Software defined networking pipe for network traffic inspection

US 9,407,579 B1
Filed: 01/07/2016
Issued: 08/02/2016
Est. Priority Date: 12/02/2013
Status: Active Grant

First Claim

Patent Images

1. A software defined networking (SDN) computer network comprising:

a security component;

an SDN switch comprising a plurality of ports that receive network traffic of an SDN computer network, the SDN switch having a first port coupled to a sender component and a second port coupled to the security component, the SDN switch comprising a flow table that comprises a first flow rule to forward a packet received in the first port to the security component that is coupled to the second port, wherein the SDN switch receives outgoing packets from the first port and forwards the outgoing packets to the second port in accordance with the first flow rule, the outgoing packets being sent by the sender component to a destination component; and

an SDN controller that controls forwarding behavior of the SDN switch and inserts the first flow rule into the flow table of the SDN switch,wherein the security component receives the outgoing packets from the second port of the SDN switch, inspects the outgoing packets, and re-injects the outgoing packets back into the SDN switch to allow the outgoing packets to be forwarded out of another port of the SDN switch towards their destination when the outgoing packets pass inspection.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A software defined networking (SDN) computer network includes an SDN controller and an SDN switch. The SDN controller inserts flow rules in a flow table of the SDN switch to create an SDN pipe between a sender component and a security component. A broadcast function of the SDN switch to the ports that form the SDN pipe may be disabled. The SDN pipe allows outgoing packets sent by the sender component to be received by the security component. The security component inspects the outgoing packets for compliance with security policies and allows the outgoing packets to be forwarded to their destination when the outgoing packets pass inspection. The SDN controller may also insert a flow rule in the flow table of the SDN switch to bypass inspection of specified packets.

18 Citations

17 Claims

1. A software defined networking (SDN) computer network comprising:
- a security component;
  
  an SDN switch comprising a plurality of ports that receive network traffic of an SDN computer network, the SDN switch having a first port coupled to a sender component and a second port coupled to the security component, the SDN switch comprising a flow table that comprises a first flow rule to forward a packet received in the first port to the security component that is coupled to the second port, wherein the SDN switch receives outgoing packets from the first port and forwards the outgoing packets to the second port in accordance with the first flow rule, the outgoing packets being sent by the sender component to a destination component; and
  
  an SDN controller that controls forwarding behavior of the SDN switch and inserts the first flow rule into the flow table of the SDN switch,wherein the security component receives the outgoing packets from the second port of the SDN switch, inspects the outgoing packets, and re-injects the outgoing packets back into the SDN switch to allow the outgoing packets to be forwarded out of another port of the SDN switch towards their destination when the outgoing packets pass inspection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The SDN computer network of claim 1, wherein the SDN computer network is in a virtualized computing environment hosted by one or more computers, and the sender component comprises a virtual machine.
  - 3. The SDN computer network of claim 1, wherein the SDN switch comprises a physical packet switch, the SDN controller comprises one or more computers that send flow rules to the SDN switch, and the sender component comprises a computer coupled to the first port of the SDN switch.
  - 4. The SDN computer network of claim 1, wherein the security component performs a security response on the outgoing packets when the outgoing packets do not pass inspection.
  - 5. The SDN computer network of claim 4, wherein the security component drops the outgoing packets when the outgoing packets do not pass inspection.
  - 6. The SDN computer network of claim 1, wherein the flow table of the SDN switch includes a bypass flow rule that forwards specified packets directly from the first port of the SDN switch to a third port of the SDN switch without being forwarded to the security component for inspection.
  - 7. The SDN computer network of claim 6, wherein the specified packets are packets having a particular transport control protocol (TCP) source or destination port.
  - 8. The SDN computer network of claim 1, wherein the security component inspects the outgoing packets for presence of malicious codes.
  - 9. The SDN computer network of claim 1, wherein the flow table further comprises a second flow rule to forward a packet received in the second port to the first port, and a broadcast function of the SDN switch to the first port of the SDN switch and the second port of the SDN switch is disabled.

10. A computer-implemented method of inspecting network traffic in a software defined networking (SDN) computer network, the method comprising:
- inserting a first flow rule in a flow table of an SDN switch, the first flow rule instructing the SDN switch to forward packets received in a first port of the SDN switch to a second port of the SDN switch;
  
  inserting a second flow rule in the flow table of the SDN switch, the second flow rule instructing the SDN switch to forward packets received in the second port of the SDN switch to the first port of the SDN switch;
  
  disabling a broadcast function of the SDN switch to the first port of the SDN switch and to the second port of the SDN switch;
  
  forwarding outgoing packets from the first port of the SDN switch to the second port of the SDN switch in accordance with the first flow rule;
  
  receiving the outgoing packets in a security component that is coupled to the second port of the SDN switch;
  
  inspecting the outgoing packets in the security component for compliance with security policies; and
  
  re-injecting the outgoing packets back into the SDN switch to allow the outgoing packets to be forwarded out of another port of the SDN switch towards their destination when the outgoing packets pass inspection.
- View Dependent Claims (11, 12, 13)
- - 11. The computer-implemented method of claim 10, wherein inspecting the outgoing packets in the security component for compliance with security policies comprises inspecting the outgoing packets for presence of malicious codes.
  - 12. The computer-implemented method of claim 10, further comprising:
    - after inspecting the outgoing packets in the security component, dropping the outgoing packets when the outgoing packets do not pass inspection for compliance with the security policies.
  - 13. The computer-implemented method of claim 10, further comprising:
    - inserting a third flow rule in the flow table of the SDN switch, the third flow rule instructing the SDN switch to forward specified packets directly from the first port of the SDN switch to a third port of the SDN switch to bypass inspection of the specified packets by the security component.

14. A computer-implemented method of inspecting network traffic in a software defined networking (SDN) computer network, the method comprising:
- receiving outgoing packets in a first port of an SDN switch;
  
  forwarding the outgoing packets from the first port of the SDN switch to a second port of the SDN switch in accordance with a first flow rule inserted by an SDN controller in a flow table of the SDN switch, the first port of the SDN switch being coupled to a virtual machine and the second port of the SDN switch being coupled to a security component;
  
  receiving the outgoing packets in the security component by way of the second port of the SDN switch;
  
  inspecting the outgoing packets in the security component; and
  
  re-injecting the outgoing packets back into the SDN switch to allow the outgoing packets to be forwarded out of another port of the SDN switch towards their destination when the outgoing packets pass inspection.
- View Dependent Claims (15, 16, 17)
- - 15. The computer-implemented method of claim 14, wherein the outgoing packets are transmitted by a virtual machine to a destination component.
  - 16. The computer-implemented method of claim 14, wherein the outgoing packets are inspected for presence of malicious codes.
  - 17. The computer-implemented method of claim 14, further comprising:
    - disabling a broadcast function to the first port of the SDN switch and to the second port of the SDN switch.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Lin, Chuan-Hung, Li, Ching-Yi, Liang, Po-Cheng
Primary Examiner(s)
Lewis, Lisa

Application Number

US14/990,007
Time in Patent Office

208 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 47/2441   relying on flow classificat...

H04L 49/30   Peripheral units, e.g. inpu...

H04L 49/35   Switches specially adapted ...

H04L 49/70   Virtual switches

H04L 63/0245   Filtering by information in...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Software defined networking pipe for network traffic inspection

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Software defined networking pipe for network traffic inspection

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others