Software update methodology
    2.
    Granted patent
    Software update methodology (status: active)

    Publication number: US09098373B2

    Publication date: 2015-08-04

    Application number: US13741310

    Filing date: 2013-01-14

    CPC classification number: G06F8/65 H04L67/1095 H04L67/1097

    Abstract: Software update information is communicated to a network appliance either across a network or from a local memory device. The software update information includes kernel data, application data, or indicator data. The network appliance includes a first storage device, a second storage device, an operating memory, a central processing unit (CPU), and a network adapter. First and second storage devices are persistent storage devices. In a first example, both kernel data and application data are updated in the network appliance in response to receiving the software update information. In a second example, only the kernel data is updated in the network appliance in response to receiving the software update information. In a third example, only the application data is updated in the network appliance in response to receiving the software update information. Indicator data included in the software update information determines the data to be updated in the network appliance.

    SOFTWARE UPDATE METHODOLOGY
    3.
    Patent application
    SOFTWARE UPDATE METHODOLOGY (status: active)

    Publication number: US20140201728A1

    Publication date: 2014-07-17

    Application number: US13741310

    Filing date: 2013-01-14

    CPC classification number: G06F8/65 H04L67/1095 H04L67/1097

    Abstract: Software update information is communicated to a network appliance either across a network or from a local memory device. The software update information includes kernel data, application data, or indicator data. The network appliance includes a first storage device, a second storage device, an operating memory, a central processing unit (CPU), and a network adapter. First and second storage devices are persistent storage devices. In a first example, both kernel data and application data are updated in the network appliance in response to receiving the software update information. In a second example, only the kernel data is updated in the network appliance in response to receiving the software update information. In a third example, only the application data is updated in the network appliance in response to receiving the software update information. Indicator data included in the software update information determines the data to be updated in the network appliance.

    EFFICIENT FORWARDING OF ENCRYPTED TCP RETRANSMISSIONS
    4.
    Patent application
    EFFICIENT FORWARDING OF ENCRYPTED TCP RETRANSMISSIONS (status: active)

    Publication number: US20140195797A1

    Publication date: 2014-07-10

    Application number: US13737907

    Filing date: 2013-01-09

    CPC classification number: H04L63/0428 H04L63/168

    Abstract: A network device receives TCP segments of a flow via a first SSL session and transmits TCP segments via a second SSL session. Once a TCP segment has been transmitted, the TCP payload need no longer be stored on the network device. Substantial memory resources are conserved, because the device may have to handle many retransmit TCP segments at a given time. If the device receives a retransmit segment, then the device regenerates the retransmit segment to be transmitted. A data structure of entries is stored, with each entry including a decrypt state and an encrypt state for an associated SSL byte position. The device uses the decrypt state to initialize a decrypt engine, decrypts an SSL payload of the retransmit TCP segment received, uses the encrypt state to initialize an encrypt engine, re-encrypts the SSL payload, and then incorporates the re-encrypted SSL payload into the regenerated retransmit TCP segment.

    EFFICIENT INTERCEPT OF CONNECTION-BASED TRANSPORT LAYER CONNECTIONS
    5.
    Patent application
    EFFICIENT INTERCEPT OF CONNECTION-BASED TRANSPORT LAYER CONNECTIONS (status: active)

    Publication number: US20140189093A1

    Publication date: 2014-07-03

    Application number: US13730985

    Filing date: 2012-12-29

    Abstract: A TCP connection is established between a client and a server, such that packets communicated across the TCP connection pass through a proxy. Based at least in part on a result of monitoring packets flowing across the TCP connection, the proxy determines whether to split the TCP control loop into two TCP control loops so that packets can be inspected more thoroughly. If the TCP control loop is split, then a first TCP control loop manages flow between the client and the proxy and a second TCP control loop manages flow between the proxy and the server. Due to the two control loops, packets can be held on the proxy long enough to be analyzed. In some circumstances, a decision is then made to stop inspecting. The two TCP control loops are merged into a single TCP control loop, and thereafter the proxy passes packets of the TCP connection through unmodified.

    Efficient forwarding of encrypted TCP retransmissions
    6.
    Granted patent
    Efficient forwarding of encrypted TCP retransmissions (status: active)

    Publication number: US09154468B2

    Publication date: 2015-10-06

    Application number: US13737907

    Filing date: 2013-01-09

    CPC classification number: H04L63/0428 H04L63/168

    Abstract: A network device receives TCP segments of a flow via a first SSL session and transmits TCP segments via a second SSL session. Once a TCP segment has been transmitted, the TCP payload need no longer be stored on the network device. Substantial memory resources are conserved, because the device may have to handle many retransmit TCP segments at a given time. If the device receives a retransmit segment, then the device regenerates the retransmit segment to be transmitted. A data structure of entries is stored, with each entry including a decrypt state and an encrypt state for an associated SSL byte position. The device uses the decrypt state to initialize a decrypt engine, decrypts an SSL payload of the retransmit TCP segment received, uses the encrypt state to initialize an encrypt engine, re-encrypts the SSL payload, and then incorporates the re-encrypted SSL payload into the regenerated retransmit TCP segment.

    Compartmentalization of the user network interface to a device
    7.
    Granted patent
    Compartmentalization of the user network interface to a device (status: active)

    Publication number: US08918868B2

    Publication date: 2014-12-23

    Application number: US13742311

    Filing date: 2013-01-15

    Abstract: A device has a physical network interface port through which a user can monitor and configure the device. A backend process and a virtual machine (VM) execute on a host operating system (OS). A front end user interface process executes on the VM, and is therefore compartmentalized in the VM. There is no front end user interface executing on the host OS outside the VM. The only management access channel into the device is via a first communication path through the physical network interface port, to the VM, up the VM's stack, and to the front end process. If the backend process is to be instructed to take an action, then the front end process forwards an application layer instruction to the backend process via a second communication path. The instruction passes down the VM stack, across a virtual secure network link, up the host stack, and to the backend process.

    COMPARTMENTALIZATION OF THE USER NETWORK INTERFACE TO A DEVICE
    8.
    Patent application
    COMPARTMENTALIZATION OF THE USER NETWORK INTERFACE TO A DEVICE (status: active)

    Publication number: US20140201734A1

    Publication date: 2014-07-17

    Application number: US13742311

    Filing date: 2013-01-15

    Abstract: A device has a physical network interface port through which a user can monitor and configure the device. A backend process and a virtual machine (VM) execute on a host operating system (OS). A front end user interface process executes on the VM, and is therefore compartmentalized in the VM. There is no front end user interface executing on the host OS outside the VM. The only management access channel into the device is via a first communication path through the physical network interface port, to the VM, up the VM's stack, and to the front end process. If the backend process is to be instructed to take an action, then the front end process forwards an application layer instruction to the backend process via a second communication path. The instruction passes down the VM stack, across a virtual secure network link, up the host stack, and to the backend process.
