| CPC H04L 63/0236 (2013.01) [H04L 63/101 (2013.01); H04L 63/1416 (2013.01)] | 20 Claims |

1. An apparatus comprising:
a first processing device comprising a physical hardware controller;
the first processing device being configured for coupling with a second processing device;
the physical hardware controller being configured to perform steps of:
identifying one or more remote security service instances attached to the second processing device;
initiating, at the first processing device, one or more network emulation modules for the one or more remote security service instances attached to the second processing device, the one or more network emulation modules emulating one or more physical network interface devices configured for attachment to the second processing device; and
provisioning the one or more remote security service instances to the second processing device by utilizing hardware resources of the physical hardware controller, instead of hardware resources of the second processing device, to analyze network traffic associated with the second processing device, to modify at least a portion of the network traffic based at least in part on the analysis, and to provide the modified network traffic to the second processing device via the emulated one or more physical network interface devices;
wherein analyzing the network traffic associated with the second processing device comprises utilizing a data structure distributed across two or more levels of a multi-level hierarchy, at least a first portion of the data structure providing a first one of the two or more levels of the multi-level hierarchy being stored by the first processing device and at least a second portion of the data structure providing a second one of the two or more levels of the multi-level hierarchy being stored in one or more computing sites remote from the first processing device and the second processing device, the first and second portions of the data structure comprising disjoint subsets of network information utilized for modifying said at least a portion of the network traffic, the second portion of the data structure being larger than the first portion of the data structure;
wherein analyzing the network traffic associated with the second processing device comprises, for a given portion of the network traffic associated with the second processing device:
querying, by the physical hardware controller, the first portion of the data structure to determine whether one or more network addresses associated with the given portion of the network traffic are present in the first portion of the data structure; and
responsive to determining that at least one of the one or more network addresses associated with the given portion of the network traffic is not present in the first portion of the data structure, (i) sending, from the physical hardware controller to at least one of the one or more remote computing sites, a request to query the second portion of the data structure and (ii) receiving, at the physical hardware controller from said at least one of the one or more remote computing sites, a result of the query to the second portion of the data structure.
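The two-level lookup recited in the last three clauses of claim 1, sketched as an added Python example that is not taken from the patent or any implementation of it. The class names, the block/allow verdicts, the choice to drop blocked packets as the traffic modification, and the choice to forward unknown addresses are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation addresses); verdicts are assumptions.
LOCAL_PORTION = {"192.0.2.10": "block"}              # first portion: small, on the controller
REMOTE_PORTION = {"198.51.100.7": "block",           # second portion: larger, at a remote site
                  "203.0.113.5": "allow",
                  "203.0.113.9": "block"}


class RemoteSite:
    """Hypothetical stand-in for a remote computing site storing the second portion."""

    def __init__(self, entries):
        self.entries = {ipaddress.ip_address(a): v for a, v in entries.items()}
        self.requests = 0  # counts query requests received from the controller

    def query(self, addr):
        self.requests += 1
        return self.entries.get(addr)  # None when the address is absent


class Controller:
    """Hypothetical stand-in for the hardware controller storing the first portion."""

    def __init__(self, local_entries, remote):
        self.local = {ipaddress.ip_address(a): v for a, v in local_entries.items()}
        self.remote = remote
        # The claim requires disjoint portions, with the remote portion the larger one.
        if set(self.local) & set(remote.entries):
            raise ValueError("portions must be disjoint")
        if len(remote.entries) <= len(self.local):
            raise ValueError("remote portion must be larger than local portion")

    def lookup(self, address):
        """Return (verdict, tier); the remote site is queried only on a local miss."""
        addr = ipaddress.ip_address(address)
        if addr in self.local:
            return self.local[addr], "local"
        return self.remote.query(addr), "remote"

    def filter_traffic(self, packets):
        """Drop packets with a blocked source or destination; forward the rest.

        Addresses unknown to both tiers are forwarded (an assumption of this sketch).
        """
        forwarded = []
        for pkt in packets:
            verdicts = [self.lookup(pkt[field])[0] for field in ("src", "dst")]
            if "block" not in verdicts:
                forwarded.append(pkt)
        return forwarded
```

The `requests` counter makes the cost of a local miss visible: every address absent from the first portion becomes a round trip to the remote site, so the split between the two portions determines per-packet latency.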