Security mediation for dynamically programmable network
Abstract
A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.
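The mediation step the abstract describes, as an added Python example that is not code from the patent or from any product implementing it. The Match/FlowRule model, the wildcard-overlap rule for deciding whether two flow rules can apply to the same packet, the action vocabulary, and the FLOW_MOD-style reprogramming message are all assumptions made for illustration; the conflict rule itself follows the claims (a candidate that overlaps an active rule is consistent only when it carries the same action):

```python
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Match:
    """Header fields a flow rule matches on; None is a wildcard (assumed model)."""
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def overlaps(self, other: "Match") -> bool:
        # Two matches overlap when some packet satisfies both: every field is
        # wildcarded on at least one side or holds the same value on both.
        for name in ("src", "dst", "proto", "dport"):
            a, b = getattr(self, name), getattr(other, name)
            if a is not None and b is not None and a != b:
                return False
        return True


@dataclass(frozen=True)
class FlowRule:
    match: Match
    action: str  # e.g. "DROP", "ALLOW", "FORWARD:2" (assumed action vocabulary)


class SecurityMediator:
    """Gatekeeper between controller applications and the switch (assumed design)."""

    def __init__(self, active_rules: List[FlowRule]) -> None:
        self.active: List[FlowRule] = list(active_rules)        # current security policy
        self.switch_table: List[FlowRule] = list(active_rules)  # what the switch runs
        self.audit: List[Dict] = []                             # decisions, for review/detection

    def find_conflicts(self, candidate: FlowRule) -> List[FlowRule]:
        # A candidate conflicts with an active rule when both could match the same
        # packet but prescribe different dispositions; the same action is consistent.
        return [
            rule for rule in self.active
            if rule.match.overlaps(candidate.match) and rule.action != candidate.action
        ]

    def mediate(self, candidate: FlowRule) -> Optional[Dict]:
        conflicts = self.find_conflicts(candidate)
        if conflicts:
            self.audit.append({"decision": "REJECT", "candidate": asdict(candidate),
                               "conflicts_with": [asdict(r) for r in conflicts]})
            return None  # switch is left untouched
        # Consistent with policy: build the reprogramming message for the switch.
        packet = {"type": "FLOW_MOD", "command": "ADD",
                  "match": asdict(candidate.match), "action": candidate.action}
        self.switch_table.append(candidate)
        self.active.append(candidate)  # the new rule is now part of the live policy
        self.audit.append({"decision": "ACCEPT", "candidate": asdict(candidate)})
        return packet


def run_demo() -> Dict[str, object]:
    # Constructed scenario: policy drops telnet from one host; three candidates arrive.
    policy = [FlowRule(Match(src="10.0.0.5", proto="tcp", dport=23), "DROP")]
    mediator = SecurityMediator(policy)
    results: Dict[str, object] = {
        # Overlaps the DROP rule with a different action: rejected.
        "allow_telnet": mediator.mediate(
            FlowRule(Match(src="10.0.0.5", dst="10.0.1.9", proto="tcp", dport=23), "ALLOW")),
        # Overlaps but prescribes the same action: accepted.
        "narrow_drop": mediator.mediate(
            FlowRule(Match(src="10.0.0.5", dst="10.0.1.9", proto="tcp", dport=23), "DROP")),
        # Disjoint match (port 80 from another host): accepted.
        "allow_web": mediator.mediate(
            FlowRule(Match(src="10.0.0.7", proto="tcp", dport=80), "ALLOW")),
    }
    results["switch_rules"] = len(mediator.switch_table)
    results["audit"] = mediator.audit
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

Accepted candidates become part of the active set before the next candidate is checked, so later rules are evaluated against the policy as it stands at that moment during live operation; rejected candidates never produce a reprogramming message, and the audit list records both outcomes so that repeated attempts to relax an active rule can be reviewed.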
33 Claims
1. A method, comprising:
- receiving, by a computing system on a network, a candidate flow rule, wherein the candidate flow rule is received during live operation of the network, wherein the network is dynamically programmable, wherein a flow rule is associated with an action, wherein an action determines a disposition of a communication corresponding to the flow rule, and wherein a flow rule can be implemented by a network switch on the network;
- comparing the candidate flow rule against a set of currently active flow rules, wherein the set of currently active flow rules control a flow of communications across the network during live operation of the network;
- determining that the candidate flow rule does not conflict with the set of currently active flow rules, wherein determining that the candidate flow rule does not conflict includes determining that a same action is associated with both the candidate flow rule and a rule from the set of currently active flow rules; and
- transmitting a packet when the candidate flow rule does not conflict with the set of currently active flow rules, wherein the packet is configured to reprogram the network switch during live operation of the network, wherein reprogramming the network switch includes adding the candidate flow rule to the network switch.
Dependent claims 2 to 11.
12. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions that, when executed by one or more processors, cause the one or more processors to:
- receive, by a computing system on a network, a candidate flow rule, wherein the candidate flow rule is received during live operation of the network, wherein the network is dynamically programmable, wherein a flow rule is associated with an action, wherein an action determines a disposition of a communication corresponding to the flow rule, and wherein a flow rule can be implemented by a network switch on the network;
- compare the candidate flow rule against a set of currently active flow rules, wherein the set of currently active flow rules control a flow of communications across the network during live operation of the network;
- determine that the candidate flow rule does not conflict with the set of currently active flow rules, wherein determining that the candidate flow rule does not conflict includes determining that a same action is associated with both the candidate flow rule and a rule from the set of currently active flow rules; and
- transmit a packet when the candidate flow rule does not conflict with the set of currently active flow rules, wherein the packet is configured to reprogram the network switch during live operation of the network, wherein reprogramming the network switch includes adding the candidate flow rule to the network switch.
Dependent claims 13 to 22.
23. A computing system on a network, comprising:
- one or more processors; and
- a non-transitory computer-readable medium including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including:
- receiving a candidate flow rule, wherein the candidate flow rule is received during live operation of the network, wherein the network is dynamically programmable, wherein a flow rule is associated with an action, wherein an action determines a disposition of a communication corresponding to the flow rule, and wherein a flow rule can be implemented by a network switch on the network;
- comparing the candidate flow rule against a set of currently active flow rules, wherein the set of currently active flow rules control a flow of communications across the network during live operation of the network;
- determining that the candidate flow rule does not conflict with the set of currently active flow rules, wherein determining that the candidate flow rule does not conflict includes determining that a same action is associated with both the candidate flow rule and a rule from the set of currently active flow rules; and
- transmitting a packet when the candidate flow rule does not conflict with the set of currently active flow rules, wherein the packet is configured to reprogram the network switch during live operation of the network, wherein reprogramming the network switch includes adding the candidate flow rule to the network switch.
Dependent claims 24 to 33.