SECURITY MEDIATION FOR DYNAMICALLY PROGRAMMABLE NETWORK
2 Assignments
0 Petitions
Abstract
A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.
66 Citations
31 Claims
1. A security mediation service to enforce a security policy at an interface to a network switch of a dynamically programmable computer network, the security mediation service embodied in a computing system coupled to the network, the security mediation service comprising:
- a source authenticator to authenticate a source of a packet disposition directive that may be implemented by the network switch to control the flow of communications across the network, wherein the source comprises one of a network administrator and a software application; and
- a conflict analyzer to determine whether to implement the packet disposition directive at the network switch based on one or more of a role associated with the source of the packet disposition directive and a capability associated with the source of the packet disposition directive.
Dependent claims: 2-18.

19. A method for enforcing a security policy at an interface to a network switch of a dynamically programmable computer network, the method comprising, with a computing system coupled to the network:
- receiving a packet disposition directive from the network, wherein the packet disposition directive may be implemented by the network switch to effect a change in the behavior or configuration of the network switch;
- determining a role associated with the packet disposition directive;
- determining whether the packet disposition directive conflicts with a currently active network security policy, wherein the currently active security policy currently controls the behavior and configuration of the network switch; and
- in response to determining that the packet disposition directive conflicts with the currently active network security policy, determining whether to implement the packet disposition directive at the network switch based on the role associated with the packet disposition directive.
Dependent claims: 20-23.

24. A method for enforcing a security policy at an interface to a network switch of a dynamically programmable computer network, the method comprising, with a computing system coupled to the network:
- identifying a source of one or more packet disposition directives, wherein the packet disposition directives may be implemented by the network switch to effect changes in the behavior or configuration of the network switch;
- verifying the identity of the source using an authentication technique;
- assigning a role to the source based at least in part on whether the source is a network administrator or a software application, wherein the role comprises information that may be used to determine whether packet disposition directives produced by the source may be implemented by the network switch; and
- storing the role for use in evaluating packet disposition directives for implementation by the network switch.
Dependent claims: 25-31.
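The following is an added illustration of the mediation flow that independent claims 1, 19 and 24 describe (authenticate the source, look up its role and capabilities, check the candidate directive against the active policy, decide by role on conflict). It is not code from the patent or its assignee. Everything concrete in it is an assumption for the sake of a runnable model: sources are authenticated with an HMAC over the directive under a per-source shared key, roles are ranked administrator > security application > ordinary application, a "conflict" is defined as two directives whose match patterns can cover the same packet but whose actions differ, an equally ranked conflicting directive loses to the one already installed, and capabilities are simple sets of permitted actions. The sample directives and keys are constructed.

```python
import hashlib
import hmac
import json

# Constructed sources, roles and shared keys (assumption: a real deployment
# would bind sources to an identity system rather than static secrets).
SOURCES = {
    "admin-alice": {"role": "administrator", "key": b"admin-shared-secret"},
    "fw-app":      {"role": "security_app",  "key": b"fw-app-shared-secret"},
    "lb-app":      {"role": "application",   "key": b"lb-app-shared-secret"},
}

# Assumed role precedence (higher rank wins a conflict) and capabilities.
ROLE_RANK = {"administrator": 3, "security_app": 2, "application": 1}
ROLE_CAPABILITIES = {
    "administrator": {"allow", "drop", "redirect"},
    "security_app": {"allow", "drop"},
    "application": {"allow"},
}


def canonical(directive):
    """Stable byte encoding of the authenticated fields (source, match, action)."""
    body = {k: directive[k] for k in ("source", "match", "action")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_directive(source_id, match, action):
    """Produce a directive carrying an HMAC-SHA256 tag from the named source."""
    directive = {"source": source_id, "match": match, "action": action}
    key = SOURCES[source_id]["key"]
    directive["tag"] = hmac.new(key, canonical(directive), hashlib.sha256).hexdigest()
    return directive


def authenticate_source(directive):
    """Source authenticator: return the source's role, or None if the tag fails."""
    source = SOURCES.get(directive.get("source"))
    if source is None:
        return None
    expected = hmac.new(source["key"], canonical(directive), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, directive.get("tag", "")):
        return None
    return source["role"]


def matches_overlap(a, b):
    """Two match patterns overlap when every field present in both agrees;
    a field absent from a pattern is treated as a wildcard."""
    return all(a[f] == b[f] for f in a.keys() & b.keys())


def find_conflicts(candidate, active_policy):
    """Conflict analyzer: active directives that overlap the candidate's match
    but prescribe a different packet disposition."""
    return [d for d in active_policy
            if d["action"] != candidate["action"]
            and matches_overlap(d["match"], candidate["match"])]


def mediate(candidate, active_policy):
    """Decide whether the candidate may be instantiated at the switch.
    Returns (accepted, reason); on acceptance the directive is appended to the
    active policy with a priority derived from its source's role."""
    role = authenticate_source(candidate)
    if role is None:
        return False, "source authentication failed"
    if candidate["action"] not in ROLE_CAPABILITIES[role]:
        return False, f"role {role} lacks capability for action {candidate['action']}"
    for existing in find_conflicts(candidate, active_policy):
        # Assumption: a conflicting candidate must strictly outrank what it overrides.
        if ROLE_RANK[role] <= ROLE_RANK[existing["role"]]:
            return False, f"conflicts with {existing['role']} directive {existing['match']}"
    active_policy.append({"match": candidate["match"], "action": candidate["action"],
                          "role": role, "priority": ROLE_RANK[role]})
    return True, "instantiated"


def demo():
    """Run five constructed directives through the mediator; returns (decisions, policy)."""
    policy, results = [], []
    # 1. Security app drops all TCP/23 traffic: no active policy yet, accepted.
    results.append(mediate(sign_directive("fw-app", {"proto": "tcp", "dst_port": 23}, "drop"), policy))
    # 2. Application tries to allow one host's TCP/23 flow: overlaps #1 with a
    #    different action and ranks below security_app, so it is rejected.
    results.append(mediate(sign_directive("lb-app", {"proto": "tcp", "dst_ip": "10.0.0.5", "dst_port": 23}, "allow"), policy))
    # 3. Administrator issues the same allow: outranks security_app, accepted.
    results.append(mediate(sign_directive("admin-alice", {"proto": "tcp", "dst_ip": "10.0.0.5", "dst_port": 23}, "allow"), policy))
    # 4. Directive altered after signing: the tag no longer verifies.
    tampered = sign_directive("fw-app", {"proto": "udp", "dst_port": 53}, "allow")
    tampered["action"] = "drop"
    results.append(mediate(tampered, policy))
    # 5. Application requests an action outside its capability set.
    results.append(mediate(sign_directive("lb-app", {"proto": "tcp", "dst_port": 8080}, "drop"), policy))
    return results, policy


if __name__ == "__main__":
    for accepted, reason in demo()[0]:
        print("ACCEPT" if accepted else "REJECT", "-", reason)
```

The model keeps both the security application's drop directive and the administrator's narrower allow directive in the active policy and records a role-derived priority on each; how a switch orders overlapping entries is left to the switch, which the patent text does not specify.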
Specification