74 results about "Distributed firewall" patented technology

A method and apparatus for a implementing a distributed firewall is described. A packet filter processor receives a packet sent from a first device to a second device. The packet filter processor authenticates an identifier for the packet. For example, authentication could be performed using a cryptographically-verifiable identifier. The packet filter processor determines whether to send the packet to the second device, based on the authentication and a set of policy rules. The packet filter processor sends the packet to the second device in accordance with the determination.

Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).

A distributed firewall of a gateway device includes at least one IO module for performing IO functionality of the distributed firewall, at least one security processing module for performing security functionality of the distributed firewall and a firewall controller for managing the IO module and the security processing module. Each of the at least one IO and security processing modules is executed within a virtual machine. In response to a packet received from an ingress interface, the at least one IO module is to identify a security processing module corresponding to a connections session associated with the packet, to transmit the packet to the identified security processing module to perform a security process on the packet, and in response to a signal received from the identified security processing module indicating that the security process has been completed, to transmit the packet to the egress interface.

In order to remove security vulnerability in an IP-SAN and eliminate unauthorized access by spoofing firewalls are installed in valid user servers and storage devices, and a distributed firewall manager for managing the firewalls integrally is provided in the IP-SAN. The distributed firewall manager obtains discovery domain information from an iSNS server, determines nodes registered in the iSNS server as the nodes of valid users, and autocreates a security policy according to sets consisting of an iSCSI name and portal information. This security policy is distributed to all of the firewalls as a common policy, whereupon access control is executed to deny TCP connection requests from unauthorized access sources.

A method of defining distributed firewall rules in a group of datacenters is provided. Each datacenter includes a group of data compute nodes (DCNs). The method sends a set of security tags from a particular datacenter to other datacenters. The method, at each datacenter, associates a unique identifier of one or more DCNs of the datacenter to each security tag. The method associates one or more security tags to each of a set of security group at the particular datacenter and defines a set of distributed firewall rules at the particular datacenter based on the security tags. The method sends the set of distributed firewall rules from the particular datacenter to other datacenters. The method, at each datacenter, translates the firewall rules by mapping the unique identifier of each DCN in a distributed firewall rule to a corresponding static address associated with the DCN.

The invention provides a method and a device for achieving packet forwarding. The method is applied to a distributed firewall device which is at least composed of a plurality of interface boards, a plurality of business boards and a main control board. The method at least includes that each interface board receives a forward message in a private network and sends the forward message to a corresponding business board, each business board receives the forward message, a source internet protocol (IP) address of the forward message is modified to a preset public network IP address of the local business board, a source port of the forward message is modified to any network address translation port of a network address translation port section distributed by the main control board, a network address translation session is established, the converted forward message is sent to a corresponding interface board, and the interface boards send the converted forward message in a public network. According to the method and the device, the main control board of a distributed firewall distributes ports used for network address translation (NAT) based on a request of each business board, and thereby the NAT is performed for the forward message, a corresponding NAT is established, and the new establishing and concurrence of the NAT session can increase with the increasing of the business boards.

Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.

In order to remove security vulnerability in an IP-SAN and eliminate unauthorized access by spoofing, firewalls are installed in valid user servers and storage devices, and a distributed firewall manager for managing the firewalls integrally is provided in the IP-SAN. The distributed firewall manager obtains discovery domain information from an iSNS server, determines nodes registered in the iSNS server as the nodes of valid users, and autocreates a security policy according to sets consisting of an iSCSI name and portal information. This security policy is distributed to all of the firewalls as a common policy, whereupon access control is executed to deny TCP connection requests from unauthorized access sources.