Abstract: The present disclosure relates to scalable network security functions and handling of packet flows between network security zones in a communications network. Packets that are part of a bidirectional packet flow between the network security zones are received, and a determination is made as to an instance of a security application to which to assign the bidirectional packet flow for security processing. The determination is made based on relative loading of a plurality of identical instances of the security application running on a host machine. All of the received packets that are part of the bidirectional packet flow are directed for processing on the host machine by the one of the security application instances.

Abstract: A key is descriptive of a data packet, and a fingerprint hash function is applied to such a key to generate a fixed length fingerprint of the key. An index value is determined based on a portion of the fingerprint. A hash table could be populated by storing in a memory, at a memory location associated with the index value: a remainder of the fingerprint other than the portion of the fingerprint that was used to determine the index value, to indicate that data packets consistent with the key are to be handled in accordance with packet handling metadata. During packet processing, if a memory location associated with an index value stores a remainder of the fingerprint other than the portion of the fingerprint that was used to determine the index value, a data packet is handled according to packet handling metadata associated with the fingerprint.

Abstract: A packet sub-engine coupled to a packet buffer determines which of multiple look up tables (LUTs) is to be searched for a matching entry that matches a received data packet. Each LUT corresponds to a different type of packet handling action and includes multiple entries, each with a match field and a corresponding collection of one or more actions for handling packets that match the match field. The packet sub-engine searches the determined LUT for a matching entry, processes the received data packet according to the action(s) in the matching entry, and determines whether a further LUT is to be searched for a further matching entry. The processed data packet is provided as an output if no further LUT is to be searched, or otherwise the packet sub-engine searches the further LUT and further processes the processed packet according to the action(s) in the further matching entry.

Abstract: The present disclosure relates to scalable network security functions and handling of packet flows between network security zones in a communications network. Packets that are part of a bidirectional packet flow between the network security zones are received, and a determination is made as to an instance of a security application to which to assign the bidirectional packet flow for security processing. The determination is made based on relative loading of a plurality of identical instances of the security application running on a host machine. All of the received packets that are part of the bidirectional packet flow are directed for processing on the host machine by the one of the security application instances.

Abstract: The present disclosure relates to handling of packet flows between a pair of network security zones in a communications network. A packet that is sent from one of the network security zones toward the other of the network security zones is directed to a packet processing service chain, based on a packet handling classification of a packet flow of which the packet is a part. The service chain has multiple identical service chain instances to perform a service on packets, and the packet is directed to one of the service chain instances within the service chain. A packet that is processed by any of the service chain instances is transmitted to the other network security zone.

Abstract: A packet sub-engine coupled to a packet buffer determines which of multiple look up tables (LUTs) is to be searched for a matching entry that matches a received data packet. Each LUT corresponds to a different type of packet handling action and includes multiple entries, each with a match field and a corresponding collection of one or more actions for handling packets that match the match field. The packet sub-engine searches the determined LUT for a matching entry, processes the received data packet according to the action(s) in the matching entry, and determines whether a further LUT is to be searched for a further matching entry. The processed data packet is provided as an output if no further LUT is to be searched, or otherwise the packet sub-engine searches the further LUT and further processes the processed packet according to the action(s) in the further matching entry.

Abstract: A packet sub-engine coupled to a packet buffer determines which of multiple look up tables (LUTs) is to be searched for a matching entry that matches a received data packet. Each LUT corresponds to a different type of packet handling action and includes multiple entries, each with a match field and a corresponding collection of one or more actions for handling packets that match the match field. The packet sub-engine searches the determined LUT for a matching entry, processes the received data packet according to the action(s) in the matching entry, and determines whether a further LUT is to be searched for a further matching entry. The processed data packet is provided as an output if no further LUT is to be searched, or otherwise the packet sub-engine searches the further LUT and further processes the processed packet according to the action(s) in the further matching entry.

Abstract: The present disclosure relates to handling of packet flows between a pair of network security zones in a communications network. A packet that is sent from one of the network security zones toward the other of the network security zones is directed to a packet processing service chain, based on a packet handling classification of a packet flow of which the packet is a part. The service chain has multiple identical service chain instances to perform a service on packets, and the packet is directed to one of the service chain instances within the service chain. A packet that is processed by any of the service chain instances is transmitted to the other network security zone.

Abstract: An IP address of a received data packet is determined. An IP address map that stores set membership values indicative of whether an IP address is a member of a set of IP addresses, for every possible IP address within an IP address space of the IP address, is accessed to determine set membership for the IP address of the data packet. A further action to be performed on the packet is determined based on the set membership that is determined for the IP address of the data packet. Embodiments could be applied to source IP address filtering, destination IP address filtering, or both. Blacklist and whitelist embodiments, and associated further actions that could be applied to packets in such embodiments, are contemplated.

Abstract: A key is descriptive of a data packet, and a fingerprint hash function is applied to such a key to generate a fixed length fingerprint of the key. An index value is determined based on a portion of the fingerprint. A hash table could be populated by storing in a memory, at a memory location associated with the index value: a remainder of the fingerprint other than the portion of the fingerprint that was used to determine the index value, to indicate that data packets consistent with the key are to be handled in accordance with packet handling metadata. During packet processing, if a memory location associated with an index value stores a remainder of the fingerprint other than the portion of the fingerprint that was used to determine the index value, a data packet is handled according to packet handling metadata associated with the fingerprint.

Abstract: A packet sub-engine coupled to a packet buffer determines which of multiple look up tables (LUTs) is to be searched for a matching entry that matches a received data packet. Each LUT corresponds to a different type of packet handling action and includes multiple entries, each with a match field and a corresponding collection of one or more actions for handling packets that match the match field. The packet sub-engine searches the determined LUT for a matching entry, processes the received data packet according to the action(s) in the matching entry, and determines whether a further LUT is to be searched for a further matching entry. The processed data packet is provided as an output if no further LUT is to be searched, or otherwise the packet sub-engine searches the further LUT and further processes the processed packet according to the action(s) in the further matching entry.

Abstract: An IP address of a received data packet is determined. An IP address map that stores set membership values indicative of whether an IP address is a member of a set of IP addresses, for every possible IP address within an IP address space of the IP address, is accessed to determine set membership for the IP address of the data packet. A further action to be performed on the packet is determined based on the set membership that is determined for the IP address of the data packet. Embodiments could be applied to source IP address filtering, destination IP address filtering, or both. Blacklist and whitelist embodiments, and associated further actions that could be applied to packets in such embodiments, are contemplated.

Abstract: Data packets are received at a communication device that is coupled to a network node in a communication network, to a gateway router that is coupled to other network nodes in the communication network, and to a further communication network. For each received data packet, a determination is made as to whether the received data packet is to be routed toward a destination by the communication device instead of by the gateway router. The received data packet is routed toward the destination by the communication device based on determining that the received data packet is to be routed toward the destination by the communication device instead of by the gateway router. Otherwise, the received data packet is switched from the communication device to the gateway router to be routed by the gateway router toward the destination.

Abstract: Data packets are received at a communication device that is coupled to a network node in a communication network, to a gateway router that is coupled to other network nodes in the communication network, and to a further communication network. For each received data packet, a determination is made as to whether the received data packet is to be routed toward a destination by the communication device instead of by the gateway router. The received data packet is routed toward the destination by the communication device based on determining that the received data packet is to be routed toward the destination by the communication device instead of by the gateway router. Otherwise, the received data packet is switched from the communication device to the gateway router to be routed by the gateway router toward the destination.