System and method for securing virtualized networks
First Claim
1. A method comprising:
- receiving, by a network automation engine of a software defined network (SDN) controller associated with a dynamic virtualized network that is overlaid on a physical network, a current network policy of the dynamic virtualized network, wherein the current network policy includes a plurality of network policy elements and each of the plurality of network policy elements identifies (i) an authorized endpoint of a plurality of authorized endpoints within the dynamic virtualized network, (ii) a network access device of a plurality of network access devices within the dynamic virtualized network, and (iii) a port of the network access device with which the authorized endpoint is associated;
- generating, by the network automation engine, a network security policy for the dynamic virtualized network based on the current network policy, by, for each network access device of the plurality of network access devices:
  - determining whether to create one or more security measures for the network access device by evaluating those of the plurality of network policy elements involving the network access device, wherein each of the one or more security measures specifies how network traffic in the dynamic virtualized network is to be processed by a port of a plurality of ports of the network access device; and
  - when said determining is affirmative, creating the one or more security measures; and
- applying, by the network automation engine, the network security policy to each network access device of the plurality of network access devices that is affected by the network security policy.
Abstract
Systems and methods for securing a dynamic virtualized network are provided. According to one embodiment, a network policy of a dynamic virtualized network is received by an SDN controller of the dynamic virtualized network. The network policy includes network policy elements which each identify (i) an authorized endpoint, (ii) a network access device, and (iii) a port of the network access device with which the authorized endpoint is associated. A security policy for the dynamic virtualized network is generated based on the network policy, by, for each network access device, creating a set of appropriate security measures for the network access device. Each security measure specifies how network traffic in the dynamic virtualized network is to be processed by a port of the network access device. Finally, the security policy is applied to each affected network access device.
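The procedure the abstract and claim 1 describe (receive policy elements of endpoint, device and port; for each device decide whether measures are needed and create them; apply only to affected devices) is illustrated below as an added example. It is not code from the patent or from any assignee; the data model, the "permit authorized endpoint then drop" measure shape, the `NetworkAccessDevice` stand-in and the sample policy are all constructed assumptions. It also goes one step beyond the claim text by showing how a controller can find which devices must be re-programmed when the dynamic policy changes (for instance after a VM migration).

```python
"""Added illustration of compiling a virtualized-network policy into
per-device, per-port security measures (not the patent's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class PolicyElement:
    """One network policy element: (i) endpoint, (ii) device, (iii) port."""
    endpoint: str   # authorized endpoint, here a MAC address (constructed)
    device: str     # network access device, here a vSwitch name (constructed)
    port: str       # port of that device the endpoint is attached to


@dataclass(frozen=True)
class SecurityMeasure:
    """How traffic on one port of one device is to be processed."""
    device: str
    port: str
    action: str                 # "permit" or "drop"
    match: Optional[str] = None # source endpoint a permit rule matches


# Constructed sample policy: two VMs share a port on vswitch-a, one VM on vswitch-b.
SAMPLE_POLICY = [
    PolicyElement("00:11:22:33:44:01", "vswitch-a", "eth1"),
    PolicyElement("00:11:22:33:44:02", "vswitch-a", "eth1"),
    PolicyElement("00:11:22:33:44:03", "vswitch-b", "eth2"),
]


def generate_security_policy(policy: List[PolicyElement]) -> Dict[str, List[SecurityMeasure]]:
    """For each device, evaluate only the policy elements that involve it and
    decide whether measures are needed. A device that no element mentions gets
    none (the 'determining' step is negative for it)."""
    by_device: Dict[str, List[PolicyElement]] = {}
    for el in policy:
        by_device.setdefault(el.device, []).append(el)

    security: Dict[str, List[SecurityMeasure]] = {}
    for device, elements in by_device.items():
        measures: List[SecurityMeasure] = []
        for port in sorted({el.port for el in elements}):
            # Permit exactly the endpoints authorized on this port ...
            for el in elements:
                if el.port == port:
                    measures.append(SecurityMeasure(device, port, "permit", el.endpoint))
            # ... and drop anything else arriving on it (spoofed or rogue sources).
            measures.append(SecurityMeasure(device, port, "drop"))
        if measures:            # affirmative determination: record the measures
            security[device] = measures
    return security


class NetworkAccessDevice:
    """Stand-in for a vSwitch managed by the SDN controller (constructed)."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.applied: List[SecurityMeasure] = []

    def install(self, measures: List[SecurityMeasure]) -> None:
        self.applied = list(measures)


def apply_security_policy(security: Dict[str, List[SecurityMeasure]],
                          devices: Dict[str, NetworkAccessDevice]) -> List[str]:
    """Push measures only to devices the policy affects; returns their names."""
    affected: List[str] = []
    for name, measures in security.items():
        dev = devices.get(name)
        if dev is None:
            continue            # device not (yet) known to the controller
        dev.install(measures)
        affected.append(name)
    return affected


def changed_devices(old: Dict[str, List[SecurityMeasure]],
                    new: Dict[str, List[SecurityMeasure]]) -> Set[str]:
    """Devices whose measures differ between two generated policies: these are
    the ones to re-program when the dynamic network changes."""
    return {d for d in set(old) | set(new) if old.get(d) != new.get(d)}


if __name__ == "__main__":
    devices = {n: NetworkAccessDevice(n) for n in ("vswitch-a", "vswitch-b", "vswitch-c")}
    current = generate_security_policy(SAMPLE_POLICY)
    print("applied to:", apply_security_policy(current, devices))
    # VM 03 migrates from vswitch-b/eth2 to vswitch-c/eth1: only those two change.
    migrated = SAMPLE_POLICY[:2] + [PolicyElement("00:11:22:33:44:03", "vswitch-c", "eth1")]
    print("re-program:", sorted(changed_devices(current, generate_security_policy(migrated))))
```

The measure shape used here (permit the endpoints a port is authorized for, then drop the rest) is one reasonable reading of "how network traffic ... is to be processed by a port"; a real controller would translate it into the flow rules or port ACL syntax of the specific vSwitch or top-of-rack device.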
20 Claims
11. A non-transitory machine-readable medium having embodied therein executable instructions representing a network automation engine, which when executed by one or more processors of a software defined networking (SDN) controller associated with a dynamic virtualized network that is overlaid on a physical network perform a method comprising:
- receiving a current network policy of the dynamic virtualized network, wherein the current network policy includes a plurality of network policy elements and each of the plurality of network policy elements identifies (i) an authorized endpoint of a plurality of authorized endpoints within the dynamic virtualized network, (ii) a network access device of a plurality of network access devices within the dynamic virtualized network, and (iii) a port of the network access device with which the authorized endpoint is associated;
- generating a network security policy for the dynamic virtualized network based on the current network policy, by, for each network access device of the plurality of network access devices:
  - determining whether to create one or more security measures for the network access device by evaluating those of the plurality of network policy elements involving the network access device, wherein each of the one or more security measures specifies how network traffic in the dynamic virtualized network is to be processed by a port of a plurality of ports of the network access device; and
  - when said determining is affirmative, creating the one or more security measures; and
- applying the network security policy to each network access device of the plurality of network access devices that is affected by the network security policy.
Specification