System and method for securing virtualized networks

US 9,887,901 B2
Filed: 03/21/2017
Issued: 02/06/2018
Est. Priority Date: 10/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a network automation engine of a software defined network (SDN) controller associated with a dynamic virtualized network that is overlaid on a physical network, a current network policy of the dynamic virtualized network, wherein the current network policy includes a plurality of network policy elements and each of the plurality of network policy elements identifies (i) an authorized endpoint of a plurality of authorized endpoints within the dynamic virtualized network, (ii) a network access device of a plurality of network access devices within the dynamic virtualized network, and (iii) a port of the network access device with which the authorized endpoint is associated;

selecting, by the network automation engine, a test network access device of the plurality of network access devices from which test traffic is to be injected into the dynamic virtualized network based on one or more of the current network policy, a topology of the physical network and a topology of the dynamic virtualized network;

determining, by the network automation engine, a predicted result of injection of the test traffic into the dynamic virtualized network based on the current network policy;

causing, by the network automation engine, the test network access device to inject the test traffic into the dynamic virtualized network;

monitoring, by the network automation engine, a result of injection of the test traffic into the dynamic virtualized network; and

identifying, by the network automation, one or more errors in connection with handling of the test traffic by the dynamic virtualized network by comparing the predicted result with the result.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for securing a dynamic virtualized network are provided. According to one embodiment, a network policy of a dynamic virtualized network is received by an SDN controller of the dynamic virtualized network. The network policy includes network policy elements which each identify (i) an authorized endpoint, (ii) a network access device, and (iii) a port of the network access device with which the authorized endpoint is associated. A test network access device is selected from which test traffic is to be injected into the dynamic virtualized network. The test network access device is caused to inject the test traffic into the dynamic virtualized network. One or more errors in connection with handling of the test traffic by the dynamic virtualized network are identified by comparing a predicted result with the actual result of injection of the test traffic.

Citations

20 Claims

1. A method comprising:
- receiving, by a network automation engine of a software defined network (SDN) controller associated with a dynamic virtualized network that is overlaid on a physical network, a current network policy of the dynamic virtualized network, wherein the current network policy includes a plurality of network policy elements and each of the plurality of network policy elements identifies (i) an authorized endpoint of a plurality of authorized endpoints within the dynamic virtualized network, (ii) a network access device of a plurality of network access devices within the dynamic virtualized network, and (iii) a port of the network access device with which the authorized endpoint is associated;
  
  selecting, by the network automation engine, a test network access device of the plurality of network access devices from which test traffic is to be injected into the dynamic virtualized network based on one or more of the current network policy, a topology of the physical network and a topology of the dynamic virtualized network;
  
  determining, by the network automation engine, a predicted result of injection of the test traffic into the dynamic virtualized network based on the current network policy;
  
  causing, by the network automation engine, the test network access device to inject the test traffic into the dynamic virtualized network;
  
  monitoring, by the network automation engine, a result of injection of the test traffic into the dynamic virtualized network; and
  
  identifying, by the network automation, one or more errors in connection with handling of the test traffic by the dynamic virtualized network by comparing the predicted result with the result.
- View Dependent Claims (2, 3, 4, 5, 6, 10)
- - 2. The method of claim 1, further comprising reporting, by the network automation engine, the one or more errors.
  - 3. The method of claim 1, wherein the dynamic virtualized network comprises a Virtual eXtensible Local Area Network (VxLAN) and the physical network comprises a layer 3 network.
  - 4. The method of claim 3, further comprising addressing the one or more errors, by the network automation engine, by taking corrective action, including one or more of:
    - terminating, by the network automation engine, a VxLAN segment associated with the one or more errors;
      
      causing, by the network automation engine, one or more specific ports of one or more network access devices of the plurality of network access devices and associated with the one or more errors to be disconnected; and
      
      causing, by the network automation engine, a particular network access device of the plurality of network access devices to enforce a new security measure by;
      
      creating the new security measure specifying how network traffic is to be processed by the particular network access device; and
      
      applying the new security measure to the particular network access device.
  - 5. The method of claim 4, wherein the security measure comprises a multicast join filter that passes a multicast join request on a port of the particular network access device with which an authorized endpoint of the plurality of authorized endpoints is associated.
  - 6. The method of claim 4, wherein the security measure comprises a multicast join filter that drops a multicast join request on a port of the particular network access device with which none of the plurality of authorized endpoints are associated.
  - 10. The method of claim 4, wherein the security measure comprises an access control list on a port of the particular network access device with which none of the plurality of authorized endpoints are associated and wherein the access control list causes network traffic that is encapsulated for the dynamic virtualized network to be dropped.

7. The method of clam 4, wherein the security measure comprises an access control list on a port of the particular network access device with which an authorized endpoint of the plurality of authorized endpoints is associated and wherein the access control list allows network traffic that includes an identifier associated with the authorized endpoint traffic to pass through the port.
- View Dependent Claims (8)
- - 8. The method of claim 7, wherein the identifier comprises a VxLAN Network Identifier (VNI).

9. The method of clam 4, wherein the security measure comprises an access control list on a port of the particular network access device with which an authorized endpoint of the plurality of authorized endpoints is associated and wherein the access control list causes network traffic that does not include an identifier associated with the authorized endpoint to be dropped.

11. A non-transitory machine-readable medium having embodied therein executable instructions representing a network automation engine, which when executed by one or more processors of a software defined networking (SDN) controller associated with a dynamic virtualized network that is overlaid on a physical network perform a method comprising:
- receiving a current network policy of the dynamic virtualized network, wherein the current network policy includes a plurality of network policy elements and each of the plurality of network policy elements identifies (i) an authorized endpoint of a plurality of authorized endpoints within the dynamic virtualized network, (ii) a network access device of a plurality of network access devices within the dynamic virtualized network, and (iii) a port of the network access device with which the authorized endpoint is associated;
  
  selecting a test network access device of the plurality of network access devices from which test traffic is to be injected into the dynamic virtualized network based on one or more of the current network policy, a topology of the physical network and a topology of the dynamic virtualized network;
  
  determining a predicted result of injection of the test traffic into the dynamic virtualized network based on the current network policy;
  
  causing the test network access device to inject the test traffic into the dynamic virtualized network;
  
  monitoring a result of injection of the test traffic into the dynamic virtualized network; and
  
  identifying one or more errors in connection with handling of the test traffic by the dynamic virtualized network by comparing the predicted result with the result.
- View Dependent Claims (12, 13, 14, 15, 16, 20)
- - 12. The non-transitory machine-readable medium of claim 11, wherein the method further comprises reporting the one or more errors.
  - 13. The non-transitory machine-readable medium of claim 11, wherein the dynamic virtualized network comprises a Virtual eXtensible Local Area Network (VxLAN) and the physical network comprises a layer 3 network.
  - 14. The non-transitory machine-readable medium of claim 13, wherein the method further comprises addressing the one or more errors by taking corrective action, including one or more of:
    - terminating a VxLAN segment associated with the one or more errors;
      
      causing one or more specific ports of one or more network access devices of the plurality of network access devices and associated with the one or more errors to be disconnected; and
      
      causing a particular network access device of the plurality of network access devices to enforce a new security measure by;
      
      creating the new security measure specifying how network traffic is to be processed by the particular network access device; and
      
      applying the new security measure to the particular network access device.
  - 15. The non-transitory machine-readable medium of claim 14, wherein the security measure comprises a multicast join filter that passes a multicast join request on a port of the particular network access device with which an authorized endpoint of the plurality of authorized endpoints is associated.
  - 16. The non-transitory machine-readable medium of claim 14, wherein the security measure comprises a multicast join filter that drops a multicast join request on a port of the particular network access device with which none of the plurality of authorized endpoints are associated.
  - 20. The non-transitory machine-readable medium of claim 14, wherein the security measure comprises an access control list on a port of the particular network access device with which none of the plurality of authorized endpoints are associated and wherein the access control list causes network traffic that is encapsulated for the dynamic virtualized network to be dropped.

17. The non-transitory machine-readable medium of clam 14, wherein the security measure comprises an access control list on a port of the particular network access device with which an authorized endpoint of the plurality of authorized endpoints is associated and wherein the access control list allows network traffic that includes an identifier associated with the authorized endpoint traffic to pass through the port.
- View Dependent Claims (18)
- - 18. The non-transitory machine-readable medium of claim 17, wherein the identifier comprises a VxLAN Network Identifier (VNI).

19. The non-transitory machine-readable medium of clam 14, wherein the security measure comprises an access control list on a port of the particular network access device with which an authorized endpoint of the plurality of authorized endpoints is associated and wherein the access control list causes network traffic that does not include an identifier associated with the authorized endpoint to be dropped.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Wanser, Kelly, Antonopoulos, Andreas Markso
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US15/465,577
Publication Number

US 20170195207A1
Time in Patent Office

322 Days
Field of Search

726 1, 726 3, 726 13, 726 14, 726 15, 709223, 709224, 370231, 370252, 370254, 713151, 713153
US Class Current
CPC Class Codes

H04L 12/18   for broadcast or conference...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/20   Network management software...

H04L 43/50   Testing arrangements

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

H04L 67/143   Termination or inactivation...

H04L 67/146   Markers for unambiguous ide...

System and method for securing virtualized networks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for securing virtualized networks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links