-
Publication No.: US07095716B1
Publication date: 2006-08-22
Application No.: US10112924
Filing date: 2002-03-28
Applicant: Yan Ke, Yuming Mao, Jian Tong, Guangsong Huang
Inventor: Yan Ke, Yuming Mao, Jian Tong, Guangsong Huang
IPC classification: H04J1/16
CPC classification: H04L63/0236, H04L63/0272, H04L63/1416
Abstract: Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet. An input port receives a data packet, a switching board classifies the data packet, determines whether the data packet should be accepted, and switches the data packet to a management board if the data packet is a first data packet in a session, and to a processing board if the data packet is not a first data packet in a session. A management board receives a data packet from the switching board, examines the data packet and forwards the data packet to one of the processing boards. One or more processing boards receives non-first data packets from the switching board and data packets from the management board and processes the data packets. A firewall and a secure gateway with firewall and virtual private network functionality for processing a data packet are also described.
-
Publication No.: US08068487B1
Publication date: 2011-11-29
Application No.: US12551034
Filing date: 2009-08-31
Applicant: Yan Ke, Yuming Mao, Jian Tong, Guangsong Huang
Inventor: Yan Ke, Yuming Mao, Jian Tong, Guangsong Huang
IPC classification: H04L12/28
CPC classification: H04L63/0236, H04L63/0272, H04L63/1416
Abstract: A device described herein may include an input port operable to receive data packets; a switching board operable to classify the data packets, determine whether the data packets should be accepted by the device, and determine whether received data packets are first data packets in a session; a management board operable to receive the data packets from the switching board that were determined by the switching board to be the first data packets in a session; and one or more processing boards operable to receive data packets from the switching board that were determined by the switching board to not be the first data packets in a session and to process the received data packets.
-
Publication No.: US07602775B1
Publication date: 2009-10-13
Application No.: US11428235
Filing date: 2006-06-30
Applicant: Yan Ke, Yuming Mao, Jian Tong, Guangsong Huang
Inventor: Yan Ke, Yuming Mao, Jian Tong, Guangsong Huang
IPC classification: H04Q11/00
CPC classification: H04L63/0236, H04L63/0272, H04L63/1416
Abstract: A device described herein may include an input port operable to receive data packets; a switching board operable to classify the data packets, determine whether the data packets should be accepted by the device, and determine whether received data packets are first data packets in a session; a management board operable to receive the data packets from the switching board that were determined by the switching board to be the first data packets in a session; and one or more processing boards operable to receive data packets from the switching board that were determined by the switching board to not be the first data packets in a session and to process the received data packets.
-
Publication No.: US08654779B1
Publication date: 2014-02-18
Application No.: US13302808
Filing date: 2011-11-22
Applicant: Yan Ke, Yuming Mao, Jian Tong, Guangsong Huang
Inventor: Yan Ke, Yuming Mao, Jian Tong, Guangsong Huang
IPC classification: H04L12/28
CPC classification: H04L63/0236, H04L63/0272, H04L63/1416
Abstract: Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet. An input port receives a data packet, a switching board classifies the data packet, determines whether the data packet should be accepted, and switches the data packet to a management board if the data packet is a first data packet in a session, and to a processing board if the data packet is not a first data packet in a session. A management board receives a data packet from the switching board, examines the data packet and forwards the data packet to one of the processing boards. One or more processing boards receives non-first data packets from the switching board and data packets from the management board and processes the data packets. A firewall and a secure gateway with firewall and virtual private network functionality for processing a data packet are also described.
-
Publication No.: US07093280B2
Publication date: 2006-08-15
Application No.: US09967893
Filing date: 2001-09-27
Applicant: Yan Ke, Yuming Mao, Wilson Xu, Brian Yean-Shiang Leu
Inventor: Yan Ke, Yuming Mao, Wilson Xu, Brian Yean-Shiang Leu
CPC classification: H04L63/02, H04L12/4641, H04L12/4645, H04L12/467, H04L49/25, H04L49/351, H04L49/354, H04L63/0209, H04L63/0272, H04L63/08, H04L63/20
Abstract: Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet in a packet forwarding device. A data packet is received. A virtual local area network destination is determined for the received data packet, and a set of rules associated with the virtual local area network destination is identified. The rules are applied to the data packet. If a virtual local area network destination has been determined for the received data packet, the data packet is output to the destination, using the result from the application of the rules. If no destination has been determined, the data packet is dropped. A security system for partitioning security system resources into a plurality of separate security domains that are configurable to enforce one or more policies and to allocate security system resources to the one or more security domains, is also described.
-
Publication No.: US07774836B1
Publication date: 2010-08-10
Application No.: US11461798
Filing date: 2006-08-02
Applicant: Ken Xie, Yan Ke, Yuming Mao
Inventor: Ken Xie, Yan Ke, Yuming Mao
CPC classification: H04L12/66, H04L63/0263
Abstract: An improved firewall for providing network security is described. The improved firewall provides for dynamic rule generation, as well as using conventional fixed rules. This improvement is provided without significant increase in the processing time required for most packets. Additionally, the improved firewall provides for translation of IP addresses between the firewall and the internal network.
-
Publication No.: US07107612B1
Publication date: 2006-09-12
Application No.: US10893283
Filing date: 2004-07-19
Applicant: Ken Xie, Yan Ke, Yuming Mao
Inventor: Ken Xie, Yan Ke, Yuming Mao
CPC classification: H04L12/66, H04L63/0263
Abstract: An improved firewall for providing network security is described. The improved firewall provides for dynamic rule generation, as well as using conventional fixed rules. This improvement is provided without significant increase in the processing time required for most packets. Additionally, the improved firewall provides for translation of IP addresses between the firewall and the internal network.
-
Publication No.: US07823195B1
Publication date: 2010-10-26
Application No.: US11842018
Filing date: 2007-08-20
Applicant: Ken Xie, Yan Ke, Yuming Mao
Inventor: Ken Xie, Yan Ke, Yuming Mao
CPC classification: H04L12/66, H04L63/0263
Abstract: An improved firewall for providing network security is described. The improved firewall provides for dynamic rule generation, as well as using conventional fixed rules. This improvement is provided without significant increase in the processing time required for most packets. Additionally, the improved firewall provides for translation of IP addresses between the firewall and the internal network.
-
Publication No.: US06772347B1
Publication date: 2004-08-03
Application No.: US09525369
Filing date: 2000-03-15
Applicant: Ken Xie, Yan Ke, Yuming Mao
Inventor: Ken Xie, Yan Ke, Yuming Mao
IPC classification: G06F1300
CPC classification: H04L49/901, H04L29/06, H04L49/90, H04L49/9057, H04L63/02, H04L69/16, H04L69/22
Abstract: Systems and methods for network security including a firewall. One firewall includes a firewall engine. The firewall engine includes a first engine including a first set of rules for sorting incoming IP packets into initially allowed packets and initially denied packets. The firewall engine also includes a filter including a second set of rules for receiving and further sorting the initially denied packets into allowed packets and denied packets.
-
Publication No.: US09185075B2
Publication date: 2015-11-10
Application No.: US11422477
Filing date: 2006-06-06
Applicant: Yan Ke, Yuming Mao, Wilson Xu, Brian Yean-Shiang Leu
Inventor: Yan Ke, Yuming Mao, Wilson Xu, Brian Yean-Shiang Leu
IPC classification: H04L29/06, H04L12/46, H04L12/931, H04L12/947
CPC classification: H04L63/02, H04L12/4641, H04L12/4645, H04L12/467, H04L49/25, H04L49/351, H04L49/354, H04L63/0209, H04L63/0272, H04L63/08, H04L63/20
Abstract: Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet in a packet forwarding device. A data packet is received. A virtual local area network destination is determined for the received data packet, and a set of rules associated with the virtual local area network destination is identified. The rules are applied to the data packet. If a virtual local area network destination has been determined for the received data packet, the data packet is output to the destination, using the result from the application of the rules. If no destination has been determined, the data packet is dropped. A security system for partitioning security system resources into a plurality of separate security domains that are configurable to enforce one or more policies and to allocate security system resources to the one or more security domains, is also described.