Software defined networking pipe for network traffic inspection

US 9,264,400 B1
Filed: 12/02/2013
Issued: 02/16/2016
Est. Priority Date: 12/02/2013
Status: Active Grant

First Claim

Patent Images

1. A software defined networking (SDN) computer network comprising:

an SDN switch comprising a plurality of ports that receives network traffic of an SDN computer network, the SDN switch having a first port coupled to a sender component and a second port coupled to a security component, the SDN switch comprising a flow table that comprises a first flow rule to forward a packet received in the first port to the second port and a second flow rule to forward a packet received in the second port to the first port, the SDN switch receiving outgoing packets from the first port and forwarding the outgoing packets to the second port in accordance with the first flow rule, the outgoing packets being sent by the sender component to a destination component; and

an SDN controller that controls forwarding behavior of the SDN switch and inserts the first and second flow rules into the flow table of the SDN switch,wherein the security component receives the outgoing packets from the second port of the SDN switch, inspects the outgoing packets, and allows the outgoing packets to be forwarded to their destination when the outgoing packets pass inspection,wherein the security component allows the outgoing packets to be forwarded to their destination by instructing the SDN switch to release copies of the outgoing packets.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A software defined networking (SDN) computer network includes an SDN controller and an SDN switch. The SDN controller inserts flow rules in a flow table of the SDN switch to create an SDN pipe between a sender component and a security component. A broadcast function of the SDN switch to the ports that form the SDN pipe may be disabled. The SDN pipe allows outgoing packets sent by the sender component to be received by the security component. The security component inspects the outgoing packets for compliance with security policies and allows the outgoing packets to be forwarded to their destination when the outgoing packets pass inspection. The SDN controller may also insert a flow rule in the flow table of the SDN switch to bypass inspection of specified packets.

Citations

17 Claims

1. A software defined networking (SDN) computer network comprising:
- an SDN switch comprising a plurality of ports that receives network traffic of an SDN computer network, the SDN switch having a first port coupled to a sender component and a second port coupled to a security component, the SDN switch comprising a flow table that comprises a first flow rule to forward a packet received in the first port to the second port and a second flow rule to forward a packet received in the second port to the first port, the SDN switch receiving outgoing packets from the first port and forwarding the outgoing packets to the second port in accordance with the first flow rule, the outgoing packets being sent by the sender component to a destination component; and
  
  an SDN controller that controls forwarding behavior of the SDN switch and inserts the first and second flow rules into the flow table of the SDN switch,wherein the security component receives the outgoing packets from the second port of the SDN switch, inspects the outgoing packets, and allows the outgoing packets to be forwarded to their destination when the outgoing packets pass inspection,wherein the security component allows the outgoing packets to be forwarded to their destination by instructing the SDN switch to release copies of the outgoing packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The SDN computer network of claim 1, wherein the SDN computer network is in a virtualized computing environment hosted by one or more computers, and the sender component comprises a virtual machine.
  - 3. The SDN computer network of claim 1, wherein the SDN switch comprises a physical packet switch, the SDN controller comprises one or more computers that send flow rules to the SDN switch, and the sender component comprises a computer coupled to the first port of the SDN switch.
  - 4. The SDN computer network of claim 1, wherein the security component allows the outgoing packets to be forwarded to their destination by reinjecting the outgoing packets back to the SDN switch.
  - 5. The SDN computer network of claim 1, wherein the security component performs a security response on the outgoing packets when the outgoing packets do not pass inspection.
  - 6. The SDN computer network of claim 5, wherein the security component drops the outgoing packets when the outgoing packets do not pass inspection.
  - 7. The SDN computer network of claim 5, wherein the flow table of the SDN switch includes a bypass flow rule that forwards specified packets directly from the first port of the SDN switch to a third port of the SDN switch without being forwarded to the security component for inspection.
  - 8. The SDN computer network of claim 7, wherein the specified packets are packets having a particular transport control protocol (TCP) source or destination port.
  - 9. The SDN computer network of claim 1, wherein a broadcast function of the SDN switch to the first port of the SDN switch and the second port of the SDN switch is disabled.

10. A computer-implemented method of inspecting network traffic in a software defined networking (SDN) computer network, the method comprising:
- inserting a first flow rule in a flow table of an SDN switch, the first flow rule instructing the SDN switch to forward packets received in a first port of the SDN switch to a second port of the SDN switch;
  
  inserting a second flow rule in the flow table of the SDN switch, the second flow rule instructing the SDN switch to forward packets received in the second port of the SDN switch to the first port of the SDN switch;
  
  disabling a broadcast function of the SDN switch to the first port of the SDN switch and to the second port of the SDN switch;
  
  forwarding outgoing packets from the first port of the SDN switch to the second port of the SDN switch in accordance with the first flow rule;
  
  receiving the outgoing packets in a security component coupled to the second port of the SDN switch;
  
  inspecting the outgoing packets in the security component for compliance with security policies;
  
  storing a copy of the outgoing packets in the SDN switch; and
  
  after inspecting the outgoing packets in the security component, instructing the SDN switch to release the copy of the outgoing packets when the outgoing packets pass inspection for compliance with the security policies.
- View Dependent Claims (11, 12, 13)
- - 11. The computer-implemented method of claim 10, further comprising:
    - after inspecting the outgoing packets in the security component, reinjecting the outgoing packets back into the SDN switch when the outgoing packets pass inspection for compliance with the security policies.
  - 12. The computer-implemented method of claim 10, further comprising:
    - after inspecting the outgoing packets in the security component, dropping the outgoing packets when the outgoing packets do not pass inspection for compliance with the security policies.
  - 13. The computer-implemented method of claim 10, further comprising:
    - inserting a third flow rule in the flow table of the SDN switch, the third flow rule instructing the SDN switch to forward specified packets directly from the first port of the SDN switch to a third port of the SDN switch to bypass inspection of the specified packets by the security component.

14. A computer-implemented method of inspecting network traffic in a software defined networking (SDN) computer network, the method comprising:
- receiving outgoing packets in a first port of an SDN switch;
  
  forwarding the outgoing packets from the first port of the SDN switch to a second port of the SDN switch in accordance with a first flow rule inserted by an SDN controller in a flow table of the SDN switch, the first port of the SDN switch being coupled to a virtual machine and the second port of the SDN switch being coupled to a security component;
  
  receiving the outgoing packets in the security component by way of the second port of the SDN switch;
  
  inspecting the outgoing packets in the security component; and
  
  releasing a copy of the outgoing packets stored in the SDN switch when the outgoing packets pass inspection by the security component.
- View Dependent Claims (15, 16, 17)
- - 15. The computer-implemented method of claim 14, further comprising:
    - reinjecting the outgoing packets back into the SDN switch when the outgoing packets pass inspection by the security component.
  - 16. The computer-implemented method of claim 14, wherein the outgoing packets are transmitted by the virtual machine to a destination component.
  - 17. The computer-implemented method of claim 14, further comprising:
    - disabling a broadcast function of the SDN switch to the first port of the SDN switch and to the second port of the SDN switch.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Lin, Chuan-Hung, Li, Ching-Yi, Liang, Po-Cheng
Primary Examiner(s)
Lewis, Lisa

Application Number

US14/094,442
Time in Patent Office

806 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 47/2441   relying on flow classificat...

H04L 49/30   Peripheral units, e.g. inpu...

H04L 49/35   Switches specially adapted ...

H04L 49/70   Virtual switches

H04L 63/0245   Filtering by information in...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Software defined networking pipe for network traffic inspection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Software defined networking pipe for network traffic inspection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links