Method and Apparatus for Virtual Firewalling in a Wireless Communication Network

US 20150058966A1
Filed: 08/23/2013
Published: 02/26/2015
Est. Priority Date: 08/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method of virtual firewall management performed at a first control node in a wireless communication network that includes a Core Network, CN, and an associated Radio Access Network, RAN, said method comprising:

detecting a handover event involving handover of a wireless device from a first RAN node in the network to a second RAN node in the network, wherein an associated virtual firewall is maintained for the wireless device at the first RAN node; and

responsive to said detecting, initiating a migration of the associated virtual firewall from the first RAN node, said migration being a horizontal migration of the associated virtual firewall to the second RAN node, or being a vertical migration of the associated virtual firewall into the CN.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides example details for apparatuses and methods that manage virtual firewalls in a wireless communication network that includes a Core Network, CN, and an associated Radio Access Network, RAN. The virtual firewalls process traffic for respective wireless devices supported by the network. For example, the virtual firewall associated with a given wireless device is maintained in the RAN at the RAN node supporting the device, and is migrated from that RAN node in response to detecting a handover event involving the device. Advantageously, migration may be “horizontal,” where the associated virtual firewall is moved between nodes in the RAN, or may be “vertical,” where the associated virtual firewall is moved from the RAN to the CN.

13 Citations

View as Search Results

26 Claims

1. A method of virtual firewall management performed at a first control node in a wireless communication network that includes a Core Network, CN, and an associated Radio Access Network, RAN, said method comprising:
- detecting a handover event involving handover of a wireless device from a first RAN node in the network to a second RAN node in the network, wherein an associated virtual firewall is maintained for the wireless device at the first RAN node; and
  
  responsive to said detecting, initiating a migration of the associated virtual firewall from the first RAN node, said migration being a horizontal migration of the associated virtual firewall to the second RAN node, or being a vertical migration of the associated virtual firewall into the CN.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising selecting between horizontal migration or vertical migration of the associated virtual firewall based on evaluating at least one of mobility data for the wireless device and location data for the wireless device.
  - 3. The method of claim 2, wherein the method includes at least one of:
    - selecting vertical migration of the associated virtual firewall, if the mobility data indicates a rate or frequency of handover for the wireless device that is above a defined threshold, or indicates a speed of the wireless device that is above a defined threshold; and
      
      selecting vertical migration of the associated virtual firewall, if the location data corresponds to a service area where the network is configured to select vertical migration.
  - 4. The method of claim 2, further comprising, if vertical migration of the associated virtual firewall was selected, later determining whether to migrate the associated virtual firewall back into the RAN, based on evaluating at least one of subsequent mobility data for the wireless device and subsequent location data for the wireless device.
  - 5. The method of claim 1, further comprising selecting between horizontal migration or vertical migration of the associated virtual firewall, based on evaluating an indication of resource availability at the second RAN node.
  - 6. The method of claim 1, wherein the first control node is a first Serving Gateway, SGW, in the CN, and is configured for transferring traffic to and from wireless devices supported at least by the first RAN node.
  - 7. The method of claim 6, wherein, if the first and second RAN nodes are both associated with the first SGW, initiating horizontal migration for the associated virtual firewall comprises sending control signaling towards the first RAN node, indicating that the associated virtual firewall is to be transferred to the second RAN node.
  - 8. The method of claim 7, further comprising, until detecting that the associated virtual firewall has been activated for the wireless device at the second RAN node, temporarily tunneling post-handover traffic involving the wireless device through the first RAN node, for processing of the post-handover traffic via a copy of the associated virtual firewall, as retained at the first RAN node.
  - 9. The method of claim 1, wherein, if the first RAN node is associated with the first SGW and the second RAN node is associated with a second SGW as a second control node in the network, initiating horizontal migration of the associated virtual firewall comprises sending control signaling towards the first RAN node, indicating that the associated virtual firewall to be transferred to the first SGW, and then transferring the associated virtual firewall from the first SGW to the second SGW.
  - 10. The method of claim 9, further comprising, until detecting that the associated virtual firewall has been activated for the wireless device at the second RAN node, temporarily tunneling post-handover traffic involving the wireless device through the first SGW and the first RAN node, for processing of the post-handover traffic via a copy of the associated virtual firewall as retained at the first SGW or at the first RAN node.
  - 11. The method of claim 1, deciding whether to initiate the migration as a horizontal migration or as a vertical migration based on one or more of:
    - mobility of the wireless device;
      
      resource usage at the RAN node that would be targeted in the horizontal migration; and
      
      resource usage at the CN node that would be targeted in the vertical migration.

12. A first control node configured for virtual firewall management in a wireless communication network that includes a Core Network, CN, and an associated Radio Access Network, RAN, said first control node comprising:
- a communication interface configured for communicating with a first RAN node in the network;
  
  a processing circuit that is operatively associated with the communication interface and configured to;
  
  detect a handover event involving handover of a wireless device from-the first RAN node in the network to a second RAN node in the network, wherein an associated virtual firewall is maintained for the wireless device at the first RAN node; and
  
  responsive to said detecting, initiate a migration of the associated virtual firewall from the first RAN node, said migration being a horizontal migration of the associated virtual firewall to the second RAN node, or being a vertical migration of the associated virtual firewall into-the CN.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The first control node of claim 12, wherein the processing circuit is configured to select between horizontal migration or vertical migration of the associated virtual firewall based on evaluating at least one of mobility data for the wireless device and location data for the wireless device.
  - 14. The first control node of claim 13, wherein the processing circuit is configured to perform at least one of the following operations:
    - select vertical migration of the associated virtual firewall, if the mobility data indicates a rate or frequency of handover for the wireless device that is above a defined threshold, or indicates a speed of the wireless device that is above a defined threshold; and
      
      select vertical migration of the associated virtual firewall, if the location data corresponds to a service area where the network is configured to select vertical migration.
  - 15. The first control node of claim 13, wherein, if vertical migration of the associated virtual firewall was-selected, the processing circuit is-configured to later determine whether to migrate the associated virtual firewall back-into the RAN, based on evaluating at least one of subsequent mobility data for the wireless device and subsequent location data for the wireless device.
  - 16. The first control node of claim 12, wherein the first control node is a first Serving Gateway, SGW, in the CN, and is configured for transferring traffic to and from wireless devices supported at least by the first RAN node.
  - 17. The first control node of claim 16, wherein, if the first and second RAN nodes are both associated with the first SGW, horizontal migration of the associated virtual firewall is initiated by the processing circuit by sending control signaling towards the first RAN node, indicating that the associated virtual firewall is to be transferred to the second RAN node.
  - 18. The first control node of claim 16, wherein the processing circuit is configured to temporarily tunnel post-handover traffic involving the wireless device through the first SGW and the first RAN node, for processing of the post-handover traffic via a copy of the associated virtual firewall as retained at the first SGW or at the first RAN node, until detecting that the associated virtual firewall has been activated for the wireless device at the second RAN node.
  - 19. The first control node of claim 12, wherein, for horizontal migration, if the first RAN node is associated with the first SGW and the second RAN node is associated with a second SGW as a second control node in the network, the processing circuit is-configured to initiate the horizontal migration by sending control signaling towards the first RAN node, indicating that the associated virtual firewall is to be transferred to the first SGW, and to then transfer the associated virtual firewall from the first SGW to the second SGW.
  - 20. The first control node of claim 19, wherein the processing circuit is configured to temporarily tunnel post-handover traffic involving the wireless device through the first SGW and the first RAN node, for processing of the post-handover traffic via a copy of the associated virtual firewall as retained at the first SGW or at the first RAN node, until detecting that the associated virtual firewall has been activated for the wireless device at the second RAN node.

21. A method of virtual firewall management performed at a first Radio Access Network, RAN, node operating in a RAN of a wireless communication network that further includes an associated Core Network, CN, said method comprising:
- maintaining an associated virtual firewall for a wireless device served by the first RAN node;
  
  receiving transfer initiation signaling from a control node in the network, indicating that the associated virtual firewall is to be migrated, said migration being horizontally to a second RAN node in the network, or vertically to the CN; and
  
  transferring the associated virtual firewall in accordance with the transfer initiation signaling.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, wherein transferring the associated virtual firewall in accordance with the transfer initiation signaling comprises transferring a copy of the associated virtual firewall according to a then-existing state of the associated virtual firewall.
  - 23. The method of claim 21, further comprising continuing to apply the associated virtual firewall to post-handover traffic involving the wireless device that is tunneled between the second RAN node and the CN through the first RAN node, at least until receiving an indication that the associated virtual firewall is activated for the wireless device at the second RAN node.

24. A first Radio Access Network, RAN, node configured for virtual firewall management in a wireless communication network that further includes an associated Core Network, CN, said first RAN node comprising:
- a communication interface configured for communicating with a control node in the network and with a wireless device served by the first RAN node;
  
  a processing circuit that is operatively associated with the communication interface and configured to;
  
  maintain an associated virtual firewall for the wireless device;
  
  receive transfer initiation signaling from the control node in the network, indicating that the associated virtual firewall is to be migrated, said migration being horizontally to a second RAN node in the network, or vertically to the CN; and
  
  transfer the associated virtual firewall in accordance with the transfer initiation signaling.

25. A method of virtual firewall management performed at a second Radio Access Network, RAN, node operating in a RAN of a wireless communication network that-further includes an associated Core Network, CN, said method comprising:
- receiving an associated virtual firewall for a wireless device, from a first RAN node, or from an associated control node in the CN;
  
  the associated virtual firewall at the second RAN node for processing traffic for the wireless device according to the associated virtual firewall; and
  
  sending an indication of said activation to the first RAN node, or to the associated control node.
- View Dependent Claims (26)
- - 26. The method of claim 25, wherein the associated virtual firewall is received in conjunction with the wireless device being handed over from the first RAN node to the second RAN node, and wherein the method includes exchanging post-handover traffic between the wireless device and the CN via the first RAN node, at least until performing said steps of activating and sending.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Pourzandi, Makan, Zhu, Zhongwen

Granted Patent

US 9,882,874 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

G06F 9/45558   Hypervisor-specific managem...

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04W 12/088   using filters or firewalls

H04W 36/0038   of security context informa...

Method and Apparatus for Virtual Firewalling in a Wireless Communication Network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Virtual Firewalling in a Wireless Communication Network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links