Methods and systems for orchestrating physical and virtual switches to enforce security boundaries
First Claim
1. A method comprising:
writing, by a policy engine, entries in a forwarding table of a switch through an application programming interface (API) of the switch, such that first data packets from a first host and directed to a second host are forwarded by the switch to an enforcement point;
receiving, by the switch, the first data packets;
forwarding, by the switch, the first data packets to the enforcement point using the forwarding table;
determining, by the enforcement point, whether the first data packets violate a high-level security policy using a low-level rule set;
configuring, by the enforcement point, the forwarding table through the API such that second data packets are forwarded by the switch to the second host, in response to determining the first data packets do not violate the security policy;
configuring, by the enforcement point, the forwarding table through the API such that the second data packets are dropped or forwarded to a security function by the switch, in response to determining the first data packets violate the security policy;
receiving, by the switch, the second data packets; and
selectively dropping or forwarding the second data packets, by the switch, in accordance with the configuration.
Abstract
Some embodiments include methods comprising: writing entries in a forwarding table of a switch through an application programming interface (API) of the switch, such that first data packets from a first host and directed to a second host are forwarded by the switch to an enforcement point; receiving the first data packets; forwarding the first data packets to the enforcement point using the forwarding table; determining whether the first data packets violate a high-level security policy using a low-level rule set; configuring the forwarding table through the API such that second data packets are forwarded by the switch to the second host, in response to determining the first data packets do not violate the security policy; configuring the forwarding table through the API such that the second data packets are dropped or forwarded to a security function by the switch, in response to the determining.
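The control loop claimed above and summarized in the abstract, as an added example that is not code from the patent: a policy engine installs coarse steering entries so that the first packets of each governed host pair reach an enforcement point, the enforcement point evaluates them against a low-level rule set compiled from a high-level policy, and it then writes a per-flow entry back through the switch API so that later packets are delivered directly, dropped, or diverted to a security function. The class names, the (src, dst, dport) key shape, the policy dictionary format, the host names and the default-deny for flows with no entry are all assumptions of this example; the claim does not fix any of them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Entry key: (src, dst, dport). dport=None is a coarse steering entry for the
# whole host pair. Key shape and default-deny are assumptions of this example.
FlowKey = Tuple[str, str, Optional[int]]
DROP = "DROP"
ALLOW = "ALLOW"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

    @property
    def flow(self) -> FlowKey:
        return (self.src, self.dst, self.dport)


class Host:
    def __init__(self, name: str) -> None:
        self.name = name
        self.inbox: List[Packet] = []

    def receive(self, pkt: Packet) -> None:
        self.inbox.append(pkt)


class Switch:
    """Forwarding table plus the API the policy engine and enforcement point
    program it through. Flows with no matching entry are dropped."""

    def __init__(self) -> None:
        self.table: Dict[FlowKey, str] = {}   # key -> output port name or DROP
        self.ports: Dict[str, Host] = {}

    def attach(self, device: Host) -> None:
        self.ports[device.name] = device

    def api_write_entry(self, key: FlowKey, action: str) -> None:
        self.table[key] = action

    def receive(self, pkt: Packet) -> str:
        # Exact per-flow entry (written by the enforcement point) beats the
        # coarse steering entry (written by the policy engine).
        coarse = self.table.get((pkt.src, pkt.dst, None), DROP)
        action = self.table.get(pkt.flow, coarse)
        if action != DROP:
            self.ports[action].receive(pkt)
        return action


@dataclass(frozen=True)
class Rule:
    """Low-level rule compiled from the high-level policy; first match wins."""
    src: str
    dst: str
    dport: Optional[int]   # None matches any destination port
    action: str            # ALLOW, DROP, or the name of a security function

    def matches(self, pkt: Packet) -> bool:
        return (self.src, self.dst) == (pkt.src, pkt.dst) and self.dport in (None, pkt.dport)


class PolicyEngine:
    def __init__(self, switch: Switch, enforcement_point: str) -> None:
        self.switch, self.ep = switch, enforcement_point

    def compile(self, policy: List[dict]) -> List[Rule]:
        rules: List[Rule] = []
        for stmt in policy:
            rules += [Rule(stmt["from"], stmt["to"], p, ALLOW) for p in stmt["allow"]]
            rules.append(Rule(stmt["from"], stmt["to"], None, stmt["on_violation"]))
        return rules

    def install_steering(self, policy: List[dict]) -> None:
        # First packets of every governed pair are steered to the enforcement point.
        for stmt in policy:
            self.switch.api_write_entry((stmt["from"], stmt["to"], None), self.ep)


class EnforcementPoint(Host):
    def __init__(self, name: str, switch: Switch, rules: List[Rule]) -> None:
        super().__init__(name)
        self.switch, self.rules = switch, rules

    def receive(self, pkt: Packet) -> None:
        super().receive(pkt)   # inspected first packets are held here
        verdict = next((r.action for r in self.rules if r.matches(pkt)), DROP)
        # Pin the verdict into the table so later packets of this flow never
        # return here: deliver directly, drop, or divert to the security function.
        self.switch.api_write_entry(pkt.flow, pkt.dst if verdict == ALLOW else verdict)


# Constructed high-level policy: web reaches db only on 5432, anything else it
# sends to db is diverted to the "ids" sensor, and web may never reach bastion.
HIGH_LEVEL_POLICY = [
    {"from": "web", "to": "db", "allow": [5432], "on_violation": "ids"},
    {"from": "web", "to": "bastion", "allow": [], "on_violation": DROP},
]


def run_scenario() -> Dict[str, object]:
    sw = Switch()
    hosts = {n: Host(n) for n in ("web", "db", "bastion", "ids")}
    engine = PolicyEngine(sw, "ep")
    ep = EnforcementPoint("ep", sw, engine.compile(HIGH_LEVEL_POLICY))
    for dev in (*hosts.values(), ep):
        sw.attach(dev)
    engine.install_steering(HIGH_LEVEL_POLICY)
    trace = [sw.receive(Packet("web", "db", 5432)),     # first packet: to ep
             sw.receive(Packet("web", "db", 5432)),     # second: straight to db
             sw.receive(Packet("web", "db", 22)),       # first: to ep
             sw.receive(Packet("web", "db", 22)),       # second: diverted to ids
             sw.receive(Packet("web", "bastion", 22)),  # first: to ep
             sw.receive(Packet("web", "bastion", 22)),  # second: dropped
             sw.receive(Packet("db", "web", 80))]       # no steering entry: dropped
    return {"trace": trace, "db_inbox": len(hosts["db"].inbox),
            "ids_inbox": len(hosts["ids"].inbox), "ep_inbox": len(ep.inbox),
            "table": dict(sw.table)}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

Two points a practitioner would check in a real deployment are visible in the simulation: the per-flow entry must be more specific than the steering entry, or the second packets keep landing on the enforcement point, and a pair the policy engine never covered gets no steering entry at all, so the safe behaviour for it has to be chosen explicitly (default-deny here) rather than left to whatever the switch does for unknown flows.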
7 Claims
Claim 1 is reproduced above under First Claim; claims 2 through 7 are dependent claims.
Specification