Security mediation for dynamically programmable network
Abstract
A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.
24 Claims

1. A computer-implemented method, comprising:
- receiving, by a computing system on a network, a candidate flow rule, wherein the candidate flow rule is received during a live operation of the network, wherein a flow rule can be implemented to reprogram a switch on the network;
- creating, according to a priority, an ordered set of currently active flow rules that control a flow of communications across the network during the live operation of the network;
- testing the candidate flow rule against one or more currently active flow rules of the ordered set, in a priority order;
- stopping the testing when a conflict between the candidate flow rule and a currently active flow rule of the ordered set is determined;
- in response to stopping the testing, replacing the currently active flow rule of the ordered set with the candidate flow rule when a priority associated with the candidate flow rule is greater than a priority associated with the currently active flow rule of the ordered set; and
- transmitting the candidate flow rule to the switch.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A computing system on a network, comprising:
- one or more processors; and
- a non-transitory computer-readable medium including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
  - receiving, by a computing system on a network, a candidate flow rule, wherein the candidate flow rule is received during a live operation of the network, wherein a flow rule can be implemented to reprogram a switch on the network;
  - creating, according to a priority, an ordered set of currently active flow rules that control a flow of communications across the network during the live operation of the network;
  - testing the candidate flow rule against one or more currently active flow rules of the ordered set, in a priority order;
  - stopping the testing when a conflict between the candidate flow rule and a currently active flow rule of the ordered set is determined;
  - in response to stopping the testing, replacing the currently active flow rule of the ordered set with the candidate flow rule when a priority associated with the candidate flow rule is greater than a priority associated with the currently active flow rule of the ordered set; and
  - transmitting the candidate flow rule to the switch.

Dependent claims: 10, 11, 12, 13, 14, 15, 16.

17. A computer-program product embodied in a non-transitory machine-readable storage medium, including instructions that, when executed by one or more processors, cause the one or more processors to:
- receiving, by a computing system on a network, a candidate flow rule, wherein the candidate flow rule is received during a live operation of the network, wherein a flow rule can be implemented to reprogram a switch on the network;
- creating, according to a priority, an ordered set of currently active flow rules that control a flow of communications across the network during the live operation of the network;
- testing the candidate flow rule against one or more currently active flow rules of the ordered set, in a priority order;
- stopping the testing when a conflict between the candidate flow rule and a currently active flow rule of the ordered set is determined;
- in response to stopping the testing, replacing the currently active flow rule of the ordered set with the candidate flow rule when a priority associated with the candidate flow rule is greater than a priority associated with the currently active flow rule of the ordered set; and
- transmitting the candidate flow rule to the switch.

Dependent claims: 18, 19, 20, 21, 22, 23, 24.
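The mediation procedure claimed above, as an added worked example in Python; this is illustrative code written for this page, not code from the patent or from any product. The claims do not define what a "conflict" is or what happens when the candidate loses on priority, so the example assumes two things: a conflict is a pair of rules whose match spaces overlap (source and destination prefixes and port) but whose actions differ, and a lower-priority candidate that conflicts is rejected rather than installed. The flow-rule fields, the rule names, the `SecurityMediator` class and the sample rule set are all constructed for the demonstration; "transmitting to the switch" is simulated by appending to a list.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FlowRule:
    """A simplified flow rule (constructed field set, not the patent's)."""
    name: str
    src: str            # CIDR prefix matched against the packet source
    dst: str            # CIDR prefix matched against the packet destination
    dport: Optional[int]  # destination port; None means wildcard
    action: str         # "forward" or "drop"
    priority: int       # higher value wins, as in the claims


def overlaps(a: FlowRule, b: FlowRule) -> bool:
    """True if some packet could match both rules (shared match space)."""
    src_overlap = ip_network(a.src).overlaps(ip_network(b.src))
    dst_overlap = ip_network(a.dst).overlaps(ip_network(b.dst))
    port_overlap = a.dport is None or b.dport is None or a.dport == b.dport
    return src_overlap and dst_overlap and port_overlap


def conflicts(candidate: FlowRule, active: FlowRule) -> bool:
    """Assumed conflict definition: overlapping match space, different action."""
    return overlaps(candidate, active) and candidate.action != active.action


class SecurityMediator:
    """Evaluates candidate rules against the active set in priority order."""

    def __init__(self, active_rules: List[FlowRule]) -> None:
        self.active: List[FlowRule] = list(active_rules)
        self.switch_table: List[FlowRule] = []   # simulated switch programming

    def ordered_rules(self) -> List[FlowRule]:
        # "creating, according to a priority, an ordered set": highest first
        return sorted(self.active, key=lambda r: r.priority, reverse=True)

    def transmit(self, rule: FlowRule) -> None:
        # Stand-in for sending the rule to the switch over the control channel.
        self.switch_table.append(rule)

    def mediate(self, candidate: FlowRule) -> Tuple[str, Optional[str]]:
        """Returns (decision, name of the conflicting active rule or None)."""
        for rule in self.ordered_rules():
            if not conflicts(candidate, rule):
                continue
            # Testing stops at the first conflict found in priority order.
            if candidate.priority > rule.priority:
                self.active.remove(rule)          # replace the losing rule
                self.active.append(candidate)
                self.transmit(candidate)
                return ("replaced", rule.name)
            # Assumption: a lower-priority conflicting candidate is refused
            # so the installed policy stays consistent.
            return ("rejected", rule.name)
        # No conflict with any active rule: install as-is.
        self.active.append(candidate)
        self.transmit(candidate)
        return ("installed", None)


def run_demo() -> Tuple[List[Tuple[str, Optional[str]]], SecurityMediator]:
    """Runs three constructed candidates through a constructed active policy."""
    mediator = SecurityMediator([
        FlowRule("block-telnet", "0.0.0.0/0", "10.0.0.0/8", 23, "drop", 100),
        FlowRule("allow-web", "0.0.0.0/0", "10.0.1.0/24", 80, "forward", 50),
    ])
    candidates = [
        # Tries to open telnet to one host; conflicts with block-telnet and loses.
        FlowRule("open-telnet", "192.168.1.0/24", "10.0.0.5/32", 23, "forward", 10),
        # Quarantines a subnet from the web servers; outranks allow-web.
        FlowRule("quarantine-web", "192.168.0.0/16", "10.0.1.0/24", 80, "drop", 200),
        # Touches nothing in the active set; installed directly.
        FlowRule("allow-https", "172.16.0.0/12", "10.0.2.0/24", 443, "forward", 20),
    ]
    results = [mediator.mediate(c) for c in candidates]
    return results, mediator


if __name__ == "__main__":
    outcomes, med = run_demo()
    for (decision, other), name in zip(outcomes, ["open-telnet", "quarantine-web", "allow-https"]):
        print(f"{name}: {decision}" + (f" (vs {other})" if other else ""))
    print("sent to switch:", [r.name for r in med.switch_table])
```

Two points worth noting. Testing in descending priority order means a high-priority drop rule is the first thing a permissive candidate is checked against, so a low-priority "open" rule can never slip past it; and because the first conflict ends the test, a candidate that wins on priority replaces only that one rule, so the caller should expect the remaining lower-priority rules to be untouched.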