Methods and systems for orchestrating physical and virtual switches to enforce security boundaries

US 9,973,472 B2
Filed: 04/02/2015
Issued: 05/15/2018
Est. Priority Date: 04/02/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

writing, by a policy engine, entries in a forwarding table of a switch through an application programming interface (API) of the switch, such that first data packets from a first host and directed to a second host are forwarded by the switch to an enforcement point;

receiving, by the switch, the first data packets;

forwarding, by the switch, the first data packets to the enforcement point using the forwarding table;

determining, by the enforcement point, whether the first data packets violate a high-level security policy using a low-level rule set;

configuring, by the enforcement point, the forwarding table through the API such that second data packets are forwarded by the switch to the second host, in response to determining the first data packets do not violate the security policy;

configuring, by the enforcement point, the forwarding table through the API such that the second data packets are dropped or forwarded to a security function by the switch, in response to determining the first data packets violate the security policy;

receiving, by the switch, the second data packets; and

selectively dropping or forwarding the second data packets, by the switch, in accordance with the configuration.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments include methods comprising: writing entries in a forwarding table of a switch through an application programming interface (API) of the switch, such that first data packets from a first host and directed to a second host are forwarded by the switch to an enforcement point; receiving the first data packets; forwarding the first data packets to the enforcement point using the forwarding table; determining whether the first data packets violate a high-level security policy using a low-level rule set; configuring the forwarding table through the API such that second data packets are forwarded by the switch to the second host, in response to determining the first data packets do not violate the security policy; configuring the forwarding table through the API such that the second data packets are dropped or forwarded to a security function by the switch, in response to the determining.

235 Citations

7 Claims

1. A method comprising:
- writing, by a policy engine, entries in a forwarding table of a switch through an application programming interface (API) of the switch, such that first data packets from a first host and directed to a second host are forwarded by the switch to an enforcement point;
  
  receiving, by the switch, the first data packets;
  
  forwarding, by the switch, the first data packets to the enforcement point using the forwarding table;
  
  determining, by the enforcement point, whether the first data packets violate a high-level security policy using a low-level rule set;
  
  configuring, by the enforcement point, the forwarding table through the API such that second data packets are forwarded by the switch to the second host, in response to determining the first data packets do not violate the security policy;
  
  configuring, by the enforcement point, the forwarding table through the API such that the second data packets are dropped or forwarded to a security function by the switch, in response to determining the first data packets violate the security policy;
  
  receiving, by the switch, the second data packets; and
  
  selectively dropping or forwarding the second data packets, by the switch, in accordance with the configuration.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - receiving, by the enforcement point, a re-compiled rule set from a distributed security processor;
      
      receiving, by the enforcement point, a third data packet;
      
      identifying, by the enforcement point, a trigger in the third data packet, the trigger being at least one of a;
      
      received Transmission Control Protocol (TCP) header, flag, and timer-based trigger; and
      
      writing, by the enforcement point, entries in the forwarding table through the API, such that fourth data packets from the first host and directed to the second host are forwarded by the switch to the enforcement point, in response to identifying the trigger.
  - 3. The method of claim 2 further comprising:
    - receiving, by the switch, the fourth data packets;
      
      forwarding, by the switch, the fourth data packets to the enforcement point using the forwarding table; and
      
      determining, by the enforcement point, whether the fourth data packets violate the re-compiled rule set or pre-configured protocol behavior requirements.
  - 4. The method of claim 1 wherein at least one of the writing and the configuring of the forwarding table is performed using a software development kit (SDK).
  - 5. The method of claim 1 wherein the security function is at least one of a:
    - honeypot, tarpit, and intrusion detection system.
  - 6. The method of claim 1 wherein at least one of the first host and the second host are a physical host and the switch is a physical switch.
  - 7. The method of claim 1 wherein at least one of the first host and the second host are a virtual machine and the switch is a virtual switch.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Woolward, Marc, Shieh, Choung-Yaw
Primary Examiner(s)
Korsak, Oleg

Application Number

US14/677,827
Publication Number

US 20160294774A1
Time in Patent Office

1,139 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

Methods and systems for orchestrating physical and virtual switches to enforce security boundaries

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

235 Citations

7 Claims

Specification

Use Cases

Quick Links

Others

Methods and systems for orchestrating physical and virtual switches to enforce security boundaries

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

235 Citations

7 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others