System and method for securing virtualized networks

US 8,931,046 B2
Filed: 03/15/2013
Issued: 01/06/2015
Est. Priority Date: 10/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method of securing a dynamic virtualized network, the method comprising:

learning, with a network automation device, a current network policy of the dynamic virtualized network by analyzing membership requests communicated to the dynamic virtualized network, wherein a membership request is selected from the group consisting of a request to join the dynamic virtualized network and a request to drop from the dynamic virtualized network, the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network, the current network policy includes a first plurality of network policy elements, each of the first plurality of network policy elements identifies an authorized endpoint in the dynamic virtualized network, and the layer 3 physical network includes a plurality of network access devices;

determining a network security policy for the dynamic virtualized network from the current network policy, wherein the network security policy includes one or more second network policy elements that is a different network policy element than one of the plurality of first network policy elements of the current network policy, and each of the one or more second network policy network elements adds an additional policy on how network traffic in the dynamic virtualized network is processed by a port of one of the plurality of network access devices; and

applying the network security policy to each network access device of the plurality of network access devices that is affected by the network security policy.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy. In addition, each of the one or more second network policy network elements adds an additional policy on how network traffic is processed in the dynamic virtualized network by a port of one of the plurality of network access devices. The device further applies the network security policy to each network access device that is affected by the network security policy.

Citations

31 Claims

1. A method of securing a dynamic virtualized network, the method comprising:
- learning, with a network automation device, a current network policy of the dynamic virtualized network by analyzing membership requests communicated to the dynamic virtualized network, wherein a membership request is selected from the group consisting of a request to join the dynamic virtualized network and a request to drop from the dynamic virtualized network, the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network, the current network policy includes a first plurality of network policy elements, each of the first plurality of network policy elements identifies an authorized endpoint in the dynamic virtualized network, and the layer 3 physical network includes a plurality of network access devices;
  
  determining a network security policy for the dynamic virtualized network from the current network policy, wherein the network security policy includes one or more second network policy elements that is a different network policy element than one of the plurality of first network policy elements of the current network policy, and each of the one or more second network policy network elements adds an additional policy on how network traffic in the dynamic virtualized network is processed by a port of one of the plurality of network access devices; and
  
  applying the network security policy to each network access device of the plurality of network access devices that is affected by the network security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the dynamic virtualized network is a Virtual eXtensible Local Area Network.
  - 3. The method of claim 1, wherein the network security policy is further determined from a topology of dynamic virtualized network.
  - 4. The method of claim 1, wherein the additional policy is a multicast join filter that passes a multicast join request on a port of a network access device that has an authorized endpoint associated with that port.
  - 5. The method of claim 1, wherein the additional policy is a multicast join filter that drops a multicast join request on a port of a network access device that does not have an authorized endpoint associated with that port.
  - 6. The method of claim 1, wherein the additional policy is an access control list on a port of a network access device that that has an authorized endpoint associated with that port, the access control list to pass network traffic that includes an identification associated with the authorized endpoint.
  - 7. The method of claim 6, wherein the identification is a Virtual eXtensible Local Area Network Network Identifier.
  - 8. The method of claim 1, wherein the additional policy is an access control list on a port of a network access device that has an authorized endpoint associated with that port, the access control list to drop network traffic that does not include an identification associated with the authorized endpoint.
  - 9. The method of claim 1, wherein the additional policy is an access control list on a port of a network access device that does not have an authorized endpoint with that port, the access control list to drop network traffic that is encapsulated for the dynamic virtualized network.
  - 10. The method of claim 1, wherein a network access device is selected from the group consisting of a switch and a router.

11. A non-transitory machine-readable medium having executable instructions to cause one or more processing units to perform a method to test a network policy of a dynamic virtualized network, the method comprising:
- learning a network policy of the dynamic virtualized network by analyzing membership request communicated to the dynamic virtualized network, wherein a membership request is selected from the group consisting of a request to join the dynamic virtualized network and a request to drop from the dynamic virtualized network, the dynamic virtualized network is a virtualized layer 2 network that is overlaid over a layer 3 physical network, the network policy includes a first plurality of network policy elements, each of the first plurality of network policy elements identifies an authorized endpoint in the dynamic virtualized network, and the layer 3 physical network includes a plurality of network access devices;
  
  injecting test traffic at one of the plurality of network access devices, the test traffic configured to test a security of the dynamic virtualized network by being communicated in the dynamic virtualized network;
  
  detecting an appearance of the test traffic at different one of the plurality of network access devices; and
  
  determining if the appearance of the test traffic at the different one of the plurality of network access devices is in violation of the network policy.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The non-transitory machine-readable medium of claim 11, wherein the dynamic virtualized network is a Virtual eXtensible Local Area Network (VXLAN).
  - 13. The non-transitory machine-readable medium of claim 12, wherein the test traffic is VXLAN encapsulated traffic.
  - 14. The non-transitory machine-readable medium of claim 13, wherein the test traffic includes a VXLAN network identifier, wherein the VXLAN network identifier for the test traffic is one that the one of the plurality of network access devices is configured to forward.
  - 15. The non-transitory machine-readable medium of claim 13, wherein the test traffic includes a VXLAN network identifier, wherein the VXLAN network identifier for the test traffic is one that the one of the plurality of network access devices is configured to not forward.
  - 16. The non-transitory machine-readable medium of claim 11, wherein the network security policy is further determined from a topology of dynamic virtualized network.

17. A non-transitory machine-readable medium having executable instructions to cause one or more processing units to perform a method of securing a dynamic virtualized network, the method comprising:
- learning a current network policy of the dynamic virtualized network by analyzing membership request communicated to the dynamic virtualized network, wherein a membership request is selected form the group consisting of a request to join the dynamic virtualized network and a request to drop from the dynamic virtualized network, the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network, the current network policy includes a first plurality of network policy elements, each of the first plurality of network policy elements identifies an authorized endpoint in the dynamic virtualized network, and the layer 3 physical network includes a plurality of network access devices;
  
  determining a network security policy for the dynamic virtualized network from the current network policy, wherein the network security policy includes one or more second network policy elements that is a different network policy element than one of the plurality of first network policy elements of the current network policy, and each of the one or more second network policy network elements adds an additional policy on how network traffic in the dynamic virtualized network is processed by a port of one of the plurality of network access devices; and
  
  applying the network security policy to each network access device of the plurality of network access devices that is affected by the network security policy.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 31)
- - 18. The non-transitory machine-readable medium of claim 17, wherein the dynamic virtualized network is a Virtual eXtensible Local Area Network.
  - 19. The non-transitory machine-readable medium of claim 17, wherein the network security policy is further determined from a topology of dynamic virtualized network.
  - 20. The non-transitory machine-readable medium of claim 17, wherein the additional policy is a multicast join filter that passes a multicast join request on a port of a network access device that has an authorized endpoint associated with that port.
  - 21. The non-transitory machine-readable medium of claim 17, wherein the additional policy is a multicast join filter that drops a multicast join request on a port of a network access device that does not have an authorized endpoint associated with that port.
  - 22. The non-transitory machine-readable medium of claim 17, wherein the additional policy is an access control list on a port of a network access device that that has an authorized endpoint associated with that port, the access control list to pass network traffic that includes an identification associated with the authorized endpoint.
  - 23. The non-transitory machine-readable medium of claim 22, wherein the identification is a Virtual eXtensible Local Area Network Network Identifier.
  - 24. The non-transitory machine-readable medium of claim 17, wherein the additional policy is an access control list on a port of a network access device that does not have an authorized endpoint with that port, the access control list to drop network traffic that is encapsulated for the dynamic virtualized network.
  - 25. The non-transitory machine-readable medium of claim 17, wherein a network access device is selected from the group consisting of a switch and a router.
  - 31. The non-transitory machine-readable medium of claim 17, wheren the additional policy is an access control list on a port of a network access device that has an authorized endpoint associated with that port, the access control list to drop network traffic that does not include an identification associated with the authorized endpoint.

26. A system to of secure a dynamic virtualized network, the system comprising:
- a plurality of network access devices;
  
  a layer 3 physical network interconnecting the plurality of physical network access devices;
  
  a dynamic virtualized network, wherein the dynamic virtualized network is a virtualized layer 2 network that is overlaid on the layer 3 physical network, the dynamic virtualized network includes the current network policy that further includes a first plurality of network policy elements, and each of the first plurality of network policy elements identifies an authorized endpoint in the dynamic virtualized network; and
  
  a network automation element that learns the current network policy by analyzing membership request communicated to the dynamic virtualized network, wherein a membership request is selected from the group consisting of a request to join the dynamic virtualized network and a request to drop from the dynamic virtualized network, determines a network security policy for the dynamic virtualized network from the current network policy, wherein the network security policy includes one or more second network policy elements that are a different network policy element than one of the plurality of first network policy elements of the current network policy, and each of the one or more second network policy network elements adds an additional policy on how network traffic in the dynamic virtualized network is processed by a port of one of the plurality of physical network access devices, and applies the network security policy to each physical network access device of the plurality of network access devices that is affected by the network security policy.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The system of claim 26, wherein the dynamic virtualized network is a Virtual eXtensible Local Area Network.
  - 28. The system of claim 26, wherein the additional policy is a multicast join filter that passes a multicast join request on the port of a physical network access device that has an authorized endpoint associated with that port.
  - 29. The system of claim 26, wherein the additional policy is a multicast join filter that drops a multicast join request on the port of a physical network access device that does not have an authorized endpoint associated with that port.
  - 30. The system of claim 26, wherein the additional policy is an access control list on the port of a physical network access device that that has an authorized endpoint associated with that port, the access control list to pass network traffic that includes an identification associated with the authorized endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Stateless Networks, Inc.
Inventors
Wanser, Kelly, Antonopoulos, Andreas Markos
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US13/842,695
Publication Number

US 20140123211A1
Time in Patent Office

662 Days
Field of Search

726/1, 726/3, 726 13- 15, 713/151, 713/153, 370/213, 370/254, 709223-224
US Class Current

726/1
CPC Class Codes

H04L 12/18   for broadcast or conference...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/20   Network management software...

H04L 43/50   Testing arrangements

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

H04L 67/143   Termination or inactivation...

H04L 67/146   Markers for unambiguous ide...

System and method for securing virtualized networks

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for securing virtualized networks

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links