Software defined networking pipe for network traffic inspection
Abstract
A software defined networking (SDN) computer network includes an SDN controller and an SDN switch. The SDN controller inserts flow rules in a flow table of the SDN switch to create an SDN pipe between a sender component and a security component. A broadcast function of the SDN switch to the ports that form the SDN pipe may be disabled. The SDN pipe allows outgoing packets sent by the sender component to be received by the security component. The security component inspects the outgoing packets for compliance with security policies and allows the outgoing packets to be forwarded to their destination when the outgoing packets pass inspection. The SDN controller may also insert a flow rule in the flow table of the SDN switch to bypass inspection of specified packets.
17 Claims
1. A software defined networking (SDN) computer network comprising:

an SDN switch comprising a plurality of ports that receives network traffic of an SDN computer network, the SDN switch having a first port coupled to a sender component and a second port coupled to a security component, the SDN switch comprising a flow table that comprises a first flow rule to forward a packet received in the first port to the second port and a second flow rule to forward a packet received in the second port to the first port, the SDN switch receiving outgoing packets from the first port and forwarding the outgoing packets to the second port in accordance with the first flow rule, the outgoing packets being sent by the sender component to a destination component; and

an SDN controller that controls forwarding behavior of the SDN switch and inserts the first and second flow rules into the flow table of the SDN switch, wherein the security component receives the outgoing packets from the second port of the SDN switch, inspects the outgoing packets, and allows the outgoing packets to be forwarded to their destination when the outgoing packets pass inspection, wherein the security component allows the outgoing packets to be forwarded to their destination by instructing the SDN switch to release copies of the outgoing packets.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A computer-implemented method of inspecting network traffic in a software defined networking (SDN) computer network, the method comprising:

inserting a first flow rule in a flow table of an SDN switch, the first flow rule instructing the SDN switch to forward packets received in a first port of the SDN switch to a second port of the SDN switch;
inserting a second flow rule in the flow table of the SDN switch, the second flow rule instructing the SDN switch to forward packets received in the second port of the SDN switch to the first port of the SDN switch;
disabling a broadcast function of the SDN switch to the first port of the SDN switch and to the second port of the SDN switch;
forwarding outgoing packets from the first port of the SDN switch to the second port of the SDN switch in accordance with the first flow rule;
receiving the outgoing packets in a security component coupled to the second port of the SDN switch;
inspecting the outgoing packets in the security component for compliance with security policies;
storing a copy of the outgoing packets in the SDN switch; and
after inspecting the outgoing packets in the security component, instructing the SDN switch to release the copy of the outgoing packets when the outgoing packets pass inspection for compliance with the security policies.

Dependent claims: 11, 12, 13.
14. A computer-implemented method of inspecting network traffic in a software defined networking (SDN) computer network, the method comprising:

receiving outgoing packets in a first port of an SDN switch;
forwarding the outgoing packets from the first port of the SDN switch to a second port of the SDN switch in accordance with a first flow rule inserted by an SDN controller in a flow table of the SDN switch, the first port of the SDN switch being coupled to a virtual machine and the second port of the SDN switch being coupled to a security component;
receiving the outgoing packets in the security component by way of the second port of the SDN switch;
inspecting the outgoing packets in the security component; and
releasing a copy of the outgoing packets stored in the SDN switch when the outgoing packets pass inspection by the security component.

Dependent claims: 15, 16, 17.
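The pipe described in claims 1, 10 and 14, as an added, constructed Python model that is not the patent's own code: a flow-table switch with the two pipe rules, a controller-specified bypass rule, broadcast disabled on the pipe ports, a stored copy per outgoing packet, and a security component that instructs the switch to release or not release that copy. The action names, port numbers, policy lambda and packet fields are assumptions made for the illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst payload")   # constructed sample fields, not real headers

class SdnSwitch:
    """Flow-table switch modelled on the claims; rules are tried in insertion order."""
    def __init__(self):
        self.flow_table = []       # (match(pkt, in_port), action, out_port), filled by the controller
        self.ports = {}            # port number -> receive(pkt, switch) callback of the attached component
        self.stored = set()        # copies of outgoing packets held until inspection finishes
        self.no_broadcast = set()  # pipe ports whose broadcast (flood) function is disabled
        self.delivered, self.flooded = [], []
    def insert_flow_rule(self, match, action, out_port=None):
        self.flow_table.append((match, action, out_port))
    def packet_in(self, pkt, in_port):
        for match, action, out_port in self.flow_table:
            if match(pkt, in_port):
                if action == "bypass":           # controller-specified packets skip inspection
                    self.delivered.append(pkt)
                else:                            # pipe rules; only port 1 -> port 2 keeps a copy
                    if action == "inspect":
                        self.stored.add(pkt)
                    self.ports[out_port](pkt, self)
                return action
        if in_port in self.no_broadcast:         # no rule matched: a pipe port must never flood
            return "drop"
        self.flooded.append(pkt)
        return "flood"
    def inspection_result(self, pkt, passed):    # the security component's instruction to the switch
        self.stored.discard(pkt)
        if passed:                               # release the stored copy towards its destination
            self.delivered.append(pkt)

class SecurityComponent:
    """Inspects outgoing packets against a policy and tells the switch whether to release the copy."""
    def __init__(self, policy):
        self.policy, self.blocked = policy, []
    def receive(self, pkt, switch):
        passed = self.policy(pkt)
        if not passed:
            self.blocked.append(pkt)
        switch.inspection_result(pkt, passed)

def install_pipe(switch, sender_port, security_port, bypass=lambda p: False):
    # SDN controller role: bypass rule first, then the two pipe rules, then no broadcast on pipe ports
    switch.insert_flow_rule(lambda p, i: i == sender_port and bypass(p), "bypass")
    switch.insert_flow_rule(lambda p, i: i == sender_port, "inspect", security_port)  # first flow rule
    switch.insert_flow_rule(lambda p, i: i == security_port, "forward", sender_port)  # second flow rule
    switch.no_broadcast |= {sender_port, security_port}
```

A packet that fails inspection is removed from the switch's stored copies without ever being appended to the delivered list, which is the only path to the destination in this model.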