Patents Assigned to Netrake Corporation
  • Publication number: 20070283412
    Abstract: A system, method, and interface for segregating a network controller and a security gateway is provided. A security gateway-network controller interface is established between a security gateway and a network controller. One or more application interfaces are carried over the security gateway-network controller interface. An admission policy interface may be maintained on the security gateway-network controller interface that allows establishment of dynamic access control lists for admission policies applied on specific secure tunnels. Additionally, a security association-international mobile subscriber identity interface may be maintained on the security gateway-network controller interface that facilitates ensuring an IMSI used during a registration process matches an identity used to establish a tunnel. Thus, a subscriber validation mechanism is provided over the security gateway-network controller interface that couples the network controller and the security gateway.
    Type: Application
    Filed: January 24, 2007
    Publication date: December 6, 2007
    Applicant: NETRAKE CORPORATION
    Inventors: Milton Lie, Ben Campbell
  • Patent number: 7206313
    Abstract: A network processing system is described that is able to bind all the network traffic related to a bi-directional communication. Unidirectional processing engines take the data from line interfaces, and associate each data packet with an identifier, which identifies the flow of which the data packet is a part. The flows are examined to determine if they are part of a bi-directional communication. If the flow is part of a bi-directional communication, information related to the return flow or flows is extracted and passed to the unidirectional processing engine handling the flows in the opposite direction. This processing engine then pre-allocates resources in anticipation of the return flows. The pre-allocation of resources includes creating an entry in a session memory that contains state information on the flows passing through the network processing system.
    Type: Grant
    Filed: June 11, 2002
    Date of Patent: April 17, 2007
    Assignee: Netrake Corporation
    Inventors: Robert Daniel Maher, III, James Robert Deerman, Milton Andre Lie
  • Patent number: 7058974
    Abstract: A method and apparatus for preventing denial of service type attacks on data networks is described. The method involves scanning the contents of the data packets flowing over the data network using a traffic flow scanning engine. The data packets are reordered and reassembled and then the payload contents are scanned to determine whether they conform to predetermined requirements. Data packets which do not reorder or reassemble correctly or which do not conform to the predetermined requirements may be dropped. Dropping packets which do not reorder or reassemble correctly or which do not conform to the predetermined requirements prevents denial of service attacks which exploit bugs in the TCP/IP implementation or shortcomings in the TCP/IP specification. The traffic flow scanning engine is further operable to determine whether the data packets are associated with validated traffic flows.
    Type: Grant
    Filed: June 21, 2000
    Date of Patent: June 6, 2006
    Assignee: Netrake Corporation
    Inventors: Robert Daniel Maher, III, Victor A. Bennett
  • Publication number: 20060085548
    Abstract: An apparatus and method for traversing a network address translation/firewall device to maintain a registration between first and second devices separated by the firewall device are provided. In one example, the method includes intercepting a registration message from the first device to the second device. A determination is made based on a first timeout period defined by the second device as to whether it is time to renew the first device's registration. If it is time to renew the first device's registration, the registration message is forwarded to the second device. A response message that includes the first timeout period is intercepted, and the first timeout period is replaced with a second timeout period based on a binding lifetime of the firewall device before forwarding the response message to the first device.
    Type: Application
    Filed: October 18, 2004
    Publication date: April 20, 2006
    Applicant: Netrake Corporation
    Inventors: Robert Maher, Aswinkumar Rana, Milton Lie, James Deerman
  • Patent number: 7031316
    Abstract: A content processor is described that is able to scan the contents of entire data packets including header and payload information. The content processor includes a queue engine operable to reorder out of order data packets and reassemble fragmented data packets. The queue engine sends the reordered and reassembled data packets to the context engine, which schedules the packets to be scanned. The packets are scanned by the content scanning engine using one or more string memories and one or more leaf string memories. The string memories are used by the content scanning engine to determine if there is a potential match between the data packet being scanned and any of the strings contained in the database of known strings. If a potential match is identified, whether or not there is an exact match is determined using the leaf string memories and the leaf string compare engine. The scanning of the data packet results in a conclusion being generated by the content scanning engine.
    Type: Grant
    Filed: March 28, 2002
    Date of Patent: April 18, 2006
    Assignee: Netrake Corporation
    Inventors: Robert Daniel Maher, III, Aswinkumar Vishanji Rana, Milton Andre Lie, Kevin William Brandon, Mark Warden Hervin, Corey Alan Garrow
  • Patent number: 7002974
    Abstract: A network processing system is described that is able to scan the entire contents of data packets passing through it, and to associate related data packets into discrete sessions, or flows. This ability allows the network processing system to learn characteristics of flows and events contained within those flows. Further, the network processing system can remember characteristics and events that have already been learned for use in processing future data packets. And finally, the network processing system can apply treatments to individual data packets and flows based on the characteristics and events learned, as well as previous state that has been maintained for that flow.
    Type: Grant
    Filed: March 28, 2001
    Date of Patent: February 21, 2006
    Assignee: Netrake Corporation
    Inventors: James Robert Deerman, Aswinkumar Vishanji Rana, Milton Andre Lie, Travis Ernest Strother, Jr., Mark Warden Hervin, John Raymond Carman, Larry Gene Maxwell, Robert Daniel Maher, III
  • Patent number: 6957258
    Abstract: A network processing system is described that functions as a policy gateway in order to enforce programmable network policies designed to provide quality of service in and across networks. The programmable network policies are converted into an image load file using a management interface at a remote server, and sent to the network processing system where the image is loaded into a processing engine. The network processing system includes line interfaces to take the data from the network and to send processed data back onto the network. Unidirectional processing engines take the data from the line interfaces, and associate each data packet with an identifier, which identifies the flow of which the data packet is a part. The flows are then compared to the database of programmable network policies and the processing engine determines a treatment based on the results of the comparison.
    Type: Grant
    Filed: April 11, 2001
    Date of Patent: October 18, 2005
    Assignee: Netrake Corporation
    Inventors: Robert Daniel Maher, III, Aswinkumar Vishanji Rana, Milton Andre Lie, Travis Ernest Strother, Jr., Mark Warden Hervin, James Robert Deerman, John Raymond Carman, Larry Gene Maxwell
  • Patent number: 6910134
    Abstract: A method and device for detecting and inoculating emails infected with viruses are described. The method involves identifying a particular traffic and its associated data packets as an email session and scanning the associated data packets in order to compare their contents with a database of known signatures. If a match is found between the data packets and a signature of a known virus, it is determined if there is an attachment to the email. If an attachment is detected, some or all of the bits of the data packets associated with the attachment are altered, thereby rendering the infected attachment harmless. The network device includes memory for storing the database of known signatures and a content processor able to compare the contents of data packets with a database of known signatures. The content processor is also operable to alter some or all of the bits of the attachment to inoculate the email and attachment.
    Type: Grant
    Filed: August 29, 2000
    Date of Patent: June 21, 2005
    Assignee: Netrake Corporation
    Inventors: Robert Daniel Maher, III, Brian Michael Forbes, Milton Andre Lie, Mark Warden Hervin
  • Patent number: 6781992
    Abstract: A queue engine is described that is operable to reorder and reassemble data packets from network traffic into unfragmented and in order traffic flows for applications such as deep packet classification and quality of service determination. The queue engine stores incoming data packets in a packet memory that is controlled by a link list controller. A packet assembler extracts information from each data packet, particularly fields from the header information, and uses that information among other things, to determine if the data packet is fragmented or out of order, and to associate the data packet with a session id. If the packet is determined to be out of order, the queue engine includes a reordering unit which is able to modify links with the link list controller to reorder data packets. A fragment reassembly unit is also included which is capable of taking fragments and reassembling them into complete unfragmented data packets.
    Type: Grant
    Filed: February 23, 2001
    Date of Patent: August 24, 2004
    Assignee: Netrake Corporation
    Inventors: Aswinkumar Vishanji Rana, Corey Alan Garrow
  • Publication number: 20040128554
    Abstract: A system and method for allowing bidirectional network traffic to pass through a network address translation (“NAT”)/firewall device thereby allowing bidirectional traffic to flow between the private side of the NAT/firewall device and the public side of the NAT/firewall device while maintaining security between the public side and the private side is described. A network processing system on the public side of the NAT/firewall device anchors network traffic to and from the private side of the NAT/firewall device. A traversal client resides on the private side of the NAT/firewall device and has a secure connection with the network processing system. The traversal client is operable to pass signaling packets bound for a terminal on the private side of the NAT/firewall from the network processing system.
    Type: Application
    Filed: September 8, 2003
    Publication date: July 1, 2004
    Applicant: Netrake Corporation
    Inventors: Robert Daniel Maher, Aswinkumar Vishanji Rana, Milton Andre Lie, James Robert Deerman
  • Patent number: 6741595
    Abstract: A network processing system is described that is able to monitor IP network traffic, including the ability to perform trap and trace on IP communications flowing over the IP network. The network processing system is able to scan the entire contents of data packets passing through it, and to associate related data packets into discrete sessions, or flows, which allows the network processing system to search for predetermined search criteria contained within those flows. If a flow is found to contain a predetermined search criteria, the network processing system is able to maintain a record of the flow or to replicate the flow and save it or send it to another IP address for monitoring. The monitoring of a flow can include the entire contents of the flow, or any subset of information in the flow such as call identifying information.
    Type: Grant
    Filed: June 11, 2002
    Date of Patent: May 25, 2004
    Assignee: Netrake Corporation
    Inventors: Robert Daniel Maher, III, James Robert Deerman, Milton Andre Lie
  • Publication number: 20030227942
    Abstract: A network processing system is described that is able to bind all the network traffic related to a bi-directional communication. Unidirectional processing engines take the data from line interfaces, and associate each data packet with an identifier, which identifies the flow of which the data packet is a part. The flows are examined to determine if they are part of a bi-directional communication. If the flow is part of a bi-directional communication, information related to the return flow or flows is extracted and passed to the unidirectional processing engine handling the flows in the opposite direction. This processing engine then pre-allocates resources in anticipation of the return flows. The pre-allocation of resources includes creating an entry in a session memory that contains state information on the flows passing through the network processing system.
    Type: Application
    Filed: June 11, 2002
    Publication date: December 11, 2003
    Applicant: Netrake Corporation
    Inventors: Robert Daniel Maher, James Robert Deerman, Milton Andre Lie
  • Publication number: 20030229708
    Abstract: A pattern matching engine is described for matching complex patterns in internet protocol (IP) data streams. The pattern matching engine compares the incoming IP data stream to a database of known signatures to determine if there is a match. The pattern matching engine first uses a rake engine to determine if there are any potential matches between a signature in the database and the incoming IP data stream. If a signature is determined to be a potential match, a ruler engine in the pattern matching engine is then used to determine if the signature and the incoming data stream are an exact match. When an exact match is found, a conclusion is reached that determines the treatment for the incoming data stream. The pattern matching engine also includes a session memory that is used to maintain state for one or more of the flows contained in the IP data stream. The state stored by the session memory allows the pattern matching engine to match patterns across packet boundaries and to perform complex matches.
    Type: Application
    Filed: June 11, 2002
    Publication date: December 11, 2003
    Applicant: Netrake Corporation
    Inventors: Milton Andre Lie, Yu Xia, Darren Bensley
  • Publication number: 20030229710
    Abstract: A method is described for matching complex patterns in internet protocol (IP) data streams. The method associates each data packet with a specific flow in the IP data stream. The packet is broken into fixed length contexts and state information for that flow is retrieved. The method then determines, using a database of known signatures and the state information, whether there is a potential match between the incoming data stream and a signature in the database of known signatures. If a potential match is found, the method then determines whether there is an exact match between the potential signature and the incoming data stream. The state information is then updated to reflect the outcome of the scanning. When an exact match is found, a conclusion is reached that determines the treatment for the incoming data stream. The state information allows the pattern matching engine to match patterns across packet boundaries and to perform complex matches.
    Type: Application
    Filed: June 11, 2002
    Publication date: December 11, 2003
    Applicant: Netrake Corporation
    Inventors: Milton Andre Lie, Yu Xia, Darren Bensley
  • Publication number: 20030227917
    Abstract: A network processing system is described that is able to monitor IP network traffic, including the ability to perform trap and trace on IP communications flowing over the IP network. The network processing system is able to scan the entire contents of data packets passing through it, and to associate related data packets into discrete sessions, or flows, which allows the network processing system to search for predetermined search criteria contained within those flows. If a flow is found to contain a predetermined search criteria, the network processing system is able to maintain a record of the flow or to replicate the flow and save it or send it to another IP address for monitoring. The monitoring of a flow can include the entire contents of the flow, or any subset of information in the flow such as call identifying information.
    Type: Application
    Filed: June 11, 2002
    Publication date: December 11, 2003
    Applicant: Netrake Corporation
    Inventors: Robert Daniel Maher, James Robert Deerman, Milton Andre Lie
  • Patent number: 6654373
    Abstract: A content aware network device is described that is able to scan the contents of entire data packets including header and payload information. The network device includes a physical interface for converting analog network signals into bit streams and vice versa. The bit stream from the physical interface is sent to a traffic flow scanning processor that may be, but is not necessarily, divided into a header processor and a payload analyzer. The header processor scans the header information from each data packet, which is used to determine routing information and session identification. The payload analyzer scans the data packet's payload and matches the payload against a database of known strings. The payload analyzer is able to scan across packet boundaries and to scan for strings of variable and arbitrary length. Once the payload has been scanned, the network device can operate on the data packet based on the results of the payload analyzer.
    Type: Grant
    Filed: June 12, 2000
    Date of Patent: November 25, 2003
    Assignee: Netrake Corporation
    Inventors: Robert Daniel Maher, III, Victor A. Bennett, Aswinkumar Vishanji Rana, Milton Andre Lie, Kevin William Brandon, Mark Warden Hervin, Corey Alan Garrow
  • Patent number: 6381242
    Abstract: A content processor is described that is able to scan the contents of entire data packets including header and payload information. The content processor includes a queue engine operable to reorder out of order data packets and reassemble fragmented data packets. The queue engine sends the reordered and reassembled data packets to the context engine, which schedules the packets to be scanned. The packets are scanned by the content scanning engine using one or more string memories and one or more leaf string memories. The string memories are used by the content scanning engine to determine if there is a potential match between the data packet being scanned and any of the strings contained in the database of known strings. If a potential match is identified, whether or not there is an exact match is determined using the leaf string memories and the leaf string compare engine. The scanning of the data packet results in a conclusion being generated by the content scanning engine.
    Type: Grant
    Filed: August 29, 2000
    Date of Patent: April 30, 2002
    Assignee: Netrake Corporation
    Inventors: Robert Daniel Maher, III, Aswinkumar Vishanji Rana, Milton Andre Lie, Kevin William Brandon, Mark Warden Hervin, Corey Alan Garrow