Deploying a security appliance system in a high availability environment without extra network burden

US9628505B2 · US · B2

Patent metadata
  • Publication number: US-9628505-B2

  • Application number: US-201514721084-A

  • Country: US

  • Kind code: B2

  • Filing date: May 26, 2015

  • Priority date: Mar 9, 2015

  • Publication date: Apr 18, 2017

  • Grant date: Apr 18, 2017


Abstract

Official abstract text for this publication.

A security appliance system routing strings of data packets in a high availability environment. The security appliance system contains a plurality of intrusion prevention systems connected to a load balancer and a computing device. Each intrusion prevention system contains stored session state information in a local session state data store, the load balancer contains a shared hash algorithm, and the computing device contains a connection state manager containing a network session state data store. The computing device includes a topology manager recording connectivity changes of the intrusion prevention systems and accordingly adjusting the shared hash algorithm for the recorded connectivity changes. Using the shared hash algorithm and routing information, a hash value is assigned to each received string. Strings are forwarded to an intrusion prevention system based on the assigned hash value and processed using stored session state information within the local session state data store and the network session state data store.

First claim

Opening claim text (preview).

What is claimed is:

  1. A method for operating a security appliance system in a high availability environment, the security appliance system contains a plurality of intrusion prevention systems connected to a load balancer and a client computing device, each intrusion prevention system containing stored session state information in a local session state data store, the load balancer containing a shared hash algorithm, the client computing device containing a connection state manager and a topology manager, the connection state manager containing a network session state data store, the topology manager recording connectivity changes of the intrusion prevention systems and adjusting the shared hash algorithm to accommodate the changes, the method comprising:

    receiving, in the load balancer, a string of data packets that include session state information and routing information wherein the string includes data packets sent from an identified source to an identified destination;

    generating, in the load balancer, a hash value for the string using the shared hash algorithm and the routing information, wherein the generated hash value is a hexadecimal value;

    selecting, by the load balancer, one of the plurality of intrusion prevention systems based on the generated hash value, wherein a last digit of the generated hash value corresponds to a primary intrusion prevention system within the plurality of intrusion prevention systems to which the received string of data packets will be forwarded, and wherein a penultimate digit of the generated hash value corresponds to an alternate intrusion prevention system within the plurality of intrusion prevention systems to which the received string of data packets will be forwarded;

    in response to the primary intrusion prevention system being operational, forwarding the string from the load balancer to the primary intrusion prevention system based on the generated hash value;

    in response to the primary intrusion prevention system not being operational, forwarding the string from the load balancer to the alternate intrusion prevention system based on the generated hash value;

    in response to determining, by the primary intrusion prevention system, that the forwarded string has stored session state information within the local session state data store using the generated hash value, processing, by the primary intrusion prevention system, the forwarded string using the stored session state information;

    in response to forwarding the string to the alternate intrusion prevention system: creating a session state lookup request based on the forwarded string; locating the stored session state information in the network session state data store in a connection state manager based on the created session state lookup request, wherein the connection state manager is a central management system that stores session state information for all of the plurality of intrusion prevention systems; processing the forwarded string using the located session state information; and updating the stored session state information in the local session state data store and the network session state data store using the processed string.

  2. The method of claim 1 further comprising: in response to determining, by the selected intrusion prevention system, that the forwarded string does not have stored session state information within the local session state data store and the network session state data store using the generated hash value, creating a new stored session state information in the local session state data store and the network session state data store based on the forwarded string.

  3. The method of claim 1, wherein the routing information includes a source internet protocol address, a destination internet protocol address, a protocol, a source port, and a destination port.

  4. The method of claim 1, wherein the network session state data store is partitioned into a plurality of connection tables based on each intrusion prevention system within the security appliance system.

  5. The method of claim 1, wherein the network session state data store is located in a connection state manager.

  6. The method of claim 1, wherein session state information includes flow state information and connection state information.
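The routing and failover path of claim 1 (last hex digit selects the primary IPS, penultimate digit the alternate; an alternate that lacks local state fetches it from the connection state manager's per-IPS partition, per claim 4, and both stores are updated) is easier to follow as a small simulation. This is an added example, not code from the patent or from IBM; the SHA-256 hash, the digit-modulo-N mapping onto fewer than 16 IPS nodes, the per-primary partitioning of the network store and the sample 5-tuples are all assumptions.

```python
import hashlib

# Constructed sample flows as (src_ip, dst_ip, protocol, src_port, dst_port) per claim 3.
FLOWS = [
    ("10.0.0.5", "192.0.2.10", "tcp", 40000, 443),
    ("10.0.0.6", "192.0.2.11", "tcp", 40001, 80),
]

class SecurityAppliance:
    """Load balancer + IPS pool + connection state manager (CSM), following claim 1."""

    def __init__(self, n_ips):
        self.n_ips = n_ips
        self.operational = [True] * n_ips               # topology manager's view of each IPS
        self.local = [dict() for _ in range(n_ips)]     # per-IPS local session state stores
        self.network = [dict() for _ in range(n_ips)]   # CSM store, partitioned per IPS (claim 4)

    def shared_hash(self, flow):
        # Assumed shared hash algorithm: SHA-256 over the 5-tuple, as a hex string.
        return hashlib.sha256("|".join(map(str, flow)).encode()).hexdigest()

    def select(self, h):
        primary = int(h[-1], 16) % self.n_ips        # last digit -> primary IPS
        alternate = int(h[-2], 16) % self.n_ips      # penultimate digit -> alternate IPS
        if alternate == primary:                     # assumption: never fail over to itself
            alternate = (primary + 1) % self.n_ips
        return primary, alternate

    def forward(self, flow):
        h = self.shared_hash(flow)
        primary, alternate = self.select(h)
        target, via = (primary, "primary") if self.operational[primary] else (alternate, "alternate")
        state = self.local[target].get(h)
        source = "local"
        if state is None:
            # Session state lookup request to the CSM, keyed by the primary's partition.
            state = self.network[primary].get(h)
            source = "network" if state is not None else "new"   # claim 2: create if absent
            state = state or {"packets": 0}
        state = {"packets": state["packets"] + 1}    # "process" the string
        self.local[target][h] = state                 # update local store ...
        self.network[primary][h] = state              # ... and the CSM's network store
        return via, source, state["packets"]

def run_failover_scenario(flow, n_ips=4):
    """Two packets reach the primary, the primary goes down, two more reach the alternate."""
    sa = SecurityAppliance(n_ips)
    trace = [sa.forward(flow), sa.forward(flow)]
    primary, _ = sa.select(sa.shared_hash(flow))
    sa.operational[primary] = False                  # topology manager records the outage
    trace += [sa.forward(flow), sa.forward(flow)]
    return trace
```

The trace shows the defender-relevant property: after the primary fails, the alternate recovers the session from the CSM rather than treating the mid-stream packets as a new, uninspected flow.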

Assignees

IBM

Inventors

Classifications

  • Event detection, e.g. attack signature detection · CPC title

  • Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • relying on flow classification, e.g. using integrated services [IntServ] · CPC title

  • using forward notification · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9628505B2 cover?
A security appliance system routing strings of data packets in a high availability environment. The security appliance system contains a plurality of intrusion prevention systems connected to a load balancer and a computing device. Each intrusion prevention system contains stored session state information in a local session state data store, the load balancer contains a shared hash algorithm, a…
Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification H04L63/1441. Mapped technology areas include Electricity.
When was this patent published?
Publication date Apr 18, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).