Security in software defined network

US 10,666,689 B2
Filed: 06/30/2014
Issued: 05/26/2020
Est. Priority Date: 06/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining, at a controller of a software defined network, at least one security policy from a policy creator; and

implementing, via the controller, the security policy in the software defined network based on one or more attributes stored in the controller, the one or more attributes specifying each of a characteristic of the security policy, a role of the creator of the security policy, and a security privilege level of the role of the creator of the security policy;

wherein the method is performed by a processing device; and

wherein the characteristic of the security policy attribute describes whether the security policy is a real-time policy;

wherein when the characteristic of the security policy attribute indicates that the security policy is a real-time policy, the security policy is translated substantially without delay into one or more flow rules, updated in one or more flow tables, and synchronized with one or more software defined networking switches.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

At least one security policy is obtained from a policy creator at a controller in an SDN network. The security policy is implemented in the SDN network, via the controller, based on one or more attributes specifying a characteristic of the security policy, a role of the creator of the security policy, and a security privilege level of the role of the creator of the security policy.

Citations

23 Claims

1. A method comprising:
- obtaining, at a controller of a software defined network, at least one security policy from a policy creator; and
  
  implementing, via the controller, the security policy in the software defined network based on one or more attributes stored in the controller, the one or more attributes specifying each of a characteristic of the security policy, a role of the creator of the security policy, and a security privilege level of the role of the creator of the security policy;
  
  wherein the method is performed by a processing device; and
  
  wherein the characteristic of the security policy attribute describes whether the security policy is a real-time policy;
  
  wherein when the characteristic of the security policy attribute indicates that the security policy is a real-time policy, the security policy is translated substantially without delay into one or more flow rules, updated in one or more flow tables, and synchronized with one or more software defined networking switches.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the characteristic of the security policy specifies a manner in which the security policy is to be implemented in the software defined network.
  - 3. The method of claim 2, wherein the manner in which the security policy is to be implemented in the software defined network comprises a real-time implementation.
  - 4. The method of claim 2, wherein the manner in which the security policy is to be implemented in the software defined network comprises a periodic implementation.
  - 5. The method of claim 2, wherein the characteristic of the security policy is one of urgent, general, and default.
  - 6. The method of claim 1, wherein the role of the creator of the security policy specifies a network role assigned to the creator of the security policy.
  - 7. The method of claim 6, wherein the role of the creator of the security policy is one of a security administrator, a general administrator, a user, and a guest.
  - 8. The method of claim 1, wherein the security privilege level of the role of the creator of the security policy specifies a different hierarchical security privilege level for each different role assignable to the policy creator.
  - 9. The method of claim 8, wherein on the condition that the security privilege level assigned to a first role is hierarchically lower than that of the security privilege level assigned to a second role, the security policy associated with the second role takes implementation priority over the security policy associated with the first role.
  - 10. The method of claim 9, wherein on the condition that the security privilege level assigned to the first role is hierarchically higher than that of the security privilege level assigned to a second role, the security policy associated with the first role takes implementation priority over the security policy associated with the second role.
  - 11. The method of claim 1, wherein the obtaining at least one security policy from a policy creator further comprises the controller performing at least one of an authentication operation, an authorization operation, an integrity validation operation, and a confidentiality validation operation with the policy creator.
  - 12. The method of claim 11, wherein the obtaining at least one security policy from a policy creator further comprises the controller dropping the security policy on the condition that at least one of the authentication operation, the authorization operation, the integrity validation operation, and the confidentiality validation operation fans.
  - 13. The method of claim 1, wherein the implementing the security policy further comprises the controller translating the security policy into at least one flow rule based on the one or more attributes specifying a characteristic of the security policy, a rule of the creator of the security policy, and a security privilege level of the role of the creator of the security policy.
  - 14. The method of claim 13, wherein the implementing the security policy further comprises the controller determining whether there is a conflict between the flow rule translated from the security policy and an existing flow rule in a flow table.
  - 15. The method of claim 14, wherein the implementing the security policy further comprises the controller resolving a conflict between the flow rule translated from the security policy and the existing flow rule in the flow table based on the security privilege level of the role of the creator of the security policy.
  - 16. The method of claim 13, wherein the implementing the security policy further comprises the controller updating the flow table with the flow rule translated from the security policy.
  - 17. The method of claim 13, wherein the implementing the security policy further comprises the controller distributing the flow rule translated from the security policy to one or more switches in the software defined network such that the one or more switches can effectuate data flow in the software defined network hi accordance with the flow rule.
  - 18. The method of claim 17, wherein the implementing the security policy further comprises the controller performing at least one of an authentication operation, an integrity validation operation, and a confidentiality validation operation with the one or more switches before distributing the flow rule to one or more switches.
  - 19. The method of claim 1, wherein the obtained security policy is a security policy developed in response to a new security threat detected by a security appliance of the software defined network.
  - 20. The method of claim 1, wherein the obtained security policy comprises a packet scan detection instruction.
  - 21. The method of claim 20, wherein the implementing the security policy further comprises the controller translating the security policy with the packet scan detection instruction into a flow rule based on a data flow condition and a packet scan pattern such that one or more switches in the software defined network to which the translated flow rule is distributed are instructed to forward one or more specified packets passing there through to a security appliance in the software defined network.

22. An article of manufacture comprising a processor-readable storage medium having embodied therein executable program code that when executed by the processing device causes the processing device to perform:
- obtaining, at a controller of a software defined network, at least one security policy from a policy creator; and
  
  implementing, via the controller, the security policy in the software defined network based on one or more attributes stored in the controller, the one or more attributes specifying each of a characteristic of the security policy, a role of the creator of the security policy, and a security privilege level of the role of the creator of the security policy;
  
  wherein the characteristic of the security policy attribute describes whether the security policy is a real-time policy;
  
  wherein when the characteristic of the security policy attribute indicates that the security policy is a real-time policy, the security policy is translated substantially without delay into one or more flow rules updated in one or more flow tables, and synchronized with one or more software defined networking switches.

23. An apparatus comprising:
- a memory; and
  
  a processor operatively coupled to the memory to form a controller of a software defined network, the controller being configured to;
  
  obtain at least one security policy from a policy creator; and
  
  implement the security policy in the software defined network based on one or more attributes stored hi the controller, the one or more attributes specifying each of a characteristic of the security policy, a role of the creator of the security policy, and a security privilege level of the role of the creator of the security policy;
  
  wherein the characteristic of the security policy attribute describes whether the security policy is a real-time policy;
  
  wherein when the characteristic of the security policy attribute indicates that the security policy is a real-time policy, the security policy is translated substantially without delay into one or more flow rules, updated in one or more flow tables, and synchronized with one or more software defined networking switches.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Hu, Zhiyuan, Yan, Xueqiang, Luo, Zhigang
Primary Examiner(s)
Lagor, Alexander

Application Number

US15/319,464
Publication Number

US 20170324781A1
Time in Patent Office

2,157 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0245   Filtering by information in...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/14   for detecting or protecting...

H04L 63/16   Implementing security featu...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 9/40   Network security protocols

Security in software defined network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Security in software defined network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links