Systems and methods for monitoring virtual networks

US 9,961,105 B2
Filed: 12/31/2014
Issued: 05/01/2018
Est. Priority Date: 12/31/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for monitoring virtual networks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying, within a cloud-computing environment that hosts a plurality of virtual networks, a virtual network comprising at least one virtualized edge switching device that handles, using a software-defined network protocol, all packets passed between the virtual network and at least one additional virtual network within the cloud-computing environment;

emulating a physical wiretap within the virtualized edge switching device by;

identifying characteristics of the physical wiretap that enable the physical wiretap to filter packets; and

providing, within the virtualized edge switching device, a set of software-defined network rules based on the characteristics of the physical wiretap and containing criteria for identifying packets having at least one predetermined property associated with a security policy that;

is defined by a tenant of the virtual network; and

comprises a data loss prevention policy applied to packets distributed from a source port of the virtualized edge switching device to outside the virtual network;

intercepting, at the source port of the virtualized edge switching device, a packet destined for a destination port that resides outside of the virtual network;

determining that at least one characteristic of the packet satisfies at least one of the software-defined network rules; and

in response to determining that the characteristic of the packet satisfies at least one of the software-defined network rules;

creating a copy of the packet;

forwarding, via a tunneling mechanism, the copy of the packet to a virtual tap port that is located outside of the virtual network and performs a security analysis on the copy of the packet that is invisible to the tenant of the virtual network, wherein the tunneling mechanism encapsulates the copy of the packet at the source port and decapsulates the copy of the packet at the destination port; and

forwarding the packet to the destination port along an intended network path of the packet.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for monitoring virtual networks may include (1) identifying a virtual network containing at least one virtualized switching device that routes network traffic from a source port within the virtual network to a destination port, (2) providing, within the virtualized switching device, a set of software-defined network rules containing criteria for identifying packets having at least one predetermined property associated with a security policy, (3) intercepting, at the source port, a packet destined for the destination port, (4) determining that at least one characteristic of the packet satisfies at least one of the rules, and (5) in response to determining that the characteristic of the packet satisfies at least one of the rules, forwarding a copy of the packet to a virtual tap port that analyzes the packet for security threats. Various other methods, systems, and computer-readable media are also disclosed.

Citations

18 Claims

1. A computer-implemented method for monitoring virtual networks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying, within a cloud-computing environment that hosts a plurality of virtual networks, a virtual network comprising at least one virtualized edge switching device that handles, using a software-defined network protocol, all packets passed between the virtual network and at least one additional virtual network within the cloud-computing environment;
  
  emulating a physical wiretap within the virtualized edge switching device by;
  
  identifying characteristics of the physical wiretap that enable the physical wiretap to filter packets; and
  
  providing, within the virtualized edge switching device, a set of software-defined network rules based on the characteristics of the physical wiretap and containing criteria for identifying packets having at least one predetermined property associated with a security policy that;
  
  is defined by a tenant of the virtual network; and
  
  comprises a data loss prevention policy applied to packets distributed from a source port of the virtualized edge switching device to outside the virtual network;
  
  intercepting, at the source port of the virtualized edge switching device, a packet destined for a destination port that resides outside of the virtual network;
  
  determining that at least one characteristic of the packet satisfies at least one of the software-defined network rules; and
  
  in response to determining that the characteristic of the packet satisfies at least one of the software-defined network rules;
  
  creating a copy of the packet;
  
  forwarding, via a tunneling mechanism, the copy of the packet to a virtual tap port that is located outside of the virtual network and performs a security analysis on the copy of the packet that is invisible to the tenant of the virtual network, wherein the tunneling mechanism encapsulates the copy of the packet at the source port and decapsulates the copy of the packet at the destination port; and
  
  forwarding the packet to the destination port along an intended network path of the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the tenant of the virtual network:
    - utilizes the virtual network to host a cloud-based application; and
      
      requests that the virtualized edge switching device monitor packets passed between the cloud-based application and the additional virtual network.
  - 3. The method of claim 1, wherein the predetermined property associated with the security policy comprises at least one of:
    - a property of a destination of the packets;
      
      a property of a source of the packets; and
      
      a property of a protocol used to route the packets.
  - 4. The method of claim 1, wherein the virtualized edge switching device connects the source port to both additional ports within the virtual network and to ports outside the virtual network.
  - 5. The method of claim 4, wherein:
    - the security policy further comprises a malware detection policy applied to network traffic distributed from outside the virtual network to an additional destination port that resides within the virtual network.
  - 6. The method of claim 1, wherein the virtual tap port is outside of the control of the tenant of the virtual network.
  - 7. The method of claim 1, further comprising:
    - determining, based on an analysis of the copy of the packet at the virtual tap port, that the packet comprises a security threat; and
      
      performing at least one security action in response to determining that the packet comprises the security threat.
  - 8. The method of claim 1, further comprising:
    - intercepting, at the source port, an additional packet that contains at least one property that satisfies at least one of the software-defined network rules;
      
      determining, based on additional criteria within the set of software-defined network rules, that a current network traffic load within the virtual network exceeds a predetermined threshold; and
      
      in response to determining that the current network traffic load exceeds the predetermined threshold, forwarding a copy of the additional packet to an additional virtual tap port instead of the virtual tap port.

9. A system for monitoring virtual networks, the system comprising:
- an identification module, stored in memory, that identifies, within a cloud-computing environment that hosts a plurality of virtual networks, a virtual network comprising at least one virtualized edge switching device that handles, using a software-defined network protocol, all packets passed between the virtual network and at least one additional virtual network within the cloud-computing environment;
  
  a providing module, stored in the memory, that emulates a physical wiretap within the virtualized edge switching device by;
  
  identifying characteristics of the physical wiretap that enable the physical wiretap to filter packets; and
  
  providing, within the virtualized edge switching device, a set of software-defined network rules based on the characteristics of the physical wiretap and containing criteria for identifying packets having at least one predetermined property associated with a security policy that;
  
  is defined by a tenant of the virtual network; and
  
  comprises a data loss prevention policy applied to packets distributed from a source port of the virtualized edge switching device to outside the virtual network;
  
  an interception module, stored in the memory, that intercepts, at the source port of the virtualized edge switching device, a packet destined for a destination port that resides outside of the virtual network;
  
  a determination module, stored in the memory, that determines that at least one characteristic of the packet satisfies at least one of the software-defined network rules;
  
  a forward module, stored in the memory, that in response to determining that the characteristic of the packet satisfies at least one of the software-defined network rules;
  
  creates a copy of the packet;
  
  forwards, via a tunneling mechanism, the copy of the packet to a virtual tap port that is located outside of the virtual network and performs a security analysis on the copy of the packet that is invisible to the tenant of the virtual network, wherein the tunneling mechanism encapsulates the copy of the packet at the source port and decapsulates the copy of the packet at the destination port; and
  
  forwards the packet to the destination port along an intended network path of the packet; and
  
  at least one hardware processor that executes the identification module, the providing module, the interception module, the determination module, and the forward module.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the tenant of the virtual network:
    - utilizes the virtual network to host a cloud-based application; and
      
      requests that the virtualized edge switching device monitor packets passed between the cloud-based application and the additional virtual network.
  - 11. The system of claim 9, wherein the predetermined property associated with the security policy comprises at least one of:
    - a property of a destination of the packets;
      
      a property of a source of the packets; and
      
      a property of a protocol used to route the packets.
  - 12. The system of claim 9, wherein the virtualized edge switching device connects the source port to both additional ports within the virtual network and to ports outside the virtual network.
  - 13. The system of claim 12, wherein:
    - the security policy further comprises a malware detection policy applied to network traffic distributed from outside the virtual network to an additional destination port that resides within the virtual network.
  - 14. The system of claim 9, wherein the virtual tap port is outside of the control of the tenant of the virtual network.
  - 15. The system of claim 9, further comprising:
    - an analysis module that determines, based on an analysis of the copy of the packet at the virtual tap port, that the packet comprises a security threat; and
      
      a security module that performs at least one security action in response to the determination that the packet comprises the security threat.
  - 16. The system of claim 9, wherein:
    - the interception module intercepts, at the source port, an additional packet that contains at least one property that satisfies at least one of the software-defined network rules;
      
      the determination module determines, based on additional criteria within the set of software-defined network rules, that a current network traffic load within the virtual network exceeds a predetermined threshold; and
      
      in response to the determination that the current network traffic load exceeds the predetermined threshold, the forward module forwards a copy of the additional packet to an additional virtual tap port instead of the virtual tap port.

17. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify, within a cloud-computing environment that hosts a plurality of virtual networks, a virtual network comprising at least one virtualized edge switching device that handles, using a software-defined network protocol, all packets passed between the virtual network and at least one additional virtual network within the cloud-computing environment;
  
  emulate a physical wiretap within the virtualized edge switching device by;
  
  identifying characteristics of the physical wiretap that enable the physical wiretap to filter packets; and
  
  providing, within the virtualized edge switching device, a set of software-defined network rules based on the characteristics of the physical wiretap and containing criteria for identifying packets having at least one predetermined property associated with a security policy that;
  
  is defined by a tenant of the virtual network; and
  
  comprises a data loss prevention policy applied to packets distributed from a source port of the virtualized edge switching device to outside the virtual network;
  
  intercept, at a source port of the virtualized edge switching device, a packet destined for a destination port that resides outside of the virtual network;
  
  determine that at least one characteristic of the packet satisfies at least one of the software-defined network rules; and
  
  in response to determining that the characteristic of the packet satisfies at least one of the software-defined network rules;
  
  create a copy of the packet;
  
  forward, via a tunneling mechanism, the copy of the packet to a virtual tap port that is located outside of the virtual network and performs a security analysis on the copy of the packet that is invisible to the tenant of the virtual network, wherein the tunneling mechanism encapsulates the copy of the packet at the source port and decapsulates the copy of the packet at the destination port; and
  
  forward the packet to the destination port along an intended network path of the packet.
- View Dependent Claims (18)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the tenant of the virtual network:
    - utilizes the virtual network to host a cloud-based application; and
      
      requests that the virtualized edge switching device monitor packets passed between the cloud-based application and the additional virtual network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nanda, Susanta K., Sun, Yuqiong
Primary Examiner(s)
Nipa, Wasika

Application Number

US14/587,048
Publication Number

US 20160191545A1
Time in Patent Office

1,217 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/028   by filtering

H04L 43/062   related to network traffic

H04L 43/12   Network monitoring probes

H04L 43/20   the monitoring system or th...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Systems and methods for monitoring virtual networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for monitoring virtual networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links