GUI and high-level API wrapper for software defined networking and software defined access for controlling network routing and rules
First Claim
1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:
obtaining, with one or more processors, with a network controller, a current state of a network, wherein:
the network has a plurality of computing devices accessed by a plurality of users;
the private network is configured to provide network connectivity defined by a network graph;
the network graph includes vertices corresponding to users or computing devices;
the network graph includes edges between respective pairs of the vertices and specifying permitted network communications between the users or computing devices corresponding to the respective pair of vertices; and
the network controller is operative to effectuate changes to the network graph by enforcing and removing or adding permitted pair-wise connections between users or computing devices;
causing, with one or more processors, with the network controller, a graphical user interface to be presented that depicts at least part of the network graph and includes user-inputs by which a user requests changes to the network graph;
receiving, with one or more processors, with the network controller, a request input via the graphical user interface to modify the network graph; and
in response to the request, modifying, with one or more processors, with the network controller, the network graph and enforcing the modification, wherein:
prior to the request, the network graph specifies that a given pair of computing devices are prohibited from communicating with one another via the network;
the request specifies that the given pair of computing devices are to be permitted to communicate with one another via the network;
modifying the network graph comprises adding an edge or modifying an attribute of an edge between a vertex representing one of the given pair of computing devices and another vertex representing another one of the given pair of computing devices; and
enforcing the modification comprises sending an instruction that causes a network switch to modify an IPTable, means for processing a subset of relays handled by the network, or a forwarding table to permit the given pair of computing devices to communicate;
enforcing the modification or one of a set of other modifications comprises modifying, or causing modifying of, a rule of the IPTable, or of the means for processing the subset of relays handled by the network, on a virtual-private network (VPN) server through which network traffic flows to the extent permitted by the network graph between computing devices corresponding to at least two vertices;
enforcing the modification or one of the set of other modifications comprises configuring a rule applied to network traffic by a userspace program registered in an operating system to make packet routing decisions as an NFQUEUE controller;
the operating system is an operating system of a virtual private network server;
enforcing the modification or one of the set of other modifications comprises modifying, or causing modifying of, a forwarding table by which a virtual-private network local area network service (VPLS) communicates at least some packets;
enforcing the modification or one of the set of other modifications comprises modifying, or causing modifying of, a Multiprotocol Label Switching (MPLS) setting that specifies a path between computing devices;
the operations comprise:
storing the modification in a cryptographically tamper-evident, immutable data store;
determining that a user or computing device corresponding to a vertex is attempting to access another vertex for which access is prohibited by the network graph; and
in response, preventing the attempted access and logging the attempt to a cryptographically tamper-evident, immutable data store; and
the graphical user interface includes inputs by which a user selects a vertex, selects another vertex, and interacts with the user interface to indicate an edge between the vertex and the other vertex in the network graph is to be modified;
the graphical user interface is configured to receive inputs that indicate network connections are to be permitted and inputs that indicate network connections are to be prohibited; and
the graphical user interface is a graphical user interface by which software defined networking settings or software defined access for controlling network routing and rules are configured.
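The claim above describes three cooperating mechanisms: a pair-wise permission graph edited from a GUI, an enforcement point (iptables on a VPN server) that is reprogrammed from that graph, and a tamper-evident store that records both the edits and any denied access attempts. The following is an added illustration of how those pieces fit together; it is not code from the patent or its assignee. The host names and 10.8.0.0/24 addresses are constructed, the tamper-evident store is modelled as a SHA-256 hash chain (one common realization; the claim does not specify one), and the generated iptables rules are returned as strings rather than applied, since the NFQUEUE, VPLS and MPLS enforcement paths named in the claim are out of scope here.

```python
"""Added example: a minimal network controller in the style of the claim.
Vertices are hosts, an edge carries the attribute 'permitted', and absent
edges mean the pair may not communicate (default deny). Edits and denied
attempts go to a hash-chained log. Inventory below is constructed."""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64


@dataclass
class TamperEvidentLog:
    """Append-only log; each entry commits to the previous entry's digest, so
    editing or deleting an earlier record invalidates every later one. This
    makes the log tamper-evident, not immutable: anchor the head digest
    somewhere the controller itself cannot rewrite."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        digest = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "digest": digest})
        return digest

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["event"]) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(f"{prev}\n{body}".encode()).hexdigest()


class NetworkController:
    def __init__(self, hosts: dict):
        self.hosts = dict(hosts)   # vertex name -> address on the VPN
        self.edges = {}            # frozenset({a, b}) -> {"permitted": bool}
        self.log = TamperEvidentLog()

    def _key(self, a: str, b: str) -> frozenset:
        if a == b or a not in self.hosts or b not in self.hosts:
            raise ValueError(f"bad vertex pair {a!r}, {b!r}")
        return frozenset((a, b))

    def set_edge(self, a: str, b: str, permitted: bool) -> None:
        """The GUI request: add an edge or change its attribute, and record it."""
        key = self._key(a, b)
        before = self.edges.get(key, {}).get("permitted", False)
        self.edges[key] = {"permitted": permitted}
        self.log.append({"type": "edge", "pair": sorted(key),
                         "before": before, "after": permitted})

    def is_permitted(self, a: str, b: str) -> bool:
        return self.edges.get(self._key(a, b), {}).get("permitted", False)

    def attempt(self, src: str, dst: str) -> bool:
        """Decision for one flow at the enforcement point; denials are logged."""
        if self.is_permitted(src, dst):
            return True
        self.log.append({"type": "denied", "src": src, "dst": dst})
        return False

    def iptables_rules(self) -> list:
        """Compile the graph into the FORWARD chain the controller would push to
        the VPN server (one iptables command line per entry; nothing applied)."""
        rules = ["-P FORWARD DROP",
                 "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
        for key, attrs in sorted(self.edges.items(), key=lambda kv: sorted(kv[0])):
            if not attrs["permitted"]:
                continue
            a, b = sorted(key)
            ip_a, ip_b = self.hosts[a], self.hosts[b]
            rules.append(f"-A FORWARD -s {ip_a}/32 -d {ip_b}/32 -j ACCEPT")
            rules.append(f"-A FORWARD -s {ip_b}/32 -d {ip_a}/32 -j ACCEPT")
        return rules


def demo() -> NetworkController:
    # Constructed inventory (hypothetical hosts, not from the patent).
    ctl = NetworkController({"alice-laptop": "10.8.0.11",
                             "db-server": "10.8.0.20",
                             "build-agent": "10.8.0.30"})
    ctl.attempt("alice-laptop", "db-server")          # prohibited: denied and logged
    ctl.set_edge("alice-laptop", "db-server", True)   # GUI request: permit the pair
    ctl.attempt("alice-laptop", "db-server")          # now permitted, not logged
    return ctl


if __name__ == "__main__":
    c = demo()
    print("\n".join(c.iptables_rules()))
    print("log intact:", c.log.verify())
```

Two design points matter in practice. The ruleset is regenerated from the graph on every change rather than patched incrementally, so the enforcement point never drifts from the graph the GUI shows. And because every `set_edge` lands in the same chain as the denials, an auditor can check that a permit that appears in the iptables output was preceded by a logged edit, which is the property the claim's "tamper-evident, immutable data store" is there to provide.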
Abstract
Provided is a process including: obtaining, with a network controller, a current state of a network; causing, with the network controller, a graphical user interface to be presented that depicts at least part of the network graph and includes user-inputs by which a user requests changes to the network graph; receiving, with the network controller, a request input to modify the network graph; and modifying, with the network controller, the network graph and enforcing the modification.
33 Citations
20 Claims
1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising: (independent claim; full text as given under First Claim above) - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
11. A method, comprising:
obtaining, with one or more processors, with a network controller, a current state of a network, wherein:
the network has a plurality of computing devices accessed by a plurality of users;
the private network is configured to provide network connectivity defined by a network graph;
the network graph includes vertices corresponding to users or computing devices;
the network graph includes edges between respective pairs of the vertices and specifying permitted network communications between the users or computing devices corresponding to the respective pair of vertices; and
the network controller is operative to effectuate changes to the network graph by enforcing and removing or adding permitted pair-wise connections between users or computing devices;
causing, with one or more processors, with the network controller, a graphical user interface to be presented that depicts at least part of the network graph and includes user-inputs by which a user requests changes to the network graph;
receiving, with one or more processors, with the network controller, a request input via the graphical user interface to modify the network graph; and
in response to the request, modifying, with one or more processors, with the network controller, the network graph and enforcing the modification, wherein:
prior to the request, the network graph specifies that a given pair of computing devices are prohibited from communicating with one another via the network;
the request specifies that the given pair of computing devices are to be permitted to communicate with one another via the network;
modifying the network graph comprises adding an edge or modifying an attribute of an edge between a vertex representing one of the given pair of computing devices and another vertex representing another one of the given pair of computing devices; and
enforcing the modification comprises sending an instruction that causes a network switch to modify an IPTable, means for processing a subset of relays handled by the network, or a forwarding table to permit the given pair of computing devices to communicate;
enforcing the modification or one of a set of other modifications comprises modifying, or causing modifying of, a rule of the IPTable, or of the means for processing the subset of relays handled by the network, on a virtual-private network (VPN) server through which network traffic flows to the extent permitted by the network graph between computing devices corresponding to at least two vertices;
enforcing the modification or one of the set of other modifications comprises configuring a rule applied to network traffic by a userspace program registered in an operating system to make packet routing decisions as an NFQUEUE controller;
the operating system is an operating system of a virtual private network server;
enforcing the modification or one of the set of other modifications comprises modifying, or causing modifying of, a forwarding table by which a virtual-private network local area network service (VPLS) communicates at least some packets;
enforcing the modification or one of the set of other modifications comprises modifying, or causing modifying of, a Multiprotocol Label Switching (MPLS) setting that specifies a path between computing devices;
the operations comprise:
storing the modification in a cryptographically tamper-evident, immutable data store;
determining that a user or computing device corresponding to a vertex is attempting to access another vertex for which access is prohibited by the network graph; and
in response, preventing the attempted access and logging the attempt to a cryptographically tamper-evident, immutable data store; and
the graphical user interface includes inputs by which a user selects a vertex, selects another vertex, and interacts with the user interface to indicate an edge between the vertex and the other vertex in the network graph is to be modified;
the graphical user interface is configured to receive inputs that indicate network connections are to be permitted and inputs that indicate network connections are to be prohibited; and
the graphical user interface is a graphical user interface by which software defined networking settings or software defined access for controlling network routing and rules are configured. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
Specification