Delivering security functions to distributed networks
First Claim
1. A system comprising:
a switch;
a plurality of network assets, the network assets including at least one virtual machine;
an enforcement point communicatively coupled to the switch and at least one network asset of the plurality of network assets, the enforcement point processing, using a rule set, a data packet received from the switch, the enforcement point forwarding the processed data packet to a distributed security processor when the processing indicates the data packet is malicious, the enforcement point being another virtual machine, the data packet directed to the at least one network asset;
the distributed security processor communicatively coupled to the enforcement point and not being in the data traffic flow, the distributed security processor inspecting the processed data packet forwarded from the enforcement point, the distributed security processor directing the enforcement point to at least one of forward the processed data packet to the at least one network asset and drop the processed data packet, using the inspection and the rule set;
a logging module communicatively coupled to at least one of the switch, the enforcement point, and the distributed security processor, the logging module accumulating data associated with at least one of the data packet, the processing, and the inspection; and
an analytics module communicatively coupled to the logging module and a compiler, the analytics module analyzing the at least one of the data packet, the processing, and the inspection, the analytics module initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
Abstract
Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
145 Citations
16 Claims
1. (Independent claim; reproduced in full under First Claim above. Dependent claims: 2 through 8.)
9. A method comprising:
processing, by an enforcement point, using a rule set, a data packet received from a switch, the data packet directed to at least one network asset, the enforcement point being a virtual machine;
forwarding, by the enforcement point, the processed data packet to a distributed security processor when the processing indicates the data packet is malicious;
inspecting, by the distributed security processor, the processed packet forwarded from the enforcement point, the distributed security processor not being in the data traffic flow;
directing, by the distributed security processor, the enforcement point to at least one of forward the processed data packet to the at least one network asset and drop the processed data packet, using the inspection and the rule set, the at least one network asset being at least another virtual machine;
accumulating, by a logging module, data associated with at least one of the data packet, the processing, and the inspection;
analyzing, by an analytics module, the at least one of the data packet, the processing, and the inspection; and
initiating, by an analytics module, compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
(Dependent claims: 10 through 16.)
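The pipeline described in the abstract and in claims 1 and 9, modelled as a small simulation: an in-path enforcement point applies a rule set, hands only packets the rule set flags to an out-of-band security processor, everything is logged, and an analytics module feeds a high-level policy back through a compiler to produce an updated rule set. This is an added example, not the patent's own code; the rule syntax, the byte signatures the security processor matches, the sample traffic, the drop threshold and every class and function name are constructed assumptions.

```python
"""Toy model of the claimed pipeline. Added example, not the patent's code;
rule syntax, signatures, sample traffic and the threshold are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

FORWARD, DROP, INSPECT = "forward", "drop", "inspect"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    action: str                    # FORWARD, DROP or INSPECT
    src: Optional[str] = None      # None matches any source address
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return self.src in (None, p.src) and self.dport in (None, p.dport)


@dataclass
class RuleSet:
    rules: List[Rule]
    default: str = FORWARD

    def verdict(self, p: Packet) -> str:
        """First-match semantics: earlier rules shadow later ones."""
        return next((r.action for r in self.rules if r.matches(p)), self.default)


class LoggingModule:
    def __init__(self) -> None:
        self.events: List[Dict] = []

    def log(self, **event) -> None:
        self.events.append(event)


class DistributedSecurityProcessor:
    """Off the data path: it only sees packets the enforcement point forwards."""
    SIGNATURES = (b"\x90\x90\x90\x90", b"' OR 1=1")   # constructed byte patterns

    def inspect(self, p: Packet, rules: RuleSet) -> str:
        # The directive uses both the inspection and the (possibly updated) rule set.
        if rules.verdict(p) == DROP:
            return DROP
        return DROP if any(s in p.payload for s in self.SIGNATURES) else FORWARD


class EnforcementPoint:
    """In-path VM: enforces the rule set and consults the DSP only on INSPECT."""
    def __init__(self, rules: RuleSet, dsp, logger: LoggingModule) -> None:
        self.rules, self.dsp, self.logger = rules, dsp, logger

    def process(self, p: Packet) -> str:
        verdict, stage = self.rules.verdict(p), "processing"
        if verdict == INSPECT:
            verdict, stage = self.dsp.inspect(p, self.rules), "inspection"
        self.logger.log(src=p.src, dport=p.dport, stage=stage, verdict=verdict)
        return verdict          # FORWARD delivers to the asset, DROP discards


class Compiler:
    """Compiles high-level policy statements into ordered low-level rules."""
    def compile(self, policy: Dict) -> RuleSet:
        blocks = [Rule(DROP, src=h) for h in sorted(policy["blocked_hosts"])]
        inspects = [Rule(INSPECT, dport=port) for port in policy["inspect_ports"]]
        return RuleSet(blocks + inspects)   # blocks first so they win on first match


class AnalyticsModule:
    def __init__(self, logger: LoggingModule, compiler: Compiler, drop_threshold: int = 2) -> None:
        self.logger, self.compiler, self.threshold = logger, compiler, drop_threshold

    def analyze_and_recompile(self, policy: Dict) -> RuleSet:
        drops = Counter(e["src"] for e in self.logger.events if e["verdict"] == DROP)
        policy["blocked_hosts"].update(h for h, n in drops.items() if n >= self.threshold)
        return self.compiler.compile(policy)


def run_demo():
    policy = {"blocked_hosts": set(), "inspect_ports": [80, 445]}
    logger, compiler = LoggingModule(), Compiler()
    ep = EnforcementPoint(compiler.compile(policy), DistributedSecurityProcessor(), logger)
    traffic = [                                                    # constructed sample traffic
        Packet("10.0.0.5", "10.0.1.10", 22, b"SSH-2.0"),               # no inspect rule: forwarded
        Packet("10.0.0.9", "10.0.1.10", 80, b"GET / HTTP/1.1"),        # inspected, clean
        Packet("10.0.0.9", "10.0.1.10", 80, b"id=1' OR 1=1--"),        # inspected, dropped
        Packet("10.0.0.9", "10.0.1.11", 445, b"\x90\x90\x90\x90\xcc"),  # inspected, dropped
    ]
    first_pass = [ep.process(p) for p in traffic]
    # Feedback loop: analytics promotes the noisy host into the policy and the
    # compiler emits a rule set that now drops it in-path, without the DSP.
    ep.rules = AnalyticsModule(logger, compiler).analyze_and_recompile(policy)
    second_pass = ep.process(Packet("10.0.0.9", "10.0.1.10", 22, b"SSH-2.0"))
    return first_pass, second_pass, ep.rules, logger.events
```

Two properties of the claims are visible in the run: the security processor never touches the first packet, because the rule set gives a direct verdict and the processor is not in the data path; and after recompilation the offending host is dropped at the "processing" stage, so the out-of-band inspection only pays for packets the rule set cannot decide on its own. The processor also re-checks the rule set before using its own inspection result, matching the claim's "using the inspection and the rule set".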