Security mediation for dynamically programmable network
First Claim
1. A security mediation service for a software-defined network, the security mediation service comprising a plurality of instructions embodied in one or more non-transitory machine accessible storage media and executable by a hardware processor, the instructions configured to, during a live operation of the network:
determine a source of a packet disposition directive that may be implemented by one or more network switches of the software-defined network to change the behavior or configuration of the one or more network switches, wherein the source comprises one of a network administrator, a network switch, and a software application;
determine whether to implement the packet disposition directive at the one or more network switches based on a current security policy of the live network and a priority of the source of the packet disposition directive;
communicate the packet disposition directive to the one or more network switches in response to a determination that the packet disposition directive should be implemented at the one or more network switches;
coordinate the communication of the packet disposition directive to the one or more network switches;
wherein the security mediation service communicates the packet disposition directive to the one or more network switches before it communicates the packet disposition directive to a switch from which a communication was received that triggered the packet disposition directive; and
wherein each of the one or more network switches has a local flow table and the security mediation service inserts the packet disposition directive in the local flow tables of the one or more network switches if the security mediation service determines that the packet disposition directive should be implemented at the one or more network switches.
Abstract
A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches.
19 Claims
Claim 1 is reproduced above under First Claim. Claims 2 to 14 depend on claim 1.
15. A method for enforcing a security policy for a software-defined computer network, the method comprising, with a computing system coupled to the network, during live operation of the software-defined network:
receiving a packet disposition directive from the network, wherein the packet disposition directive is configured to effect a change in the behavior or configuration of one or more network switches;
determining a priority associated with the packet disposition directive;
determining whether the packet disposition directive conflicts with a currently active network security policy, wherein the currently active security policy currently controls the behavior and configuration of the one or more network switches; and
in response to determining that the packet disposition directive conflicts with the currently active network security policy, determining whether to implement the packet disposition directive at the one or more network switches based on the priority associated with the packet disposition directive;
wherein the security mediation service is to communicate the packet disposition directive to the one or more network switches if the security mediation service determines that the packet disposition directive should be implemented at the one or more network switches, and the security mediation service communicates the packet disposition directive to the one or more network switches before it communicates the packet disposition directive to a switch from which a communication was received that triggered the packet disposition directive; and
wherein the security mediation service is to coordinate the communication of the packet disposition directive to the one or more network switches, wherein each of the one or more network switches has a local flow table and the security mediation service inserts the packet disposition directive in the local flow tables of the one or more network switches if the security mediation service determines that the packet disposition directive should be implemented at the one or more network switches.
Claims 16 to 19 depend on claim 15.
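The mediation steps recited in claims 1 and 15 (determine the directive's source and priority, test the candidate directive for conflict with the active policy, decide based on priority, and push accepted directives to the other switches before the switch whose message triggered them) can be illustrated with a small controller-side model. The code below is an added example written for this page; it is not the patent holder's implementation and does not reproduce any particular SDN controller's API. Its `Source` priority ordering (administrator above application above switch), the OpenFlow-style match fields `nw_dst`/`tp_dst`, the rule that a conflicting directive wins only when its source outranks the source of the rule it contradicts, and the choice to retire an overridden policy rule are all assumptions made for the example.

```python
"""Toy security mediation service for an SDN controller (added example).

Models the decision logic of claims 1 and 15: a candidate packet disposition
directive is accepted only if it does not contradict the active policy, or if
its source outranks the source of every rule it contradicts.  Accepted
directives are inserted into each switch's local flow table, with the switch
that triggered the directive served last.
"""
import ipaddress
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Source(IntEnum):
    """Assumed priority of a directive's origin (higher value outranks lower)."""
    SWITCH = 1          # directive derived from a switch's packet-in
    APPLICATION = 2     # directive issued by a controller application
    ADMINISTRATOR = 3   # directive entered by the network administrator


@dataclass(frozen=True)
class Directive:
    match: Dict[str, object]          # OpenFlow-style match fields (assumed names)
    action: str                       # "drop" or "forward"
    source: Source
    triggered_by: Optional[str] = None  # switch id whose message triggered this


@dataclass
class PolicyRule:
    match: Dict[str, object]
    action: str
    priority: Source   # source that installed the rule


IP_FIELDS = {"nw_src", "nw_dst"}


def _field_overlap(field: str, a, b) -> bool:
    """IP fields overlap by prefix; every other field must be equal."""
    if field in IP_FIELDS:
        return ipaddress.ip_network(a, strict=False).overlaps(
            ipaddress.ip_network(b, strict=False))
    return a == b


def matches_overlap(m1: Dict[str, object], m2: Dict[str, object]) -> bool:
    """True if some packet could match both rules.  A field present on only
    one side is a wildcard, so two rules with no common fields always overlap."""
    return all(_field_overlap(f, m1[f], m2[f]) for f in m1.keys() & m2.keys())


class SecurityMediator:
    def __init__(self, policy: List[PolicyRule], switches: List[str]):
        self.policy = list(policy)
        # each switch's local flow table, as the mediator believes it to be
        self.flow_tables: Dict[str, List[tuple]] = {s: [] for s in switches}

    def conflicts(self, d: Directive) -> List[PolicyRule]:
        """Active rules that could apply to the same packets with a different action."""
        return [r for r in self.policy
                if r.action != d.action and matches_overlap(r.match, d.match)]

    def should_implement(self, d: Directive) -> bool:
        """Accept unless some conflicting rule was set by an equal or higher source."""
        return all(d.source > r.priority for r in self.conflicts(d))

    def delivery_order(self, d: Directive, targets: List[str]) -> List[str]:
        """All target switches first, the triggering switch last (claim 1 ordering)."""
        others = [s for s in targets if s != d.triggered_by]
        return others + ([d.triggered_by] if d.triggered_by in targets else [])

    def mediate(self, d: Directive, targets: List[str]) -> List[str]:
        """Returns the switches the directive was pushed to, in order ([] if rejected)."""
        if not self.should_implement(d):
            return []
        overridden = self.conflicts(d)  # lower-priority rules this directive supersedes
        self.policy = [r for r in self.policy if r not in overridden]
        self.policy.append(PolicyRule(d.match, d.action, d.source))
        order = self.delivery_order(d, targets)
        for dpid in order:
            self.flow_tables[dpid].append((d.match, d.action))
        return order


def run_demo() -> List[List[str]]:
    """Constructed scenario: an administrator blocks telnet to 10.0.0.0/8, then
    four directives of differing sources arrive."""
    admin_block_telnet = PolicyRule({"nw_dst": "10.0.0.0/8", "tp_dst": 23},
                                    "drop", Source.ADMINISTRATOR)
    switches = ["s1", "s2", "s3"]
    m = SecurityMediator([admin_block_telnet], switches)
    host = {"nw_dst": "10.0.3.4"}
    return [
        # app tries to forward telnet to a host: contradicts admin rule -> rejected
        m.mediate(Directive({**host, "tp_dst": 23}, "forward", Source.APPLICATION, "s2"), switches),
        # app forwards HTTP: no conflict -> pushed to s1, s3, then triggering s2
        m.mediate(Directive({**host, "tp_dst": 80}, "forward", Source.APPLICATION, "s2"), switches),
        # switch-originated drop contradicts the app's HTTP rule -> rejected
        m.mediate(Directive({**host, "tp_dst": 80}, "drop", Source.SWITCH, "s3"), switches),
        # administrator drops HTTP to that host: outranks the app rule -> accepted
        m.mediate(Directive({**host, "tp_dst": 80}, "drop", Source.ADMINISTRATOR), switches),
    ]


if __name__ == "__main__":
    for i, order in enumerate(run_demo(), 1):
        print(f"directive {i}: {'rejected' if not order else 'pushed to ' + ', '.join(order)}")
```

The two policy-conflict checks are deliberately separated: `conflicts` answers "does this directive contradict anything currently active?", and `should_implement` answers "is its source allowed to override what it contradicts?", which is the distinction claim 15 draws between detecting a conflict and then deciding on priority. In a real controller the flow-table insertion would be a flow-mod sent to each switch, and the equal-priority case (a directive that contradicts a rule from the same class of source) is a policy choice that the example resolves conservatively in favour of the rule already in force.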