SECURITY MEDIATION FOR DYNAMICALLY PROGRAMMABLE NETWORK
Abstract
A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.
31 Claims
1. A method for enforcing a security policy at an interface to a network switch of a dynamically programmable computer network, the method comprising, with a computing system coupled to the network:
receiving a packet disposition directive from the network, the packet disposition directive comprising a candidate flow rule that may be implemented by the network switch to control the flow of communications across the network;
determining whether the candidate flow rule conflicts with one or more flow rules in a set of currently active flow rules, wherein the currently active flow rules currently control the flow of communications across the network; and
in response to determining that the candidate flow rule does not conflict with any of the currently active flow rules, adding the candidate flow rule to the set of currently active flow rules.
Dependent claims: 2, 3, 4, 5, 6, 7 (not shown).
8. A security mediation service to enforce a security policy at an interface to a network switch of a dynamically programmable computer network, the security mediation service embodied in a computing system coupled to the network, the security mediation service comprising:
a flow rule state manager to manage data relating to a set of currently active flow rules, wherein the currently active flow rules currently control the flow of communications across the network; and
a conflict analyzer to determine whether a candidate flow rule conflicts with any of the currently active flow rules, and add the candidate flow rule to the set of currently active flow rules if the candidate flow rule does not conflict with any of the currently active flow rules.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17 (not shown).
18. A method for enforcing a security policy at an interface to a network switch of a dynamically programmable computer network, the method comprising, with a computing system coupled to the network:
receiving a candidate flow rule from the network, wherein the candidate flow rule may be implemented by the network switch to control the flow of communications across the network, and the candidate flow rule comprises match criteria having values that determine whether the candidate flow rule applies to a communication;
determining whether the candidate flow rule permits other values to be substituted for any of the values of the match criteria; and
deriving an expanded candidate flow rule from the candidate flow rule, wherein the expanded candidate flow rule includes the values of the match criteria and the other values.
Dependent claims: 19, 20, 21, 22, 23, 24, 25, 26, 27 (not shown).
28. A method for enforcing a security policy for a dynamically programmable network, the method comprising, on the network:
maintaining a set of currently active packet disposition directives, wherein the set of currently active packet disposition directives changes over time, and the currently active packet disposition directives are implemented at network switches to control one or more of the behavior and the configuration of the network switches at a current point in time;
receiving, from a source of packet disposition directives, a candidate packet disposition directive that is not part of the set of currently active packet disposition directives;
determining whether the candidate packet disposition directive violates the security policy; and
in response to determining that the candidate packet disposition directive does not violate the current security policy, implementing the packet disposition directive at the network switches.
Dependent claims: 29, 30, 31 (not shown).
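The claims above describe two mechanisms without naming an algorithm: the conflict analyzer of claims 1 and 8, which admits a candidate flow rule only if it does not contradict a currently active rule, and the match-criteria expansion of claim 18, which turns a rule whose fields permit substitution (a wildcard, or an address prefix) into the full set of values it would apply to. The following Python model is an added example, not code from the patent or from any product it covers; it is one reasonable way to implement both steps, assuming an OpenFlow-like rule shape (the field names, the "forward"/"drop" dispositions, the `FlowRule`, `expand_match`, `conflicts` and `SecurityMediator` names and the sample policy are all assumptions of this example, and the policy entries are constructed). A candidate conflicts with an active rule when the two match spaces overlap on every field and the dispositions differ; a candidate that passes is added to the active set, as in claim 28.

```python
"""Model of a security mediation service for a programmable network.

Added example (assumptions throughout): rules are OpenFlow-like, with a small
fixed set of match fields and a disposition of "forward" or "drop".
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, FrozenSet, List, Tuple, Union

ANY = "*"  # wildcard: the field permits any value to be substituted
MATCH_FIELDS = ("in_port", "dl_src", "dl_dst", "nw_src", "nw_dst", "tp_dst")
Expanded = Dict[str, Union[str, FrozenSet[str]]]


@dataclass(frozen=True)
class FlowRule:
    """A packet disposition directive: match criteria plus the disposition
    applied to matching packets ("forward" or "drop")."""
    name: str
    match: Dict[str, str]  # field -> literal value, IPv4 prefix (nw_*), or ANY
    action: str


def expand_match(match: Dict[str, str]) -> Expanded:
    """Expanded match criteria in the sense of claim 18: for every field, the
    set of concrete values the rule would apply to. A missing field or ANY
    permits any value; an IPv4 prefix permits every address inside it."""
    expanded: Expanded = {}
    for f in MATCH_FIELDS:
        v = match.get(f, ANY)
        if v == ANY:
            expanded[f] = ANY
        elif f in ("nw_src", "nw_dst") and "/" in v:
            expanded[f] = frozenset(str(a) for a in ip_network(v, strict=False))
        else:
            expanded[f] = frozenset([v])
    return expanded


def match_spaces_overlap(a: Expanded, b: Expanded) -> bool:
    """True when some packet satisfies both match criteria, i.e. every field
    overlaps (a wildcard overlaps everything, sets must intersect)."""
    for f in MATCH_FIELDS:
        if a[f] == ANY or b[f] == ANY:
            continue
        if not (a[f] & b[f]):
            return False
    return True


def conflicts(candidate: FlowRule, active: FlowRule) -> bool:
    """A candidate conflicts with an active rule when both can apply to the
    same packet but prescribe different dispositions."""
    if candidate.action == active.action:
        return False
    return match_spaces_overlap(expand_match(candidate.match), expand_match(active.match))


class SecurityMediator:
    """Flow rule state manager plus conflict analyzer (claims 1 and 8)."""

    def __init__(self, active: List[FlowRule]):
        self.active: List[FlowRule] = list(active)

    def submit(self, candidate: FlowRule) -> Tuple[bool, List[str]]:
        """Admit the candidate only if it conflicts with no active rule; the
        returned list names the active rules it would contradict."""
        clashing = [r.name for r in self.active if conflicts(candidate, r)]
        if clashing:
            return False, clashing
        self.active.append(candidate)  # instantiate only when policy-consistent
        return True, []


# Constructed sample policy (not from the patent): block telnet into 10.0.0.0/24,
# allow one host to reach a web server.
ACTIVE_POLICY = [
    FlowRule("block-telnet", {"nw_dst": "10.0.0.0/24", "tp_dst": "23"}, "drop"),
    FlowRule("web-allow", {"nw_src": "10.0.1.5", "nw_dst": "10.0.0.7", "tp_dst": "80"}, "forward"),
]


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Submit three constructed candidates and return each mediation verdict."""
    m = SecurityMediator(ACTIVE_POLICY)
    results: Dict[str, Tuple[bool, List[str]]] = {}
    # Wildcard tp_dst and a /22 covering the protected /24: would forward telnet.
    results["broad-forward"] = m.submit(
        FlowRule("broad-forward", {"in_port": "3", "nw_dst": "10.0.0.0/22"}, "forward"))
    # Disjoint destination port: no packet matches both this and block-telnet.
    results["https-allow"] = m.submit(
        FlowRule("https-allow", {"nw_dst": "10.0.0.9", "tp_dst": "443"}, "forward"))
    # Overlaps web-allow but with the same disposition: no contradiction.
    results["web-allow-dup"] = m.submit(
        FlowRule("web-allow-2", {"nw_dst": "10.0.0.7", "tp_dst": "80"}, "forward"))
    return results


if __name__ == "__main__":
    for name, (accepted, clashing) in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'} {clashing}")
```

Two design choices are worth noting. Overlap is decided per field over the expanded value sets, so a broad candidate (wildcard port, wider prefix) is caught even though it never names the protected port or address; this is exactly the case a textual comparison of rule strings would miss. The conflict test here is symmetric (any contradictory disposition over a shared packet space), which also rejects a candidate that would drop traffic an active rule forwards; a deployment that only guards against candidates that open what the security policy closes would restrict the check to candidates whose disposition is more permissive than the active rule's.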