PROVIDING A FAST PATH BETWEEN TWO ENTITIES

US 20160205071A1
Filed: 12/10/2013
Published: 07/14/2016
Est. Priority Date: 09/23/2013
Status: Active Grant

First Claim

Patent Images

1-25. -25. (canceled)

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure combines Software Defined Networks (SDN) concepts with Security concepts. The coordination between SDN and Security provides a myriad of advantageous use cases. One exemplary use case involves providing a fast path at network speeds using SDN by routing network traffic to bypass a security appliance once the security appliance determines that the security appliance no longer needs to inspect the network traffic. Another exemplary use case involves remote provisioning of security zones.

128 Citations

49 Claims

1-25. -25. (canceled)

26. At least one machine readable non-transitory storage medium having instructions stored thereon for providing network security in a software defined network (SDN) environment, wherein the instructions when executed by at least one processor cause the at least one processor to perform the following operations:
- providing control logic by one or more SDN controllers, wherein routing of network traffic using one or more SDN switches in the SDN environment is controlled by the control logic;
  
  receiving one or more security policies for the SDN environment from a security appliance at the one or more SDN controllers, wherein the one or more security policies specify one or more of the following;
  
  security zone(s), network access right(s), data access right(s), insertion of a security appliance, and removal of a security appliance; and
  
  in response to receiving the one or more security policies, reconfiguring the control logic using the one or more SDN controllers according to the one or more security policies received from the security appliance.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 27. The at least one machine readable storage medium of claim 26, wherein:
    - providing the control logic comprises configuring a first route between a first node and a second node in the SDN environment for carrying network traffic of a data flow, wherein the first route traverses through the security appliance for scanning the network traffic;
      
      the one or more security policies comprises information indicating that the data flow no longer requires scanning by the security appliance; and
      
      reconfiguring the control logic for the SDN environment comprises providing, using the one or more SDN controllers, a second route between the first node and the second node, wherein the second route bypasses the security appliance.
  - 28. The at least one machine readable storage medium of claim 27, wherein the second route is better than the first route according to one or more metrics.
  - 29. The at least one machine readable storage medium of claim 26, wherein:
    - the one or more security policies comprises information indicating that a data flow between a first node and a second node requires scanning by a security appliance; and
      
      reconfiguring the control logic for the SDN environment comprises providing, using the SDN controller, a route between the first node and the second node, wherein the route traverses through the security appliance for added security in response to receiving the one or more security policies.
  - 30. The at least one machine readable storage medium of claim 26, wherein the security appliance is configured to packet(s) in the data flow at one or more of the following layers:
    - (1) physical layer, (2) data link layer, (3) network layer, (4) transport layer, (5) session layer, (6) presentation layer, and (7) application layer.
  - 31. The at least one machine readable storage medium of claim 26, wherein:
    - the control logic by the one or more SDN controllers comprises logic for determining one or more flow table entries for configuring flow table(s) of the one or more SDN switches.
  - 32. The at least one machine readable storage medium of claim 26, wherein:
    - the security appliance is integrated with the one or more SDN controllers; and
      
      the SDN controller is integrated with or communicably connected to the one or more SDN switches.
  - 33. The at least one machine readable storage medium of claim 26, wherein:
    - the security appliance is communicably connected to the one or more SDN controllers remote from the security appliance; and
      
      the one or more SDN controllers is integrated with or communicably connected to the one or more SDN switches.
  - 34. The at least one machine readable storage medium of claim 26, wherein at least one of the one or more SDN switches is configured to rewrite one or more fields of packets of the network traffic to indicate to the security appliance the switch port or security zone the packet was originally received and/or to direct the packets to bypass the security appliance.
  - 35. The at least one machine readable storage medium of claim 26, wherein:
    - providing the control logic comprises configuring a first route between a client and a server in the SDN environment for carrying network traffic of a data flow between the client and the server, wherein the first route traverses through the security appliance, and the security appliance comprises a proxy that terminates the data flow;
      
      the one or more security policies comprises information indicating that the data flow is allowed and/or the data flow no longer needs to traverse through the proxy; and
      
      reconfiguring the control logic for the SDN environment comprises providing, using the one or more SDN controller, a second route between the client and the server though a particular one of the one or more SDN switches in the SDN environment, wherein the second route bypasses the proxy.
  - 36. The at least one machine readable storage medium of claim 26, wherein the operations further comprise:
    - transmitting, by the one or more SDN controllers to the particular one of the one or more SDN switches, Transport Control Protocol (TCP) information for the data flow in response to receiving the information indicating that the data flow is allowed, wherein the TCP information comprises one or more of the following;
      
      (a) TCP Sequence of client flow;
      
      (b) TCP Ack of client flow;
      
      (c) TCP Sequence of server flow; and
      
      (d) TCP Ack of server flow.
  - 37. The at least one machine readable storage medium of claim 26, wherein:
    - the particular one of the one or more SDN switches, is configured to calculate an offset based on the TCP information provided by the one or more SDN controllers and to add the offset to TCP Sequence and TCP Ack numbers as packets are passed through the particular one of the one or more SDN switches.
  - 38. The at least one machine readable storage medium of claim 26, wherein:
    - the one or more security policies for the SDN environment from the security appliance indicates a particular amount of network data can bypass the security appliance or the particular amount of network traffic must traverse the security appliance;
      
      the particular amount of network data is measurable by a particular number of units of data, a particular number of bytes, or a particular number of protocol data units as measured at any one of the Open Systems Interconnection layers; and
      
      one or more SDN switches in the SDN environment is configured to (1) after the particular amount of network traffic has bypassed the security appliance, route subsequent network traffic through the security appliance, or (2) after routing the particular amount of network traffic through the security appliance, route the subsequent network traffic such that the security appliance is bypassed.
  - 39. The at least one machine readable storage medium of claim 26, wherein:
    - providing the control logic comprises configuring security zones in the SDN environment for carrying network traffic, wherein the security zones provide different levels of security for network and data access;
      
      the one or more security policies comprises information which adds, removes, and/or modifies the security zones; and
      
      reconfiguring the control logic for the SDN environment comprises reconfiguring, using the one or more SDN controllers, the security zones according to the one or more security policies.
  - 40. The at least one machine readable storage medium of claim 26, wherein:
    - the one or more security policies comprises information indicating that a host belongs to a particular security zone; and
      
      reconfiguring the control logic for the SDN environment comprises (1) adding, using the one or more SDN controllers, the particular security zone to the SDN environment, and/or (2) adding, using the one or more SDN controllers, the host to the particular security zone, in response to receiving the one or more security policies.

41. At least one machine readable non-transitory storage medium having instructions stored thereon for providing network security in a software defined network (SDN) environment, wherein the instructions when executed by at least one processor cause the at least one processor to perform the following operations:
- receiving one or more flow table entries for one or more flow tables for routing or switching network traffic at a SDN switch from one or more SDN controllers, wherein the one or more SDN controllers are configured with control logic which controls routing of network traffic through one or more SDN switches in the SDN environment using the one or more flow table entries, wherein the control logic is configured to implement one or more security policies for the SDN environment provided by a security appliance to the one or more SDN controllers, and wherein the one or more security policies specify one or more of the following;
  
  security zone(s), network access right(s), data access right(s), insertion of a security appliance, and removal of a security appliance; and
  
  in response to receiving the one or more flow table entries, reconfiguring the one or more flow tables according to the flow entries received from the SDN controller in accordance with the one or more security policies.
- View Dependent Claims (42, 43, 44, 45)
- - 42. The at least one machine readable non-transitory storage medium of claim 41, wherein the operations further comprise:
    - rewriting one or more fields of packets of the network traffic to indicate to the security appliance the switch port or security zone the packet was originally received and/or to direct the packets to bypass the security appliance according to the one or more flow tables.
  - 43. The at least one machine readable non-transitory storage medium of claim 41, wherein the operations further comprise:
    - receiving, from the one or more SDN controllers at the SDN switch, Transport Control Protocol (TCP) information for the data flow in response to receiving the information indicating that the data flow is allowed, wherein the TCP information comprises one or more of the following;
      
      (e) TCP Sequence of client flow;
      
      (f) TCP Ack of client flow;
      
      (g) TCP Sequence of server flow; and
      
      (h) TCP Ack of server flow.
  - 44. The at least one machine readable storage medium of claim 41, wherein the operations further comprise:
    - calculating an offset based on the TCP information provided by the one or more SDN controllers and to add the offset to TCP Sequence and TCP Ack numbers as packets are passed through the particular one of the one or more SDN switches.
  - 45. The at least one machine readable storage medium of claim 41, wherein:
    - the one or more security policies for the SDN environment from the security appliance indicates network traffic for a particular number of bytes of network traffic can bypass the security appliance or the particular number of bytes of network traffic must traverse the security appliance; and
      
      the operations further comprises;
      
      receiving from the SDN controller one or more flow entries conditioned on the particular number of bytes of network traffic or a number of units of data as measured at any one of the Open Systems Interconnection layers; and
      
      routing network traffic, after the particular number of bytes of network traffic has bypassed the security appliance, back to the security appliance.

46. An apparatus for providing network security in a software defined network (SDN) environment, the apparatus comprising:
- at least one memory element;
  
  at least one processor coupled to the at least one memory element;
  
  one or more SDN controllers that when executed by the at least one processor is configured to;
  
  provide control logic by one or more SDN controllers, wherein routing of network traffic using one or more SDN switches in the SDN environment is controlled by the control logic;
  
  receive one or more security policies for the SDN environment from a security appliance at the one or more SDN controllers, wherein the one or more security policies specify one or more of the following;
  
  security zone(s), network access right(s), data access right(s), insertion of a security appliance, and removal of a security appliance; and
  
  in response to receiving the one or more security policies, reconfigure the control logic using the one or more SDN controllers according to the one or more security policies received from the security appliance.
- View Dependent Claims (47)
- - 47. The apparatus of claim 46, wherein:
    - providing the control logic comprises configuring a first route between a first node and a second node in the SDN environment for carrying network traffic of a data flow, wherein the first route traverses through the security appliance for scanning the network traffic;
      
      the one or more security policies comprises information indicating that the data flow no longer requires scanning by the security appliance; and
      
      reconfiguring the control logic for the SDN environment comprises providing, using the one or more SDN controllers, a second route between the first node and the second node, wherein the second route bypasses the security appliance.

48. An apparatus for providing network security in a software defined network (SDN) environment, the apparatus comprising:
- at least one memory element;
  
  at least one processor coupled to the at least one memory element; and
  
  a SDN switching module that when executed by the at least one processor is configured to;
  
  receive one or more flow table entries for one or more flow tables for routing or switching network traffic at a SDN switch from one or more SDN controllers, wherein the one or more SDN controllers are configured with control logic which controls routing of network traffic through one or more SDN switches in the SDN environment using the one or more flow table entries, wherein the control logic is configured to implement one or more security policies for the SDN environment provided by a security appliance to the one or more SDN controllers, and wherein the one or more security policies specify one or more of the following;
  
  security zone(s), network access right(s), data access right(s), insertion of a security appliance, and removal of a security appliance; and
  
  in response to receiving the one or more flow table entries, reconfigure the one or more flow tables according to the flow entries received from the SDN controller in accordance with the one or more security policies.
- View Dependent Claims (49)
- - 49. The apparatus of claim 48, wherein the operations further comprise:
    - rewriting one or more fields of packets of the network traffic to indicate to the security appliance the switch port or security zone the packet was originally received and/or to direct the packets to bypass the security appliance according to the one or more flow tables.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
COOPER, Geoffrey Howard, GUZIK, John Richard

Granted Patent

US 10,587,576 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 12/6418   Hybrid transport

H04L 49/3009   Header conversion, routing ...

H04L 49/70   Virtual switches

H04L 63/0209   Architectural arrangements,...

H04L 63/0236   Filtering by address, proto...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

PROVIDING A FAST PATH BETWEEN TWO ENTITIES

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

128 Citations

49 Claims

Specification

Use Cases

Quick Links

Others

PROVIDING A FAST PATH BETWEEN TWO ENTITIES

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

128 Citations

49 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others