Providing a fast path between two entities

US 10,587,576 B2
Filed: 12/10/2013
Issued: 03/10/2020
Est. Priority Date: 09/23/2013
Status: Active Grant

First Claim

Patent Images

1. At least one machine readable non-transitory storage medium having instructions stored thereon for providing network security in a software defined network (SDN) environment, wherein the instructions, when executed by at least one processor, cause the at least one processor to perform operations comprising:

providing control logic by one or more SDN controllers, wherein routing of network traffic using one or more SDN switches in the SDN environment is controlled by the control logic, the providing the control logic comprises configuring a first route between a first node and a second node in the SDN environment for carrying network traffic of a data flow, and the first route traverses through a security appliance;

receiving one or more security policies for the SDN environment at the one or more SDN controllers, wherein the one or more security policies indicate a particular amount of network traffic can bypass the security appliance or the particular amount of network traffic is to traverse the security appliance;

in response to receiving the one or more security policies, reconfiguring the control logic using the one or more SDN controllers according to the one or more security policies to provide a second route between the first node and the second node, wherein the second route bypasses the security appliance;

providing an entry for a flow table to, (1) after the particular amount of network traffic has bypassed the security appliance, route subsequent network traffic through the security appliance or, (2) after routing the particular amount of network traffic through the security appliance, route the subsequent network traffic such that the security appliance is bypassed, wherein the security appliance scans packet(s) in the data flow at one or more of the following layers;

(1) physical layer, (2) data link layer, (3) network layer, (4) transport layer, (5) session layer, (6) presentation layer, or (7) application layer; and

adding an offset based on Transport Control Protocol (TCP) information for a data flow to TCP Sequence and TCP Ack numbers as packets are passed through at least one of the one or more SDN switches.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure combines Software Defined Networks (SDN) concepts with Security concepts. The coordination between SDN and Security provides a myriad of advantageous use cases. One exemplary use case involves providing a fast path at network speeds using SDN by routing network traffic to bypass a security appliance once the security appliance determines that the security appliance no longer needs to inspect the network traffic. Another exemplary use case involves remote provisioning of security zones.

Citations

20 Claims

1. At least one machine readable non-transitory storage medium having instructions stored thereon for providing network security in a software defined network (SDN) environment, wherein the instructions, when executed by at least one processor, cause the at least one processor to perform operations comprising:
- providing control logic by one or more SDN controllers, wherein routing of network traffic using one or more SDN switches in the SDN environment is controlled by the control logic, the providing the control logic comprises configuring a first route between a first node and a second node in the SDN environment for carrying network traffic of a data flow, and the first route traverses through a security appliance;
  
  receiving one or more security policies for the SDN environment at the one or more SDN controllers, wherein the one or more security policies indicate a particular amount of network traffic can bypass the security appliance or the particular amount of network traffic is to traverse the security appliance;
  
  in response to receiving the one or more security policies, reconfiguring the control logic using the one or more SDN controllers according to the one or more security policies to provide a second route between the first node and the second node, wherein the second route bypasses the security appliance;
  
  providing an entry for a flow table to, (1) after the particular amount of network traffic has bypassed the security appliance, route subsequent network traffic through the security appliance or, (2) after routing the particular amount of network traffic through the security appliance, route the subsequent network traffic such that the security appliance is bypassed, wherein the security appliance scans packet(s) in the data flow at one or more of the following layers;
  
  (1) physical layer, (2) data link layer, (3) network layer, (4) transport layer, (5) session layer, (6) presentation layer, or (7) application layer; and
  
  adding an offset based on Transport Control Protocol (TCP) information for a data flow to TCP Sequence and TCP Ack numbers as packets are passed through at least one of the one or more SDN switches.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The at least one machine readable storage medium of claim 1, wherein the second route traverses through the security appliance.
  - 3. The at least one machine readable storage medium of claim 1, wherein:
    - the control logic comprises logic for determining one or more flow table entries for configuring flow table(s) of the one or more SDN switches.
  - 4. The at least one machine readable storage medium of claim 1, wherein:
    - the security appliance is integrated with the one or more SDN controllers; and
      
      the one or more SDN controllers are integrated with or communicably connected to the one or more SDN switches.
  - 5. The at least one machine readable storage medium of claim 1, wherein:
    - the security appliance is communicably connected to the one or more SDN controllers remote from the security appliance; and
      
      the one or more SDN controllers are integrated with or communicably connected to the one or more SDN switches.
  - 6. The at least one machine readable storage medium of claim 1, wherein at least one of the one or more SDN switches is configured to rewrite one or more fields of packets of the network traffic to indicate to the security appliance a switch port or security zone a packet was originally received at and/or to direct the packets to bypass the security appliance.
  - 7. The at least one machine readable storage medium of claim 1, wherein:
    - the first node is a client, the second node is a server, and the security appliance comprises a proxy that terminates the data flow;
      
      the one or more security policies comprise information indicating that the data flow is allowed and/or the data flow no longer needs to traverse through the proxy; and
      
      the second route is through a particular one of the one or more SDN switches, and the second route bypasses the proxy.
  - 8. The at least one machine readable storage medium of claim 7, wherein the operations further comprise:
    - transmitting, by the one or more SDN controllers to one of the one or more SDN switches, Transport Control Protocol (TCP) information for the data flow in response to receiving the information indicating that the data flow is allowed, wherein the TCP information comprises one or more of the following;
      
      (a) TCP Sequence of client flow;
      
      (b) TCP Ack of client flow;
      
      (c) TCP Sequence of server flow; and
      
      (d) TCP Ack of server flow.
  - 9. The at least one machine readable storage medium of claim 7, wherein:
    - the particular one of the one or more SDN switches is configured to calculate the offset based on the TCP information and to add the offset to TCP Sequence and TCP Ack numbers as packets are passed through the one of the one or more SDN switches.
  - 10. The at least one machine readable storage medium of claim 1, wherein:
    - the one or more security policies indicate the particular amount of network traffic; and
      
      the particular amount of network traffic is measurable by a particular number of units of data, a particular number of bytes, or a particular number of protocol data units as measured at any one of the Open Systems Interconnection layers.
  - 11. The at least one machine readable storage medium of claim 1, wherein:
    - providing the control logic comprises configuring security zones in the SDN environment for carrying network traffic, wherein the security zones provide different levels of security for network and data access;
      
      the one or more security policies comprise information which adds, removes, and/or modifies the security zones; and
      
      reconfiguring the control logic comprises reconfiguring, using the one or more SDN controllers, the security zones according to the one or more security policies.
  - 12. The at least one machine readable storage medium of claim 1, wherein:
    - the one or more security policies comprise information indicating that a host belongs to a particular security zone; and
      
      reconfiguring the control logic comprises (1) adding, using the one or more SDN controllers, the particular security zone to the SDN environment, and/or (2) adding, using the one or more SDN controllers, the host to the particular security zone, in response to receiving the one or more security policies.

13. At least one machine-readable, non-transitory storage medium having instructions stored thereon for providing network security in a software defined network (SDN) environment, wherein the instructions when executed by at least one processor cause the at least one processor to perform operations comprising:
- receiving one or more flow table entries for one or more flow tables for routing or switching network traffic at a SDN switch from one or more SDN controllers;
  
  in response to receiving the one or more flow table entries, reconfiguring the one or more flow tables according to the flow table entries in accordance with one or more security policies, wherein the one or more security policies specify one or more of the following;
  
  security zone(s), network access right(s), data access right(s), insertion of a security appliance, or removal of the security appliance;
  
  routing or switching the network traffic, based on the one or more flow tables;
  
  receiving, from the one or more SDN controllers at the SDN switch, Transport Control Protocol (TCP) information for a data flow; and
  
  adding an offset based on the TCP information to TCP Sequence and TCP Ack numbers as packets are passed through the SDN switch.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The at least one machine-readable, non-transitory storage medium of claim 13, wherein the operations further comprise:
    - rewriting one or more fields of packets of the network traffic to indicate to the security appliance a switch port or security zone a packet was originally received at and/or to direct the packets to bypass the security appliance according to the one or more flow tables.
  - 15. The at least one machine-readable, non-transitory storage medium of claim 13, wherein the receiving the TCP information is performed in response to receiving the information indicating that the data flow is allowed, and the TCP information comprises one or more of the following:
    - (e) TCP Sequence of client flow;
      
      (f) TCP Ack of client flow;
      
      (g) TCP Sequence of server flow; and
      
      (h) TCP Ack of server flow.
  - 16. The at least one machine-readable, storage medium of claim 15, wherein the operations further comprise:
    - calculating, at the SDN switch, the offset based on the TCP information.
  - 17. The at least one machine-readable, storage medium of claim 13, wherein:
    - the one or more security policies from the security appliance indicate network traffic for a particular number of bytes of network traffic can bypass the security appliance or the particular number of bytes of network traffic is to traverse the security appliance; and
      
      the operations further comprise;
      
      receiving from the one or more SDN controllers one or more flow entries conditioned on the particular number of bytes of network traffic or a number of units of data as measured at any one of the Open Systems Interconnection layers; and
      
      routing network traffic, after the particular number of bytes of network traffic has bypassed the security appliance, back to the security appliance.

18. An apparatus for providing network security in a software defined network (SDN) environment, the apparatus comprising:
- at least one memory element;
  
  at least one processor coupled to the at least one memory element; and
  
  one or more SDN controllers that, when executed by the at least one processor, are configured toprovide control logic by one or more SDN controllers, wherein routing of network traffic using one or more SDN switches in the SDN environment is controlled by the control logic, the control logic configures a first route between a first node and a second node in the SDN environment for carrying network traffic of a data flow, and the first route traverses through a security appliance;
  
  receive one or more security policies for the SDN environment at the one or more SDN controllers, wherein the one or more security policies indicate a particular amount of network traffic can bypass the security appliance or the particular amount of network traffic is to traverse the security appliance;
  
  in response to receiving the one or more security policies, reconfigure the control logic using the one or more SDN controllers according to the one or more security policies, to provide a second route between the first node and the second node, wherein the second route bypasses the security appliance;
  
  provide an entry for a flow table to, (1) after the particular amount of network traffic has bypassed the security appliance, route subsequent network traffic through the security appliance or, (2) after routing the particular amount of network traffic through the security appliance, route the subsequent network traffic such that the security appliance is bypassed, wherein the security appliance scans packet(s) in the data flow at one or more of the following layers;
  
  (1) physical layer, (2) data link layer, (3) network layer, (4) transport layer, (5) session layer, (6) presentation layer, or (7) application layer; and
  
  add an offset based on Transport Control Protocol information for a data flow to TCP Sequence and TCP Ack numbers as packets are passed through at least one of the one or more SDN switches.

19. An apparatus for providing network security in a software defined network (SDN) environment, the apparatus comprising:
- at least one memory element;
  
  at least one processor coupled to the at least one memory element; and
  
  a SDN switching module that, when executed by the at least one processor, is configured toreceive one or more flow table entries for one or more flow tables for routing or switching network traffic at a SDN switch from one or more SDN controllers;
  
  in response to receiving the one or more flow table entries, reconfigure the one or more flow tables according to the flow table entries in accordance with one or more security policies, wherein the one or more security policies specify one or more of the following;
  
  security zone(s), network access right(s), data access right(s), insertion of a security appliance, or removal of the security appliance;
  
  route or switch the network traffic, based on the one or more flow tables;
  
  receive, from the one or more SDN controllers at the SDN switch, Transport Control Protocol (TCP) information for a data flow; and
  
  add an offset based on the TCP information to TCP Sequence and TCP Ack numbers as packets are passed through the SDN switch.
- View Dependent Claims (20)
- - 20. The apparatus of claim 19, wherein the SDN switching module is further configured to rewrite one or more fields of packets of the network traffic to indicate to the security appliance a switch port or security zone a packet was originally received at and/or to direct the packets to bypass the security appliance according to the one or more flow tables.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Cooper, Geoffrey Howard, Guzik, John Richard
Primary Examiner(s)
Arani, Taghi T
Assistant Examiner(s)
Champakesan, Badri

Application Number

US14/911,576
Publication Number

US 20160205071A1
Time in Patent Office

2,282 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 12/6418   Hybrid transport

H04L 49/3009   Header conversion, routing ...

H04L 49/70   Virtual switches

H04L 63/0209   Architectural arrangements,...

H04L 63/0236   Filtering by address, proto...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Providing a fast path between two entities

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Providing a fast path between two entities

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links