Security mediation for dynamically programmable network

US 9,444,842 B2
Filed: 03/13/2013
Issued: 09/13/2016
Est. Priority Date: 05/22/2012
Status: Active Grant

First Claim

Patent Images

1. A security mediation service for a software-defined network, the security mediation service comprising a plurality of instructions embodied in one or more non-transitory machine accessible storage media and executable by a hardware processor, the instructions configured to, during a live operation of the network:

determine a source of a packet disposition directive that may be implemented by one or more network switches of the software-defined network to change the behavior or configuration of the one or more network switches, wherein the source comprises one of a network administrator, a network switch, and a software application;

determine whether to implement the packet disposition directive at the one or more network switches based on a current security policy of the live network and a priority of the source of the packet disposition directive;

communicate the packet disposition directive to the one or more network switches in response to a determination that the packet disposition directive should be implemented at the one or more network switches;

coordinate the communication of the packet disposition directive to the one or more network switches;

wherein the security mediation service communicates the packet disposition directive to the one or more network switches before it communicates the packet disposition directive to a switch from which a communication was received that triggered the packet disposition directive; and

wherein each of the one or more network switches has a local flow table and the security mediation service inserts the packet disposition directive in the local flow tables of the one or more network switches if the security mediation service determines that the packet disposition directive should be implemented at the one or more network switches.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.

121 Citations

19 Claims

1. A security mediation service for a software-defined network, the security mediation service comprising a plurality of instructions embodied in one or more non-transitory machine accessible storage media and executable by a hardware processor, the instructions configured to, during a live operation of the network:
- determine a source of a packet disposition directive that may be implemented by one or more network switches of the software-defined network to change the behavior or configuration of the one or more network switches, wherein the source comprises one of a network administrator, a network switch, and a software application;
  
  determine whether to implement the packet disposition directive at the one or more network switches based on a current security policy of the live network and a priority of the source of the packet disposition directive;
  
  communicate the packet disposition directive to the one or more network switches in response to a determination that the packet disposition directive should be implemented at the one or more network switches;
  
  coordinate the communication of the packet disposition directive to the one or more network switches;
  
  wherein the security mediation service communicates the packet disposition directive to the one or more network switches before it communicates the packet disposition directive to a switch from which a communication was received that triggered the packet disposition directive; and
  
  wherein each of the one or more network switches has a local flow table and the security mediation service inserts the packet disposition directive in the local flow tables of the one or more network switches if the security mediation service determines that the packet disposition directive should be implemented at the one or more network switches.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The security mediation service of claim 1, wherein the instructions are configured to compare the priority of the source of the packet disposition directive to priorities that are associated with the sources of currently active packet disposition directives that currently control the flow of communications across the network, and to determine whether the packet disposition directive should be implemented at the network switch based on whether the priority of the source of the packet disposition directive has a higher priority than the sources of the currently active packet disposition directives.
  - 3. The security mediation service of claim 2, wherein the priority is based at least in part on a communication channel used to communicate the packet disposition directive to the security mediation service.
  - 4. The security mediation service of claim 2, wherein the priority is based at least in part on a process from which the packet disposition directive originated.
  - 5. The security mediation service of claim 1, wherein the instructions are configured to determine whether to implement the packet disposition directive at the one or more network switches based on a priority associated with the source of the packet disposition directive, and wherein the priority is determined based at least in part on whether the source is a network administrator, a network security application, or another type of software application.
  - 6. The security mediation service of claim 1, wherein the instructions are configured to determine whether to implement the packet disposition directive at the network switch based on a capability associated with the source of the packet disposition directive, and wherein the capability is based at least in part on whether the packet disposition directive is signed with a digital signature.
  - 7. The security mediation service of claim 6, wherein the instructions are configured to use a public key to authenticate the source of the packet disposition directive and the capability is based at least in part on whether the source of the packet disposition directive is authenticated.
  - 8. The security mediation service of claim 1, comprising instructions to prepare the packet disposition directive based on a network security policy associated with the source.
  - 9. The security mediation service of claim 1, comprising instructions to maintain consistency between an aggregate table of currently active packet disposition directives across a plurality of network switches including one or more network switches and a local table of flow rules resident at the one or more network switches.
  - 10. The security mediation service of claim 9, comprising instructions to communicate messages relating to the status of the local table of flow rules to the security mediation service.
  - 11. The security mediation service of claim 1, wherein the instructions are to determine whether the packet disposition directive conflicts with one or more currently active packet disposition directives that currently control the flow of communications across the network.
  - 12. The security mediation service of claim 1, wherein the packet disposition directive comprises one or more of:
    - a directive to enable or disable one or more ports of the one or more network switches, a directive to request the one or more network switches to generate network traffic in response to a specified network condition, a flow rule to control network flows at the one or more network switches, and another type of directive that may change the behavior or configuration of the one or more network switches.
  - 13. The security mediation service of claim 1, further comprising a network controller embodied in one or more non-transitory machine accessible storage media and configured to interface with software applications and with the one or more network switches.
  - 14. The security mediation service of claim 1, further comprising a network virtualization layer embodied in one or more non-transitory machine accessible storage media and configured to interface with software applications and with the one or more network switches.

15. A method for enforcing a security policy for a software-defined computer network, the method comprising, with a computing system coupled to the network:
- receiving a packet disposition directive from the network, wherein the packet disposition directive is configured to effect a change in the behavior or configuration of one or more network switches; and
  
  , during live operation of the software-defined network;
  
  determining a priority associated with the packet disposition directive;
  
  determining whether the packet disposition directive conflicts with a currently active network security policy, wherein the currently active security policy currently controls the behavior and configuration of the one or more network switches; and
  
  in response to determining that the packet disposition directive conflicts with the currently active network security policy, determining whether to implement the packet disposition directive at the one or more network switches based on the priority associated with the packet disposition directive;
  
  wherein the security mediation service is to communicate the packet disposition directive to the one or more network switches if the security mediation service determines that the packet disposition directive should be implemented at the one or more network switches and the security mediation service communicates the packet disposition directive to the one or more network switches before it communicates the packet disposition directive to a switch from which a communication was received that triggered the packet disposition directive, andwherein the security mediation service is to coordinate the communication of the packet disposition directive to the one or more network switches, wherein the one or more network switches has a local flow table and the security mediation service inserts the packet disposition directive in the local flow tables of one or more network switches if the security mediation service determines that the packet disposition directive should be implemented at one or more network switches.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, comprising determining whether a digital signature is associated with the packet disposition directive.
  - 17. The method of claim 15, comprising, in response to determining that a digital signature is associated with the packet disposition directive, analyzing the digital signature associated with the packet disposition directive and determining a capability associated with the packet disposition directive based on the analysis of the digital signature, wherein the capability determines whether the packet disposition directive may effect a change in the behavior or configuration of the one or more network switches.
  - 18. The method of claim 15, comprising determining a communication channel associated with the packet disposition directive and determining the priority based on the communication channel.
  - 19. The method of claim 15, comprising identifying a source of the packet disposition directive and determining the priority based on the identity of the source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Porras, Phillip A., Fong, Martin W., Yegneswaran, Vinod
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Harris, Christopher C

Application Number

US13/801,855
Publication Number

US 20140075519A1
Time in Patent Office

1,280 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/107   wherein the security polici...

H04L 63/126   the source of the received ...

H04L 63/20   for managing network securi...

Security mediation for dynamically programmable network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

121 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Security mediation for dynamically programmable network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links