A network router includes a plurality of interfaces configured to send and receive packets, and a routing component comprising: (i) a routing engine that includes a control unit that executes a routing protocol to maintain routing information specifying routes through a network, and (ii) a forwarding plane configured by the routing engine to select next hops for the packets in accordance with the routing information. The forwarding plane comprises a switch fabric to forward the packets to the interfaces based on the selected next hops. The network router also includes a security plane configured to apply security functions to the packets. The security plane is integrated within the network router to share a streamlined forwarding plane of the routing component.

Streamlined packet forwarding using dynamic filters for routing and security in a shared forwarding plane

Methods and systems for operation upon one or more data processors for prioritizing transmission among a plurality of data streams based upon a classification associated with the data packets associated with each of the plurality of data streams, respectively. Systems and methods can operate to allocate bandwidth to priority data streams first and recursively allocate remaining bandwidth to lesser priority data streams based upon the priority associated with those respective lesser priority data streams.

Prioritizing network traffic

A survey on gaps, threat remediation challenges and some thoughts for proactive attack detection in cloud computing

A network security appliance supports definition of a security policy to control access to a network. The security policy is defined by match criteria including a layer seven network application, a static port list of layer four ports for a transport-layer protocol, and actions to be applied to packet flows that match the match criteria. A rules engine dynamically identifies a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets. The rules engine is configured to apply the security policy to determine whether the packet flow matches the static port lists specified by the match criteria. The network security appliance applies the actions specified by the security policy to the packet flow.

Dynamic access control policy with port restrictions for a network security appliance

An intrusion detection system (“IDS”) device is described that includes a flow analysis module to receive a first packet flow from a client and to receive a second packet flow from a server. The IDS includes a forwarding component to send the first packet flow to the server and the second packet flow to the client and a stateful inspection engine to apply one or more sets of patterns to the first packet flow to determine whether the first packet flow represents a network attack. The IDS also includes an application identification module to perform an initial identification of a type of software application and communication protocol associated with the first packet flow and to reevaluate the identification of the type of software application and protocol according to the second packet flow. The IDS may help eliminate false positive and false negative attack identifications.

Identifying applications for intrusion detection systems

This paper introduces a practical security model based on key security considerations by looking at a number of infrastructure aspects of Cloud Computing such as SaaS, Utility, Web, Platform and Managed Services, Service commerce platforms and Internet Integration which was introduced with a concise literature review. The purpose of this paper is to offer a macro level solution for identified common infrastructure security requirements. This model with a number of emerged patterns can be applied to infrastructure aspect of Cloud Computing as a proposed shared security approach in system development life cycle focusing on the plan-built-run scope.

A Layered Security Approach for Cloud Computing Infrastructure

System, method and program product for managing a security policy of a firewall. The firewall receives a message packet addressed to a specified port of a destination IP address and determines that the firewall does not have a message flow rule which permits passing of the message packet to the port. The port is tested to determine if the port is open. If so, an administrator is queried whether the firewall should have a message flow rule which permits passing of the message packet to the port. If not, an administrator is not queried whether the firewall should have a message flow rule which permits passing of the message packet to the port. There may be first and second firewalls located between the source IP address and destination IP address. Before the port is tested, a central database is checked to learn if the central database has a record of whether the first firewall should have a message flow rule which permits passing of the message packet to the port. If not, and the port is found to be open, the central database is updated to indicate that both the first and second firewalls should have a message flow rule which permits passing of the message packet to the port. Also, the security policy of the first firewall is updated with a message flow rule which permits passing of the message packet to the port. The second firewall is not updated until it encounters a message packet addressed to the port.

System, method and program product to identify additional firewall rules that may be needed

A method for determining if a multiplicity of networks are authorized to communicate with each other and what IP protocol can be used for communication between each combination of two of the networks. For each network, a computer readable data base stores a record of (a) IP protocol(s) permitted to be used with said each network and (b) types of other networks permitted to communicate to said each network. For said each network, a computer readable data base stores a record of IP protocols and destination and source networks permitted by a respective firewall or router for said each network. For said each network, a computer readable data base stores a record of a type of said each network. Multiple combinations of the networks are automatically identified. Each of the combinations comprises a source network and a destination network. For each of the combinations, based on the records, it is automatically determined if each of the networks in the combination is permitted to communicate with the other network in the combination and what IP protocol(s) are common to both of the networks in the combination.

Security checking program for communication between networks

A method and system for determining whether to alter a firewall configuration. Message flow data associated with a message packet blocked by a firewall is received. The packet was blocked based on the firewall not having a message flow rule that permitted passage of the message packet. Risk values associated with a source network, destination network and destination port are identified by the message flow data. Based on the risk values, an electronic recommendation indicating whether to add to the firewall a message flow rule that permits the message flow to pass is determined and generated.

Method and system for determining whether to alter a firewall configuration

A method and system for utilizing an expert system to determine whether to alter a firewall configuration. The expert system receives message flow data associated with a message packet blocked by a firewall. The packet is blocked based on an associated message flow not being permitted by a set of rules. The expert system assigns predefined risk values to the message flow data so that each risk value is associated with a source network, destination network or destination port included in the message flow data. The expert system utilizes the assigned risk values to determine a total risk value associated with the message packet. Finally, the expert system generates a proposal based on the total risk value. The proposal is a recommendation for or against adding to the set of rules a message flow rule that permits the message flow.

Andrew J. Bernoth

Papers

A Layered Security Approach for Cloud Computing Infrastructure

System, method and program product to identify additional firewall rules that may be needed

Security checking program for communication between networks

Method and system for determining whether to alter a firewall configuration

Method and sysem for utilizing an expert system to determine whether to alter a firewall configuration