Abstract: A system, method, and interface for segregating a network controller and a security gateway is provided. A security gateway-network controller interface is established between a security gateway and a network controller. One or more application interfaces are carried over the security gateway-network controller interface. An admission policy interface may be maintained on the security gateway-network controller interface that allows establishment of dynamic access control lists for admission policies applied on specific secure tunnels. Additionally, a security association-international mobile subscriber identity interface may be maintained on the security gateway-network controller interface that facilitates ensuring an IMSI used during a registration process matches an identity used to establish a tunnel. Thus, a subscriber validation mechanism is provided over the security gateway-network controller interface that couples the network controller and the security gateway.

Abstract: A network processing system is described that is able to bind all the network traffic related to a bi-directional communication. Unidirectional processing engines take the data from line interfaces, and associate each data packet with an identifier, which identifies the flow of which the data packet is a part. The flows examined to determine if they are part of a bi-directional communication. If the flow is part of a bi-directional communication information related to the return flow or flows is extracted and passed to the unidirectional processing engine handling the flows in the opposite direction. This processing engine then pre-allocates resources in anticipation of the return flows. The pre-allocation of resources includes creating an entry in a session memory that contains state information on the flows passing through the network processing system.

Abstract: A method and apparatus for preventing denial of service type attacks on data networks is described. The method involves scanning the contents of the data packets flowing over the data network using a traffic flow scanning engine. The data packets are reordered and reassembled and then the payload contents are scanned to determine whether they conform to predetermined requirements. Data packets which do not reorder or reassemble correctly or which do not conform to the predetermined requirements may be dropped. Dropping packets which do not reorder or reassemble correctly or which do not conform to the predetermined requirements prevent denial of service attack which exploit bugs in the TCP/IP implementation or shortcomings in the TCP/IP specification The traffic flow scanning engine is further operable to determine whether the data packets are associated with validated traffic flows.

Abstract: An apparatus and method for traversing a network address translation/firewall device to maintain a registration between first and second devices separated by the firewall device are provided. In one example, the method includes intercepting a registration message from the first device to the second device. A determination is made based on a first timeout period defined by the second device as to whether it is time to renew the first device's registration. If it is time to renew the first device's registration, the registration message is forwarded to the second device. A response message that includes the first timeout period is intercepted, and the first timeout period is replaced with a second timeout period based on a binding lifetime of the firewall device before forwarding the response message to the first device.

Abstract: A content processor is described that is able to scan the contents of entire data packets including header and payload information. The content processor includes a queue engine operable to reorder out of order data packets and reassemble fragmented data packets. The queue engine sends the reordered and reassembled data packets to the context engine, which schedules the packets to be scanned. The packets are scanned by the content scanning engine using one or more string memories and one or more leaf string memories. The string memories are used by the content scanning engine to determine if there is a potential match between the data packet being scanned and any of the strings contained in database of known strings. If a potential match is identified, whether or not there is an exact match is determined using the leaf string memories and the leaf string compare engine. The scanning of the data packet results in a conclusion being generated by the content scanning engine.

Abstract: A network processing system is described that is able to scan the entire contents of data packets passing through it, and to associate related data packets into discrete sessions, or flows. This ability allows the network processing system to learn characteristics of flows and events contained within those flows. Further, the network processing system can remember characteristics and events that have already been learned for use in processing future data packets. And finally, the network processing system can apply treatments to individual data packets and flows based on the characteristics and events learned, as well as previous state that has been maintained for that flow.

Abstract: A network processing system is described that functions as a policy gateway in order to enforce programmable network policies designed to provide quality of service in and across networks. The programmable network policies are converted into an image load file using a management interface at a remote server, and sent to the network processing system where the image is loaded into a processing engine. The network processing system includes line interfaces to take the data from the network and to send processed data back onto the network. Unidirectional processing engines take the data from the line interfaces, and associate each data packet with an identifier, which identifies the flow of which the data packet is a part. The flows are then compared to the database of programmable network policies and the processing engine determines a treatment based on the results of the comparison.

Abstract: A method and device for detecting and inoculating emails infected with viruses are described. The method involves identifying a particular traffic and its associated data packets as an email session and scanning the associated data packets in order to compare their contents with a database of known signatures. If a match is found between the data packets and a signature of a known virus, it is determined if there is an attachment to the email. If an attachment is detected, some or all of the bits of the data packets associated with the attachment are altered, thereby rendering the infected attachment harmless. The network device includes memory for storing the database of known signatures and a content processor able to compare the contents of data packets with a database of known signatures. The content processor is also operable to alter some or all of the bits of the attachment to inoculate the email and attachment.

Abstract: A queue engine is described that is operable to reorder and reassemble data packets from network traffic into unfragmented and in order traffic flows for applications such as deep packet classification and quality of service determination. The queue engine stores incoming data packets in a packet memory that is controlled by a link list controller. A packet assembler extracts information from each data packet, particularly fields from the header information, and uses that information among other things, to determine if the data packet is fragmented or out of order, and to associate the data packet with a session id. If the packet is determined to be out of order, the queue engine includes a reordering unit which is able to modify links with the link list controller to reorder data packets. A fragment reassembly unit is also included which is capable of taking fragments and reassembling them into complete unfragmented data packets.

Abstract: A system and method for allowing bidirectional network traffic to pass through a network address translation (“NAT”)/firewall device thereby allowing bidirectional traffic to flow between the private side of the NAT/firewall device and the public side of the NAT/firewall device while maintaining security between the public side and the private side is described. A network processing system on the public side of the NAT/firewall device anchors network traffic to and from the private side of the NAT/firewall device. A traversal client resides on the private side of the NAT/firewall device and has a secure connection with the network processing system. The traversal client is operable to pass signaling packets bound for a terminal on the private side of the NAT/firewall from the network processing system.

Abstract: A network processing system is described that is able to monitor IP network traffic, including the ability to perform trap and trace on IP communications flowing over the IP network. The network processing system is able to scan the entire contents of data packets passing through it, and to associate related data packets into discrete sessions, or flows, which allows the network processing system to search for predetermined search criteria contained within those flows. If a flow is found to contain a predetermined search criteria, the network processing system is able to maintain a record of the flow or to replicate the flow and save it or send it to another IP address for monitoring. The monitoring of a flow can include the entire contents of the flow, or any subset of information in the flow such as call identifying information.

Abstract: A network processing system is described that is able to monitor IP network traffic, including the ability to perform trap and trace on IP communications flowing over the IP network. The network processing system is able to scan the entire contents of data packets passing through it, and to associate related data packets into discrete sessions, or flows, which allows the network processing system to search for predetermined search criteria contained within those flows. If a flow is found to contain a predetermined search criteria, the network processing system is able to maintain a record of the flow or to replicate the flow and save it or send it to another IP address for monitoring. The monitoring of a flow can include the entire contents of the flow, or any subset of information in the flow such as call identifying information.

Abstract: A method is described for matching complex patterns in internet protocol (IP) data streams. The method associates each data packet with a specific flow in the IP data stream. The packet is broken into fixed length contexts and state information for that flow is retrieved. The method then determines using a data base of known signatures and the state information whether there is a potential match between the incoming data stream and a signature in the database of known signatures. If a potential match is found the method then determines whether there is an exact match between the potential signature and the incoming data stream. The state information is then updated to reflect the outcome of the scanning. When and exact match is found a conclusion is reached that determines the treatment for the incoming data stream. The state information allows the pattern matching engine to match patterns across packet boundaries and to perform complex matches.

Abstract: A pattern matching engine is describe for matching complex pattern in internet protocol (IP) data streams. The pattern matching engine compares the incoming IP data stream to a database of known signatures to determine if there is a match. The pattern matching engine first uses a rake engine to determine if there are any potential matches between a signature in the database and the incoming IP data stream. If a signature is determined to be a potential match, a ruler engine in the pattern matching engine is then used to determine if the signature and the incoming data stream are an exact match. When and exact match is found a conclusion is reached that determines the treatment for the incoming data stream. The pattern matching engine also includes a session memory that is used to maintain state for one or more of the flows contained in the IP data stream. The state stored by the session memory allows the pattern matching engine to match patterns across packet boundaries and to perform complex matches.

Abstract: A network processing system is described that is able to bind all the network traffic related to a bi-directional communication. Unidirectional processing engines take the data from line interfaces, and associate each data packet with an identifier, which identifies the flow of which the data packet is a part. The flows examined to determine if they are part of a bi-directional communication. If the flow is part of a bi-directional communication information related to the return flow or flows is extracted and passed to the unidirectional processing engine handling the flows in the opposite direction. This processing engine then pre-allocates resources in anticipation of the return flows. The pre-allocation of resources includes creating an entry in a session memory that contains state information on the flows passing through the network processing system.

Abstract: A content aware network device is described that is able to scan the contents of entire data packets including header and payload information. The network device includes a physical interface for converting analog network signal into bit streams and vise versa. The bit stream from the physical interface is sent to a traffic flow scanning processor that may be, but is not necessarily, divided into a header processor and a payload analyzer. The header processor scans the header information from each data packet, which is used to determine routing information and session identification. The payload analyzer scans the data packet's payload and matches the payload against a database of known strings. The payload analyzer is able to scan across packet boundaries and to scan for strings of variable and arbitrary length. Once the payload has been scanned the network device can operate on the data packet based on the results of the payload analyzer.

Abstract: A content processor is described that is able to scan the contents of entire data packets including header and payload information. The content processor includes a queue engine operable to reorder out of order data packets and reassemble fragmented data packets. The queue engine sends the reordered and reassembled data packets to the context engine, which schedules the packets to be scanned. The packets are scanned by the content scanning engine using one or more string memories and one or more leaf string memories. The string memories are used by the content scanning engine to determine if there is a potential match between the data packet being scanned and any of the strings contained in database of known strings. If a potential match is identified, whether or not there is an exact match is determined using the leaf string memories and the leaf string compare engine. The scanning of the data packet results in a conclusion being generated by the content scanning engine.