System and method for securing virtualized networks
First Claim
1. A method comprising:
receiving, by a network automation engine of a software defined network (SDN) controller associated with a dynamic virtualized network that is overlaid on a physical network, a current network policy of the dynamic virtualized network, wherein the current network policy includes a plurality of network policy elements and each of the plurality of network policy elements identifies (i) an authorized endpoint of a plurality of authorized endpoints within the dynamic virtualized network, (ii) a network access device of a plurality of network access devices within the dynamic virtualized network, and (iii) a port of the network access device with which the authorized endpoint is associated;
selecting, by the network automation engine, a test network access device of the plurality of network access devices from which test traffic is to be injected into the dynamic virtualized network based on one or more of the current network policy, a topology of the physical network and a topology of the dynamic virtualized network;
determining, by the network automation engine, a predicted result of injection of the test traffic into the dynamic virtualized network based on the current network policy;
causing, by the network automation engine, the test network access device to inject the test traffic into the dynamic virtualized network;
monitoring, by the network automation engine, a result of injection of the test traffic into the dynamic virtualized network; and
identifying, by the network automation engine, one or more errors in connection with handling of the test traffic by the dynamic virtualized network by comparing the predicted result with the result.
0 Assignments
0 Petitions
Abstract
Systems and methods for securing a dynamic virtualized network are provided. According to one embodiment, a network policy of a dynamic virtualized network is received by an SDN controller of the dynamic virtualized network. The network policy includes network policy elements which each identify (i) an authorized endpoint, (ii) a network access device, and (iii) a port of the network access device with which the authorized endpoint is associated. A test network access device is selected from which test traffic is to be injected into the dynamic virtualized network. The test network access device is caused to inject the test traffic into the dynamic virtualized network. One or more errors in connection with handling of the test traffic by the dynamic virtualized network are identified by comparing a predicted result with the actual result of injection of the test traffic.
20 Claims

1. A method comprising:
receiving, by a network automation engine of a software defined network (SDN) controller associated with a dynamic virtualized network that is overlaid on a physical network, a current network policy of the dynamic virtualized network, wherein the current network policy includes a plurality of network policy elements and each of the plurality of network policy elements identifies (i) an authorized endpoint of a plurality of authorized endpoints within the dynamic virtualized network, (ii) a network access device of a plurality of network access devices within the dynamic virtualized network, and (iii) a port of the network access device with which the authorized endpoint is associated;
selecting, by the network automation engine, a test network access device of the plurality of network access devices from which test traffic is to be injected into the dynamic virtualized network based on one or more of the current network policy, a topology of the physical network and a topology of the dynamic virtualized network;
determining, by the network automation engine, a predicted result of injection of the test traffic into the dynamic virtualized network based on the current network policy;
causing, by the network automation engine, the test network access device to inject the test traffic into the dynamic virtualized network;
monitoring, by the network automation engine, a result of injection of the test traffic into the dynamic virtualized network; and
identifying, by the network automation engine, one or more errors in connection with handling of the test traffic by the dynamic virtualized network by comparing the predicted result with the result.
Dependent claims: 2, 3, 4, 5, 6 and 10 (not reproduced here).

7. The method of claim 4, wherein the security measure comprises an access control list on a port of the particular network access device with which an authorized endpoint of the plurality of authorized endpoints is associated and wherein the access control list allows network traffic that includes an identifier associated with the authorized endpoint to pass through the port.

9. The method of claim 4, wherein the security measure comprises an access control list on a port of the particular network access device with which an authorized endpoint of the plurality of authorized endpoints is associated and wherein the access control list causes network traffic that does not include an identifier associated with the authorized endpoint to be dropped.

11. A non-transitory machine-readable medium having embodied therein executable instructions representing a network automation engine, which when executed by one or more processors of a software defined networking (SDN) controller associated with a dynamic virtualized network that is overlaid on a physical network perform a method comprising:
receiving a current network policy of the dynamic virtualized network, wherein the current network policy includes a plurality of network policy elements and each of the plurality of network policy elements identifies (i) an authorized endpoint of a plurality of authorized endpoints within the dynamic virtualized network, (ii) a network access device of a plurality of network access devices within the dynamic virtualized network, and (iii) a port of the network access device with which the authorized endpoint is associated;
selecting a test network access device of the plurality of network access devices from which test traffic is to be injected into the dynamic virtualized network based on one or more of the current network policy, a topology of the physical network and a topology of the dynamic virtualized network;
determining a predicted result of injection of the test traffic into the dynamic virtualized network based on the current network policy;
causing the test network access device to inject the test traffic into the dynamic virtualized network;
monitoring a result of injection of the test traffic into the dynamic virtualized network; and
identifying one or more errors in connection with handling of the test traffic by the dynamic virtualized network by comparing the predicted result with the result.
Dependent claims: 12, 13, 14, 15, 16 and 20 (not reproduced here).

17. The non-transitory machine-readable medium of claim 14, wherein the security measure comprises an access control list on a port of the particular network access device with which an authorized endpoint of the plurality of authorized endpoints is associated and wherein the access control list allows network traffic that includes an identifier associated with the authorized endpoint to pass through the port.

19. The non-transitory machine-readable medium of claim 14, wherein the security measure comprises an access control list on a port of the particular network access device with which an authorized endpoint of the plurality of authorized endpoints is associated and wherein the access control list causes network traffic that does not include an identifier associated with the authorized endpoint to be dropped.
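The independent claims describe a closed verification loop (receive the policy of endpoint/device/port elements, select an injection point, predict the outcome from the policy, inject, observe, compare), and claims 7, 9, 17 and 19 fix the port ACL semantics that the loop checks: traffic carrying the authorized endpoint's identifier passes, traffic without it is dropped. The Python below is an added example written for this page, not code from the patent or its assignee. It simulates that loop against a toy fabric in which one port's ACL was never programmed, so the policy and the data plane disagree there. The MAC-style endpoint identifiers, the device and port names, the dict-based ACL model, the lateral-spoofing probe and the "most policy elements" selection heuristic are all assumptions made for the illustration, not the patent's method.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class PolicyElement:
    """One network policy element: an authorized endpoint bound to a port of a device."""
    endpoint_id: str  # identifier of the authorized endpoint (MAC-style string; assumption)
    device: str       # network access device name (assumption: a virtual switch)
    port: str         # port of that device with which the endpoint is associated


@dataclass
class AccessDevice:
    """Simulated network access device with a per-port access control list.

    acl maps port -> set of endpoint identifiers allowed in on that port (the
    claim 7/9 semantics: carry the authorized identifier and pass, otherwise drop).
    A port absent from the map has no ACL programmed and passes everything; that
    is the misconfiguration the test traffic is meant to expose.
    """
    name: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)

    def forward(self, port: str, src_id: str) -> str:
        """Return how a frame carrying identifier src_id arriving on port is handled."""
        allowed = self.acl.get(port)
        if allowed is None:
            return "pass"
        return "pass" if src_id in allowed else "drop"


def predict(policy: List[PolicyElement], device: str, port: str, src_id: str) -> str:
    """Predicted result from the policy alone: only the endpoint bound to (device, port) passes."""
    bound = {e.endpoint_id for e in policy if e.device == device and e.port == port}
    return "pass" if src_id in bound else "drop"


def select_test_device(policy: List[PolicyElement], topology: Dict[str, List[str]]) -> str:
    """Illustrative selection heuristic (assumption, not the patent's): the device whose
    ports carry the most policy elements, tie-broken by its degree in the physical topology."""
    counts: Dict[str, int] = {}
    for e in policy:
        counts[e.device] = counts.get(e.device, 0) + 1
    return max(counts, key=lambda d: (counts[d], len(topology.get(d, []))))


def build_probes(policy: List[PolicyElement], device: str,
                 spoof_id: str = "de:ad:be:ef:00:00") -> List[Tuple[str, str]]:
    """Test traffic for one device: per port, the authorized identifier (should pass),
    an unknown identifier (should drop) and every identifier authorized on a
    different port of the same device (should drop: lateral spoofing)."""
    local = [e for e in policy if e.device == device]
    probes: List[Tuple[str, str]] = []
    for e in local:
        probes.append((e.port, e.endpoint_id))
        probes.append((e.port, spoof_id))
        for other in local:
            if other.port != e.port:
                probes.append((e.port, other.endpoint_id))
    return probes


def verify(policy, fabric, topology):
    """Run the loop of claim 1: select, predict, inject, observe, compare.
    Returns the selected device and the list of prediction/observation mismatches."""
    device = select_test_device(policy, topology)
    errors = []
    for port, src_id in build_probes(policy, device):
        expected = predict(policy, device, port, src_id)
        observed = fabric[device].forward(port, src_id)  # "injection" into the simulated fabric
        if expected != observed:
            errors.append({"device": device, "port": port, "src": src_id,
                           "expected": expected, "observed": observed})
    return device, errors


# Constructed sample data (not from the patent): three endpoints on two virtual
# switches hanging off one top-of-rack switch.  vsw-1 port eth2 never had its ACL
# programmed, so the policy and the data plane disagree there.
POLICY = [
    PolicyElement("02:00:00:00:00:01", "vsw-1", "eth1"),
    PolicyElement("02:00:00:00:00:02", "vsw-1", "eth2"),
    PolicyElement("02:00:00:00:00:03", "vsw-2", "eth1"),
]
TOPOLOGY = {"vsw-1": ["tor-a"], "vsw-2": ["tor-a"]}
FABRIC = {
    "vsw-1": AccessDevice("vsw-1", acl={"eth1": {"02:00:00:00:00:01"}}),  # eth2 ACL missing
    "vsw-2": AccessDevice("vsw-2", acl={"eth1": {"02:00:00:00:00:03"}}),
}

if __name__ == "__main__":
    dev, errs = verify(POLICY, FABRIC, TOPOLOGY)
    print(f"injected from {dev}; {len(errs)} policy/data-plane mismatch(es)")
    for err in errs:
        print(err)
```

On the constructed fabric the loop selects vsw-1 and reports two mismatches, both on eth2: the unknown identifier and the identifier authorized only on eth1 are predicted to drop but are observed to pass, which is exactly the unprogrammed ACL. Probes that agree with the prediction are not reported, so a correctly programmed fabric yields an empty error list.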
Specification