Security actuator for a dynamically programmable computer network
First Claim
1. A security service for a dynamically-programmable computer network, the security service embodied in one or more non-transitory computer readable storage media of a computing system and comprising a plurality of instructions that, when executed, cause the computing system to:
- monitor the dynamically programmable network for receipt of a flow policy directive from a flow policy directive source, the flow policy directive including a command and a set of parameters, wherein the command and the set of parameters describe a flow policy objective for the dynamically programmable computer network;
- in response to the monitoring, convert the flow policy directive to one or more packet disposition directives, the one or more packet disposition directives to cause one or more network switches of the dynamically programmable computer network to implement the flow policy directive to control flow of communications across the dynamically programmable computer network;
- compare the one or more packet disposition directives to a set of currently active flow rules of the dynamically programmable computer network; and
- in response to the comparison of the one or more packet disposition directives to the set of currently active flow rules, add the one or more packet disposition directives to the set of currently active flow rules,
- wherein conversion of the flow policy directive comprises parsing the flow policy directive to identify at least one valid command,
- wherein receipt of the flow policy directive comprises receiving a flow policy directive to quarantine communications associated with a network service identifier to a notifier internet address, the network service identifier including one or more of a network address or a network port, and
- wherein conversion of the flow policy directive further comprises creation of a first quarantine flow policy trigger rule to cause the one or more network switches to forward to a computing device a first quarantine trigger packet addressed from the network service identifier, creation of a second quarantine flow policy trigger rule to cause the one or more network switches to forward to the computing device a second quarantine trigger packet addressed to the network service identifier, creation, in response to receipt of the first or second quarantine trigger packet associated with a predefined network service, a first flow modification rule to (i) forward to the notifier internet address data communications addressed from the network service identifier and (ii) modify the data communications to identify the notifier internet address, and creation, in response to the receipt of the first or second trigger packet a second flow modification rule to (i) forward to the network service identifier data communications addressed from the notifier internet address and (ii) modify the data communications to identify the second network service identifier, and
- wherein the first flow modification rule and the second flow modification rule have a higher priority than the first quarantine flow policy trigger rule and the second quarantine flow policy trigger rule.
Abstract
A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with packet disposition directives. A security actuator receives flow policy directives from a number of network applications. The flow policy directives express higher-level network security policy goals, including blocking and/or redirecting network traffic. The security actuator converts a flow policy directive into one or more packet disposition directives. The packet disposition directives may include trigger rules to cause network communications to be monitored for matching trigger packets. An automated mechanism initiated by the security actuator may cause trigger packets to be forwarded to the security actuator for analysis. The security actuator may generate packet disposition directives in response to receiving the trigger packets.
119 Citations
28 Claims
1. Independent claim 1 is set out above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A method for actuating flow policy directives in a dynamically programmable computer network, the method comprising, with at least one computing device:
- monitoring the dynamically programmable computer network for receipt of a flow policy directive from a flow policy directive source;
- in response to the monitoring, converting the flow policy directive to one or more packet disposition directives, the one or more packet disposition directives to implement the flow policy directive at one or more network switches of the dynamically programmable computer network; and
- transmitting the one or more packet disposition directives to a security mediator of the dynamically programmable computer network, the security mediator mediating conflicts between packet disposition directives and transmitting packet disposition directives to network switches of the dynamically programmable network,
- wherein receiving the flow policy directive comprises receiving a flow policy directive to quarantine communications associated with a network service identifier to a notifier internet address, the network service identifier comprising one or more of a network address or a network port, and
- wherein converting the flow policy directive comprises: creating a first quarantine flow policy trigger rule to cause the one or more network switches to forward to the computing device a first quarantine trigger packet addressed from the network service identifier; creating a second quarantine flow policy trigger rule to cause the one or more network switches to forward to the computing device a second quarantine trigger packet addressed to the network service identifier; creating, in response to receiving the first or second trigger packet associated with a predefined network service, a first flow modification rule to (i) forward to the notifier internet address data communications addressed from the network service identifier and (ii) modify the data communications to identify the notifier internet address; and creating, in response to receiving the first or second trigger packet a second flow modification rule to (i) forward to the network service identifier data communications addressed from the notifier internet address and (ii) modify the data communications to identify the second network service identifier;
- wherein the first flow modification rule and the second flow modification rule have a higher priority than the first quarantine trigger rule and the second quarantine trigger rule;
- wherein converting the flow policy directive comprises parsing the flow policy directive to identify at least one valid command.

Dependent claims: 14, 15, 16, 17, 18.
19. A security actuator for actuating flow policy directives in a dynamically programmable computer network, the security actuator comprising a plurality of instructions embodied in one or more non-transitory machine accessible storage media of a computing device that, when executed, cause the computing device to:
- monitor the dynamically programmable network for receipt of a flow policy directive from a source of flow policy directives, and in response to the monitoring:
- initiate an automated mechanism to communicate with one or more network switches of the dynamically programmable computer network, the automated mechanism to: monitor for packets having one or more criteria matching a trigger rule; and in response to a packet having a criterion matching the trigger rule, cause the one or more network switches to implement the flow policy directive,
- receipt of the flow policy directive comprises to receive a flow policy directive to quarantine communications associated with a network service identifier to a notifier internet address, the network service identifier to include one or more of a network address or a network port; and
- to implement the flow policy directive comprises to: create a first quarantine trigger rule to cause the one or more network switches to forward to a computing device a first quarantine trigger packet addressed from the network service identifier; create a second quarantine trigger rule to cause the one or more network switches to forward to the computing device a second quarantine trigger packet addressed to the network service identifier; create, in response to receipt of the first or second quarantine trigger packet associated with a predefined network service, a first flow modification rule to (i) forward to the notifier internet address data communications addressed from the network service identifier and (ii) modify the data communications to identify the notifier internet address; and create, in response to the receipt of the first or second quarantine trigger packet a second flow modification rule to (i) forward to the network service identifier data communications addressed from the notifier internet address and (ii) modify the data communications to identify the second network service identifier,
- wherein the first flow modification rule and the second flow modification rule have a higher priority than the first quarantine trigger rule and the second quarantine trigger rule;
- wherein the security actuator, before actuating, parses the flow policy directives to identify at least one valid command.

Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27, 28.
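As an added illustration (not the patent's own code), the following Python model walks through the quarantine path shared by claims 1, 13 and 19: the directive is parsed for a valid command, converted into two trigger rules that send the first packet from or to the quarantined service to the computing device, and, on that trigger packet, into two higher-priority flow modification rules that redirect the service's traffic to the notifier address and rewrite addresses on the return path; new rules are compared with the active set before being added. The names (FlowRule, CONTROLLER, the action strings) and the use of the trigger packet's peer address as the "second network service identifier" are modelling assumptions.

```python
from dataclasses import dataclass

# Constructed model of the quarantine path in claims 1, 13 and 19; not the patent's code.
CONTROLLER = "controller"   # the computing device that receives trigger packets (assumed name)

@dataclass(frozen=True)
class FlowRule:
    priority: int
    match: tuple     # ((field, value), ...) that a packet must carry
    actions: tuple   # e.g. ("output:controller",) or ("set_ip_dst:10.0.0.99", "output:normal")

def parse_directive(text):
    """Parse 'quarantine <service> to <notifier>'; any other shape carries no valid command."""
    parts = text.split()
    if len(parts) != 4 or parts[0] != "quarantine" or parts[2] != "to":
        raise ValueError(f"no valid command in directive {text!r}")
    return {"command": "quarantine", "service": parts[1], "notifier": parts[3]}

def trigger_rules(d, priority=100):
    """First and second trigger rules: packets from or to the service go to the controller."""
    return [FlowRule(priority, (("ip_src", d["service"]),), ("output:" + CONTROLLER,)),
            FlowRule(priority, (("ip_dst", d["service"]),), ("output:" + CONTROLLER,))]

def flow_mod_rules(d, trigger_pkt, trigger_priority=100):
    """On a trigger packet, build the two flow modification rules at a higher priority.
    Assumption: the peer address seen in the trigger packet is the 'second network service identifier'."""
    svc, notifier = d["service"], d["notifier"]
    peer = trigger_pkt["ip_dst"] if trigger_pkt["ip_src"] == svc else trigger_pkt["ip_src"]
    hi = trigger_priority + 10
    return [FlowRule(hi, (("ip_src", svc), ("ip_dst", peer)),
                     ("set_ip_dst:" + notifier, "output:normal")),   # service -> notifier
            FlowRule(hi, (("ip_src", notifier), ("ip_dst", svc)),
                     ("set_ip_src:" + peer, "output:normal"))]       # notifier -> service, as peer

def reconcile(active, new):
    """Compare against the active rules: add what is missing, refuse a same-match rule with other actions."""
    by_key = {(r.priority, r.match): r for r in active}
    for r in new:
        cur = by_key.get((r.priority, r.match))
        if cur is None:
            by_key[(r.priority, r.match)] = r
        elif cur.actions != r.actions:
            raise ValueError(f"conflict on {r.match}: {cur.actions} vs {r.actions}")
    return list(by_key.values())

def dispose(rules, pkt):
    """Switch behaviour: the highest-priority rule whose match fields all agree with the packet wins."""
    hits = [r for r in rules if all(pkt.get(f) == v for f, v in r.match)]
    return max(hits, key=lambda r: r.priority).actions if hits else ("output:normal",)
```

The priority ordering is what keeps the mechanism from looping: once the flow modification rules are active, later packets of the quarantined flow are rewritten and forwarded instead of being sent to the controller again.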