System and method for securing virtualized networks

US 9,948,607 B2
Filed: 03/07/2017
Issued: 04/17/2018
Est. Priority Date: 10/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a network automation engine of a software defined network (SDN) controller associated with a dynamic virtualized network that is overlaid on a physical network, a current network policy of the dynamic virtualized network, wherein the current network policy includes a plurality of network policy elements and each of the plurality of network policy elements identifies (i) an authorized endpoint of a plurality of authorized endpoints within the dynamic virtualized network, (ii) a network access device of a plurality of network access devices within the dynamic virtualized network, and (iii) a port of the network access device with which the authorized endpoint is associated;

generating, by the network automation engine, a network security policy for the dynamic virtualized network based on the current network policy, by, for each network access device of the plurality of network access devices;

determining whether to create one or more security measures for the network access device by evaluating those of the plurality of network policy elements involving the network access device, wherein each of the one or more security measures specifies how network traffic in the dynamic virtualized network is to be processed by a port of a plurality of ports of the network access device; and

when said determining is affirmative, creating the one or more security measures; and

applying, by the network automation engine, the network security policy to each network access device of the plurality of network access devices that is affected by the network security policy.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for securing a dynamic virtualized network are provided. According to one embodiment, a network policy of a dynamic virtualized network is received by an SDN controller of the dynamic virtualized network. The network policy includes network policy elements which each identify (i) an authorized endpoint, (ii) a network access device, and (iii) a port of the network access device with which the authorized endpoint is associated. A security policy for the dynamic virtualized network is generated based on the network policy, by, for each network access device, creating a set of appropriate security measures for the network access device. Each security measure specifies how network traffic in the dynamic virtualized network is to be processed by a port of the network access device. Finally, the security policy is applied to each affected network access device.

33 Citations

20 Claims

1. A method comprising:
- receiving, by a network automation engine of a software defined network (SDN) controller associated with a dynamic virtualized network that is overlaid on a physical network, a current network policy of the dynamic virtualized network, wherein the current network policy includes a plurality of network policy elements and each of the plurality of network policy elements identifies (i) an authorized endpoint of a plurality of authorized endpoints within the dynamic virtualized network, (ii) a network access device of a plurality of network access devices within the dynamic virtualized network, and (iii) a port of the network access device with which the authorized endpoint is associated;
  
  generating, by the network automation engine, a network security policy for the dynamic virtualized network based on the current network policy, by, for each network access device of the plurality of network access devices;
  
  determining whether to create one or more security measures for the network access device by evaluating those of the plurality of network policy elements involving the network access device, wherein each of the one or more security measures specifies how network traffic in the dynamic virtualized network is to be processed by a port of a plurality of ports of the network access device; and
  
  when said determining is affirmative, creating the one or more security measures; and
  
  applying, by the network automation engine, the network security policy to each network access device of the plurality of network access devices that is affected by the network security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 14, 18, 20)
- - 2. The method of claim 1, wherein the dynamic virtualized network comprises a Virtual eXtensible Local Area Network (VxLAN) and the physical network comprises a layer 3 network.
  - 3. The method of claim 1, wherein a security measure of the one or more security measures comprises a multicast join filter that passes a multicast join request on a port of the network access device with which an authorized endpoint of the plurality of authorized endpoints is associated.
  - 4. The method of claim 1, wherein a security measure of the one or more security measures comprises a multicast join filter that drops a multicast join request on a port of the network access device with which none of the plurality of authorized endpoints are associated.
  - 5. The method of claim 1, wherein a security measure of the one or more security measures comprises an access control list on a port of the network access device with which an authorized endpoint of the plurality of authorized endpoints is associated and wherein the access control list allows network that includes an identifier associated with the authorized endpoint traffic to pass through the port.
  - 6. The method of claim 5, wherein the identification comprises a VxLAN Network Identifier (VNI).
  - 7. The method of claim 1, wherein a security measure of the one or more security measures comprises an access control list on a port of the network access device with which an authorized endpoint of the plurality of authorized endpoints is associated and wherein the access control list causes network traffic that does not include an identifier associated with the authorized endpoint to be dropped.
  - 8. The method of claim 1, wherein a security measure of the one or more security measures comprises an access control list on a port of the network access device with which none of the plurality of authorized endpoints are associated and wherein the access control list causes network traffic that is encapsulated for the dynamic virtualized network to be dropped.
  - 9. The method of claim 1, wherein the network access device comprises a switch or a router.
  - 10. The method of claim 1, wherein the network access device comprises a virtual device.
  - 14. The non-transitory machine-readable medium of claim 1, wherein a security measure of the one or more security measures comprises a multicast join filter that drops a multicast join request on a port of the network access device with which none of the plurality of authorized endpoints are associated.
  - 18. The non-transitory machine-readable medium of claim 1, wherein a security measure of the one or more security measures comprises an access control list on a port of the network access device with which none of the plurality of authorized endpoints are associated and wherein the access control list causes network traffic that is encapsulated for the dynamic virtualized network to be dropped.
  - 20. The non-transitory machine-readable medium of claim 1, wherein the network access device comprises a virtual device.

11. A non-transitory machine-readable medium having embodies therein executable instructions representing a network automation engine, which when executed by one or more processors of a software defined networking (SDN) controller associated with a dynamic virtualized network that is overlaid on a physical network perform a method comprising:
- receiving a current network policy of the dynamic virtualized network, wherein the current network policy includes a plurality of network policy elements and each of the plurality of network policy elements identifies (i) an authorized endpoint of a plurality of authorized endpoints within the dynamic virtualized network, (ii) a network access device of a plurality of network access devices within the dynamic virtualized network, and (iii) a port of the network access device with which the authorized endpoint is associated;
  
  generating a network security policy for the dynamic virtualized network based on the current network policy, by, for each network access device of the plurality of network access devices;
  
  determining whether to create one or more security measures for the network access device by evaluating those of the plurality of network policy elements involving the network access device, wherein each of the one or more security measures specifies how network traffic in the dynamic virtualized network is to be processed by a port of a plurality of ports of the network access device; and
  
  when said determining is affirmative, creating the one or more security measures; and
  
  applying the network security policy to each network access device of the plurality of network access devices that is affected by the network security policy.
- View Dependent Claims (12, 13, 15, 16, 17, 19)
- - 12. The non-transitory machine-readable medium of claim 11, wherein the dynamic virtualized network comprises a Virtual eXtensible Local Area Network (VxLAN) and the physical network comprises a layer 3 network.
  - 13. The non-transitory machine-readable medium of claim 11, wherein a security measure of the one or more security measures comprises a multicast join filter that passes a multicast join request on a port of the network access device with which an authorized endpoint of the plurality of authorized endpoints is associated.
  - 15. The non-transitory machine-readable medium of claim 11, wherein a security measure of the one or more security measures comprises an access control list on a port of the network access device with which an authorized endpoint of the plurality of authorized endpoints is associated and wherein the access control list allows network that includes an identifier associated with the authorized endpoint traffic to pass through the port.
  - 16. The non-transitory machine-readable medium of claim 15, wherein the identification comprises a VxLAN Network Identifier (VNI).
  - 17. The non-transitory machine-readable medium of claim 11, wherein a security measure of the one or more security measures comprises an access control list on a port of the network access device with which an authorized endpoint of the plurality of authorized endpoints is associated and wherein the access control list causes network traffic that does not include an identifier associated with the authorized endpoint to be dropped.
  - 19. The non-transitory machine-readable medium of claim 11, wherein the network access device comprises a switch or a router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Wanser, Kelly, Antonopoulos, Andreas Markso
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US15/452,436
Publication Number

US 20170180323A1
Time in Patent Office

406 Days
Field of Search

726 1, 726 3, 726 13, 726 14, 726 15, 709223, 709224, 370231, 370254, 713151, 713153
US Class Current
CPC Class Codes

H04L 12/18   for broadcast or conference...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/20   Network management software...

H04L 43/50   Testing arrangements

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

H04L 67/143   Termination or inactivation...

H04L 67/146   Markers for unambiguous ide...

System and method for securing virtualized networks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for securing virtualized networks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links