COOPERATIVE NETWORK SECURITY INSPECTION
    1.
    Invention patent application
    COOPERATIVE NETWORK SECURITY INSPECTION (in force)

    Publication (announcement) number: US20130291088A1

    Publication (announcement) date: 2013-10-31

    Application number: US13860408

    Filing date: 2013-04-10

    IPC classification: H04L29/06

    Abstract: A network system includes a security device and a network access device. The network access device is to receive a packet from a source node destined to a destination node, and to examine a data structure maintained by the network access device to determine whether the data structure stores a data member having a predetermined value, the data member indicating whether the packet should undergo security processing. If the data member matches the predetermined value, the packet is transmitted to a security device associated with the network access device to allow the security device to perform content inspection, and in response to a response received from the security device, the packet is routed to the destination node dependent upon the response. The packet is routed to the destination node without forwarding the packet to the security device.


    Cooperative network security inspection
    3.
    Granted invention patent
    Cooperative network security inspection (in force)

    Publication (announcement) number: US08955093B2

    Publication (announcement) date: 2015-02-10

    Application number: US13860408

    Filing date: 2013-04-10

    IPC classification: H04L29/06

    Abstract: A network system includes a security device and a network access device. The network access device is to receive a packet from a source node destined to a destination node, and to examine a data structure maintained by the network access device to determine whether the data structure stores a data member having a predetermined value, the data member indicating whether the packet should undergo security processing. If the data member matches the predetermined value, the packet is transmitted to a security device associated with the network access device to allow the security device to perform content inspection, and in response to a response received from the security device, the packet is routed to the destination node dependent upon the response. The packet is routed to the destination node without forwarding the packet to the security device.


    Virtual security boundary for physical or virtual network devices
    4.
    Granted invention patent
    Virtual security boundary for physical or virtual network devices (in force)

    Publication (announcement) number: US08813169B2

    Publication (announcement) date: 2014-08-19

    Application number: US13288872

    Filing date: 2011-11-03

    IPC classification: G06F17/00 H04L29/06

    Abstract: A method and apparatus is disclosed herein for using a virtual security boundary. In one embodiment, the method comprises receiving information from a virtual machine after the virtual machine has been moved from a first physical location in a network to a second physical location in the network, where the information identifies the virtual machine as one previously assigned to a security boundary; determining that access to the virtual machine at the first physical location was permitted by the security gateway; assigning the virtual machine at the second physical location to the security boundary, and applying a security policy associated with the security boundary to communications between the network and the virtual machine at the second physical location.


    SYSTEM AND METHOD FOR DYNAMIC SECURITY INSERTION IN NETWORK VIRTUALIZATION
    5.
    Invention patent application
    SYSTEM AND METHOD FOR DYNAMIC SECURITY INSERTION IN NETWORK VIRTUALIZATION (in force)

    Publication (announcement) number: US20130276092A1

    Publication (announcement) date: 2013-10-17

    Application number: US13861220

    Filing date: 2013-04-11

    IPC classification: G06F15/16

    Abstract: A method and apparatus for dynamic security insertion into virtualized networks is described. The method may include receiving, at a network device from a second network device, a data packet and application data extracted from the data packet. The method may also include generating a routing decision for a network connection associated with the data packet based, at least in part, on the application data. Furthermore, the method may include transmitting the routing decision for the data packet to the second device for the second device to route the data based on the routing decision.


    VIRTUAL SECURITY BOUNDARY FOR PHYSICAL OR VIRTUAL NETWORK DEVICES
    6.
    Invention patent application
    VIRTUAL SECURITY BOUNDARY FOR PHYSICAL OR VIRTUAL NETWORK DEVICES (in force)

    Publication (announcement) number: US20130117801A1

    Publication (announcement) date: 2013-05-09

    Application number: US13288872

    Filing date: 2011-11-03

    IPC classification: G06F17/00

    Abstract: A method and apparatus is disclosed herein for using a virtual security boundary. In one embodiment, the method comprises receiving information from a virtual machine after the virtual machine has been moved from a first physical location in a network to a second physical location in the network, where the information identifies the virtual machine as one previously assigned to a security boundary; determining that access to the virtual machine at the first physical location was permitted by the security gateway; assigning the virtual machine at the second physical location to the security boundary, and applying a security policy associated with the security boundary to communications between the network and the virtual machine at the second physical location.
