Software defined networking pipe for network traffic inspection
First Claim
1. A software defined networking (SDN) computer network comprising:
a security component;
an SDN switch comprising a plurality of ports that receive network traffic of an SDN computer network, the SDN switch having a first port coupled to a sender component and a second port coupled to the security component, the SDN switch comprising a flow table that comprises a first flow rule to forward a packet received in the first port to the security component that is coupled to the second port, wherein the SDN switch receives outgoing packets from the first port and forwards the outgoing packets to the second port in accordance with the first flow rule, the outgoing packets being sent by the sender component to a destination component; and
an SDN controller that controls forwarding behavior of the SDN switch and inserts the first flow rule into the flow table of the SDN switch, wherein the security component receives the outgoing packets from the second port of the SDN switch, inspects the outgoing packets, and re-injects the outgoing packets back into the SDN switch to allow the outgoing packets to be forwarded out of another port of the SDN switch towards their destination when the outgoing packets pass inspection.
0 Assignments
0 Petitions
Abstract
A software defined networking (SDN) computer network includes an SDN controller and an SDN switch. The SDN controller inserts flow rules in a flow table of the SDN switch to create an SDN pipe between a sender component and a security component. A broadcast function of the SDN switch to the ports that form the SDN pipe may be disabled. The SDN pipe allows outgoing packets sent by the sender component to be received by the security component. The security component inspects the outgoing packets for compliance with security policies and allows the outgoing packets to be forwarded to their destination when the outgoing packets pass inspection. The SDN controller may also insert a flow rule in the flow table of the SDN switch to bypass inspection of specified packets.
18 Citations
17 Claims
1. A software defined networking (SDN) computer network comprising:
a security component;
an SDN switch comprising a plurality of ports that receive network traffic of an SDN computer network, the SDN switch having a first port coupled to a sender component and a second port coupled to the security component, the SDN switch comprising a flow table that comprises a first flow rule to forward a packet received in the first port to the security component that is coupled to the second port, wherein the SDN switch receives outgoing packets from the first port and forwards the outgoing packets to the second port in accordance with the first flow rule, the outgoing packets being sent by the sender component to a destination component; and
an SDN controller that controls forwarding behavior of the SDN switch and inserts the first flow rule into the flow table of the SDN switch, wherein the security component receives the outgoing packets from the second port of the SDN switch, inspects the outgoing packets, and re-injects the outgoing packets back into the SDN switch to allow the outgoing packets to be forwarded out of another port of the SDN switch towards their destination when the outgoing packets pass inspection.
(Dependent claims 2, 3, 4, 5, 6, 7, 8, 9 not shown.)

10. A computer-implemented method of inspecting network traffic in a software defined networking (SDN) computer network, the method comprising:
inserting a first flow rule in a flow table of an SDN switch, the first flow rule instructing the SDN switch to forward packets received in a first port of the SDN switch to a second port of the SDN switch;
inserting a second flow rule in the flow table of the SDN switch, the second flow rule instructing the SDN switch to forward packets received in the second port of the SDN switch to the first port of the SDN switch;
disabling a broadcast function of the SDN switch to the first port of the SDN switch and to the second port of the SDN switch;
forwarding outgoing packets from the first port of the SDN switch to the second port of the SDN switch in accordance with the first flow rule;
receiving the outgoing packets in a security component that is coupled to the second port of the SDN switch;
inspecting the outgoing packets in the security component for compliance with security policies; and
re-injecting the outgoing packets back into the SDN switch to allow the outgoing packets to be forwarded out of another port of the SDN switch towards their destination when the outgoing packets pass inspection.
(Dependent claims 11, 12, 13 not shown.)

14. A computer-implemented method of inspecting network traffic in a software defined networking (SDN) computer network, the method comprising:
receiving outgoing packets in a first port of an SDN switch;
forwarding the outgoing packets from the first port of the SDN switch to a second port of the SDN switch in accordance with a first flow rule inserted by an SDN controller in a flow table of the SDN switch, the first port of the SDN switch being coupled to a virtual machine and the second port of the SDN switch being coupled to a security component;
receiving the outgoing packets in the security component by way of the second port of the SDN switch;
inspecting the outgoing packets in the security component; and
re-injecting the outgoing packets back into the SDN switch to allow the outgoing packets to be forwarded out of another port of the SDN switch towards their destination when the outgoing packets pass inspection.
(Dependent claims 15, 16, 17 not shown.)
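The pipe that the abstract and claims 1, 10 and 14 describe can be seen end to end in a small flow-table simulation. The following Python is an added example, not code from the patent or its assignee: a controller installs the first flow rule (VM port to security component port), the second flow rule (security component port back to VM port), disables flooding to those two ports, and adds the abstract's optional bypass rule at higher priority; the security component inspects what arrives and re-injects what passes. The port numbers, the use of a separate re-injection port with a NORMAL-forwarding rule, the table-miss behaviour, the inspection policy, the MAC addresses and the packet fields are all assumptions made for the example.

```python
# Constructed simulation of the SDN pipe in the abstract and claims 1, 10 and 14 (added
# example, not the patent's code). Port numbers, the separate re-injection port, the
# table-miss behaviour, the policy, the MACs and the packet fields are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
FLOOD = "FLOOD"    # pseudo-port: copy to all ports except in_port and the no-flood ports
NORMAL = "NORMAL"  # pseudo-port: forward by learned MAC table, flood when unknown

@dataclass
class Packet:
    src: str              # source MAC
    dst: str              # destination MAC
    dport: int            # transport destination port (0 for non-IP frames such as ARP)
    payload: bytes = b""

@dataclass
class FlowRule:
    priority: int
    match: Dict[str, object]  # any subset of {"in_port", "src", "dst", "dport"}
    action: object            # output port number or a pseudo-port
    def matches(self, in_port: int, pkt: Packet) -> bool:
        fields = {"in_port": in_port, "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport}
        return all(fields.get(k) == v for k, v in self.match.items())

@dataclass
class SDNSwitch:
    ports: List[int]
    flow_table: List[FlowRule] = field(default_factory=list)
    mac_table: Dict[str, int] = field(default_factory=dict)
    no_flood_ports: Set[int] = field(default_factory=set)  # broadcast disabled to these ports
    handlers: Dict[int, Callable[[Packet], None]] = field(default_factory=dict)
    delivered: List[Tuple[int, Packet]] = field(default_factory=list)

    def receive(self, in_port: int, pkt: Packet) -> None:
        self.mac_table.setdefault(pkt.src, in_port)  # plain L2 learning
        hits = [r for r in self.flow_table if r.matches(in_port, pkt)]
        action = max(hits, key=lambda r: r.priority).action if hits else NORMAL  # miss: assumed NORMAL
        if action == NORMAL:
            out = self.mac_table.get(pkt.dst)
            action = FLOOD if pkt.dst == BROADCAST or out is None else out
        if action == FLOOD:
            for p in self.ports:
                if p != in_port and p not in self.no_flood_ports:
                    self.emit(p, pkt)
        else:
            self.emit(action, pkt)

    def emit(self, port: int, pkt: Packet) -> None:
        if port in self.handlers:
            self.handlers[port](pkt)  # an attached component consumes the packet
        else:
            self.delivered.append((port, pkt))

class SDNController:  # installs the pipe rules of claims 1 and 10 and the abstract's bypass rule
    def __init__(self, sw: SDNSwitch, vm_port: int, sec_port: int, reinject_port: int):
        self.sw, self.vm, self.sec, self.reinject = sw, vm_port, sec_port, reinject_port
    def build_pipe(self) -> None:
        t = self.sw.flow_table
        t.append(FlowRule(100, {"in_port": self.vm}, self.sec))       # first flow rule
        t.append(FlowRule(100, {"in_port": self.sec}, self.vm))       # second flow rule
        t.append(FlowRule(100, {"in_port": self.reinject}, NORMAL))   # assumed re-injection path
        self.sw.no_flood_ports.update({self.vm, self.sec})           # disable broadcast to pipe ports
    def add_bypass(self, **match) -> None:  # higher priority: matching VM traffic skips inspection
        self.sw.flow_table.append(FlowRule(200, {"in_port": self.vm, **match}, NORMAL))

class SecurityComponent:
    def __init__(self, sw: SDNSwitch, reinject_port: int, policy: Callable[[Packet], bool]):
        self.sw, self.reinject, self.policy = sw, reinject_port, policy
        self.inspected, self.blocked = [], []  # type: List[Packet], List[Packet]
    def __call__(self, pkt: Packet) -> None:
        self.inspected.append(pkt)
        if self.policy(pkt):
            self.sw.receive(self.reinject, pkt)  # passes: re-inject towards the destination
        else:
            self.blocked.append(pkt)             # fails: never leaves the switch

def policy(pkt: Packet) -> bool:  # constructed policy: no cleartext telnet, no payload with the marker
    return pkt.dport != 23 and b"EXFIL" not in pkt.payload

def run_scenario() -> dict:
    VM, SEC, UPLINK, REINJECT = 1, 2, 3, 4
    vm_mac, server_mac = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:03"
    sw = SDNSwitch(ports=[VM, SEC, UPLINK, REINJECT])
    sw.mac_table[server_mac] = UPLINK  # constructed state: server already learned on the uplink
    ctl = SDNController(sw, VM, SEC, REINJECT)
    ctl.build_pipe()
    ctl.add_bypass(dport=53)  # bypass rule: here DNS skips inspection
    sec = SecurityComponent(sw, REINJECT, policy)
    sw.handlers[SEC] = sec
    sent = [Packet(vm_mac, server_mac, 443, b"GET /"), Packet(vm_mac, server_mac, 23, b"login"),
            Packet(vm_mac, BROADCAST, 0, b"who-has"), Packet(vm_mac, server_mac, 53, b"query")]
    for pkt in sent:
        sw.receive(VM, pkt)
    return {"delivered": [(port, p.dport) for port, p in sw.delivered],
            "inspected": [p.dport for p in sec.inspected],
            "blocked": [p.dport for p in sec.blocked]}
```

Running `run_scenario()` shows the three behaviours the claims call out: the HTTPS packet and the broadcast reach the uplink only after the security component has seen them, the telnet packet is blocked and never leaves the switch, and the DNS packet reaches the uplink without being inspected at all because the bypass rule wins on priority. Two practical points follow from the model. First, a bypass rule is a hole by design: everything it matches is never inspected, so match it as narrowly as the use case allows (destination and protocol, not just a transport port) or a sender can tunnel over whatever the bypass exempts. Second, the model only exercises the outgoing direction; the second flow rule is installed, but steering traffic that arrives on the uplink into the security component before it reaches the VM needs its own rule, since plain MAC learning would otherwise deliver it straight to the VM port.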
Specification