SECURITY MEDIATION FOR DYNAMICALLY PROGRAMMABLE NETWORK

US 20140075519A1
Filed: 03/13/2013
Published: 03/13/2014
Est. Priority Date: 05/22/2012
Status: Active Grant

First Claim

Patent Images

1. A security mediation service to enforce a security policy at an interface to a network switch of a dynamically programmable computer network, the security mediation service embodied in a computing system coupled to the network, the security mediation service comprising:

a source authenticator to authenticate a source of a packet disposition directive that may be implemented by the network switch to control the flow of communications across the network, wherein the source comprises one of a network administrator and a software application; and

a conflict analyzer to determine whether to implement the packet disposition directive at the network switch based on one or more of a role associated with the source of the packet disposition directive and a capability associated with the source of the packet disposition directive.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.

66 Citations

View as Search Results

31 Claims

1. A security mediation service to enforce a security policy at an interface to a network switch of a dynamically programmable computer network, the security mediation service embodied in a computing system coupled to the network, the security mediation service comprising:
- a source authenticator to authenticate a source of a packet disposition directive that may be implemented by the network switch to control the flow of communications across the network, wherein the source comprises one of a network administrator and a software application; and
  
  a conflict analyzer to determine whether to implement the packet disposition directive at the network switch based on one or more of a role associated with the source of the packet disposition directive and a capability associated with the source of the packet disposition directive.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The security mediation service of claim 1, wherein the conflict analyzer compares the role of the source of the packet disposition directive to roles that are associated with the sources of currently active packet disposition directives that currently control the flow of communications across the network, and determines whether the packet disposition directive should be implemented at the network switch based on whether the role of the source of the packet disposition directive has a higher priority than the roles of the sources of the currently active packet disposition directives.
  - 3. The security mediation service of claim 1, wherein the role is determined based at least in part on whether the source is a network administrator, a network security application, or another type of software application.
  - 4. The security mediation service of claim 1, wherein the capability is based at least in part on whether the packet disposition directive is signed with a digital signature.
  - 5. The security mediation service of claim 1, wherein the source authenticator uses a public key to authenticate the source of the packet disposition directive and the capability is based at least in part on whether the source of the packet disposition directive is authenticated.
  - 6. The security mediation service of claim 1, wherein the role is based at least in part on a communication channel used to communicate the packet disposition directive to the security mediation service.
  - 7. The security mediation service of claim 1, wherein the role is based at least in part on a process from which the packet disposition directive originated.
  - 8. The security mediation service of claim 1, wherein the security mediation service communicates the packet disposition directive to the network switch if the security mediation service determines that the packet disposition directive should be implemented at the network switch.
  - 9. The security mediation service of claim 8, wherein the network comprises a plurality of network switches and the security mediation service coordinates the communication of the packet disposition directive to the plurality of network switches.
  - 10. The security mediation service of claim 9, wherein the security mediation service communicates the packet disposition directive to all of the network switches before it communicates the packet disposition directive to a switch from which a communication was received that triggered the packet disposition directive.
  - 11. The security mediation service of claim 10, wherein each of the network switches has a local flow table and the security mediation service inserts the packet disposition directive in each of the local flow tables if the security mediation service determines that the packet disposition directive should be implemented at the network switches.
  - 12. The security mediation service of claim 1, comprising a security directive translator to prepare the packet disposition directive based on a network security policy associated with the source.
  - 13. The security mediation service of claim 1, comprising a state table manager to maintain consistency between an aggregate table of currently active packet disposition directives across a plurality of network switches including the network switch and a local table of flow rules resident at the network switch.
  - 14. The security mediation service of claim 13, comprising a switch manager to communicate messages relating to the status of the local table of flow rules to the security mediation service.
  - 15. The security mediation service of claim 1, wherein the conflict analyzer determines whether the packet disposition directive conflicts with one or more currently active packet disposition directives that currently control the flow of communications across the network.
  - 16. The security mediation service of claim 1, wherein the packet disposition directive comprises one or more of:
    - a directive to enable or disable one or more ports of the network switch, a directive to request the network switch to generate network traffic in response to a specified network condition, a flow rule to control network flows at the network switch, and another type of directive that may change the behavior or configuration of the network switch.
  - 17. A network controller embodied in one or more machine accessible storage media and configured to interface with software applications and with the network switch, the network controller comprising the security mediation service of claim 1.
  - 18. A network virtualization layer embodied in one or more machine accessible storage media and configured to interface with software applications and with the network switch, the network virtualization layer comprising the security mediation service of claim 1.

19. A method for enforcing a security policy at an interface to a network switch of a dynamically programmable computer network, the method comprising, with a computing system coupled to the network:
- receiving a packet disposition directive from the network, wherein the packet disposition directive may be implemented by the network switch to effect a change in the behavior or configuration of the network switch;
  
  determining a role associated with the packet disposition directive;
  
  determining whether the packet disposition directive conflicts with a currently active network security policy, wherein the currently active security policy currently controls the behavior and configuration of the network switch; and
  
  in response to determining that the packet disposition directive conflicts with the currently active network security policy, determining whether to implement the packet disposition directive at the network switch based on the role associated with the packet disposition directive.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The method of claim 19, comprising determining whether a digital signature is associated with the packet disposition directive.
  - 21. The method of claim 19, comprising, in response to determining that a digital signature is associated with the packet disposition directive, analyzing the digital signature associated with the packet disposition directive and determining a capability associated with the packet disposition directive based on the analysis of the digital signature, wherein the capability determines whether the packet disposition directive may effect a change in the behavior or configuration of the network switch.
  - 22. The method of claim 19, comprising determining a communication channel associated with the packet disposition directive and determining the role based on the communication channel.
  - 23. The method of claim 19, comprising identifying a source of the packet disposition directive and determining the role based on the identity of the source.

24. A method for enforcing a security policy at an interface to a network switch of a dynamically programmable computer network, the method comprising, with a computing system coupled to the network:
- identifying a source of one or more packet disposition directives, wherein the packet disposition directives may be implemented by the network switch to effect changes in the behavior or configuration of the network switch;
  
  verifying the identity of the source using an authentication technique;
  
  assigning a role to the source based at least in part on whether the source is a network administrator or a software application, wherein the role comprises information that may be used to determine whether packet disposition directives produced by the source may be implemented by the network switch; and
  
  storing the role for use in evaluating packet disposition directives for implementation by the network switch.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31)
- - 25. The method of claim 24, comprising determining the role based on whether the source is a network administrator, a network security application, or another type of software application.
  - 26. The method of claim 25, wherein the role has a lower priority if the source is a network security software application than if the source is a network administrator.
  - 27. The method of claim 25, wherein the role has a higher priority if the source is a network security software application than if the source is another type of software application.
  - 28. The method of claim 24, wherein the role has a higher priority if the source has a digital signature.
  - 29. The method of claim 24, comprising determining a communication channel associated with the source and assigning the role based on the communication channel.
  - 30. The method of claim 24, comprising determining a process associated with the source and assigning the role based on the process.
  - 31. The method of claim 24, comprising assigning a capability to the source that allows the source to issue packet disposition directives to modify the configuration or behavior of the network switch, in response to authenticating the identity of the source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Porras, Phillip A., Fong, Martin W., Yegneswaran, Vinod

Granted Patent

US 9,444,842 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 63/107   wherein the security polici...

H04L 63/126   the source of the received ...

H04L 63/20   for managing network securi...

SECURITY MEDIATION FOR DYNAMICALLY PROGRAMMABLE NETWORK

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

31 Claims

Specification

Use Cases

Quick Links

Others

SECURITY MEDIATION FOR DYNAMICALLY PROGRAMMABLE NETWORK

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

31 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others