Providing a fast path between two entities
Abstract
The present disclosure combines Software Defined Networks (SDN) concepts with Security concepts. The coordination between SDN and Security provides a myriad of advantageous use cases. One exemplary use case involves providing a fast path at network speeds using SDN by routing network traffic to bypass a security appliance once the security appliance determines that the security appliance no longer needs to inspect the network traffic. Another exemplary use case involves remote provisioning of security zones.
20 Claims

1. At least one machine readable non-transitory storage medium having instructions stored thereon for providing network security in a software defined network (SDN) environment, wherein the instructions, when executed by at least one processor, cause the at least one processor to perform operations comprising:
- providing control logic by one or more SDN controllers, wherein routing of network traffic using one or more SDN switches in the SDN environment is controlled by the control logic, the providing the control logic comprises configuring a first route between a first node and a second node in the SDN environment for carrying network traffic of a data flow, and the first route traverses through a security appliance;
- receiving one or more security policies for the SDN environment at the one or more SDN controllers, wherein the one or more security policies indicate a particular amount of network traffic can bypass the security appliance or the particular amount of network traffic is to traverse the security appliance;
- in response to receiving the one or more security policies, reconfiguring the control logic using the one or more SDN controllers according to the one or more security policies to provide a second route between the first node and the second node, wherein the second route bypasses the security appliance;
- providing an entry for a flow table to, (1) after the particular amount of network traffic has bypassed the security appliance, route subsequent network traffic through the security appliance or, (2) after routing the particular amount of network traffic through the security appliance, route the subsequent network traffic such that the security appliance is bypassed, wherein the security appliance scans packet(s) in the data flow at one or more of the following layers: (1) physical layer, (2) data link layer, (3) network layer, (4) transport layer, (5) session layer, (6) presentation layer, or (7) application layer; and
- adding an offset based on Transport Control Protocol (TCP) information for a data flow to TCP Sequence and TCP Ack numbers as packets are passed through at least one of the one or more SDN switches.

Dependent claims: 2 to 12.
13. At least one machine-readable, non-transitory storage medium having instructions stored thereon for providing network security in a software defined network (SDN) environment, wherein the instructions when executed by at least one processor cause the at least one processor to perform operations comprising:
- receiving one or more flow table entries for one or more flow tables for routing or switching network traffic at a SDN switch from one or more SDN controllers;
- in response to receiving the one or more flow table entries, reconfiguring the one or more flow tables according to the flow table entries in accordance with one or more security policies, wherein the one or more security policies specify one or more of the following: security zone(s), network access right(s), data access right(s), insertion of a security appliance, or removal of the security appliance;
- routing or switching the network traffic, based on the one or more flow tables;
- receiving, from the one or more SDN controllers at the SDN switch, Transport Control Protocol (TCP) information for a data flow; and
- adding an offset based on the TCP information to TCP Sequence and TCP Ack numbers as packets are passed through the SDN switch.

Dependent claims: 14 to 17.
18. An apparatus for providing network security in a software defined network (SDN) environment, the apparatus comprising:
- at least one memory element;
- at least one processor coupled to the at least one memory element; and
- one or more SDN controllers that, when executed by the at least one processor, are configured to:
  - provide control logic by one or more SDN controllers, wherein routing of network traffic using one or more SDN switches in the SDN environment is controlled by the control logic, the control logic configures a first route between a first node and a second node in the SDN environment for carrying network traffic of a data flow, and the first route traverses through a security appliance;
  - receive one or more security policies for the SDN environment at the one or more SDN controllers, wherein the one or more security policies indicate a particular amount of network traffic can bypass the security appliance or the particular amount of network traffic is to traverse the security appliance;
  - in response to receiving the one or more security policies, reconfigure the control logic using the one or more SDN controllers according to the one or more security policies, to provide a second route between the first node and the second node, wherein the second route bypasses the security appliance;
  - provide an entry for a flow table to, (1) after the particular amount of network traffic has bypassed the security appliance, route subsequent network traffic through the security appliance or, (2) after routing the particular amount of network traffic through the security appliance, route the subsequent network traffic such that the security appliance is bypassed, wherein the security appliance scans packet(s) in the data flow at one or more of the following layers: (1) physical layer, (2) data link layer, (3) network layer, (4) transport layer, (5) session layer, (6) presentation layer, or (7) application layer; and
  - add an offset based on Transport Control Protocol information for a data flow to TCP Sequence and TCP Ack numbers as packets are passed through at least one of the one or more SDN switches.
19. An apparatus for providing network security in a software defined network (SDN) environment, the apparatus comprising:
- at least one memory element;
- at least one processor coupled to the at least one memory element; and
- a SDN switching module that, when executed by the at least one processor, is configured to:
  - receive one or more flow table entries for one or more flow tables for routing or switching network traffic at a SDN switch from one or more SDN controllers;
  - in response to receiving the one or more flow table entries, reconfigure the one or more flow tables according to the flow table entries in accordance with one or more security policies, wherein the one or more security policies specify one or more of the following: security zone(s), network access right(s), data access right(s), insertion of a security appliance, or removal of the security appliance;
  - route or switch the network traffic, based on the one or more flow tables;
  - receive, from the one or more SDN controllers at the SDN switch, Transport Control Protocol (TCP) information for a data flow; and
  - add an offset based on the TCP information to TCP Sequence and TCP Ack numbers as packets are passed through the SDN switch.

Dependent claims: 20.
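The following is an added toy model of the flow-table behaviour recited in claims 1 and 13 (a controller-installed entry that counts traffic and flips the route between the appliance path and the bypass path, plus an offset applied to TCP sequence and acknowledgement numbers on the bypass path). It is example code written for this page, not an implementation from the patent or its assignee, and every class and function name is hypothetical. Two assumptions are made that the claims leave open: the "particular amount" is treated as a byte count over both directions of the flow, and the offset is treated as compensating for bytes a stream-modifying appliance added to (positive) or removed from (negative) the client-to-server byte stream, so that endpoints still see consistent numbers once packets no longer traverse the appliance. The packets are constructed sample input.

```python
# Added example: toy SDN switch/controller model for the claims above (hypothetical names).
# Assumptions: byte-count policy over both directions; seq_delta is the net number of
# bytes the appliance inserted (+) or removed (-) from the client->server stream.
from dataclasses import dataclass

SEQ_MOD = 2 ** 32  # TCP sequence and ack numbers are 32-bit and wrap around


@dataclass(frozen=True)
class FlowKey:
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "FlowKey":
        """Key of the server->client direction of the same connection."""
        return FlowKey(self.dst, self.src, self.dport, self.sport)


@dataclass(frozen=True)
class Packet:
    key: FlowKey
    seq: int
    ack: int
    payload_len: int


@dataclass(frozen=True)
class SecurityPolicy:
    amount: int          # bytes after which the route flips
    inspect_first: bool  # True: first `amount` bytes traverse the appliance, later bytes bypass
                         # False: first `amount` bytes bypass, later bytes traverse the appliance
    seq_delta: int = 0   # TCP information from the controller: offset for this flow


@dataclass
class FlowEntry:
    policy: SecurityPolicy
    bytes_seen: int = 0

    def next_route(self, payload_len: int) -> str:
        """Choose the route for one packet and advance the per-flow byte counter."""
        within_amount = self.bytes_seen < self.policy.amount
        self.bytes_seen += payload_len
        if within_amount:
            return "appliance" if self.policy.inspect_first else "bypass"
        return "bypass" if self.policy.inspect_first else "appliance"


class SDNSwitch:
    """Data plane: matches packets against the flow table and rewrites TCP numbers on bypass."""

    def __init__(self) -> None:
        self.flow_table: dict[FlowKey, FlowEntry] = {}

    def process(self, pkt: Packet) -> tuple[str, Packet]:
        entry = self.flow_table.get(pkt.key)
        forward = entry is not None
        if entry is None:
            entry = self.flow_table.get(pkt.key.reverse())
        if entry is None:
            return "controller", pkt  # table miss: the packet is handed to the controller
        route = entry.next_route(pkt.payload_len)
        d = entry.policy.seq_delta
        if route == "bypass" and d:
            if forward:  # client->server: shift the client's sequence number
                pkt = Packet(pkt.key, (pkt.seq + d) % SEQ_MOD, pkt.ack, pkt.payload_len)
            else:        # server->client: undo the shift in the server's acknowledgement
                pkt = Packet(pkt.key, pkt.seq, (pkt.ack - d) % SEQ_MOD, pkt.payload_len)
        return route, pkt


class SDNController:
    """Control plane: turns a security policy into a flow-table entry on the switch."""

    def __init__(self, switch: SDNSwitch) -> None:
        self.switch = switch

    def apply_policy(self, key: FlowKey, policy: SecurityPolicy) -> None:
        # A new entry replaces the old one and restarts the byte count for the flow.
        self.switch.flow_table[key] = FlowEntry(policy)


def demo() -> list[tuple[str, int, int]]:
    """Constructed flow: inspect the first 1000 bytes, then bypass with a +20 offset."""
    switch = SDNSwitch()
    controller = SDNController(switch)
    key = FlowKey("10.0.0.1", "10.0.0.2", 40000, 443)
    controller.apply_policy(key, SecurityPolicy(amount=1000, inspect_first=True, seq_delta=20))
    seen, seq = [], 1000
    for n in (600, 600, 600):  # three client->server segments
        route, out = switch.process(Packet(key, seq, 5000, n))
        seen.append((route, out.seq, out.ack))
        seq += n
    route, out = switch.process(Packet(key.reverse(), 5000, seq, 0))  # server's pure ACK
    seen.append((route, out.seq, out.ack))
    return seen


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The third client segment is the first one routed on the bypass path, so the switch adds the offset to its sequence number; the server's acknowledgement travelling the other way has the same offset subtracted. A real switch would key the counter on whatever the policy defines as "amount" and would receive the offset from the controller rather than from a policy object, but the route flip and the per-direction rewrite are the parts the claims describe.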
Specification