Lee Chen

US Patent:

7389359, Jun 17, 2008

Filed:

Oct 19, 2001

Appl. No.:

09/982106

Inventors:

Nitin Jain - Saratoga CA, US
Lee Chen - Saratoga CA, US
Earl Ferguson - Los Altos Hills CA, US
Min Zhu - San Jose CA, US

Assignee:

Foundry Networks, Inc. - Santa Clara CA

International Classification:

G06F 15/173

US Classification:

709238, 709223, 709227, 709242, 709249, 370471

Abstract:

A routing system utilizes a layer switch interconnecting several routers to intelligently forward multicast packets throughout an internet exchange carrying multicast content. The layer switch performs protocol snooping to extract a lookup key that is based on network layer protocol information. The lookup key is uniquely formulated to support either shared or explicit source distribution trees. The lookup key is used to query a forwarding memory that returns an outgoing port index. The outgoing port index points to one or more outgoing ports that are eligible to receive the multicast packet. The outgoing ports are also connected to the neighboring device(s) that are designated to receive the multicast packet. The routing system also supports real time maintenance and updating of the forwarding memory based on the periodic exchange of control messages. The routing system is configured to support PIM routers operating in PIM SM or PIM SSM modes.

US Patent:

7552126, Jun 23, 2009

Filed:

Jun 2, 2006

Appl. No.:

11/446028

Inventors:

Lee Chen - Saratoga CA, US
John Chiong - San Jose CA, US
Phillip Kwan - San Jose CA, US

Assignee:

A10 Networks, Inc. - San Jose CA

International Classification:

G06F 17/30

US Classification:

707 10, 707200

Abstract:

Systems and methods of managing access records of user access to a secure data network include an access record gateway and an access record datastore; the access record gateway being in communication with an access server of the secure data network; and the access record datastore being in communication with the access record gateway. The access record gateway acquires user access information, such as time information; records the user access information in at least one access record; and stores the at least one access record in the access record datastore. The access record gateway also acquires user access activity information, such as user access termination information, and updates previously recorded user access information with the user access activity information. The at least one access record includes a plurality of sub-records, selected from a list including a user information sub-record, a network information sub-record, and a time information sub-record. The system may include a security application in communication with the access record gateway to query for an access record satisfying the security query parameter(s).

US Patent:

7647635, Jan 12, 2010

Filed:

Nov 2, 2006

Appl. No.:

11/592473

Inventors:

Lee Chen - Saratoga CA, US
John Chiong - San Jose CA, US
Philip Kwan - San Jose CA, US

Assignee:

A10 Networks, Inc. - San Jose CA

International Classification:

G06F 11/30
G06F 15/173

US Classification:

726 23, 726 25, 709 24

Abstract:

A system and method for resolving an identity includes a security console, which displays security information regarding a secure network. The security information includes at least a first identity used to access the secure network. An operator selects the first identity, and the security console sends it to a resolver. The resolver connects with an identity server to find an access session record with an identity matching the first identity. A second identity is extracted from this record, and the resolver returns a result that includes the second identity. The security console displays the second identity; The first identity can be a user identity of a user, where the second identity is corresponding host identity, or vise versa. In this manner, an efficient interface to security information is provided to an operator, where the operator may resolve a user/host identity to a host/user identity interactively.

US Patent:

7675854, Mar 9, 2010

Filed:

Feb 21, 2006

Appl. No.:

11/358245

Inventors:

Lee Chen - Saratoga CA, US
Ronald Wai Lun Szeto - Pleasanton CA, US
Shih-Tsung Hwang - San Jose CA, US

Assignee:

A10 Networks, Inc. - San Jose CA

International Classification:

G01R 31/08

US Classification:

3702301, 726 3, 726 6, 726 22, 709227, 709228

Abstract:

Provided is a method and system for TCP SYN cookie validation. The method includes receiving a session SYN packet by a TCP session setup module of a host server, generating a transition cookie including a time value representing the actual time, sending a session SYN/ACK packet, including the transition cookie, in response to the received session SYN packet, receiving a session ACK packet, and determining whether a candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.

US Patent:

7716378, May 11, 2010

Filed:

Oct 17, 2006

Appl. No.:

11/582613

Inventors:

Lee Chen - Saratoga CA, US
John Chiong - San Jose CA, US
Xin Wang - Fremont CA, US

Assignee:

A10 Networks, Inc. - San Jose CA

International Classification:

G06F 15/16
G06F 15/173
H04W 4/00

US Classification:

709249, 709223, 709226, 4554351, 455433

Abstract:

The inventive system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user's public user identity used to access the public application, the user's private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record. If they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record.

US Patent:

7877508, Jan 25, 2011

Filed:

May 14, 2008

Appl. No.:

12/152617

Inventors:

Nitin Jain - Saratoga CA, US
Lee Chen - Saratoga CA, US
Earl Ferguson - Los Altos Hills CA, US
Min Zhu - San Jose CA, US

Assignee:

Foundry Networks, LLC - San Jose CA

International Classification:

G06F 15/173

US Classification:

709238, 709242, 709243

Abstract:

A routing system utilizes a layer 2 switch interconnecting several routers to intelligently forward multicast packets throughout an internet exchange carrying multicast content. The layer 2 switch performs protocol snooping to extract a lookup key that is based on network layer protocol information. The lookup key is uniquely formulated to support either shared or explicit source distribution trees. The lookup key is used to query a forwarding memory that returns an outgoing port index. The outgoing port index points to one or more outgoing ports that are eligible to receive the multicast packet. The outgoing ports are also connected to the neighboring device(s) that are designated to receive the multicast packet. The routing system also supports real time maintenance and updating of the forwarding memory based on the periodic exchange of control messages. The routing system is configured to support PIM routers operating in PIM SM or PIM SSM modes.

US Patent:

7979585, Jul 12, 2011

Filed:

Apr 30, 2010

Appl. No.:

12/771491

Inventors:

Lee Chen - Saratoga CA, US
John Chiong - San Jose CA, US
Xin Wang - Fremont CA, US

Assignee:

A10 Networks, Inc. - San Jose CA

International Classification:

G06F 15/16
G06F 15/173
H04W 4/00

US Classification:

709249, 709223, 709226, 455433, 4554351

Abstract:

The inventive system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user's public user identity used to access the public application, the user's private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record. If they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record.

US Patent:

8079077, Dec 13, 2011

Filed:

Nov 29, 2007

Appl. No.:

11/947755

Inventors:

Lee Chen - Saratoga CA, US
Ronald Wai Lun Szeto - Pleasanton CA, US

Assignee:

A10 Networks, Inc. - San Jose CA

International Classification:

G06F 9/00
G06F 7/04
G06F 15/16
H04L 29/06
H04F 11/30

US Classification:

726 12, 726 4, 713153, 713189, 709227

Abstract:

A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.