Systems and methods for monitoring virtual networks
Abstract
The disclosed computer-implemented method for monitoring virtual networks may include (1) identifying a virtual network containing at least one virtualized switching device that routes network traffic from a source port within the virtual network to a destination port, (2) providing, within the virtualized switching device, a set of software-defined network rules containing criteria for identifying packets having at least one predetermined property associated with a security policy, (3) intercepting, at the source port, a packet destined for the destination port, (4) determining that at least one characteristic of the packet satisfies at least one of the rules, and (5) in response to determining that the characteristic of the packet satisfies at least one of the rules, forwarding a copy of the packet to a virtual tap port that analyzes the packet for security threats. Various other methods, systems, and computer-readable media are also disclosed.
18 Claims
1. A computer-implemented method for monitoring virtual networks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying, within a cloud-computing environment that hosts a plurality of virtual networks, a virtual network comprising at least one virtualized edge switching device that handles, using a software-defined network protocol, all packets passed between the virtual network and at least one additional virtual network within the cloud-computing environment;
- emulating a physical wiretap within the virtualized edge switching device by:
  - identifying characteristics of the physical wiretap that enable the physical wiretap to filter packets; and
  - providing, within the virtualized edge switching device, a set of software-defined network rules based on the characteristics of the physical wiretap and containing criteria for identifying packets having at least one predetermined property associated with a security policy that:
    - is defined by a tenant of the virtual network; and
    - comprises a data loss prevention policy applied to packets distributed from a source port of the virtualized edge switching device to outside the virtual network;
- intercepting, at the source port of the virtualized edge switching device, a packet destined for a destination port that resides outside of the virtual network;
- determining that at least one characteristic of the packet satisfies at least one of the software-defined network rules; and
- in response to determining that the characteristic of the packet satisfies at least one of the software-defined network rules:
  - creating a copy of the packet;
  - forwarding, via a tunneling mechanism, the copy of the packet to a virtual tap port that is located outside of the virtual network and performs a security analysis on the copy of the packet that is invisible to the tenant of the virtual network, wherein the tunneling mechanism encapsulates the copy of the packet at the source port and decapsulates the copy of the packet at the destination port; and
  - forwarding the packet to the destination port along an intended network path of the packet.
Dependent claims: 2, 3, 4, 5, 6, 7 and 8.
9. A system for monitoring virtual networks, the system comprising:
- an identification module, stored in memory, that identifies, within a cloud-computing environment that hosts a plurality of virtual networks, a virtual network comprising at least one virtualized edge switching device that handles, using a software-defined network protocol, all packets passed between the virtual network and at least one additional virtual network within the cloud-computing environment;
- a providing module, stored in the memory, that emulates a physical wiretap within the virtualized edge switching device by:
  - identifying characteristics of the physical wiretap that enable the physical wiretap to filter packets; and
  - providing, within the virtualized edge switching device, a set of software-defined network rules based on the characteristics of the physical wiretap and containing criteria for identifying packets having at least one predetermined property associated with a security policy that:
    - is defined by a tenant of the virtual network; and
    - comprises a data loss prevention policy applied to packets distributed from a source port of the virtualized edge switching device to outside the virtual network;
- an interception module, stored in the memory, that intercepts, at the source port of the virtualized edge switching device, a packet destined for a destination port that resides outside of the virtual network;
- a determination module, stored in the memory, that determines that at least one characteristic of the packet satisfies at least one of the software-defined network rules;
- a forward module, stored in the memory, that in response to determining that the characteristic of the packet satisfies at least one of the software-defined network rules:
  - creates a copy of the packet;
  - forwards, via a tunneling mechanism, the copy of the packet to a virtual tap port that is located outside of the virtual network and performs a security analysis on the copy of the packet that is invisible to the tenant of the virtual network, wherein the tunneling mechanism encapsulates the copy of the packet at the source port and decapsulates the copy of the packet at the destination port; and
  - forwards the packet to the destination port along an intended network path of the packet; and
- at least one hardware processor that executes the identification module, the providing module, the interception module, the determination module, and the forward module.

Dependent claims: 10, 11, 12, 13, 14, 15 and 16.
17. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify, within a cloud-computing environment that hosts a plurality of virtual networks, a virtual network comprising at least one virtualized edge switching device that handles, using a software-defined network protocol, all packets passed between the virtual network and at least one additional virtual network within the cloud-computing environment;
- emulate a physical wiretap within the virtualized edge switching device by:
  - identifying characteristics of the physical wiretap that enable the physical wiretap to filter packets; and
  - providing, within the virtualized edge switching device, a set of software-defined network rules based on the characteristics of the physical wiretap and containing criteria for identifying packets having at least one predetermined property associated with a security policy that:
    - is defined by a tenant of the virtual network; and
    - comprises a data loss prevention policy applied to packets distributed from a source port of the virtualized edge switching device to outside the virtual network;
- intercept, at a source port of the virtualized edge switching device, a packet destined for a destination port that resides outside of the virtual network;
- determine that at least one characteristic of the packet satisfies at least one of the software-defined network rules; and
- in response to determining that the characteristic of the packet satisfies at least one of the software-defined network rules:
  - create a copy of the packet;
  - forward, via a tunneling mechanism, the copy of the packet to a virtual tap port that is located outside of the virtual network and performs a security analysis on the copy of the packet that is invisible to the tenant of the virtual network, wherein the tunneling mechanism encapsulates the copy of the packet at the source port and decapsulates the copy of the packet at the destination port; and
  - forward the packet to the destination port along an intended network path of the packet.

Dependent claim: 18.
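The packet flow that the three independent claims describe (tenant-defined rules in a virtualized edge switch, a copy of each matching egress packet tunnelled to an out-of-band tap port, the original forwarded on its intended path), as an added simulation that is not part of the patent or any product it covers. The virtual-network prefix, the tap tunnel endpoint, the rule fields and the sample packets are all constructed for illustration.

```python
"""Added illustration of the claimed virtual-tap mechanism (not the patent's code).
A virtualized edge switch holds tenant-defined SDN rules; an egress packet that
matches a rule is copied, the copy is tunnel-encapsulated toward a tap port
outside the virtual network, and the original leaves on its intended path."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

VNET = ipaddress.ip_network("10.1.0.0/16")   # constructed tenant virtual network
TAP_ENDPOINT = "192.0.2.10"                   # constructed tunnel endpoint of the tap port


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    """One SDN rule; every field that is not None must match (others are wildcards)."""
    dport: Optional[int] = None
    payload_marker: Optional[bytes] = None    # DLP-style content criterion, e.g. b"CONFIDENTIAL"

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.payload_marker is not None and self.payload_marker not in pkt.payload:
            return False
        return True


@dataclass
class Tunneled:
    """The encapsulated copy: an outer header addressed to the tap plus the inner packet."""
    outer_dst: str
    inner: Packet


def edge_switch(pkt: Packet, rules: List[Rule]) -> Tuple[Packet, Optional[Tunneled]]:
    """Return (packet forwarded on its intended path, tunneled copy for the tap or None).
    Only traffic leaving the virtual network is eligible for mirroring."""
    leaving_vnet = ipaddress.ip_address(pkt.dst) not in VNET
    if leaving_vnet and any(r.matches(pkt) for r in rules):
        copy = Packet(pkt.src, pkt.dst, pkt.dport, pkt.payload)   # original is never modified
        return pkt, Tunneled(TAP_ENDPOINT, copy)
    return pkt, None


def tap_port(t: Tunneled) -> Packet:
    """Decapsulate at the tap and hand the inner packet to out-of-band analysis."""
    return t.inner
```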