Cluster Architecture for Network Security Processing

Bibliographic Details
Title: Cluster Architecture for Network Security Processing
Document Number: 20100162383
Publication Date: June 24, 2010
Appl. No: 12/643663
Application Filed: December 21, 2009
Abstract: A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device, may be performed.
Inventors: Linden, Thomas (Los Gatos, CA, US); Huang, James (Irvine, CA, US); Hsu, Jeff (San Jose, CA, US); Lee, Ming-Jeng (Irvine, CA, US)
Assignees: WATCHGUARD TECHNOLOGIES, INC. (Seattle, WA, US)
Claim: 1. A computer-readable storage medium comprising instructions to cause a computing device to perform a method for assigning network flow processing tasks within a cluster comprising a plurality of communicatively coupled computing devices, the method comprising: maintaining a flow assignment data structure comprising mappings between network flows and cluster computing devices assigned thereto; identifying a network flow for processing by the cluster; determining whether the network flow is already being processed by a cluster computing device using the flow assignment data structure; assigning the network flow to a selected one of the cluster computing devices when the flow has not been assigned to a cluster computing device; and updating the flow assignment data structure to map the network flow to the assigned cluster computing device.
Claim: 2. The computer-readable storage medium of claim 1, further comprising configuring the assigned cluster computing device to process network traffic associated with the network flow.
Claim: 3. The computer-readable storage medium of claim 2, wherein processing network traffic comprises subjecting network traffic associated with the flow to a security policy.
Claim: 4. The computer-readable storage medium of claim 1, further comprising configuring an inbound network interface communicatively coupling the cluster computing devices to a network to forward network traffic associated with the network flow to the assigned cluster computing device.
Claim: 5. The computer-readable storage medium of claim 1, wherein the network flow is assigned to a cluster computing device according to one or more flow assignment rules.
Claim: 6. The computer-readable storage medium of claim 5, wherein one of the one or more flow assignment rules specifies that related network flows are to be assigned to the same cluster computing device.
Claim: 7. The computer-readable storage medium of claim 5, wherein one of the one or more flow assignment rules specifies that related forward and reverse network flows are to be assigned to the same cluster computing device.
Claim: 8. The computer-readable storage medium of claim 5, wherein one of the one or more flow assignment rules specifies that flows relating to the same protocol connection are to be assigned to the same cluster computing device.
Claim: 9. The computer-readable storage medium of claim 8, wherein one of the one or more flow assignment rules specifies that file transfer protocol (FTP) control network flows are to be assigned to the same cluster computing device that is handling related FTP data network flows and vice versa.
Claim: 10. The computer-readable storage medium of claim 5, wherein one of the one or more flow assignment rules specifies that flows associated with the same tunnel are to be assigned to the same cluster computing device.
Claim: 11. The computer-readable storage medium of claim 5, wherein one of the one or more flow assignment rules specifies that flows associated with the same tunnel switch are to be assigned to the same cluster computing device.
Claim: 12. The computer-readable storage medium of claim 5, wherein one of the one or more flow assignment rules specifies that network flows sharing the same security information are to be assigned to the same cluster computing device.
Claim: 13. The computer-readable storage medium of claim 5, wherein one of the one or more flow assignment rules specifies that network flows sharing the same security association are to be assigned to the same cluster computing device.
Claim: 14. The computer-readable storage medium of claim 13, wherein the flow assignment rule specifies that network flows sharing the same inbound security association are to be assigned to the same cluster computing device, and that network flows sharing the same outbound security association are to be assigned to the same cluster computing device.
Claim: 15. The computer-readable storage medium of claim 5, wherein one of the one or more flow assignment rules specifies that all Internet Protocol Security (IPSec) flows associated with a particular peer are to be assigned to the same cluster computing device.
Claim: 16. The computer-readable storage medium of claim 5, wherein one of the one or more flow assignment rules specifies that flows associated with the same secure tunnel are to be assigned to the same cluster computing device.
Claim: 17. A system comprising: a cluster comprising a plurality of communicatively coupled computing devices, wherein one of the cluster computing devices is configured to operate as a cluster master; a network interface communicatively coupling the cluster to an external network; a flow assignment module implemented on the cluster master computing device and configured to assign network flows to the cluster computing devices according to one or more flow assignment rules, wherein the cluster computing devices are configured to receive inbound network traffic via the network interface, and wherein each of the cluster computing devices comprises a traffic processing module configured to ignore inbound network traffic that is not associated with a network flow assigned thereto, and to process inbound network traffic related to network flows that are assigned to the cluster computing device according to a security policy.
Claim: 18. The system of claim 17, wherein responsive to receiving inbound network traffic from the external network, the flow assignment module is configured to determine whether a cluster computing device has been assigned to a network flow corresponding to the inbound network traffic, wherein if no cluster computing device is assigned to the corresponding network flow, the flow assignment module is configured to assign the flow to one of the cluster computing devices according to the one or more flow assignment rules, and wherein if a cluster computing device has been assigned to the corresponding network flow, the flow assignment module ignores the inbound network traffic.
Claim: 19. The system of claim 18, wherein assigning the network flow to a cluster computing device comprises updating a flow assignment data structure to associate the network flow with one of the cluster computing devices.
Claim: 20. The system of claim 18, wherein assigning the network flow to a selected cluster computing device comprises configuring a flow processing module of the selected cluster computing device to identify and process network traffic associated with the assigned network flow.
Claim: 21. The system of claim 20, wherein assigning the network flow to a selected cluster computing device comprises transmitting the inbound network traffic to the selected cluster computing device.
Claim: 22. The system of claim 18, wherein assigning the network flow to a selected cluster computing device comprises configuring the network interface to forward network traffic associated with the network flow to the selected cluster computing device.
Claim: 23. The system of claim 17, wherein the one or more flow assignment rules comprise flow assignment rules specifying that related forward and reverse network flows, flows related to the same tunnel, the same protocol connection, and/or the same tunnel switch are to be assigned to the same cluster computing device.
Claim: 24. The system of claim 17, wherein the one or more flow assignment rules comprise flow assignment rules specifying that flows sharing the same security information are to be assigned to the same cluster computing device.
Claim: 25. The system of claim 24, wherein one of the one or more flow assignment rules specifies that network flows associated with the same secure tunnel are to be assigned to the same cluster computing device.
Claim: 26. The system of claim 24, wherein one of the one or more flow assignment rules specifies that secure network flows to the same external peer are to be assigned to the same cluster computing device.
Claim: 27. The system of claim 24, wherein one of the one or more flow assignment rules specifies that network flows sharing the same security association are to be assigned to the same cluster computing device.
Claim: 28. The system of claim 24, wherein one of the one or more flow assignment rules specifies that network flows sharing the same inbound security association are to be assigned to the same cluster computing device, and network flows sharing the same outbound security association are to be assigned to the same cluster computing device.
Claim: 29. The system of claim 17, further comprising a shared Internet Key Exchange (IKE) module implemented on the cluster master computing device, wherein the cluster computing devices are configured to negotiate security associations using the shared IKE module.
Claim: 30. A method for assigning network flows within a cluster comprising a plurality of computing devices, the method comprising: maintaining a flow assignment data structure comprising mappings between network flows and computing devices assigned thereto; receiving network traffic on a network interface, the network traffic corresponding to a network flow; determining whether the received network flow has been assigned one of the computing devices using the flow assignment data structure; dropping the network traffic if the received network flow has been assigned to a computing device; and assigning the network flow to a selected one of the plurality of computing devices if the network flow is not assigned to a computing device by: identifying one or more computing devices that are eligible to be assigned the received network flow using the flow assignment data structure and one or more flow assignment rules, selecting one of the one or more eligible computing devices according to a selection criteria, and configuring the selected computing device to process network traffic associated with the received network flow.
Claim: 31. The method of claim 30, further comprising transmitting the received network traffic to the selected computing device.
Claim: 32. The method of claim 31, further comprising configuring the network interface to forward network traffic corresponding to the network flow to the selected computing device.
Claim: 33. The method of claim 31, wherein one of the one or more traffic assignment rules determines eligibility based upon whether one or more of the computing devices is assigned a network flow that is related to the received network flow.
Claim: 34. The method of claim 31, wherein one of the one or more of the traffic assignment rules determines eligibility based upon whether one or more of the computing devices is assigned a network flow that shares security information with the received network flow.
Claim: 35. The method of claim 34, wherein one of the one or more traffic assignment rules determines eligibility based upon whether one or more of the computing devices is assigned a network flow sharing a secure tunnel with the received network flow.
Claim: 36. A method for processing network traffic by a computing device in a cluster comprising a plurality of computing devices, comprising: receiving a network flow assignment to assign one or more network flows to the computing device; receiving network traffic relating to a plurality of different network flows; processing the received network traffic by: identifying network traffic associated with network flows assigned to the computing device, processing the identified network traffic according to a security policy, and dropping network traffic that is not identified as associated with a network flow assigned to the computing device.
Claim: 37. The method of claim 36, further comprising maintaining a flow assignment data structure identifying the one or more network flows assigned to the computing device.
Claim: 38. The method of claim 37, wherein the flow assignment data structure identifies network flows using one selected from a source address of the assigned network flow, a destination address of the assigned network flow, a protocol of the assigned network flow, and a port assignment of the assigned network flow.
Claim: 39. The method of claim 36, further comprising: for each of the assigned network flows: maintaining run-time synchronization data associated therewith, and synchronizing the run-time synchronization data to a cluster master computing device.
Claim: 40. The method of claim 37, wherein processing the identified network traffic comprises negotiating a security association, the method further comprising accessing a shared Internet Key Exchange (IKE) service provided by one of the cluster computing devices to perform the security association negotiation.
Claim: 41. A cluster computing device, comprising: a communication interface communicatively coupled to an external network interface and a cluster interface; and a traffic processing module operable on a processor of the cluster computing device and configured to receive a network flow assignment from a cluster master via the cluster interface, the network flow assignment identifying one or more network flows assigned to the cluster computing device, wherein the traffic processing module is configured to receive network traffic associated with a plurality of different network flows on the external network interface, and wherein upon receiving the network traffic, the traffic processing module is configured to identify network traffic associated with the one or more network flows assigned to the cluster computing device, to process the identified network traffic according to a security policy, and to drop network traffic that is not identified as assigned to the cluster computing device.
Claim: 42. The cluster computing device of claim 41, wherein the cluster computing device is configured to maintain a flow assignment data structure identifying the one or more network flows assigned thereto, and wherein the traffic processing module identifies the network traffic assigned to the cluster computing device using the flow assignment data structure.
Claim: 43. The cluster computing device of claim 42, wherein the flow assignment data structure identifies network flows assigned to the cluster computing device based upon one selected from a source address of the assigned network flow, a destination address of the assigned network flow, a protocol of the assigned network flow, and a port assignment of the assigned network flow.
Claim: 44. The cluster computing device of claim 41, wherein the flow processing module is configured to maintain run-time synchronization data associated with each of the network flows assigned to the cluster computing device, and to synchronize the run-time synchronization data to a cluster master computing device via the cluster interface.
Claim: 45. The cluster computing device of claim 41, wherein processing the identified network traffic comprises negotiating a security association, and wherein the flow processing module is configured to access a shared Internet Key Exchange (IKE) service provided by one of the cluster computing devices to perform the security association negotiation.
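The flow assignment scheme of claims 1, 7, 9, 30 and 36 as an added Python sketch (not code from the application or from WatchGuard): the master keeps the flow assignment data structure, keeps already-assigned flows untouched, places a flow on the device that already holds a related flow (the reverse flow, or the FTP control/data counterpart), and each device drops traffic for flows it was not assigned. Round-robin selection among devices and the two-host FTP relation are assumptions.

```python
from dataclasses import dataclass
from itertools import cycle

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self):
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)

FTP_PORTS = {20, 21}  # FTP data (20) and FTP control (21)

def related(new, existing):
    # Claim 7: the reverse of an assigned flow belongs on the same device.
    if new == existing.reverse():
        return True
    # Claim 9: FTP control and FTP data flows between the same hosts stay together (assumed relation).
    ftp = lambda f: f.proto == "tcp" and bool(FTP_PORTS & {f.sport, f.dport})
    return ftp(new) and ftp(existing) and {new.src, new.dst} == {existing.src, existing.dst}

class ClusterDevice:
    def __init__(self, name):
        self.name = name
        self.assigned = set()   # flows the master assigned to this device
        self.dropped = 0

    def handle(self, flow, packet):
        # Claim 36: process only traffic for assigned flows, drop the rest.
        if flow in self.assigned:
            return True         # would apply the security policy here
        self.dropped += 1
        return False

class ClusterMaster:
    def __init__(self, devices):
        self.assignments = {}          # flow assignment data structure (claim 1)
        self._rotate = cycle(devices)  # selection criterion: round-robin (assumed)

    def assign(self, flow):
        if flow in self.assignments:   # already assigned: leave it alone (claim 30)
            return self.assignments[flow], False
        eligible = [d for f, d in self.assignments.items() if related(flow, f)]
        device = eligible[0] if eligible else next(self._rotate)
        self.assignments[flow] = device
        device.assigned.add(flow)
        return device, True
```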
Current U.S. Class: 726/13
Accession Number: edspap.20100162383
Database: USPTO Patent Applications
Language: English