Abstract: An apparatus and method for traversing a network address translation/firewall device to maintain a registration between first and second devices separated by the firewall device are provided. In one example, the method includes intercepting a registration message from the first device to the second device. A determination is made based on a first timeout period defined by the second device as to whether it is time to renew the first device's registration. If it is time to renew the first device's registration, the registration message is forwarded to the second device. A response message that includes the first timeout period is intercepted, and the first timeout period is replaced with a second timeout period based on a binding lifetime of the firewall device before forwarding the response message to the first device.

Abstract: A method and system are described for resolving problems created by implementing multiple networks using private IP addresses and layer two tunneling protocols is described. A network processing system is operable to map flows from private IP addresses and ports on layer two tunneling protocol networks to public IP addresses and ports using the private IP addresses and ports and identifiers for the layer two tunneling protocol network. The network processing system uses its own public IP addresses and ports to anchor the traffic from the private network and performs the required mapping to pass traffic between the public and private networks.

Abstract: A method is described for detecting rogue packets in real-time protocol (“RTP”) data streams. Rogue packets occur due to a malfunctioning device continuing to send RTP packets after the termination of the media session, or by third party devices due to malfunction or malicious activity. The method recognizes rogue RTP packets by examining identifying fields in each packet associated with the RTP stream. The fields can be in the header of the packet or in the payload, and can include information such as destination address, destination port, protocol, sequence number, SSRC number, and others. Once rogue activity is detected the method can quarantine the associated pinhole information and/or alert a network operator.

Abstract: A method is described that is operable to reorder and reassemble data packets from network traffic into unfragmented and in-order traffic flows for applications such as deep packet classification and quality of service determination. A queue engine stores incoming data packets in a packet memory that is controlled by a link list controller. A packet assembler extracts information from each data packet, particularly fields from the header information, and uses that information among other things, to determine if the data packet is fragmented or out of order, and to associate the data packet with a session id. If the packet is determined to be out of order, the queue engine includes a reordering unit, which is able to modify links with the link list controller to reorder data packets. A fragment reassembly unit is also included which is capable of taking fragments and reassembling them into complete unfragmented data packets.

Abstract: A system and method for allowing bidirectional network traffic to pass through a network address translation (“NAT”)/firewall device thereby allowing bidirectional traffic to flow between the private side of the NAT/firewall device and the public side of the NAT/firewall device while maintaining security between the public side and the private side is described. A network processing system on the public side of the NAT/firewall device anchors network traffic to and from the private side of the NAT/firewall device. A traversal client resides on the private side of the NAT/firewall device and has a secure connection with the network processing system. The traversal client is operable to pass signaling packets bound for a terminal on the private side of the NAT/firewall from the network processing system.

Abstract: A redundancy architecture is described for network processing systems which allows the network to recover from failure of a network processing system without interruption in service. The redundancy architecture allows network processing systems that use state information to associate network traffic into discrete flows, to provide system level redundancy to prevent service outages, or loss of network traffic resulting from a failure in any single network processing system. The redundancy architecture includes an out-of-band network link between the redundant network processing systems. The out-of-band network link allows the network processing systems to exchange state and other data as necessary.

Abstract: A content processor is described that is able to scan the contents of entire data packets including header and payload information. The content processor includes a queue engine operable to reorder out of order data packets and reassemble fragmented data packets. The queue engine sends the reordered and reassembled data packets to the context engine, which schedules the packets to be scanned. The packets are scanned by the content scanning engine using one or more string memories and one or more leaf string memories. The string memories are used by the content scanning engine to determine if there is a potential match between the data packet being scanned and any of the strings contained in database of known strings. If a potential match is identified, whether or not there is an exact match is determined using the leaf string memories and the leaf string compare engine. The scanning of the data packet results in a conclusion being generated by the content scanning engine.

Abstract: A network processing system is described that is able to scan the entire contents of data packets passing through it, and to associate related data packets into discrete sessions, or flows. This ability allows the network processing system to learn characteristics of flows and events contained within those flows. Further, the network processing system can remember characteristics and events that have already been learned for use in processing future data packets. And finally, the network processing system can apply treatments to individual data packets and flows based on the characteristics and events learned, as well as previous state that has been maintained for that flow.

Abstract: A network processing system is described that functions as a policy gateway in order to enforce programmable network policies designed to provide quality of service in and across networks. The programmable network policies are converted into an image load file using a management interface at a remote server, and sent to the network processing system where the image is loaded into a processing engine. The network processing system includes line interfaces to take the data from the network and to send processed data back onto the network. Unidirectional processing engines take the data from the line interfaces, and associate each data packet with an identifier, which identifies the flow of which the data packet is a part. The flows are then compared to the database of programmable network policies and the processing engine determines a treatment based on the results of the comparison.

Abstract: A queue engine is described that is operable to reorder and reassemble data packets from network traffic into unfragmented and in order traffic flows for applications such as deep packet classification and quality of service determination. The queue engine stores incoming data packets in a packet memory that is controlled by a link list controller. A packet assembler extracts information from each data packet, particularly fields from the header information, and uses that information among other things, to determine if the data packet is fragmented or out of order, and to associate the data packet with a session id. If the packet is determined to be out of order, the queue engine includes a reordering unit which is able to modify links with the link list controller to reorder data packets. A fragment reassembly unit is also included which is capable of taking fragments and reassembling them into complete unfragmented data packets.

Abstract: A system and method for allowing bidirectional network traffic to pass through a network address translation (“NAT”)/firewall device thereby allowing bidirectional traffic to flow between the private side of the NAT/firewall device and the public side of the NAT/firewall device while maintaining security between the public side and the private side is described. A network processing system on the public side of the NAT/firewall device anchors network traffic to and from the private side of the NAT/firewall device. A traversal client resides on the private side of the NAT/firewall device and has a secure connection with the network processing system. The traversal client is operable to pass signaling packets bound for a terminal on the private side of the NAT/firewall from the network processing system.

Abstract: A content aware network device is described that is able to scan the contents of entire data packets including header and payload information. The network device includes a physical interface for converting analog network signal into bit streams and vise versa. The bit stream from the physical interface is sent to a traffic flow scanning processor that may be, but is not necessarily, divided into a header processor and a payload analyzer. The header processor scans the header information from each data packet, which is used to determine routing information and session identification. The payload analyzer scans the data packet's payload and matches the payload against a database of known strings. The payload analyzer is able to scan across packet boundaries and to scan for strings of variable and arbitrary length. Once the payload has been scanned the network device can operate on the data packet based on the results of the payload analyzer.

Abstract: A network processing system is described that functions as a policy gateway in order to enforce programmable network policies designed to provide quality of service in and across networks. The programmable network policies are converted into an image load file using a management interface at a remote server, and sent to the network processing system where the image is loaded into a processing engine. The network processing system includes line interfaces to take the data from the network and to send processed data back onto the network. Unidirectional processing engines take the data from the line interfaces, and associate each data packet with an identifier, which identifies the flow of which the data packet is a part. The flows are then compared to the database of programmable network policies and the processing engine determines a treatment based on the results of the comparison.

Abstract: A content processor is described that is able to scan the contents of entire data packets including header and payload information. The content processor includes a queue engine operable to reorder out of order data packets and reassemble fragmented data packets. The queue engine sends the reordered and reassembled data packets to the context engine, which schedules the packets to be scanned. The packets are scanned by the content scanning engine using one or more string memories and one or more leaf string memories. The string memories are used by the content scanning engine to determine if there is a potential match between the data packet being scanned and any of the strings contained in database of known strings. If a potential match is identified, whether or not there is an exact match is determined using the leaf string memories and the leaf string compare engine. The scanning of the data packet results in a conclusion being generated by the content scanning engine.

Abstract: A method is described that is operable to reorder and reassemble data packets from network traffic into unfragmented and in-order traffic flows for applications such as deep packet classification and quality of service determination. A queue engine stores incoming data packets in a packet memory that is controlled by a link list controller. A packet assembler extracts information from each data packet, particularly fields from the header information, and uses that information among other things, to determine if the data packet is fragmented or out of order, and to associate the data packet with a session id. If the packet is determined to be out of order, the queue engine includes a reordering unit, which is able to modify links with the link list controller to reorder data packets. A fragment reassembly unit is also included which is capable of taking fragments and reassembling them into complete unfragmented data packets.

Abstract: A content processor is described that is able to scan the contents of entire data packets including header and payload information. The content processor includes a queue engine operable to reorder out of order data packets and reassemble fragmented data packets. The queue engine sends the reordered and reassembled data packets to the context engine, which schedules the packets to be scanned. The packets are scanned by the content scanning engine using one or more string memories and one or more leaf string memories. The string memories are used by the content scanning engine to determine if there is a potential match between the data packet being scanned and any of the strings contained in database of known strings. If a potential match is identified, whether or not there is an exact match is determined using the leaf string memories and the leaf string compare engine. The scanning of the data packet results in a conclusion being generated by the content scanning engine.