TECHNIQUES FOR SEPARATING THE PROCESSING OF CLIENTS' TRAFFIC TO DIFFERENT ZONES IN SOFTWARE DEFINED NETWORKS

US 20130283374A1
Filed: 01/17/2013
Published: 10/24/2013
Est. Priority Date: 04/18/2012
Status: Active Grant

First Claim

Patent Images

1. A method for separation of traffic processing in a software defined network (SDN), wherein the method is performed by a central controller of the SDN, comprising:

allocating a first group of computing resources of a computing farm to a trusted zone and a second group of computing resources to an un-trusted zone;

assigning the computing resources in the first group with a first address and the computing resources in the second group with a second address, wherein only the second address is advertised;

triggering a zoning mode in the computing frame to mitigate a potential cyber-attack;

causing at least one network element in the SDN to divert an incoming traffic to the first group and the second group of computing resources based on a plurality of zoning rules implemented by the at least one network element, wherein the plurality of zoning rules are determined by the central controller and determine that the traffic from a trusted client is directed to the first group of computing resources and the traffic from an un-trusted client is directed to the second group of computing resources, thereby providing guaranteed SLA to trusted clients.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for separation of traffic processing in a software defined network (SDN). The method comprises allocating a first group of computing resources of a computing farm to a trusted zone and a second group of computing resources to an un-trusted zone; assigning the computing resources in the first group to a first ADC and the computing resources in the second group with a second ADC; triggering a zoning mode in the computing frame to mitigate a potential cyber-attack; and causing at least one network element in the SDN to divert traffic from a trusted client to the first group of computing resources and traffic from an un-trusted client to the second group of computing resources based on a plurality of zoning rules implemented by the at least one network element.

166 Citations

32 Claims

1. A method for separation of traffic processing in a software defined network (SDN), wherein the method is performed by a central controller of the SDN, comprising:
- allocating a first group of computing resources of a computing farm to a trusted zone and a second group of computing resources to an un-trusted zone;
  
  assigning the computing resources in the first group with a first address and the computing resources in the second group with a second address, wherein only the second address is advertised;
  
  triggering a zoning mode in the computing frame to mitigate a potential cyber-attack;
  
  causing at least one network element in the SDN to divert an incoming traffic to the first group and the second group of computing resources based on a plurality of zoning rules implemented by the at least one network element, wherein the plurality of zoning rules are determined by the central controller and determine that the traffic from a trusted client is directed to the first group of computing resources and the traffic from an un-trusted client is directed to the second group of computing resources, thereby providing guaranteed SLA to trusted clients.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the plurality of zoning rules defines at least a list of trusted clients, an action to be performed when the traffic is received from each trusted client, and an action to be performed when a traffic is sent back to each trusted client.
  - 3. The method of claim 2, wherein the plurality of zoning rules further defines at least one action for handling traffic received from suspicious clients.
  - 4. The method of claim 3, wherein each trusted client in the list of trusted clients is identified by at least its IP address or a range of IP addresses.
  - 5. The method of claim 4, wherein the plurality of zoning rules include:
    - matching a source address of the traffic received from a client against the IP addresses listed in the trusted list and changing the destination address of the traffic received from the client to designate the first address when a match exists;
      
      matching a destination address of traffic directed to a client against the IP addresses listed in the trusted list and replacing the source address of the traffic directed to the client from the first address to the second address when a match exists; and
      
      matching a destination address of traffic received from clients against the first address and dropping the traffic when a match exists.
  - 6. The method of claim 1, wherein the trusted clients are determined based on a plurality of security risk indication parameters.
  - 7. The method of claim 1, further comprising:
    - computing a threat level value for each client accessing the computing farm;
      
      comparing the computed threat level value to a predefined threshold; and
      
      determining a client to be a trusted client based on the comparing of the computed threat level value and the predefined threshold.
  - 8. The method of claim 7, wherein computing the threat level value includes:
    - assigning a score to each parameter, wherein the score determines how the parameters are applicable for the client; and
      
      calculating the threat level value as a weighted average of scores assigned to the parameters.
  - 9. The method of claim 1, wherein the computing resources are dynamically allocated to the first group.
  - 10. The method of claim 1, wherein the computing resources are connected to an application delivery controller (ADC), wherein the traffic from a trusted client is directed to the first group of computing resources over a secured path established through the at least one network element and the ADC.
  - 11. The method of claim 10, wherein the ADC is a virtual appliance that includes at least two virtual instances of ADCs, wherein the traffic to the first group of computing resources are directed through a first virtual instance and the traffic to the second group of computing resources are directed through a second virtual instance of the at least two virtual instances of the ADC, wherein each one of the at least two virtual instances is addressed by at least one of:
    - a port number, a MAC address, and a VLAN ID, and an IP address.
  - 12. The method of claim 1, wherein the traffic diversion is transparent to an application protocol utilized by the clients.
  - 13. The method of claim 1, wherein triggering the zoning mode is performed based on a plurality zoning trigger parameters indicating a potential risk that a cyber-attack is about to take place against the computing farm or that the computing farm is currently under a cyber-attack.
  - 14. A computer software product embedded in a non-transient computer readable medium containing instructions that when executed on the computer perform the method of claim 1.

15. A method for creating at least one zoning rule that allows for separation of traffic processing in a software defined network (SDN), the method is performed by a central controller of the SDN, comprising:
- determining a trusted client based on a plurality of security risk indication parameters for each client accessing a computing farm;
  
  generating a list of trusted clients that includes an identifier of each client determined to be a trusted client;
  
  defining at least one action for traffic received from trusted clients, wherein the at least one zoning rule includes the list of trusted clients and actions defined for the trusted clients; and
  
  conveying the plurality of zoning rules to at least one network element in the SDN.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The method of claim 15, further comprising:
    - defining at least one action for traffic directed to trusted clients; and
      
      defining at least one action for handling traffic received from any one of suspicious clients and trusted clients.
  - 17. The method of claim 16, wherein the determination if a client is a trusted client further comprising:
    - computing a threat level value for each client accessing the computing farm;
      
      comparing the computed threat level value to a predefined threshold; and
      
      determining a client to be trusted client based on the comparing of the computed threat level value and the predefined threshold.
  - 18. The method of claim 17, wherein computing the threat level value includes:
    - assigning a score to each parameter, wherein the score determines how the parameters are applicable for the client; and
      
      calculating the threat level value as an average of scores assigned to the parameters.
  - 19. The method of claim 18, wherein the client identifier is at least an IP address of the client.
  - 20. The method of claim 19, wherein the at least one zoning rule includes at least one of:
    - matching a source address of the traffic received from a client against the IP addresses listed in the trusted list and changing the destination address of the traffic received from the client to designate a first address when a match exists;
      
      matching a destination address of traffic directed to a client against the IP addresses listed in the trusted list and replacing the source address of the traffic directed to the client to from a first address to a second address when a match exists, wherein only the second address is advertised; and
      
      matching a destination address of traffic received from clients against the first address and dropping the traffic when a match exists.
  - 21. The method of claim 20, wherein the first address is of computing resources in a trusted zone and the second address is of computing resources in an un-trusted zone, wherein only the second address is advertised.
  - 22. The method of claim 19, wherein the at least one zoning rule includes:
    - matching a source address of the traffic received from a client against the IP addresses listed in the trusted list; and
      
      directing the traffic received from the client to a designated network appliance connected to a trusted zone, wherein the network appliance is addressed by at least one of;
      
      a port number, a MAC Address, a VLAN ID, and an IP address.
  - 23. The method of claim 16, wherein the network appliance is a virtual appliance that includes at least two virtual instances, each virtual instance is assigned to a different group of computing resources and is addressed by at least one of:
    - a port number, a MAC address, a VLAN ID, and, an IP address.

24. A software defined network (SDN), comprising:
- at least one network element being connected to a plurality of clients through a computer network and to at least one application delivery controller (ADC); and
  
  a central controller for generating a plurality of zoning rules and instructing the at least one network element to implement the plurality of zoning rules, thereby enabling separation of traffic processing by a computing farm connected to the at least one ADC, wherein the separation of traffic processing is performed in a zoning mode being triggered based on an indication that a potential risk that a cyber-attack is about to take place against the computing farm or that the computing farm is currently under a cyber-attack.
- View Dependent Claims (25, 26)
- - 25. The software defined network of claim 24, wherein the central controller and the at least one network element communicates using a SDN-based provisioning protocol.
  - 26. The software defined network of claim 24, wherein the central controller is further connected to at least one external system to receive a plurality of security risk indication parameters allowing the central controller to determine if a client is trusted, and a plurality of zoning trigger parameters allowing the central controller to determine if a zoning mode should be triggered, wherein the at least one external system includes at least one of:
    - an attack detection device and a security management system.

27. A central controller operable in a software defined network (SDN), comprising:
- a SDN interface for communicating with at least one network element in the SDN;
  
  an external system interface for receiving at least a plurality of security risk indication parameters and a plurality of zoning trigger parameters;
  
  a zoning module for determining if a zoning mode is required and for creating at least one zoning rule to be executed by the at least one network element, wherein the at least one zoning rule allows for separation of traffic processing in the SDN during the zoning mode, wherein the zoning mode is triggered based on an indication that a potential risk that a cyber-attack is about to take place against the computing farm or that the computing farm is currently under a cyber-attack.
- View Dependent Claims (28)
- - 28. The software defined network of claim 27, wherein the central controller and the at least one network element communicates using a SDN-based protocol.

29. A method for separation of traffic processing in a software defined network (SDN) wherein the method is performed by a central controller of the SDN, comprising:
- allocating a first group of computing resources of a computing farm to a trusted zone and a second group of computing resources to an un-trusted zone;
  
  assigning the computing resources in the first group to a first application delivery controller (ADC) and the computing resources in the second group with a second ADC;
  
  triggering a zoning mode in the computing frame to mitigate a potential cyber-attack; and
  
  causing at least one network element in the SDN to divert a traffic addressed to a single address of the computing farm to the first group and the second group of computing resources based on a plurality of zoning rules implemented by the at least one network element, wherein the plurality of zoning rules determine that the traffic from a trusted client is directed to the first ADC and the traffic from an un-trusted client is directed to the second ADC, thereby providing a guaranteed SLA to trusted clients.
- View Dependent Claims (30, 31, 32)
- - 30. The method of claim 29, wherein the at least one zoning rule includes:
    - matching a source address of the traffic received from a client against the IP addresses listed in the trusted list; and
      
      directing the traffic received from the client to a designated network appliance connected to a trusted zone, wherein the network appliance is identified by at least one of;
      
      a port number, a MAC address, a VLAN ID, and an IP address.
  - 31. The method of claim 29, wherein the traffic from the trusted client is directed to the first group of computing resources over a secured path established through the at least one network element and the ADC.
  - 32. The method of claim 29, wherein the traffic diversion is transparent to an application protocol utilized by the clients.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Radware Limited
Original Assignee
Radware Limited
Inventors
ZISAPEL, Yehuda, CHESLA, Avi, DORON, Ehud, NAEH, Shay, AVIV, David

Granted Patent

US 9,210,180 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

TECHNIQUES FOR SEPARATING THE PROCESSING OF CLIENTS' TRAFFIC TO DIFFERENT ZONES IN SOFTWARE DEFINED NETWORKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

166 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

TECHNIQUES FOR SEPARATING THE PROCESSING OF CLIENTS' TRAFFIC TO DIFFERENT ZONES IN SOFTWARE DEFINED NETWORKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others