Elastic enforcement layer for cloud security using SDN
First Claim
1. A method performed by a controller in a split architecture network to control network connectivity for a cloud computing environment, the split architecture network including a plurality of switches coupled to the controller, wherein the controller manages a control plane for the plurality of switches and policy enforcement for network security for a plurality of virtual machines (VMs) including a source VM and a destination VM that execute applications in the cloud computing environment and exchange data via the split architecture network, the method comprising the steps of:
receiving by the controller a packet from the plurality of switches, the packet originating from the source VM, where the controller manages the control plane for the plurality of switches and the plurality of switches implement the data plane of the split architecture network;
extracting by the controller an application identifier from the received packet, the application identifier identifying an application running on the source VM;
determining by the controller a chain of middlebox types based on the application identifier;
mapping by the controller one or more of the middlebox types in the chain to corresponding one or more middlebox instances based on current availability of resources in the cloud computing environment, wherein one or more of the middlebox instances perform network security operations on the packet and the one or more middlebox instances are in communication with one or more of the plurality of switches; and
sending by the controller a set of rules to the plurality of switches, the set of rules to add a set of tags to the packet to cause the plurality of switches to forward the packet toward the destination VM via the one or more middlebox instances to thereby enforce network security in the cloud computing environment.
Abstract
An efficient elastic enforcement layer (EEL) for realizing security policies is deployed in a cloud computing environment based on a split architecture framework. The split architecture network includes a controller coupled to switches. When the controller receives a packet originating from a source VM, it extracts an application identifier from the received packet that identifies an application running on the source VM. Based on the application identifier, the controller determines a chain of middlebox types. The controller further determines middlebox instances based on current availability of resources. The controller then adds a set of rules to the switches to cause the switches to forward the packet toward the destination VM via the middlebox instances.
20 Claims
1. Independent claim; text as reproduced under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A network node functioning as a controller in a split architecture network to control network connectivity for a cloud computing environment, the split architecture network including a plurality of switches coupled to the controller, wherein the controller manages a control plane of the plurality of switches and policy enforcement for network security for a plurality of virtual machines (VMs) including a source VM and a destination VM that execute applications in the cloud computing environment and exchange data via the split architecture network, the controller comprising:
receiver circuitry configured to receive a packet from one of the plurality of switches, the packet originating from the source VM, where the controller manages the control plane for the plurality of switches and the plurality of switches implement the data plane of the split architecture network; and
a processor coupled to the receiver circuitry and a memory, the processor configured to execute an elastic enforcement module, which is configured to extract an application identifier from the received packet, the application identifier identifying an application running on the source VM; determine a chain of middlebox types based on the application identifier; and map one or more of the middlebox types in the chain to corresponding one or more middlebox instances based on current availability of resources in the cloud computing environment, wherein one or more of the middlebox instances perform network security operations on the packet and the one or more middlebox instances are in communication with one or more of the plurality of switches; and
transmitter circuitry coupled to the processor, the transmitter circuitry configured to send a set of rules to the plurality of switches to add a set of tags to the packet to cause the plurality of switches to forward the packet toward the destination VM via the one or more middlebox instances to thereby enforce network security in the cloud computing environment.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
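The controller path the abstract and claims 1 and 11 describe (application identifier to a chain of middlebox types, each type to an instance chosen on current availability, then tag-based forwarding rules pushed to the switches), modelled as an added example that is not part of the patent. The policy table, middlebox names, switch identifiers and capacity figures are all constructed assumptions.

```python
# Added example, not from the patent: a small model of the controller logic in the
# abstract and claim 1. Policy table, middlebox names, switch ids and capacities are
# all constructed for illustration.
from dataclasses import dataclass

# Application identifier -> ordered chain of middlebox *types* (the security policy).
POLICY = {"web": ["firewall", "ids"], "db": ["firewall", "dlp"]}

@dataclass
class Middlebox:
    name: str
    mb_type: str
    capacity: int   # flows this instance can still accept (current availability)
    switch: str     # data-plane switch the instance hangs off

@dataclass
class Rule:
    switch: str
    match: dict     # fields a switch matches on; tag 0 means "not yet tagged"
    actions: list

def pick_instance(mb_type, instances):
    """Elastic step: map a type to the least-loaded instance that still has room."""
    ready = [m for m in instances if m.mb_type == mb_type and m.capacity > 0]
    if not ready:
        raise RuntimeError(f"no available middlebox of type {mb_type}")
    return max(ready, key=lambda m: m.capacity)

def handle_packet(packet, instances, ingress_switch):
    """Packet-in handling: app id -> chain of types -> instances -> tag rules."""
    chain = POLICY.get(packet["app_id"])
    if chain is None:
        # Unknown application: drop at the ingress switch rather than forward unchecked.
        return [Rule(ingress_switch, {"src": packet["src"], "tag": 0}, ["drop"])]
    hops = [pick_instance(t, instances) for t in chain]   # fails before any reservation
    for m in hops:
        m.capacity -= 1            # reserve a slot on each chosen instance
    rules, prev = [], ingress_switch
    for idx, m in enumerate(hops):
        # Tag idx+1 marks "hop idx done"; the next switch forwards on the tag alone,
        # so the packet never has to return to the controller mid-chain.
        rules.append(Rule(prev, {"src": packet["src"], "tag": idx},
                          [f"set_tag:{idx + 1}", f"output:{m.name}"]))
        prev = m.switch
    rules.append(Rule(prev, {"src": packet["src"], "tag": len(hops)},
                      [f"output:{packet['dst']}"]))
    return rules
```

With the sample inventory below, a "web" packet yields three rules (ingress, firewall switch, IDS switch); a "db" packet fails closed because the only DLP instance has no capacity, and no firewall slot is consumed by the failed attempt.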