U.S. patent application number 15/463881 was filed with the patent office on 2017-07-06 for distributed service processing of network gateways using virtual machines.
The applicant listed for this patent is vArmour Networks, Inc.. Invention is credited to Choung-Yaw Shieh.
Application Number | 20170195454 15/463881 |
Document ID | / |
Family ID | 46636843 |
Filed Date | 2017-07-06 |
United States Patent
Application |
20170195454 |
Kind Code |
A1 |
Shieh; Choung-Yaw |
July 6, 2017 |
Distributed Service Processing of Network Gateways Using Virtual
Machines
Abstract
A network gateway device includes an ingress interface, an
egress interface, and a load balancing module coupled to the
ingress and egress interfaces. The load balancing module configured
to receive a packet from the ingress interface, determine a set of
a plurality of processes corresponding to a connections session
associated with the packet based on a policy. For each of the
identified processes, the load balancing module is to identify a
service processing module executed by a virtual machine that is
capable of handling the identified process, and to send the packet
to the identified service processing module to perform the
identified process on the packet. The packet is then transmitted to
the egress interface of the gateway device to be forwarded to a
destination.
Inventors: |
Shieh; Choung-Yaw; (Palo
Alto, CA) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
vArmour Networks, Inc. |
Mountain View |
CA |
US |
|
|
Family ID: |
46636843 |
Appl. No.: |
15/463881 |
Filed: |
March 20, 2017 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
14877836 |
Oct 7, 2015 |
9609083 |
|
|
15463881 |
|
|
|
|
13363082 |
Jan 31, 2012 |
9191327 |
|
|
14877836 |
|
|
|
|
61462980 |
Feb 10, 2011 |
|
|
|
Current U.S.
Class: |
1/1 |
Current CPC
Class: |
G06F 9/45533 20130101;
H04L 47/20 20130101; H04L 67/14 20130101; H04L 67/10 20130101; H04W
28/20 20130101; H04L 41/0896 20130101; G06F 9/45558 20130101; H04L
65/1033 20130101; G06F 2009/45595 20130101; H04L 63/0209 20130101;
H04L 67/32 20130101; H04L 47/125 20130101 |
International
Class: |
H04L 29/08 20060101
H04L029/08; G06F 9/455 20060101 G06F009/455; H04L 29/06 20060101
H04L029/06; H04L 12/24 20060101 H04L012/24; H04L 12/803 20060101
H04L012/803; H04L 12/813 20060101 H04L012/813 |
Claims
1. A computer-implemented method, comprising: receiving a packet at
an ingress interface of a gateway device communicatively coupled to
a local area network (LAN) and an external network; determining a
first service and a second service corresponding to a connections
session, the first service and the second service determined using
a policy; identifying a first service processing module associated
with the first service, the first service processing module
executed by a first virtual machine capable of handling the first
service; sending the packet to the first service processing module,
the first service processing module performing the first service on
the packet to produce a first processed packet; identifying a
second service processing module associated with the second
service, the second service processing module executed by a second
virtual machine capable of handling the second service; sending the
first processed packet to the second service processing module, the
second service processing module performing the second service on
the first processed packet to produce a second processed packet;
and forwarding the second processed packet to an egress interface
of the gateway device to a destination.
2. The method of claim 1, wherein at least one of the first service
processing module and the second service processing module is
located external to the gateway device and communicatively coupled
to the gateway device.
3. The method of claim 1, wherein at least one of the first service
processing module and the second service processing module is
located in a public cloud associated with the external network.
4. The method of claim 1, wherein the first service includes at
least one of a network address translation (NAT) process, a virtual
private network (VPN) process, and a deep packet inspection (DPI)
process.
5. The method of claim 1, further comprising: determining whether
the first service processing module has sufficient bandwidth to
handle the first service.
6. The method of claim 5, further comprising: in response to the
first service processing module not having sufficient bandwidth to
perform the first service on the packet: allocating and launching a
third service processing module; and alternatively sending the
packet to the third service processing module, the third service
processing module performing the first service on the packet to
produce the first processed packet.
7. The method of claim 1, further comprising: determining whether
the second service processing module has sufficient bandwidth to
handle the second service.
8. A non-transitory computer-readable storage medium having
embodied thereon a program, the program being executable by a
processor to perform a method, the method comprising: receiving a
packet at an ingress interface of a gateway device communicatively
coupled to a local area network (LAN) and an external network;
determining a first service and a second service corresponding to a
connections session, the first service and the second service
determined using a policy; identifying a first service processing
module associated with the first service, the first service
processing module executed by a first virtual machine capable of
handling the first service; sending the packet to the first service
processing module, the first service processing module performing
the first service on the packet to produce a first processed
packet; identifying a second service processing module associated
with the second service, the second service processing module
executed by a second virtual machine capable of handling the second
service; sending the first processed packet to the second service
processing module, the second service processing module performing
the second service on the first processed packet to produce a
second processed packet; and forwarding the second processed packet
to an egress interface of the gateway device to a destination.
9. The non-transitory computer-readable storage medium of claim 8,
wherein at least one of the first service processing module and the
second service processing module is located external to the gateway
device and communicatively coupled to the gateway device.
10. The non-transitory computer-readable storage medium of claim 8,
wherein at least one of the first service processing module and the
second service processing module is located in a public cloud
associated with the external network.
11. The non-transitory computer-readable storage medium of claim 8,
wherein the first service includes at least one of a network
address translation (NAT) service, a virtual private network (VPN)
service, and a deep packet inspection (DPI) service.
12. The non-transitory computer-readable storage medium of claim 8,
further comprising: determining whether the first service
processing module has sufficient bandwidth to handle the first
service.
13. The non-transitory computer-readable storage medium of claim
12, further comprising: in response to the first service processing
module not having sufficient bandwidth to perform the first service
on the packet: allocating and launching a third service processing
module; and alternatively sending the packet to the third service
processing module, the third service processing module performing
the first service on the packet to produce the first processed
packet.
14. The non-transitory computer-readable storage medium of claim 8,
wherein the method further comprises: determining whether the
second service processing module has sufficient bandwidth to handle
the second service.
15. A gateway device, comprising: an ingress interface; an egress
interface; and a load balancing module coupled to the ingress and
egress interfaces, the load balancing module comprising: at least
one processor; and a memory coupled to the at least one processor,
the memory storing instructions executable by the at least one
processor to perform a method comprising: receiving a packet from
the ingress interface, determining a first service and a second
service corresponding to a connections session, the first service
and the second service determined using a policy, identifying a
first service processing module associated with the first service,
the first service processing module executed by a first virtual
machine capable of handling the first service; sending the packet
to the first service processing module, the first service
processing module performing the first service on the packet to
produce a first processed packet; identifying a second service
processing module associated with the second service, the second
service processing module executed by a second virtual machine
capable of handling the second service; sending the first processed
packet to the second service processing module, the second service
processing module performing the second service on the first
processed packet to produce a second processed packet; and
forwarding the second processed packet to the egress interface of
the gateway device to a destination.
16. The gateway device of claim 15, wherein at least one of the
first service processing module and the second service processing
module is located external to the gateway device and
communicatively coupled to the gateway device.
17. The gateway device of claim 15, wherein at least one of the
first service processing module and the second service processing
module is located in a public cloud associated with an external
network.
18. The gateway device of claim 15, wherein the first service
includes at least one of a network address translation (NAT)
service, a virtual private network (VPN) service, and a deep packet
inspection (DPI) service.
19. The gateway device of claim 15, wherein the method further
comprises: determining whether the first service processing module
has sufficient bandwidth to handle the first service.
20. The gateway device of claim 19, wherein the method further
comprises: in response to the first service processing module not
having sufficient bandwidth to perform the first service on the
packet: allocating and launching a third service processing module;
and alternatively sending the packet to the third service
processing module, the third service processing module performing
the first service on the packet to produce the first processed
packet.
21. The gateway device of claim 15, further comprising: determining
whether the second service processing module has sufficient
bandwidth to handle the second service.
Description
RELATED APPLICATIONS
[0001] The present application is a continuation that claims the
benefit of U.S. Non-Provisional patent application Ser. No.
14/877,836, filed Oct. 7, 2015, which is a continuation that claims
the benefit of U.S. Non-Provisional patent application Ser. No.
13/363,082, filed Jan. 31, 2012, now U.S. Pat. No. 9,191,327, which
claims the benefit of U.S. Provisional Patent Application No.
61/462,980, filed Feb. 10, 2011, which are all hereby incorporated
by reference in their entirety including all references cited
therein.
FIELD OF THE INVENTION
[0002] Embodiments of the present invention relate generally to
network security. More particularly, embodiments of the invention
relate to distributed service processing of network gateways using
virtual machines.
BACKGROUND
[0003] A network gateway handles all network traffic that comes in
and goes out of a network it protects. As the attacks get more
sophisticated, there are more and more security and network
services running on the network gateway to support the additional
security functions. However, these additional services consume
memory and central processing unit (CPU) resources of the gateway
and limit the network throughput that the network gateway can
support. Besides, if a network service must run on a particular
operating system, e.g., Microsoft Server 2008, but the underlying
operating system of the network gateway is different, then the
gateway cannot support this network service. This limitation
hinders what services the network gateway can support.
[0004] FIG. 1 is a block diagram illustrating a conventional
network processing scheme in a gateway device (also referred to as
a network gateway). Referring to FIG. 1, packets go through several
network service processing stages in the network gateway, before
being forwarded to next hop hosts. Typically, the packets get a
sanity check (e.g., checksum, data corruption, etc.) at block 101
and then at block 102, they are processed by a packet classifier to
identify the associated connection. The packets then go through
multiple network services 103-105 of the identified connection,
before they are forwarded out of the network gateway at block
106.
[0005] Some of the network services may need to parse the packet
payload or search for patterns through the entire payload. These
processes take time and memory to operate and consume valuable CPU
resources otherwise could be used to process other packets. When
there is a large amount of traffic and the packets go through
computation-intensive services, the network gateway may slow down
and cannot keep up with the traffic.
SUMMARY
[0006] A method and apparatus is disclosed herein for distributed
service processing using virtual machines. In one embodiment, the
method comprises receiving a packet at an ingress interface of a
gateway device interfacing a local area network (LAN) and an
external network; determining a set of a plurality of processes
corresponding a connections session associated with the packet
based on a policy; for each of the identified processes,
identifying a service processing module executed by a virtual
machine that is capable of handling the identified process, and
sending the packet to the identified service processing module to
perform the identified process on the packet; and transmitting the
packet to an egress interface of the gateway device to be forwarded
to a destination.
BRIEF DESCRIPTION OF THE DRAWINGS
[0007] Embodiments of the invention are illustrated by way of
example and not limitation in the figures of the accompanying
drawings in which like references indicate similar elements.
[0008] FIG. 1 is a block diagram illustrating traditional service
processing in a gateway device.
[0009] FIG. 2 is a block diagram illustrating an example of a
network configuration according to one embodiment of the
invention.
[0010] FIG. 3 is a block diagram illustrating an example of
distributed service processing according to one embodiment of the
invention.
[0011] FIG. 4 is a block diagram illustrating an example of a data
processing system which may be used as an embodiment of the
invention.
[0012] FIG. 5 is a block diagram illustrating an architecture of a
processing module according to one embodiment of the invention.
[0013] FIG. 6 is a flow diagram illustrating a method for
performing distributed services according to one embodiment of the
invention.
[0014] FIG. 7 illustrates a set of code (e.g., programs) and data
that is stored in memory of one embodiment of a gateway according
to one embodiment.
[0015] FIG. 8 illustrates a set of code (e.g., programs) and data
that is stored in memory according to one embodiment.
DETAILED DESCRIPTION
[0016] Various embodiments and aspects of the inventions will be
described with reference to details discussed below, and the
accompanying drawings will illustrate the various embodiments. The
following description and drawings are illustrative of the
invention and are not to be construed as limiting the invention.
Numerous specific details are described to provide a thorough
understanding of various embodiments of the present invention.
However, in certain instances, well-known or conventional details
are not described in order to provide a concise discussion of
embodiments of the present inventions.
[0017] Reference in the specification to "one embodiment" or "an
embodiment" means that a particular feature, structure, or
characteristic described in conjunction with the embodiment can be
included in at least one embodiment of the invention. The
appearances of the phrase "in one embodiment" in various places in
the specification do not necessarily all refer to the same
embodiment.
[0018] According to some embodiments, a new design is provided to
create distributed service processing in a network gateway to
support the increasing system load and to support third party
services on different operating systems. An embodiment of the
present invention moves at least some of these computation
intensive network services into virtual machines. The virtual
machines may host one or more of the network services, where the
virtual machines may be hosted within the gateway or external to
the gateway. Packets are forwarded to the virtual machines then
forwarded back to the network gateway after the processing. The
network gateway can use a load balancing mechanism to forward the
packets to multiple virtual machines. Each virtual machine supports
one or more network services of different connections. The load
balancing to virtual machines provides a great flexibility and
scalability to support a large scale of networks.
[0019] FIG. 2 is a block diagram illustrating an example of network
configuration according to one embodiment of the invention.
Referring to FIG. 2, gateway device 204 (also referred to as a
network element, a router, a network access device, or an access
point, etc.) provides an interface between network 203 and network
205. Network 203 may be an external network such as a wide area
network (WAN) (e.g., Internet) while network 205 represents a local
area network (LAN). Nodes 206-207 have to go through gateway device
204 in order to reach nodes 201-202, or vice versa. Any of nodes
201-202 and 206-207 may be a client device (e.g., a desktop,
laptop, Smartphone, gaming device, etc.) or a server.
[0020] According to one embodiment, gateway device 204 is
associated with various service processing modules 208-209, each
being executed within a virtual machine (VM). Each service
processing module is responsible for handling one or more services.
Examples of the services to be performed for gateway device 204
include, but are not limited to, network address translation (NAT),
virtual private network (VPN), deep packet inspection (DPI), and/or
anti-virus, etc. Some of the service processing modules are located
within gateway device 204 (e.g., service processing modules 208)
and some are located external to gateway device 204 (e.g., service
processing modules 209 maintained by service processing node(s)
211). All of the service processing modules 208-209 are managed by
load balancing module 210, which may be located within gateway
device 204, in a public cloud associated with network 203, or in a
private cloud associated with network 205. In one embodiment, load
balancing module 210 and service processing modules 208-209
collectively may represent a distributed firewall of gateway device
204. Further detailed information concerning a distributed firewall
can be found in a co-pending U.S. patent application Ser. No.
13/363,088, entitled "Distributed Firewall Architecture using
Virtual Machines," filed Jan. 31, 2012, now U.S. Pat. No.
8,612,744, which is incorporated by reference herein in its
entirety.
[0021] A virtual machine represents a completely isolated operating
environment with a dedicated set of resources associated therewith.
A virtual machine may be installed or launched as a guest operating
system (OS) hosted by a host OS. Typically, a host OS represents a
virtual machine monitor (VMM) (also referred to as a hypervisor in
one embodiment) for managing the hosted virtual machines. A guest
OS may be of the same or different types with respect to the host
OS. For example, a guest OS may be a Windows.TM. operating system
and a host OS may be a LINUX operating system. In addition, the
guest OSes running on a host can be of the same or different types.
A virtual machine can be any type of virtual machine, such as, for
example, hardware emulation, full virtualization,
para-virtualization, and an operating system-level virtualization
virtual machine. Different virtual machines hosted by a server may
have the same or different privilege levels for accessing different
resources.
[0022] FIG. 3 is a block diagram illustrating an example of a
distributed service scheme according to one embodiment of the
invention. Processing flow 300 may be performed by gateway device
204 of FIG. 2. Referring to FIG. 3, network service processing is
shown distributed to multiple virtual machines. The network
services of the gateway device may be moved to external virtual
machines such as virtual machines 301-302. When the packets are
processed through the network service chaining in a network
gateway, if the next network service is at an external virtual
machine, the network gateway uses a load balancing mechanism to
identify the virtual machine and then forwards the packets to the
virtual machine. The load balancing algorithm may be based on
round-robin, least connections, or any other well-known load
balancing algorithms. The packets are sent back to the network
gateway once they are processed by the virtual machine.
[0023] In one embodiment, virtual machines 301-302 can be on the
same device as the network gateway, or they can reside on different
devices which connect to the network gateway through network
connections. There are multiple possible communication protocols
between the network gateway and virtual machines 301-302 that may
be used. If the network gateway and virtual machines 301-302 are in
the same layer-2 network, the packet can be forwarded through a
layer-2 protocol, such as, for example, the Ethernet protocol. In
this case, the original IP packets are encapsulated with an
Ethernet header of media access control (MAC) address of both
sides. The recipient then de-encapsulates the Ethernet header and
retrieves the original IP packets. The communication protocol can
also be a layer-3 protocol, such as the IP protocol. The original
packets are encapsulated with another IP header with the IP address
of both sides. The encapsulation of the outer IP header would
ensure the packets are sent and received between the virtual
machine and the network gateway.
[0024] In another embodiment, the network services can be running
on virtual machines or physical hosts. Running on virtual machines
provides an additional benefit that additional virtual machines can
be added dynamically in case of heavy traffic. Initially the
network gateway may have only one virtual machine for a particular
network service. When network traffic increases and the virtual
machine reaches its capacity, the network gateway can utilize more
virtual machines to add more system capacity. New connections are
forwarded to different virtual machines for load balancing. This
increases system availability and scalability.
[0025] The virtual machines 301-302 running the network services
can be distributed on different networks, or at different
locations, as long as the virtual machines can communicate with the
network gateway. One of the examples is to put the virtual machines
in a public cloud, and keep the network gateway in a data center.
This provides the flexibility to add more computing resources at a
lower cost, while maintaining the control of the network gateway in
enterprise's premises.
[0026] FIG. 5 is a block diagram illustrating virtual machine
architecture according to one embodiment of the invention.
Referring FIG. 5, virtual machine 500 may be used to host any of
service processing modules described above. In one embodiment,
virtual machine 500 includes a virtual network adapter 501. There
are at least two main functions for virtual network adapter 501.
The first function is to intercept the packets coming from the
network gateway, de-encapsulate the outer IP header if it uses IP
protocol, then forward the packets to the applications 502-504. If
there are packets being sent back to the network gateway, the
virtual network adapter 501 encapsulates the destination IP address
if it uses the IP protocol and then sends it to the underlying
network via VM Ethernet interface 505 and VM Ethernet driver 506.
This function ensures that the packets are forwarded between both
sides regardless the original IP addresses of the packets.
[0027] The second function of virtual network adapter 501 is to
separate the IP address of VM Ethernet interface 505 from the IP
address "seen" by the applications 502-504 of virtual machine 500.
As any IP address can be assigned to virtual network adapter 501,
applications 502-504 on virtual machine 500 can use this IP address
for application process, regardless the real IP address of VM
Ethernet interface 505. The use of the separate IP address will
ensure that the user-space application inserts the correct IP
address in the packet payload of the application.
[0028] In further detail, according to one embodiment, virtual
network adapter 501 logically creates an overlay network for
virtual machine 500. The applications 502-504 of virtual machine
500 assume the virtual IP address is the interface IP address,
while the real IP address of virtual machine Ethernet interface 505
is used to transmit the data between virtual machine 500 and the
network gateway. One can create as many as virtual network adapters
on virtual machine 500 to simulate the target network environment,
and to support a wide variety of the network topologies. The
virtual machines can use any operating system, as long as the VM
Ethernet driver 506 supports the operating system. Thus, the
services can be supported on any operating system which may be
different from the operating system the network gateway runs.
[0029] As a result, the network gateway can employ a significantly
large amount of CPU and memory resources for service processing as
long as it utilizes more virtual machines to support the service
processing. This makes it possible that network gateway can support
line rate processing, even with most computation-intensive network
services. An embodiment of the invention also allows different
operating systems of the virtual machines from the one running on
network gateway, which enables users to run network services on any
operating systems.
[0030] In summary, an embodiment of the invention is to enable
running many network services on the gateway without performance
degradation. These network services may be running on an overlay
network, with the freedom to have their own forwarding scenarios.
Embodiments of the invention can tap the cheap resources of public
cloud to run virtual machines to support a large amount of traffic
without much IT investment, and provide a great scalability and
system availability.
[0031] FIG. 6 is a flow diagram illustrating a method for
performing distributed services according to one embodiment of the
invention. Method 600 may be performed by processing logic that may
include software, hardware, or a combination of both. For example,
method 600 may be performed by gateway device 204 of FIG. 2.
Referring to FIG. 6, at block 601, a packet is received at an
ingress interface of a gateway device coupling a LAN to an external
network such as the Internet. At block 602, a set of one or more
sequential processes (e.g., security processes) is determined to be
performed on the packet based on a policy (e.g., security policy).
For each of the identified processes, at block 603, a service
processing module running within a virtual machine that is capable
of performing the process is identified. For example, an existing
service processing module corresponding to the process to be
performed having sufficient bandwidth may be invoked.
Alternatively, a new virtual machine having a new service
processing module may be dynamically allocated and launched. At
block 604, the packet is transmitted to the identified service
processing module for processing, where the service processing
module may be located external to the gateway device and
communicatively coupled to the gateway via a variety of
communications protocols (e.g., Ethernet or IP protocol). The above
operations involved in blocks 603-604 may be iteratively performed
for each of the identified processes in the chain, as indicated by
decision block 605. Once all of the processes have been performed,
at block 606, the packet is then transmitted to an egress interface
of the gateway to be forwarded to the destination.
[0032] FIG. 4 is a block diagram illustrating an example of a data
processing system which may be used as an embodiment of the
invention. For example, data processing system 410 may be
implemented as part of gateway device 204 or alternatively, data
processing system 410 may be implemented as part of a client or
server device. In one embodiment, data processing system 410, which
may operate as a gateway device, includes a memory, an interface to
receive one or more packets from the one or more virtual machines,
and one or more processors. Referring to FIG. 4, data processing
system 410 includes a bus 412 to interconnect subsystems of data
processing system 410, such as a central processor 414, a system
memory 417 (e.g., Random-Access Memory (RAM), Read-Only Memory
(ROM), etc.), an input/output controller 418, an external device,
such as a display screen 424 via display adapter 426, serial ports
428 and 430, a keyboard 432 (interfaced with a keyboard controller
433), a storage interface 434, a floppy disk unit 437 operative to
receive a floppy disk, a host bus adapter (HBA) interface card 435A
operative to connect with a Fibre Channel network 490, a host bus
adapter (HBA) interface card 435B operative to connect to a small
computer system interface (SCSI) bus 439, and an optical disk drive
440. Also included are a mouse 446 (or other point-and-click
device, coupled to bus 412 via serial port 428), a modem 447
(coupled to bus 412 via serial port 430), and a network interface
448 (coupled directly to bus 412).
[0033] Bus 412 allows data communication between central processor
414 and system memory 417. System memory 417 (e.g., RAM) may be
generally the main memory into which the operating system and
application programs are loaded. The ROM or flash memory can
contain, among other code, the Basic Input-Output system (BIOS)
which controls basic hardware operation such as the interaction
with peripheral components. Applications resident with data
processing system 410 are generally stored on and accessed via a
computer readable medium, such as a hard disk drive (e.g., fixed
disk 444), an optical drive (e.g., optical disk drive 440), a
floppy disk unit 437, or other storage medium.
[0034] Storage interface 434, as with the other storage interfaces
of data processing system 410, can connect to a standard computer
readable medium for storage and/or retrieval of information, such
as a fixed disk 444. Fixed disk 444 may be a part of data
processing system 410 or may be separate and accessed through other
interface systems.
[0035] Modem 447 may provide a direct connection to a remote server
via a telephone link or to the Internet via an internet service
provider (ISP). Network interface 448 may provide a direct
connection to a remote server. Network interface 448 may provide a
direct connection to a remote server via a direct network link to
the Internet via a POP (point of presence). Network interface 448
may provide such connection using wireless techniques, including
digital cellular telephone connection, a packet connection, digital
satellite data connection or the like.
[0036] Many other devices or subsystems (not shown) may be
connected in a similar manner (e.g., document scanners, digital
cameras and so on). Conversely, all of the devices shown in FIG. 4
need not be present to practice the techniques described herein.
The devices and subsystems can be interconnected in different ways
from that shown in FIG. 4. The operation of a computer system such
as that shown in FIG. 4 is readily known in the art and is not
discussed in detail in this application.
[0037] Code to implement the gateway operations described herein
can be stored in computer-readable storage media such as one or
more of system memory 417, fixed disk 444, optical disk via optical
disk drive 442, or floppy disk via floppy disk drive 438. The
operating system provided on computer system 410 may be
MS-DOS.RTM., MS-WINDOWS.RTM., OS/2.RTM., UNIX.RTM., Linux.RTM., or
another known operating system.
[0038] FIG. 7 illustrates a set of code (e.g., programs) and data
that is stored in memory of one embodiment of a gateway, such as a
gateway implemented using a system such as depicted in FIG. 4. The
gateway uses the code, in conjunction with a processor, to
implement the necessary operations (e.g., logic operations)
described herein. Referring to FIG. 7, the memory 460 includes a
monitoring module 701 which when executed by a processor is
responsible for performing traffic monitoring of traffic from the
VMs as described above. Monitoring module 701 may be implemented as
part of a load balancing module. Memory 460 also stores one or more
service processing modules 702-703 which, when executed by a
processor, perform any processes on the packets such as security
processes. The memory 460 also includes a network communication
module 705 used to perform network communication and communication
with the other devices (e.g., servers, clients, etc.). For example,
any of service processing modules 702-703 may be implemented as any
of IO modules and security processing modules of a distributed
firewall as described in the above incorporated patent
application.
[0039] As described above, the servers in FIG. 1 may be implemented
using a computer system. In one embodiment, one or more of the
servers is implemented using a system such as depicted in FIG. 4 as
well, except using different code to implement the techniques and
operations performed by such servers and their VMs as described
above. The code is stored in computer-readable storage medium such
as system memory 417, fixed disk 444, optical disk via optical disk
drive 442 or floppy disk via floppy disk drive 438.
[0040] FIG. 8 illustrates a set of code (e.g., programs) and data
that is stored in one of those memories. In one embodiment of the
server, such as implemented using the system shown in FIG. 4. The
server uses the code, in conjunction with the processor, to
implement the necessary operations to implement the process
depicted above, such as, for example, the operation set forth in
FIG. 6. Referring to FIG. 8, the memory 800 includes virtual
machine creator 801 which when executed by a processor is
responsible for creating a virtual machine on the server in a
manner well-known in the art. Memory 800 also includes one or more
virtual machines 802 which may be created by virtual machine
creator 801. Virtual machine 802 includes a processing module 803
executed therein, which can be one or more of an IO module, a
security processing module, and/or a service processing module
(e.g., NAT, VPN, DPI, anti-virus processes). Memory 800 further
includes virtual machine monitor (VMM) 804 responsible for managing
virtual machines 802. Memory 800 also includes communication
interface module 805 used for performing communication with other
devices (e.g., security gateway, servers, clients, etc.).
[0041] Some portions of the preceding detailed descriptions have
been presented in terms of algorithms and symbolic representations
of operations on data bits within a computer memory. These
algorithmic descriptions and representations are the ways used by
those skilled in the data processing arts to most effectively
convey the substance of their work to others skilled in the art. An
algorithm is here, and generally, conceived to be a self-consistent
sequence of operations leading to a desired result. The operations
are those requiring physical manipulations of physical
quantities.
[0042] It should be borne in mind, however, that all of these and
similar terms are to be associated with the appropriate physical
quantities and are merely convenient labels applied to these
quantities. Unless specifically stated otherwise as apparent from
the above discussion, it is appreciated that throughout the
description, discussions utilizing terms such as those set forth in
the claims below, refer to the action and processes of a computer
system, or similar electronic computing device, that manipulates
and transforms data represented as physical (electronic) quantities
within the computer system's registers and memories into other data
similarly represented as physical quantities within the computer
system memories or registers or other such information storage,
transmission or display devices.
[0043] The techniques shown in the figures can be implemented using
code and data stored and executed on one or more electronic
devices. Such electronic devices store and communicate (internally
and/or with other electronic devices over a network) code and data
using computer-readable media, such as non-transitory
computer-readable storage media (e.g., magnetic disks; optical
disks; random access memory; read only memory; flash memory
devices; phase-change memory) and transitory computer-readable
transmission media (e.g., electrical, optical, acoustical or other
form of propagated signals--such as carrier waves, infrared
signals, digital signals).
[0044] The processes or methods depicted in the preceding figures
may be performed by processing logic that comprises hardware (e.g.,
circuitry, dedicated logic, etc.), firmware, software (e.g.,
embodied on a non-transitory computer readable medium), or a
combination of both. Although the processes or methods are
described above in terms of some sequential operations, it should
be appreciated that some of the operations described may be
performed in a different order. Moreover, some operations may be
performed in parallel rather than sequentially.
[0045] In the foregoing specification, embodiments of the invention
have been described with reference to specific exemplary
embodiments thereof. It will be evident that various modifications
may be made thereto without departing from the broader spirit and
scope of the invention as set forth in the following claims. The
specification and drawings are, accordingly, to be regarded in an
illustrative sense rather than a restrictive sense.
* * * * *