SDN controller
First Claim
1. A software defined network (SDN) controller having a processor and addressable memory used in a private network constructed with an SDN, the SDN controller causes a computer to function as:
an address information specifying processing unit having a processor and addressable memory configured to specify a local address which is a communication partner in a coincident communication by monitoring, based on a global address of an illegal attack server received from a threat detection system which is present outside the private network, communications in the private network controlled by the SDN controller, and correlating a global address in each communication and the received global address;
a terminal identification information specifying processing unit having a processor and addressable memory configured to specify terminal identification information on a client terminal to which the specified local address is assigned; and
a security processing unit having a processor and addressable memory configured to perform, based on the specified terminal identification information, for an edge network device of two or more edge network devices, a control instruction to perform predetermined control processing to interrupt communication of the client terminal;
wherein each edge network device of the two or more edge network devices comprises a respective rule table, wherein each rule table comprises one or more rules;
wherein processing of a packet from the client terminal having the terminal identification information is suspended if a rule to control the packet received from the client terminal having the terminal identification information is not in the rule table of the edge network device;
wherein the suspended packet is processed according to a control instruction from the SDN controller;
wherein the SDN controller writes, as the control processing, a rule to discard the packet from the client terminal having the terminal identification information in the rule table of the edge network device;
wherein the security processing unit notifies each edge network device of the two or more edge network devices to write the rule to discard the packet from the client terminal having the terminal identification information in the respective rule table of each edge network device;
wherein the packet from the client terminal having the terminal identification information is discarded according to the written rule when the rule is in the rule table of the edge network device without inquiring of the SDN controller; and
wherein when a fixed IP address is assigned by a user who uses the client terminal, the client terminal is controlled with the terminal identification information, wherein the terminal identification information includes at least a MAC address, and the edge network device disconnects or isolates communication of the client terminal.
1 Assignment
0 Petitions
Abstract
An SDN controller used in a network constructed with an SDN, the SDN controller causes a computer to function as an address information specifying processing unit which specifies, based on a global address of an illegal attack server received from a threat detection system, communication with the received global address among communication in the network, and specifies a local address of a communication partner of the global address in the specified communication, a terminal identification information specifying processing unit which specifies terminal identification information on a client terminal to which the specified local address is assigned, and a security processing unit which passes to an edge network device, based on the specified terminal identification information, a control instruction to perform predetermined control processing to communication of the client terminal.
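The following is an added example, not code from the patent or from any SDN product: a plain-Python simulation of the containment flow claimed above (claim 1 and the abstract). It models OpenFlow-style edge devices with a rule table and table-miss-to-controller behaviour, the controller's three processing units (correlating each flow's global address with the attack-server address from an external threat feed, resolving the local address to a MAC via a DHCP/ARP binding table, and pushing a MAC-keyed drop rule to every edge device), and the evasion case the claim singles out: the client switching to a user-assigned fixed IP. The class names, the threat IP, the binding table and the sample packets are all constructed for illustration.

```python
"""Simulation of the claimed SDN containment flow (added example, not the
patent's or any vendor's code). Every name and address below is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src_mac: str   # terminal identification information
    src_ip: str    # local (private) address of the client terminal
    dst_ip: str    # global address of the communication partner


@dataclass(frozen=True)
class Rule:
    action: str                          # "forward" or "drop"
    match_mac: Optional[str] = None      # None = wildcard
    match_dst_ip: Optional[str] = None   # None = wildcard

    def matches(self, pkt: Packet) -> bool:
        return ((self.match_mac is None or self.match_mac == pkt.src_mac) and
                (self.match_dst_ip is None or self.match_dst_ip == pkt.dst_ip))


class EdgeSwitch:
    """Edge network device: a rule table, and a packet-in to the controller on a miss."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[Rule] = []
        self.controller: Optional["SdnController"] = None
        self.controller_queries = 0   # how often this device had to ask the controller

    def install(self, rule: Rule) -> None:
        self.rules.insert(0, rule)    # newest rule is consulted first, so a later drop wins

    def handle(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action    # decided locally, without inquiring of the controller
        # table miss: the packet is suspended and processed per the controller's instruction
        self.controller_queries += 1
        return self.controller.packet_in(self, pkt).action


class SdnController:
    def __init__(self, threat_ips: Iterable[str], ip_to_mac: Dict[str, str],
                 switches: Iterable[EdgeSwitch]) -> None:
        self.threat_ips: Set[str] = set(threat_ips)   # global addresses from the external threat detection system
        self.ip_to_mac = dict(ip_to_mac)              # local address -> MAC, learned from DHCP/ARP (constructed)
        self.switches = list(switches)
        for sw in self.switches:
            sw.controller = self
        self.blocked_macs: Set[str] = set()

    def packet_in(self, sw: EdgeSwitch, pkt: Packet) -> Rule:
        # 1. address information specifying unit: correlate this flow's global address
        #    with the attack-server address; the local address is the other endpoint.
        if pkt.dst_ip in self.threat_ips:
            local_ip = pkt.src_ip
            # 2. terminal identification specifying unit: local address -> MAC.
            #    A user-assigned fixed IP may be absent from the bindings, so fall
            #    back to the MAC carried in the suspended packet itself.
            mac = self.ip_to_mac.get(local_ip, pkt.src_mac)
            return self.block_terminal(mac)
        # benign flow: cache a forward rule so later packets never reach the controller
        rule = Rule("forward", match_mac=pkt.src_mac, match_dst_ip=pkt.dst_ip)
        sw.install(rule)
        return rule

    def block_terminal(self, mac: str) -> Rule:
        # 3. security processing unit: notify every edge device to write a drop rule
        #    keyed on the MAC, not on the (changeable) local IP.
        self.blocked_macs.add(mac)
        rule = Rule("drop", match_mac=mac)
        for sw in self.switches:
            sw.install(rule)
        return rule


def run_scenario() -> Dict[str, object]:
    """Constructed traffic: a benign flow, a contact to the attack server, then an
    evasion attempt with a fixed IP on a different edge device."""
    edge1, edge2 = EdgeSwitch("edge1"), EdgeSwitch("edge2")
    host_a, host_b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    ctl = SdnController(
        threat_ips=["203.0.113.7"],                                   # constructed IOC (TEST-NET-3)
        ip_to_mac={"10.0.0.5": host_a, "10.0.0.6": host_b},
        switches=[edge1, edge2],
    )
    out: Dict[str, object] = {}
    out["benign_first"] = edge1.handle(Packet(host_a, "10.0.0.5", "198.51.100.10"))
    out["benign_second"] = edge1.handle(Packet(host_a, "10.0.0.5", "198.51.100.10"))
    out["queries_after_benign"] = edge1.controller_queries           # second packet hit the cached rule
    out["c2_contact"] = edge1.handle(Packet(host_a, "10.0.0.5", "203.0.113.7"))
    # host A assigns itself a fixed IP and moves to the other edge device
    out["evasion_attempt"] = edge2.handle(Packet(host_a, "10.0.0.99", "198.51.100.10"))
    out["edge2_queries"] = edge2.controller_queries                  # dropped with no controller inquiry
    out["other_host"] = edge2.handle(Packet(host_b, "10.0.0.6", "198.51.100.10"))
    out["blocked"] = sorted(ctl.blocked_macs)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner would attach to this design. First, the forward rules cached on a miss mean containment is only triggered when a packet reaches the controller; a flow that was cached before the threat feed delivered the address keeps flowing until its entry ages out, so a real controller also has to sweep its existing flow state against new indicators rather than rely on packet-in alone. Second, a MAC address survives an IP change but not a determined adversary: it is trivially spoofed, and modern clients randomise it per network, so in practice the terminal identification should be bound to something the edge device can vouch for, such as the ingress port or an 802.1X session, with the MAC as one component.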
6 Claims
1. Independent claim 1 is reproduced in full above under First Claim. Dependent claims: 2, 3.
4. A software defined network (SDN) controller having a processor and addressable memory used in a private network constructed with an SDN, the SDN controller causes a computer to function as:
a terminal identification information specifying processing unit having a processor and addressable memory configured to specify terminal identification information on a client terminal which is a transmission source in a coincident communication by monitoring, based on a global address of an illegal attack server received from a threat detection system which is present outside the private network, communications in the private network controlled by the SDN controller, and correlating a global address in each communication and the received global address; and
a security processing unit having a processor and addressable memory configured to perform, based on the specified terminal identification information, relative to an edge network device of two or more edge network devices, a control instruction to perform predetermined control processing to interrupt communication of the client terminal;
wherein each edge network device of the two or more edge network devices comprises a respective rule table, wherein each rule table comprises one or more rules;
wherein processing of a packet from the client terminal having the terminal identification information is suspended if a rule to control the packet received from the client terminal having the terminal identification information is not in the rule table of the edge network device;
wherein the suspended packet is processed according to a control instruction from the SDN controller;
wherein the SDN controller writes, as the control processing, a rule to discard the packet from the client terminal having the terminal identification information in the rule table of the edge network device;
wherein the security processing unit notifies each edge network device of the two or more edge network devices to write the rule to discard the packet from the client terminal having the terminal identification information in the respective rule table of each edge network device;
wherein the packet from the client terminal having the terminal identification information is discarded according to the written rule when the rule is in the rule table of the edge network device without inquiring of the SDN controller; and
wherein when a fixed IP address is assigned by a user who uses the client terminal, the client terminal is controlled with the terminal identification information, wherein the terminal identification information includes at least a MAC address, and the edge network device disconnects or isolates communication of the client terminal.
Dependent claims: 5, 6.