FIREWALLS IN LOGICAL NETWORKS

US 20130125230A1
Filed: 11/15/2012
Published: 05/16/2013
Est. Priority Date: 11/15/2011
Status: Active Grant

First Claim

Patent Images

1. A method for configuring a logical firewall in a hosting system comprising a set of nodes, the logical firewall part of a logical network comprising a set of logical forwarding elements, the method comprising:

receiving a configuration for the firewall that specifies packet processing rules for the firewall;

identifying a plurality of the nodes on which to implement the logical forwarding elements; and

distributing the firewall configuration for implementation on the identified nodes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall the packet back to the managed switching element through the software port.

Citations

21 Claims

1. A method for configuring a logical firewall in a hosting system comprising a set of nodes, the logical firewall part of a logical network comprising a set of logical forwarding elements, the method comprising:
- receiving a configuration for the firewall that specifies packet processing rules for the firewall;
  
  identifying a plurality of the nodes on which to implement the logical forwarding elements; and
  
  distributing the firewall configuration for implementation on the identified nodes.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising receiving a specification of the logical network that comprises a set of end machines connected by the set of logical forwarding elements, wherein the logical firewall connects to at least one of the logical forwarding elements, wherein the set of end machines are implemented as a plurality of virtual machines residing on nodes of the hosting system.
  - 3. The method of claim 2, wherein the identified plurality of nodes on which to implement the forwarding elements comprises the nodes on which the plurality of virtual machines reside.
  - 4. The method of claim 1, wherein the method is performed by a first network controller, wherein distributing the firewall configuration comprises:
    - automatically identifying a plurality of additional network controllers that managed the identified nodes; and
      
      distributing the firewall configuration to the identified additional network controllers for subsequent distribution to the identified nodes.
  - 5. The method of claim 4, wherein the method further comprises, at the first network controller:
    - receiving the set of logical forwarding elements as logical control plane data;
      
      translating the logical control plane data into a set of logical forwarding plane flow entries; and
      
      translating the logical forwarding plane flow entries into physical control plane flow entries.
  - 6. The method of claim 5, wherein the set of logical forwarding elements comprises a logical router to which the logical firewall is connected, wherein the logical control plane data comprises routing policies that specify rules for sending packets to the logical firewall.
  - 7. The method of claim 6, wherein the logical forwarding plane flow entries comprises an entry specifying that when a packet matches a particular rule to send the packet to the logical firewall.

8. A machine readable medium storing a distributed firewall application for execution by at least one processing unit of a node in a hosting system, the program comprising sets of instructions for:
- receiving a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application;
  
  determining whether to allow the packet based on a received set of processing rules to apply to the packet; and
  
  when the packet is allowed, sending the packet back to the managed switching element through the software port.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The machine readable medium of claim 8, wherein the processing rules are received from a network control system that also configures the managed switching element.
  - 10. The machine readable medium of claim 8, wherein when the processing rules specify to drop the packet, the packet is not sent back to the managed switching element.
  - 11. The machine readable medium of claim 8, wherein the packet sent back to the managed switching element is treated as a new packet by the managed switching element.
  - 12. The machine readable medium of claim 8, wherein the program further comprises a set of instructions for negotiating the software port with the managed switching element prior to receiving any packets from the managed switching element.
  - 13. The machine readable medium of claim 8, wherein the program further comprises sets of instructions for:
    - reading a slice identifier appended to the packet after receiving the packet; and
      
      matching the slice identifier with the particular received set of processing rules prior to determining whether to allow the packet.
  - 14. The machine readable medium of claim 13, wherein the program further comprises sets of instructions for:
    - receiving a second packet with a second, different slice identifier from the managed switching element within the node;
      
      matching the second slice identifier with a second, different set of received processing rules to apply to the packet; and
      
      determining whether to allow the second packet based on the second set of processing rules.
  - 15. The machine readable medium of claim 8, wherein the set of processing rules comprises a set of rules for determining whether to allow, block, or drop packets based on information about the packets.
  - 16. The machine readable medium of claim 15, wherein the information about the packets comprises stateful transport connection information.

17. A machine readable medium storing a distributed firewall application for execution by at least one processing unit of a node in a hosting system, the program comprising sets of instructions for:
- receiving a first firewall configuration for a first logical network along with a first identifier;
  
  receiving a second firewall configuration for a second logical network along with a second identifier; and
  
  processing packets tagged with the first identifier using the first firewall configuration while processing packets tagged with the second identifier using the second firewall configuration.
- View Dependent Claims (18, 19, 20)
- - 18. The machine readable medium of claim 17, wherein the first and second configurations are received from a network controller of a network control system.
  - 19. The machine readable medium of claim 18, wherein the network controller assigns the first and second identifiers.
  - 20. The machine readable medium of claim 17, wherein the packets are received from a managed switching element located at the node that adds one of the first and second identifiers to each packet before sending the packet to the firewall application.

21. The machine readable medium of 20, wherein the managed switching element and the distributed firewall application receive the first and second identifiers from a same network controller.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Koponen, Teemu, Zhang, Ronghua, Thakkar, Pankaj, Casado, Martin

Granted Patent

US 9,015,823 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

G06F 15/177   Initialisation or configura...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45595   Network integration; Enabli...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 41/08   Configuration management of...

H04L 41/0803   Configuration setting

H04L 41/0806   for initial configuration o...

H04L 41/0813   characterised by the condit...

H04L 41/0823   characterised by the purpos...

H04L 41/0889   Techniques to speed-up the ...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/12   Discovery or management of ...

H04L 45/02   Topology update or discovery

H04L 45/64   using an overlay routing layer

H04L 45/74   Address processing for routing

H04L 49/15   Interconnection of switchin...

H04L 49/70 : Virtual switches

H04L 61/2503 : Translation of Internet pro...

H04L 61/2517 : using port numbers

H04L 61/2521 : Translation architectures o...

H04L 61/256 : NAT traversal

H04L 63/0218 : Distributed architectures, ...

H04L 67/1008 : based on parameters of serv...

View All

FIREWALLS IN LOGICAL NETWORKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

FIREWALLS IN LOGICAL NETWORKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links