Elastic Enforcement Layer for Cloud Security Using SDN
First Claim
1. A method performed by a controller in a split architecture network to control network connectivity for a cloud computing environment, the split architecture network including a plurality of switches coupled to the controller, wherein the controller manages policy enforcement for network security for a plurality of virtual machines (VMs) including a source VM and a destination VM that execute applications in the cloud computing environment and exchange data via the split architecture network, the method comprising the steps of:
- receiving by the controller a packet originating from the source VM;
- extracting by the controller an application identifier from the received packet, the application identifier identifying an application running on the source VM;
- determining by the controller a chain of middlebox types based on the application identifier;
- mapping by the controller one or more of the middlebox types in the chain to corresponding one or more middlebox instances based on current availability of resources in the cloud computing environment, wherein one or more of the middlebox instances perform network security operations on the packet; and
- adding by the controller a set of rules to the switches to cause the switches to forward the packet toward the destination VM via the one or more middlebox instances to thereby enforce network security in the cloud computing environment.
Abstract
An efficient elastic enforcement layer (EEL) for realizing security policies is deployed in a cloud computing environment based on a split architecture framework. The split architecture network includes a controller coupled to switches. When the controller receives a packet originating from a source VM, it extracts an application identifier from the received packet that identifies an application running on the source VM. Based on the application identifier, the controller determines a chain of middlebox types. The controller further determines middlebox instances based on current availability of resources. The controller then adds a set of rules to the switches to cause the switches to forward the packet toward the destination VM via the middlebox instances.
20 Claims
1. (Independent method claim, recited in full above as the First Claim.) Dependent claims: 2-10.
11. A network node functioning as a controller in a split architecture network to control network connectivity for a cloud computing environment, the split architecture network including a plurality of switches coupled to the controller, wherein the controller manages policy enforcement for network security for a plurality of virtual machines (VMs) including a source VM and a destination VM that execute applications in the cloud computing environment and exchange data via the split architecture network, the controller comprising:
- receiver circuitry configured to receive a packet originating from the source VM; and
- a processor coupled to the receiver circuitry and the memory, the processor further comprising an elastic enforcement module, which is configured to: extract an application identifier from the received packet, the application identifier identifying an application running on the source VM; determine a chain of middlebox types based on the application identifier; and map one or more of the middlebox types in the chain to corresponding one or more middlebox instances based on current availability of resources in the cloud computing environment, wherein one or more of the middlebox instances perform network security operations on the packet; and
- transmitter circuitry coupled to the processor, the transmitter circuitry configured to send a set of rules to the switches to cause the switches to forward the packet toward the destination VM via the one or more middlebox instances to thereby enforce network security in the cloud computing environment.
Dependent claims: 12-20.
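As an added illustration of the controller logic recited in the abstract and in claims 1 and 11 (example code written for this page, not the patent's own implementation), the Python below models the claimed steps: extracting an application identifier, looking up its middlebox chain, mapping each type to an instance with spare capacity, and emitting per-switch forwarding rules. The policy table, instance pool, packet fields and switch names are constructed assumptions; when a required middlebox type has no available instance, the controller installs no rules rather than letting the flow bypass that security function.

```python
# Added example, not the patent's code: names, fields and policy table are assumptions.
from dataclasses import dataclass
@dataclass
class Middlebox:
    name: str
    mb_type: str
    switch: str     # switch the instance is attached to
    capacity: int   # flows the instance can carry
    load: int = 0   # flows currently steered through it

# Constructed policy: application identifier -> ordered chain of middlebox types.
POLICY = {"web": ["firewall", "ids"], "db": ["firewall", "dlp"]}
# Constructed instance pool; "ids-2" is saturated so the mapper must skip it.
POOL = [
    Middlebox("fw-1", "firewall", "s2", capacity=100, load=10),
    Middlebox("fw-2", "firewall", "s3", capacity=100, load=90),
    Middlebox("ids-1", "ids", "s4", capacity=50, load=49),
    Middlebox("ids-2", "ids", "s5", capacity=50, load=50),
]

def map_chain(chain, pool):
    """Pick the least-loaded instance with spare capacity per type; None if any type has none."""
    path = []
    for mb_type in chain:
        free = [m for m in pool if m.mb_type == mb_type and m.load < m.capacity]
        if not free:
            return None                      # fail closed rather than bypass the function
        path.append(min(free, key=lambda m: m.load / m.capacity))
    return path

def build_rules(pkt, path):
    """One rule per switch on the path: match the flow, forward to the next hop."""
    hops = [m.switch for m in path] + [pkt["dst_switch"]]
    rules, cur = [], pkt["src_switch"]
    for nxt in hops:
        rules.append({"switch": cur, "match": (pkt["src"], pkt["dst"]), "out": nxt})
        cur = nxt
    return rules

def handle_packet(pkt, policy=POLICY, pool=POOL):
    app_id = pkt.get("app_id")               # assumed: hypervisor tags the packet with its app id
    chain = policy.get(app_id)
    if chain is None:
        return None                          # unknown application: install nothing
    path = map_chain(chain, pool)
    if path is None:
        return None                          # a required security function has no capacity
    for m in path:
        m.load += 1                          # account for the flow now steered through it
    return build_rules(pkt, path)
```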