Method and apparatus for virtual firewall migration in a wireless communication network

US 9,882,874 B2
Filed: 08/23/2013
Issued: 01/30/2018
Est. Priority Date: 08/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method of virtual firewall management performed at a first control node in a wireless communication network that includes a Core Network, CN, and an associated Radio Access Network, RAN, said method comprising:

detecting a handover event involving handover of a wireless device from a first RAN node in the network to a second RAN node in the network, wherein an associated virtual firewall is maintained for the wireless device at the first RAN node; and

responsive to said detecting, initiating a migration of the associated virtual firewall from the first RAN node, said migration being a horizontal migration of the associated virtual firewall to the second RAN node, or being a vertical migration of the associated virtual firewall into the CN;

said method further comprising selecting between horizontal migration or vertical migration of the associated virtual firewall based on evaluating at least one of mobility data for the wireless device and location data for the wireless device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure provides example details for apparatuses and methods that manage virtual firewalls in a wireless communication network that includes a Core Network, CN, and an associated Radio Access Network, RAN. The virtual firewalls process traffic for respective wireless devices supported by the network. For example, the virtual firewall associated with a given wireless device is maintained in the RAN at the RAN node supporting the device, and is migrated from that RAN node in response to detecting a handover event involving the device. Advantageously, migration may be “horizontal,” where the associated virtual firewall is moved between nodes in the RAN, or may be “vertical,” where the associated virtual firewall is moved from the RAN to the CN.

9 Citations

18 Claims

1. A method of virtual firewall management performed at a first control node in a wireless communication network that includes a Core Network, CN, and an associated Radio Access Network, RAN, said method comprising:
- detecting a handover event involving handover of a wireless device from a first RAN node in the network to a second RAN node in the network, wherein an associated virtual firewall is maintained for the wireless device at the first RAN node; and
  
  responsive to said detecting, initiating a migration of the associated virtual firewall from the first RAN node, said migration being a horizontal migration of the associated virtual firewall to the second RAN node, or being a vertical migration of the associated virtual firewall into the CN;
  
  said method further comprising selecting between horizontal migration or vertical migration of the associated virtual firewall based on evaluating at least one of mobility data for the wireless device and location data for the wireless device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the method includes at least one of:
    - selecting vertical migration of the associated virtual firewall, if the mobility data indicates a rate or frequency of handover for the wireless device that is above a defined threshold, or indicates a speed of the wireless device that is above a defined threshold; and
      
      selecting vertical migration of the associated virtual firewall, if the location data corresponds to a service area where the network is configured to select vertical migration.
  - 3. The method of claim 1, further comprising, if vertical migration of the associated virtual firewall was selected, later determining whether to migrate the associated virtual firewall back into the RAN, based on evaluating at least one of subsequent mobility data for the wireless device and subsequent location data for the wireless device.
  - 4. The method of claim 1, wherein said selecting between horizontal migration or vertical migration of the associated virtual firewall is further based on evaluating an indication of resource availability at the second RAN node.
  - 5. The method of claim 1, wherein the first control node is a first Serving Gateway, SGW, in the CN, and is configured for transferring traffic to and from wireless devices supported at least by the first RAN node.
  - 6. The method of claim 5, wherein, if the first and second RAN nodes are both associated with the first SGW and horizontal migration of the associated firewall was selected, the method includes initiating horizontal migration for the associated virtual firewall by sending control signaling towards the first RAN node, indicating that the associated virtual firewall is to be transferred to the second RAN node.
  - 7. The method of claim 6, further comprising, until detecting that the associated virtual firewall has been activated for the wireless device at the second RAN node, temporarily tunneling post-handover traffic involving the wireless device through the first RAN node, for processing of the post-handover traffic via a copy of the associated virtual firewall, as retained at the first RAN node.
  - 8. The method of claim 1, wherein, if the first RAN node is associated with the first SGW and the second RAN node is associated with a second SGW as a second control node in the network and horizontal migration of the associated virtual firewall was selected, the method includes initiating horizontal migration of the associated virtual firewall by sending control signaling towards the first RAN node, indicating that the associated virtual firewall is to be transferred to the first SGW, and then transferring the associated virtual firewall from the first SGW to the second SGW.
  - 9. The method of claim 8, further comprising, until detecting that the associated virtual firewall has been activated for the wireless device at the second RAN node, temporarily tunneling post-handover traffic involving the wireless device through the first SGW and the first RAN node, for processing of the post-handover traffic via a copy of the associated virtual firewall as retained at the first SGW or at the first RAN node.
  - 10. The method of claim 1, wherein said selecting between horizontal migration or vertical migration of the associated virtual firewall is further based on one or more of:
    - resource usage at the RAN node that would be targeted in the horizontal migration; and
      
      resource usage at the CN node that would be targeted in the vertical migration.

11. A first control node configured for virtual firewall management in a wireless communication network that includes a Core Network, CN, and an associated Radio Access Network, RAN, said first control node comprising:
- a communication interface configured for communicating with a first RAN node in the network;
  
  a processing circuit that is operatively associated with the communication interface and configured to;
  
  detect a handover event involving handover of a wireless device from the first RAN node in the network to a second RAN node in the network, wherein an associated virtual firewall is maintained for the wireless device at the first RAN node;
  
  responsive to said detecting;
  
  initiate a migration of the associated virtual firewall from the first RAN node, said migration being a horizontal migration of the associated virtual firewall to the second RAN node, or being a vertical migration of the associated virtual firewall into the CN; and
  
  select between horizontal migration or vertical migration of the associated virtual firewall based on evaluating at least one of mobility data for the wireless device and location data for the wireless device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The first control node of claim 11, wherein the processing circuit is configured to perform at least one of the following operations:
    - select vertical migration of the associated virtual firewall, if the mobility data indicates a rate or frequency of handover for the wireless device that is above a defined threshold, or indicates a speed of the wireless device that is above a defined threshold; and
      
      select vertical migration of the associated virtual firewall, if the location data corresponds to a service area where the network is configured to select vertical migration.
  - 13. The first control node of claim 11, wherein, if vertical migration of the associated virtual firewall was selected, the processing circuit is configured to later determine whether to migrate the associated virtual firewall back into the RAN, based on evaluating at least one of subsequent mobility data for the wireless device and subsequent location data for the wireless device.
  - 14. The first control node of claim 11, wherein the first control node is a first Serving Gateway, SGW, in the CN, and is configured for transferring traffic to and from wireless devices supported at least by the first RAN node.
  - 15. The first control node of claim 14, wherein, if the first and second RAN nodes are both associated with the first SGW and horizontal migration of the associated virtual firewall was selected, the processing circuit is configured to initiate horizontal migration of the associated virtual firewall by sending control signaling towards the first RAN node, indicating that the associated virtual firewall is to be transferred to the second RAN node.
  - 16. The first control node of claim 14, wherein the processing circuit is configured to temporarily tunnel post-handover traffic involving the wireless device through the first SGW and the first RAN node, for processing of the post-handover traffic via a copy of the associated virtual firewall as retained at the first SGW or at the first RAN node, until detecting that the associated virtual firewall has been activated for the wireless device at the second RAN node.
  - 17. The first control node of claim 11, wherein, if horizontal migration of the associated virtual firewall was selected and if the first RAN node is associated with the first SGW and the second RAN node is associated with a second SGW as a second control node in the network, the processing circuit is configured to initiate the horizontal migration by sending control signaling towards the first RAN node, indicating that the associated virtual firewall is to be transferred to the first SGW, and to then transfer the associated virtual firewall from the first SGW to the second SGW.
  - 18. The first control node of claim 17, wherein the processing circuit is configured to temporarily tunnel post-handover traffic involving the wireless device through the first SGW and the first RAN node, for processing of the post-handover traffic via a copy of the associated virtual firewall as retained at the first SGW or at the first RAN node, until detecting that the associated virtual firewall has been activated for the wireless device at the second RAN node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Pourzandi, Makan, Zhu, Zhongwen
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US13/974,637
Publication Number

US 20150058966A1
Time in Patent Office

1,621 Days
Field of Search

726 11
US Class Current
CPC Class Codes

G06F 9/45558   Hypervisor-specific managem...

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04W 12/088   using filters or firewalls

H04W 36/0038   of security context informa...

Method and apparatus for virtual firewall migration in a wireless communication network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for virtual firewall migration in a wireless communication network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others