APPARATUS AND METHOD FOR PROVIDING A FLUID SECURITY LAYER

US 20130305311A1
Filed: 05/11/2012
Published: 11/14/2013
Est. Priority Date: 05/11/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a processor and a memory communicatively connected to the processor, the processor configured to;

select a location for a security rule based on a policy associated with the security rule;

determine whether to migrate the security rule to the location selected for the security rule; and

initiate migration of the security rule to the location selected for the security rule based on a determination to migrate the security rule to the location selected for the security rule.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security management capability enables migration of individual security rules between storage/application locations. The migration of a security rule may include selection of a location at which the security rule is to be applied and migration of the security rule to the selected location at which the security rule is to be applied. The selection of the location at which the security rule is to be applied may be performed based on security rule policies and/or security rule location selection information. The security rule is migrated from a current location (e.g., a location at which the security rule is currently applied, a management system, or the like) to the selected location at which the security rule is to be applied. In this manner, a fluid security layer may be provided. The fluid security layer may be optimized for one or more of security level, performance, cost, or the like.

Citations

21 Claims

1. An apparatus, comprising:
- a processor and a memory communicatively connected to the processor, the processor configured to;
  
  select a location for a security rule based on a policy associated with the security rule;
  
  determine whether to migrate the security rule to the location selected for the security rule; and
  
  initiate migration of the security rule to the location selected for the security rule based on a determination to migrate the security rule to the location selected for the security rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15, 16, 17, 18, 19)
- - 2. The apparatus of claim 1, wherein the policy associated with the security rule is based on a latency associated with application of the security rule.
  - 3. The apparatus of claim 1, wherein the policy associated with the security rule is based on a latency associated with application of the security rule when the security rule is associated with an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS).
  - 4. The apparatus of claim 1, wherein the policy associated with the security rule is based on a cost associated with transporting data for which the security rule is to be applied and an amount of processing resources used for application of the security rule.
  - 5. The apparatus of claim 1, wherein the policy associated with the security rule is further based on a minimum level of performance to be provided when the security rule is applied.
  - 6. The apparatus of claim 1, wherein the processor is configured to select the location for the security rule based on at least one of hypervisor status information associated with one or more hypervisors, network congestion information, and user preference information.
  - 7. The apparatus of claim 1, wherein the policy associated with the security rule is dedicated for use only with the security rule.
  - 8. The apparatus of claim 1, wherein the policy associated with the security rule is associated with at least one other security rule.
  - 9. The apparatus of claim 1, wherein the security rule is stored at a current location, wherein to initiate migration of the security rule to the selected location the processor is configured to:
    - initiate migration of the security rule from the current location to the selected location.
  - 10. The apparatus of claim 9, wherein the current location comprises one of a hypervisor, a network device, or a controller.
  - 11. The apparatus of claim 9, wherein the selected location comprises one of a hypervisor or a network device.
  - 13. The apparatus of claim 1, wherein the security rule is configured to provide security for communication between a first communication element and a second communication element.
  - 14. The apparatus of claim 13, wherein the first communication element is a virtual machine, wherein the second communication element is a virtual machine or a network device.
  - 15. The apparatus of claim 1, wherein the security rule is configured to provide security for communication between a first virtual machine and a second virtual machine.
  - 16. The apparatus of claim 15, wherein the first and second virtual machines are located in a single datacenter.
  - 17. The apparatus of claim 16, wherein the selected location comprises a hypervisor of a host hosting the first virtual machine, a network device of a data center network of the data center, or a hypervisor of a host hosting the second virtual machine.
  - 18. The apparatus of claim 15, wherein the first virtual machine is located within a first data center and the second virtual machine is located within a second data center.
  - 19. The apparatus of claim 18, wherein the selected location comprises a hypervisor of a host hosting the first virtual machine, a network device of a data center network of the first data center, a network device of a communication network supporting communications between the first data center and the second data center, a network device of a data center network of the second data center, or a hypervisor of a host hosting the second virtual machine.

12. (canceled)

20. A method, comprising:
- using a processor and a memory for;
  
  selecting a location for a security rule based on a policy associated with the security rule;
  
  determining whether to migrate the security rule to the location selected for the security rule; and
  
  initiating migration of the security rule to the location selected for the security rule based on a determination to migrate the security rule to the location selected for the security rule.

21. A non-transitory computer-readable storage medium storing instructions which, when executed by a computer, cause the computer to perform a method, the method comprising:
- selecting a location for a security rule based on a policy associated with the security rule;
  
  determining whether to migrate the security rule to the location selected for the security rule; and
  
  initiating migration of the security rule to the location selected for the security rule based on a determination to migrate the security rule to the location selected for the security rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Puttaswamy Naga, Krishna P., Hao, Fang, Martin, Antony

Granted Patent

US 9,548,962 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/20 for managing network securi...

APPARATUS AND METHOD FOR PROVIDING A FLUID SECURITY LAYER

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD FOR PROVIDING A FLUID SECURITY LAYER

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links