SYSTEM AND METHOD FOR NETWORK POLICY SIMULATION
First Claim
1. A method comprising:
- receiving a network traffic from a first endpoint group of a network destined for a second endpoint group of the network;
- capturing first network flow data between the first endpoint group and the second endpoint group based at least in part by enforcing a first network policy of the network with respect to the network traffic;
- receiving a request to simulate enforcement of a second network policy between the first endpoint group and the second endpoint group;
- determining second network flow data between the first endpoint group and the second endpoint group by simulating enforcement of the second network policy with respect to the network traffic; and
- providing an indication whether to enforce the second network policy based at least in part on the second network flow data.
Abstract
This disclosure generally relates to a method and system for network policy simulation in a distributed computing system. The present technology relates to techniques that enable simulation of a new network policy with regard to its effects on the network data flow. By enabling a simulation data flow that runs in parallel to, and independently of, the regular data flow, the present technology can provide optimized network security management with improved efficiency.
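As an added illustration (not code from the patent or its assignee), the following Python model walks through the claimed sequence: flow data is captured under the policy in force, the candidate policy is evaluated over the same traffic on a parallel path that blocks nothing, and the verdict difference drives the enforce/do-not-enforce indication. The rule format, first-match default-deny evaluation, sample traffic and the decision rule ("enforce only if no currently allowed flow would break") are all assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample traffic between two endpoint groups (src EPG, dst EPG, proto, port);
# example data for this illustration, not taken from the patent.
TRAFFIC = [
    ("web", "db", "tcp", 3306), ("web", "db", "tcp", 3306),
    ("web", "db", "tcp", 22), ("web", "db", "udp", 53), ("web", "db", "tcp", 443),
]

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str    # protocol name or "*" for any
    port: object  # port number or "*" for any
    action: str   # "allow" or "deny"

def evaluate(policy, flow):
    """First-match rule lookup; a flow matching no rule is denied (assumed default-deny)."""
    src, dst, proto, port = flow
    for r in policy:
        if (r.src, r.dst) == (src, dst) and r.proto in ("*", proto) and r.port in ("*", port):
            return r.action
    return "deny"

def flow_data(policy, traffic):
    """Count each (flow, verdict) pair: the flow data captured (or simulated) under a policy."""
    return Counter((flow, evaluate(policy, flow)) for flow in traffic)

def simulate(current, candidate, traffic):
    """Evaluate the candidate over the same traffic on a parallel path and diff the verdicts."""
    first = flow_data(current, traffic)      # what the enforced policy actually did
    second = flow_data(candidate, traffic)   # what the candidate would do; nothing is blocked
    newly_denied = {f: n for (f, a), n in second.items() if a == "deny" and (f, "allow") in first}
    newly_allowed = {f: n for (f, a), n in second.items() if a == "allow" and (f, "deny") in first}
    # Assumed decision rule: safe to enforce only if no currently working flow would break.
    return {"newly_denied": newly_denied, "newly_allowed": newly_allowed,
            "recommend_enforce": not newly_denied}

CURRENT_POLICY = [Rule("web", "db", "*", "*", "allow")]          # permissive policy in force
CANDIDATE_POLICY = [Rule("web", "db", "tcp", 3306, "allow"),     # proposed tightening
                    Rule("web", "db", "udp", 53, "allow"),
                    Rule("web", "db", "*", "*", "deny")]

if __name__ == "__main__":
    print(simulate(CURRENT_POLICY, CANDIDATE_POLICY, TRAFFIC))
```

The report lists the flows (with hit counts) that the candidate would newly deny or allow, so an operator can see which existing communication the tightening would cut before it is enforced.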
20 Claims
1. A method comprising the steps recited under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A system comprising:
- one or more processors; and
- memory including instructions that, upon being executed by the one or more processors, cause the system to:
  - receive a network traffic from a first endpoint group of a network destined for a second endpoint group of the network;
  - capture first network flow data between the first endpoint group and the second endpoint group based at least in part by enforcing a first network policy of the network with respect to the network traffic;
  - receive a request to simulate enforcement of a second network policy between the first endpoint group and the second endpoint group;
  - determine second network flow data between the first endpoint group and the second endpoint group by simulating enforcement of the second network policy with respect to the network traffic; and
  - provide an indication whether to enforce the second network policy based at least in part on the second network flow data.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. A non-transitory computer-readable storage medium having stored therein instructions that, upon being executed by a processor, cause the processor to:
- receive a network traffic from a first endpoint group of a network destined for a second endpoint group of the network;
- capture first network flow data between the first endpoint group and the second endpoint group based at least in part by enforcing a first network policy of the network with respect to the network traffic;
- receive a request to simulate enforcement of a second network policy between the first endpoint group and the second endpoint group;
- determine second network flow data between the first endpoint group and the second endpoint group by simulating enforcement of the second network policy with respect to the network traffic; and
- provide an indication whether to enforce the second network policy based at least in part on the second network flow data.
Dependent claims: 17, 18, 19, 20.