SECURITY MEDIATION FOR DYNAMICALLY PROGRAMMABLE NETWORK

US 20140075498A1
Filed: 03/13/2013
Published: 03/13/2014
Est. Priority Date: 05/22/2012
Status: Active Grant

First Claim

Patent Images

1. A method for enforcing a security policy at an interface to a network switch of a dynamically programmable computer network, the method comprising, with a computing system coupled to the network:

receiving a packet disposition directive from the network, the packet disposition directive comprising a candidate flow rule that may be implemented by the network switch to control the flow of communications across the network;

determining whether the candidate flow rule conflicts with one or more flow rules in a set of currently active flow rules, wherein the currently active flow rules currently control the flow of communications across the network; and

in response to determining that the candidate flow rule does not conflict with any of the currently active flow rules, adding the candidate flow rule to the set of currently active flow rules.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.

Citations

31 Claims

1. A method for enforcing a security policy at an interface to a network switch of a dynamically programmable computer network, the method comprising, with a computing system coupled to the network:
- receiving a packet disposition directive from the network, the packet disposition directive comprising a candidate flow rule that may be implemented by the network switch to control the flow of communications across the network;
  
  determining whether the candidate flow rule conflicts with one or more flow rules in a set of currently active flow rules, wherein the currently active flow rules currently control the flow of communications across the network; and
  
  in response to determining that the candidate flow rule does not conflict with any of the currently active flow rules, adding the candidate flow rule to the set of currently active flow rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, comprising comparing the candidate flow rule to each of the flow rules in the set of currently active flow rules before the candidate flow rule is communicated to the network switch.
  - 3. The method of claim 1, wherein the candidate flow rule and each of the currently active flow rules comprises an action that determines how communications to which the rule applies are disposed of by the network switch, and the method comprises, for each of the currently active flow rules:
    - comparing the action specified by the candidate flow rule to the action specified by the currently active flow rule, and if the action specified by the candidate flow rule is the same as the action specified by the currently active flow rule, determining that the candidate flow rule does not conflict with the currently active flow rule.
  - 4. The method of claim 1, comprising determining whether the candidate flow rule comprises a set action, wherein the set action modifies communications to which it applies.
  - 5. The method of claim 4, comprising, in response to determining that the candidate flow rule comprises a set action, expanding the candidate flow rule to include the modifications permitted by the set action.
  - 6. The method of claim 5, wherein each of the currently active flow rules has a priority, and the method comprises comparing the expanded candidate flow rule to the currently active flow rules in order of decreasing priority.
  - 7. The method of claim 6, comprising determining that the candidate flow rule conflicts with the set of currently active flow rules if the expanded candidate flow rule conflicts with any of the currently active flow rules.

8. A security mediation service to enforce a security policy at an interface to a network switch of a dynamically programmable computer network, the security mediation service embodied in a computing system coupled to the network, the security mediation service comprising:
- a flow rule state manager to manage data relating to a set of currently active flow rules, wherein the currently active flow rules currently control the flow of communications across the network; and
  
  a conflict analyzer to determine whether a candidate flow rule conflicts with any of the currently active flow rules, and add the candidate flow rule to the set of currently active flow rules if the candidate flow rule does not conflict with any of the currently active flow rules.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The security mediation service of claim 8, wherein the candidate flow rule and each of the currently active flow rules comprise an action that determines how a communication is to be disposed of by the network switch if the rule applies to the communication, and wherein the conflict analyzer compares the action specified by the candidate flow rule to the action specified by each of the currently active flow rules.
  - 10. The security mediation service of claim 8, wherein the candidate flow rule and each of the currently active flow rules comprise a plurality of match fields each including a value that determines whether the candidate flow rule applies to a communication, and wherein the conflict analyzer compares the match fields of the candidate flow rule to the corresponding match fields of each of the currently active flow rules.
  - 11. The security mediation service of claim 10, wherein if the candidate flow rule permits another value to be substituted for the value of a match field of the candidate flow rule, the conflict analyzer expands the candidate flow rule to include the value and the other value that may be substituted for the value of the match field, and compares the expanded candidate flow rule to each of the currently active flow rules.
  - 12. The security mediation service of claim 11, wherein, for each of the currently active flow rules, the conflict analyzer expands the currently active flow rule to include any values that may be substituted for the values of the match fields of the currently active flow rule, and compares the expanded candidate flow rule to each of the expanded currently active flow rules.
  - 13. The security mediation service of claim 12, wherein the security mediation service updates the set of currently active flow rules to include the expanded candidate flow rule if the expanded candidate flow rule does not conflict with any of the expanded currently active flow rules.
  - 14. The security mediation service of claim 8, wherein the security mediation service communicates the candidate flow rule to the network switch if the candidate flow rule does not conflict with any of the currently active flow rules.
  - 15. The security mediation service of claim 8, comprising:
    - a source authenticator to authenticate a source of the candidate flow rule, wherein the source comprises one of a network administrator and a software application; and
      
      a conflict analyzer to determine whether to implement the candidate flow rule at the network switch based on a role associated with the source of the candidate flow rule.
  - 16. A network controller embodied in one or more machine accessible storage media and configured to interface with software applications and with the network switch, the network controller comprising the security mediation service of claim 8.
  - 17. A network virtualization layer embodied in one or more machine accessible storage media and configured to interface with software applications and with the network switch, the network virtualization layer comprising the security mediation service of claim 8.

18. A method for enforcing a security policy at an interface to a network switch of a dynamically programmable computer network, the method comprising, with a computing system coupled to the network:
- receiving a candidate flow rule from the network, wherein the candidate flow rule may be implemented by the network switch to control the flow of communications across the network, and the candidate flow rule comprises match criteria having values that determine whether the candidate flow rule applies to a communication;
  
  determining whether the candidate flow rule permits other values to be substituted for any of the values of the match criteria; and
  
  deriving an expanded candidate flow rule from the candidate flow rule, wherein the expanded candidate flow rule includes the values of the match criteria and the other values.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The method of claim 18, wherein the match criteria comprises a plurality of match fields, and the expanding comprises, for each of the match fields, deriving an alias set comprising the value of the match field and the other values that may be substituted for the value of the match field.
  - 20. The method of claim 18, comprising:
    - determining whether the expanded candidate flow rule conflicts with a set of currently active flow rules, wherein the set of currently active flow rules currently controls the flow of communications across the network; and
      
      in response to determining that the expanded candidate flow rule does not conflict with any of the currently active flow rules, adding the expanded candidate flow rule to the set of currently active flow rules.
  - 21. The method of claim 20, wherein each of the currently active flow rules is associated with a role, and the method comprises comparing the candidate flow rule to the set of currently active flow rules in a priority order based on the roles assigned to the currently active flow rules.
  - 22. The method of claim 20, comprising, for each of the match fields, determining whether the alias set intersects with a corresponding match field of each of the currently active flow rules.
  - 23. The method of claim 20, wherein each of the currently active flow rules comprises match criteria having values that determine whether the currently active flow rule applies to a communication, and the method comprises expanding each of the currently active flow rules to include the values of the match criteria and any values that may be substituted for the values of the match criteria.
  - 24. The method of claim 23, comprising comparing the expanded candidate flow rule to each of the expanded currently active flow rules.
  - 25. The method of claim 23, wherein the match criteria of each of the currently active flow rules comprises a plurality of match fields, and the expanding comprises, for each of the match fields of each of the currently active flow rules, deriving an alias set comprising the value of the match field of the currently active flow rule and the other values that may be substituted for the value of the match field of the currently active flow rule.
  - 26. The method of claim 25, wherein the match fields of the candidate flow rules and the match fields of each of the currently active flow rules comprise a source field and a destination field, and the method comprises determining whether the alias set of the source field of the candidate flow rule intersects with the alias set of the source field of any of the currently active flow rules and determining whether the alias set of the destination field of the candidate flow rule intersects with the alias set of the destination field of any of the currently active flow rules.
  - 27. The method of claim 26, comprising updating the alias sets of each of the currently active flow rules if the expanded candidate flow rule is added to the set of currently active flow rules.

28. A method for enforcing a security policy for a dynamically programmable network, the method comprising, on the network:
- maintaining a set of currently active packet disposition directives, wherein the set of currently active packet disposition directives changes over time, and the currently active packet disposition directives are implemented at network switches to control one or more of the behavior and the configuration of the network switches at a current point in time;
  
  receiving, from a source of packet disposition directives, a candidate packet disposition directive that is not part of the set of currently active packet disposition directives;
  
  determining whether the candidate packet disposition directive violates the security policy; and
  
  in response to determining that the candidate packet disposition directive does not violate the current security policy, implementing the packet disposition directive at the network switches.
- View Dependent Claims (29, 30, 31)
- - 29. The method of claim 28, comprising determining a role associated with the source of the candidate packet disposition directive to determine whether the candidate packet disposition directive violates the security policy, wherein the role comprises one of a network administrator and a software application.
  - 30. The method of claim 28, comprising determining a capability associated with the source of the candidate packet disposition directive to determine whether the candidate packet disposition directive violates the security policy, wherein the capability indicates whether the source can change the behavior and/or configuration of the network switches.
  - 31. The method of claim 28, comprising determining whether the candidate packet disposition directive conflicts with any of the currently active packet disposition directives to determine whether the candidate disposition directive violates the security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Porras, Phillip A., Yegneswaran, Vinod, Fong, Martin W.

Granted Patent

US 9,705,918 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/107   wherein the security polici...

H04L 63/126   the source of the received ...

H04L 63/20   for managing network securi...

SECURITY MEDIATION FOR DYNAMICALLY PROGRAMMABLE NETWORK

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY MEDIATION FOR DYNAMICALLY PROGRAMMABLE NETWORK

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links