device in the firewall cluster confirmed to be the home device for the second data packet associated with the data flow.

27. The method of claim 26, further comprising:

receiving additional data packets from the external network at the only one firewall device in the firewall cluster receiving the second data packet, wherein the additional data packets are associated with the data flow; and

based on information stored in the forwarding table, forwarding the additional data packets, received from the external network, to the another firewall device in the firewall cluster confirmed to be the home device for the second data packet associated with the data flow.

28. The method of claim 27, further comprising:

receiving the additional data packets associated with the flow at the another firewall device in the firewall cluster confirmed to be the home device for the second data packet; and

forwarding the additional data packets associated with the data flow to a second internal host in the internal network by the another firewall device in the firewall cluster confirmed to be the home device for the second data packet.
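The home-device lookup described in the abstract and in claims 1 through 28 (state table on the home device, multicast query for an unrecognized flow, forward table learned from the reply, and drop when no member owns the flow), as an added simulation that is not part of the patent or of any HP product; device names, the flow keys, the internal host name and the payload labels are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class FirewallDevice:
    name: str
    cluster: list = field(default_factory=list)        # every cluster member, set up in demo()
    state_table: dict = field(default_factory=dict)    # flow -> internal host, for flows this device homes
    forward_table: dict = field(default_factory=dict)  # flow -> learned name of the home device
    delivered: list = field(default_factory=list)      # (internal host, payload) handed to the inside

    def open_connection(self, flow, internal_host):
        # An internal host initiates a connection through this device: it becomes the flow's home
        self.state_table[flow] = internal_host

    def deliver(self, flow, payload):
        self.delivered.append((self.state_table[flow], payload))

    def handle_multicast(self, flow, payload):
        # Runs on every other member: only the home device extracts the packet and answers
        if flow not in self.state_table:
            return None
        self.deliver(flow, payload)
        return self.name

    def receive_external(self, flow, payload):
        if flow in self.state_table:                       # this device is the home device
            self.deliver(flow, payload)
            return "home"
        home = self.forward_table.get(flow)
        if home is not None:                               # learned earlier: forward straight to home
            next(d for d in self.cluster if d.name == home).deliver(flow, payload)
            return f"forwarded:{home}"
        # Unrecognized flow: multicast the packet plus this device's identity to the cluster
        replies = [d.handle_multicast(flow, payload) for d in self.cluster if d is not self]
        homes = [r for r in replies if r is not None]
        if not homes:
            return "dropped"          # no member holds state: unsolicited inbound packet is blocked
        self.forward_table[flow] = homes[0]               # remember the home device for this flow
        return f"multicast:{homes[0]}"

def demo():
    devices = fw_a, fw_b, fw_c = [FirewallDevice(n) for n in ("fw-a", "fw-b", "fw-c")]
    for d in devices:
        d.cluster = devices
    flow = ("198.51.100.5", 40001, "203.0.113.10", 443)   # constructed flow key
    fw_a.open_connection(flow, "host-1")                   # outbound SYN leaves through fw-a
    results = [fw_b.receive_external(flow, "syn-ack"),     # reply lands on fw-b instead
               fw_b.receive_external(flow, "data-1"),      # later packets use the forward table
               fw_c.receive_external(("198.51.100.5", 2222, "192.0.2.9", 22), "probe")]
    return results, fw_a.delivered, fw_b.forward_table
```

The third packet is the security-relevant case: with no member holding state for the flow, the multicast gets no reply and the receiving device drops the packet instead of passing it inward.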