METHODS AND APPARATUS TO PROVIDE A DISTRIBUTED FIREWALL IN A NETWORK

US 20150326532A1
Filed: 05/06/2014
Published: 11/12/2015
Est. Priority Date: 05/06/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

identifying, at a control plane, a network traffic rule to implement in a network;

determining, at the control plane, a distributed firewall for a first firewall in the network to enforce the network traffic rule;

instructing, using the control plane, a first software-defined networking node to instantiate the first firewall of the distributed firewall;

configuring a second software-defined networking node to route network traffic through the first firewall; and

instructing the first software-defined networking node to enforce the network traffic rule.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus to provide a distributed firewall in a network are disclosed. An example method includes identifying, at a control plane, a network traffic rule to implement in a network; determining, at the control plane, a distributed firewall for a first firewall in the network to enforce the network traffic rule; instructing, using the control plane, a first software-defined networking node to instantiate the first firewall of the distributed firewall; configuring a second software-defined networking node to route network traffic through the first firewall; and instructing the first software-defined networking node to enforce the network traffic rule.

Citations

20 Claims

1. A method, comprising:
- identifying, at a control plane, a network traffic rule to implement in a network;
  
  determining, at the control plane, a distributed firewall for a first firewall in the network to enforce the network traffic rule;
  
  instructing, using the control plane, a first software-defined networking node to instantiate the first firewall of the distributed firewall;
  
  configuring a second software-defined networking node to route network traffic through the first firewall; and
  
  instructing the first software-defined networking node to enforce the network traffic rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as defined in claim 1, wherein instructing the first software-defined networking node to instantiate the first firewall comprises instructing the first software-defined networking node to instantiate a virtual machine to implement a firewall software application.
  - 3. The method as defined in claim 2, further comprising instructing a third software-defined networking node to modify a first firewall policy of a second firewall at the third software-defined networking node to enforce the network traffic rule.
  - 4. The method as defined in claim 3, wherein instructing the third software-defined networking node comprises instructing the third software-defined networking node to execute the second firewall using the first firewall policy, and instructing the first software-defined networking node to enforce the network traffic rule comprises instructing the first software-defined networking node to execute the first firewall using a second firewall policy, the first firewall policy being independent from the second firewall policy.
  - 5. The method as defined in claim 3, wherein the first and second firewalls are part of the distributed firewall.
  - 6. The method as defined in claim 1, further comprising:
    - identifying, at the control plane, a change to the network traffic rule to implement in the network;
      
      identifying, at the control plane, a set of software-defined networking nodes on which firewalls of the distributed firewall are implemented; and
      
      transmitting instructions from the control plane to the set of software-defined networking nodes to cause the firewalls to implement the change to the network traffic rule, the instructions to the software-defined networking nodes in the set being respectively customized for the firewall to which the instructions are transmitted.
  - 7. The method as defined in claim 1, wherein determining the distributed firewall for the network to enforce the network traffic rule comprises:
    - determining, at the control plane, a portion of the network to which the network traffic rule is to be applied;
      
      identifying, at the control plane, software-defined networking nodes in the network to serve the portion of the network;
      
      transmitting instructions to a first portion of the identified software-defined networking nodes to cause the first portion of the identified software-defined networking nodes to instantiate respective firewall software applications; and
      
      transmitting instructions to the identified software-defined networking nodes to cause the identified software-defined networking nodes to implement the traffic rule via respective firewall software applications.

8. A software-defined networking node, comprising:
- a processor; and
  
  a memory comprising computer readable instructions which, when executed, cause the processor to perform operations, the operations comprising;
  
  identifying a network traffic rule to implement in a network;
  
  determining a distributed firewall for a first firewall in the network to enforce the network traffic rule;
  
  instructing a first software-defined networking node to instantiate the first firewall of the distributed firewall;
  
  configuring a second software-defined networking node to route network traffic through the first firewall; and
  
  instructing the first software-defined networking node to enforce the network traffic rule.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The networking node as defined in claim 8, wherein the instructions are to cause the processor to instruct the first software-defined networking node to instantiate the first firewall comprises instructing the first software-defined networking node to instantiate a virtual machine to implement a firewall software application.
  - 10. The networking node as defined in claim 9, wherein the instructions are further to cause the processor to instruct a third software-defined networking node to modify a first firewall policy of a second firewall at the third software-defined networking node to enforce the network traffic rule.
  - 11. The networking node as defined in claim 10, wherein instructing the third software-defined networking node comprises instructing the third software-defined networking node to execute the second firewall using the first firewall policy, and instructing the first software-defined networking node to enforce the network traffic rule comprises instructing the first software-defined networking node to execute the first firewall using a second firewall policy, the first firewall policy being independent from the second firewall policy.
  - 12. The networking node as defined in claim 8, wherein instructing the first software-defined networking node comprises instructing an edge network node.
  - 13. The networking node as defined in claim 8, wherein the instructions are further to cause the processor to:
    - identify a change to the network traffic rule to implement in the network;
      
      identify a set of software-defined networking nodes on which firewalls of the distributed firewall are implemented; and
      
      transmit instructions to the set of software-defined networking nodes to cause the firewalls to implement the change to the network traffic rule, the instructions to the software-defined networking nodes in the set being respectively customized for the firewall to which the instructions are transmitted.
  - 14. The networking node as defined in claim 8, wherein the instructions are to cause the processor to determine the distributed firewall for the network to enforce the network traffic rule by:
    - determining a portion of the network to which the network traffic rule is to be applied;
      
      identifying software-defined networking nodes in the network to serve the portion of the network;
      
      transmitting instructions to a first portion of the identified software-defined networking nodes to cause the first portion of the identified software-defined networking nodes to instantiate respective firewall software applications; and
      
      transmitting instructions to the identified software-defined networking nodes to cause the identified software-defined networking nodes to implement the traffic rule via respective firewall software applications.

15. A computer readable storage medium comprising computer readable instructions which, when executed, cause a processor of a software-defined networking node to perform operations comprising:
- identifying a network traffic rule to implement in a network;
  
  determining a distributed firewall for a first firewall in the network to enforce the network traffic rule;
  
  instructing a first software-defined networking node to instantiate the first firewall of the distributed firewall;
  
  configuring a second software-defined networking node to route network traffic through the first firewall; and
  
  instructing the first software-defined networking node to enforce the network traffic rule.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The storage medium as defined in claim 15, wherein the instructions are to cause the processor to instruct the first software-defined networking node to instantiate the first firewall comprises instructing the first software-defined networking node to instantiate a virtual machine to implement a firewall software application.
  - 17. The storage medium as defined in claim 16, wherein the instructions are further to cause the processor to instruct a third software-defined networking node to modify a first firewall policy of a second firewall at the third software-defined networking node to enforce the network traffic rule.
  - 18. The storage medium as defined in claim 17, wherein instructing the third software-defined networking node comprises instructing the third software-defined networking node to execute the second firewall using the first firewall policy, and instructing the first software-defined networking node to enforce the network traffic rule comprises instructing the first software-defined networking node to execute the first firewall using a second firewall policy, the first firewall policy being independent from the second firewall policy.
  - 19. The storage medium as defined in claim 15, wherein the instructions are further to cause the processor to:
    - identify a change to the network traffic rule to implement in the network;
      
      identify a set of software-defined networking nodes on which firewalls of the distributed firewall are implemented; and
      
      transmit instructions to the set of software-defined networking nodes to cause the firewalls to implement the change to the network traffic rule, the instructions to the software-defined networking nodes in the set being respectively customized for the firewall to which the instructions are transmitted.
  - 20. The storage medium as defined in claim 15, wherein the instructions are to cause the processor to determine the distributed firewall for the network to enforce the network traffic rule by:
    - determining a portion of the network to which the network traffic rule is to be applied;
      
      identifying software-defined networking nodes in the network to serve the portion of the network;
      
      transmitting instructions to a first portion of the identified software-defined networking nodes to cause the first portion of the identified software-defined networking nodes to instantiate respective firewall software applications; and
      
      transmitting instructions to the identified software-defined networking nodes to cause the identified software-defined networking nodes to implement the traffic rule via respective firewall software applications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Grant, Dustin, Gupta, Sandeep, Satterlee, Michael J., Narahari, Sridhar

Granted Patent

US 9,674,147 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

METHODS AND APPARATUS TO PROVIDE A DISTRIBUTED FIREWALL IN A NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND APPARATUS TO PROVIDE A DISTRIBUTED FIREWALL IN A NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links