Security mediation for dynamically programmable network

US 10,333,988 B2
Filed: 06/13/2017
Issued: 06/25/2019
Est. Priority Date: 05/22/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, by a computing system on a network, a candidate flow rule, wherein the candidate flow rule is received during a live operation of the network, wherein a flow rule can be implemented to reprogram a switch on the network;

creating, according to a priority, an ordered set of currently active flow rules that control a flow of communications across the network during the live operation of the network;

testing the candidate flow rule against one or more currently active flow rules of the ordered set, in a priority order;

stopping the testing when a conflict between the candidate flow rule and a currently active flow rule of the ordered set is determined;

in response to stopping the testing, replacing the currently active flow rule of the ordered set with the candidate flow rule when a priority associated with the candidate flow rule is greater than a priority associated with the currently active flow rule of the ordered set; and

transmitting the candidate flow rule to the switch.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.

30 Citations

View as Search Results

24 Claims

1. A computer-implemented method, comprising:
- receiving, by a computing system on a network, a candidate flow rule, wherein the candidate flow rule is received during a live operation of the network, wherein a flow rule can be implemented to reprogram a switch on the network;
  
  creating, according to a priority, an ordered set of currently active flow rules that control a flow of communications across the network during the live operation of the network;
  
  testing the candidate flow rule against one or more currently active flow rules of the ordered set, in a priority order;
  
  stopping the testing when a conflict between the candidate flow rule and a currently active flow rule of the ordered set is determined;
  
  in response to stopping the testing, replacing the currently active flow rule of the ordered set with the candidate flow rule when a priority associated with the candidate flow rule is greater than a priority associated with the currently active flow rule of the ordered set; and
  
  transmitting the candidate flow rule to the switch.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein a flow rule is associated with an action, wherein an action determines a disposition of a communication corresponding to the flow rule, and wherein the candidate flow rule conflicts with the currently active flow rule when an action associated with the candidate flow rule is different from an action associated with the currently active flow rule.
  - 3. The computer-implemented method of claim 1, wherein a flow rule is associated with an action, and wherein the candidate flow rule conflicts with the currently active flow rule when an action associated with the candidate flow rule differs from an action associated with the currently active flow rule.
  - 4. The computer-implemented method of claim 3, wherein the candidate flow rule conflicts with the currently active flow rule when a set of rules associated with the candidate flow rule intersects with a set of rules associated with the currently active flow rule.
  - 5. The computer-implemented method of claim 1, wherein a flow rule is associated with a role, wherein a role is associated with a priority, and wherein a priority is associated with a source of a flow rule.
  - 6. The computer-implemented method of claim 1, wherein a flow rule is associated with a role, wherein a role is associated with a capability, and wherein a capability is associated with a source of a flow rule.
  - 7. The computer-implemented method of claim 1, further comprising:
    - using a security policy to resolve the conflict between the candidate flow rule and the currently active flow rule when the priority associated with the candidate flow rule is equal to the priority associated with the currently active flow rule.
  - 8. The computer-implemented method of claim 1, wherein reprogramming the switch includes purging the currently active flow rule when the priority associated with the candidate flow rule is greater than the priority associated with the currently active flow rule.

9. A computing system on a network, comprising:
- one or more processors; and
  
  a non-transitory computer-readable medium including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including;
  
  receiving, by a computing system on a network, a candidate flow rule, wherein the candidate flow rule is received during a live operation of the network, wherein a flow rule can be implemented to reprogram a switch on the network;
  
  creating, according to a priority, an ordered set of currently active flow rules that control a flow of communications across the network during the live operation of the network;
  
  testing the candidate flow rule against one or more currently active flow rules of the ordered set, in a priority order;
  
  stopping the testing when a conflict between the candidate flow rule and a currently active flow rule of the ordered set is determined;
  
  in response to stopping the testing, replacing the currently active flow rule of the ordered set with the candidate flow rule when a priority associated with the candidate flow rule is greater than a priority associated with the currently active flow rule of the ordered set; and
  
  transmitting the candidate flow rule to the switch.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computing system of claim 9, wherein a flow rule is associated with an action, wherein an action determines a disposition of a communication corresponding to the flow rule, and wherein the candidate flow rule conflicts with the currently active flow rule when an action associated with the candidate flow rule is different from an action associated with the currently active flow rule.
  - 11. The computing system of claim 9, wherein a flow rule is associated with an action, and wherein the candidate flow rule conflicts with the currently active flow rule when an action associated with the candidate flow rule differs from an action associated with the currently active flow rule.
  - 12. The computing system of claim 11, wherein the candidate flow rule conflicts with the currently active flow rule when a set of rules associated with the candidate flow rule intersects with a set of rules associated with the currently active flow rule.
  - 13. The computing system of claim 9, wherein a flow rule is associated with a role, wherein a role is associated with a priority.
  - 14. The computing system of claim 9, wherein a flow rule is associated with a role, wherein a role is associated with a capability, and wherein a capability is associated with a source of a flow rule.
  - 15. The computing system of claim 9, wherein the non-transitory computer-readable medium further includes instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
    - using a security policy to resolve the conflict between the candidate flow rule and the currently active flow rule when the priority associated with the candidate flow rule is equal to the priority associated with the currently active flow rule.
  - 16. The computing system of claim 9, wherein reprogramming the switch includes purging the currently active flow rule when the priority associated with the candidate flow rule is greater than the priority associated with the currently active flow rule.

17. A computer-program product embodied in a non-transitory machine-readable storage medium, including instructions that, when executed by one or more processors, cause the one or more processors to:
- receiving, by a computing system on a network, a candidate flow rule, wherein the candidate flow rule is received during a live operation of the network, wherein a flow rule can be implemented to reprogram a switch on the network;
  
  creating, according to a priority, an ordered set of currently active flow rules that control a flow of communications across the network during the live operation of the network;
  
  testing the candidate flow rule against one or more currently active flow rules of the ordered set, in a priority order;
  
  stopping the testing when a conflict between the candidate flow rule and a currently active flow rule of the ordered set is determined;
  
  in response to stopping the testing, replacing the currently active flow rule of the ordered set with the candidate flow rule when a priority associated with the candidate flow rule is greater than a priority associated with the currently active flow rule of the ordered set; and
  
  transmitting the candidate flow rule to the switch.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer-program product of claim 17, wherein a flow rule is associated with an action, wherein an action determines a disposition of a communication corresponding to the flow rule, and wherein the candidate flow rule conflicts with the currently active flow rule when an action associated with the candidate flow rule is different from an action associated with the currently active flow rule.
  - 19. The computer-program product of claim 17, wherein a flow rule is associated with an action, and wherein the candidate flow rule conflicts with the currently active flow rule when an action associated with the candidate flow rule differs from an action associated with the currently active flow rule.
  - 20. The computer-program product of claim 19, wherein the candidate flow rule conflicts with the currently active flow rule when a set of rules associated with the candidate flow rule intersects with a set of rules associated with the currently active flow rule.
  - 21. The computer-program product of claim 17, wherein a flow rule is associated with a role, and wherein a role is associated with a priority of a flow rule.
  - 22. The computer-program product of claim 17, wherein a flow rule is associated with a role, wherein a role is associated with a capability, and wherein a capability is associated with a source of a flow rule.
  - 23. The computer-program product of claim 17, further including instructions that, when executed by the one or more processors, cause the one or more processors to:
    - use a security policy to resolve the conflict between the candidate flow rule and the currently active flow rule when the priority associated with the candidate flow rule is equal to the priority associated with the currently active flow rule.
  - 24. The computer-program product of claim 17, wherein reprogramming the switch includes purging the currently active flow rule when the priority associated with the candidate flow rule is greater than the priority associated with the currently active flow rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Porras, Phillip A., Fong, Martin W., Yegneswaran, Vinod
Primary Examiner(s)
Harris, Christopher C

Application Number

US15/621,774
Publication Number

US 20170346857A1
Time in Patent Office

742 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/107   wherein the security polici...

H04L 63/126   the source of the received ...

H04L 63/20   for managing network securi...

Security mediation for dynamically programmable network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Security mediation for dynamically programmable network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links