Techniques to deliver security and network policies to a virtual network function

US 9,871,823 B2
Filed: 12/23/2014
Issued: 01/16/2018
Est. Priority Date: 12/23/2014
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a first processing unit, the first processing unit comprising a secure execution partition, the secure execution partition comprising a partition of circuitry within the first processing unit and wherein the secure execution partition is a circuitry partition which is secured from other partitions within said circuitry; and

a policy agent executed at the secure execution partition, the policy agent to receive and validate a policy for a virtual network Function (VNF) and to configure the VNF to implement a network function based on the validated policy, the VNF to be executed upon a second processing unit different from the first processing unit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Examples may include techniques to securely provision, configure, and de-provision virtual network functions for a software defined network or a cloud infrastructure elements. A policy for a virtual network function may be received, at a secure execution partition of circuitry, and the virtual network function configured to implement the policy by the secure execution partition of the circuitry. The secure execution partition may connect to the virtual network function through a virtual switch and may cause the virtual network function to implement a network function based on the policy.

Citations

25 Claims

1. An apparatus comprising:
- a first processing unit, the first processing unit comprising a secure execution partition, the secure execution partition comprising a partition of circuitry within the first processing unit and wherein the secure execution partition is a circuitry partition which is secured from other partitions within said circuitry; and
  
  a policy agent executed at the secure execution partition, the policy agent to receive and validate a policy for a virtual network Function (VNF) and to configure the VNF to implement a network function based on the validated policy, the VNF to be executed upon a second processing unit different from the first processing unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The apparatus of claim 1, the policy agent to configure a plurality of VNFs to implement the policy.
  - 3. The apparatus of claim 1, the VNF a first VNF and the policy a first policy, the policy agent to receive a second policy for a second VNF and to configure the second VNF to implement a second network function based on the second policy.
  - 4. The apparatus of claim 1, the policy agent to configure the VNF via a virtual switch, wherein the virtual switch comprises a host embedded controller interface or an open virtual switch.
  - 5. The apparatus of claim 1, wherein the network function comprises a firewall, an intrusion prevention system, data loss prevention, load balancing, network acceleration, a packet data network gateway, a mobile management entity, or a serving gateway.
  - 6. The apparatus of claim 1, wherein the secure execution partition is a trusted execution environment (TEE) of the first processing unit.
  - 7. The apparatus of claim 1, comprising a virtual security control agent (VSCA) for execution by the secure execution partition, the VSCA to organize a security group to include at least one virtual machine (VM).
  - 8. The apparatus of claim 7, the VM for execution by circuitry different than the secure execution partition.
  - 9. The apparatus of claim 7, the VSCA to generate a virtual VM connector (VVMC) to communicatively connect the VNF to each of the one or more VMs in the security group.
  - 10. The apparatus of claim 7, wherein the security group comprises a first VM and a second VM, the VSCA to move the second VM to a quarantine security group.
  - 11. The apparatus of claim 1, comprising:
    - a host memory, the policy agent to monitor the host memory to identify the VNF.
  - 12. The apparatus of claim 11, wherein the host memory is a virtual memory partition.

13. A method comprising:
- receiving, at a secure execution partition of a first processing unit, a policy for a virtual network function (VNF), the secure execution partition comprising a partition of circuitry within the first processing unit and wherein the secure execution partition a circuitry partition which is secured from other partitions within said circuitry; and
  
  configuring and validating the VNF to implement a network function based on the validated policy the VNF to be executed by a second processing unit different than the first processing unit.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The method of claim 13, configuring a plurality of VNFs to implement the policy.
  - 15. The method of claim 13, the VNF a first VNF and the policy a first policy, the method comprising:
    - receiving, at the secure execution partition, a second policy for a second VNF; and
      
      configuring the second VNF to implement a second network function based on the second policy.
  - 16. The method of claim 13, comprising configuring the VNF via a virtual switch.
  - 17. The method of claim 16, wherein the virtual switch comprises a host embedded controller interface or an open virtual switch.
  - 18. The method of claim 13, wherein the network function comprises a firewall, an intrusion prevention system, data loss prevention, load balancing, network acceleration, a packet data network gateway, a mobile management entity, or a serving gateway.
  - 19. The method of claim 13, comprising organizing a security group to include at least one virtual machine (VM).
  - 20. The method of claim 19, comprising generating a virtual VM connector (VVMC) to communicatively connect the VNF to each of the one or more VMs in the security group.
  - 21. The method of claim 19, wherein the security group comprises a first VM and a second VM, the method comprising moving the second VM to a quarantine security group.

22. At least one non-transitory machine readable medium comprising a plurality of instructions that in response to being executed by a secure execution partition of a first processing unit cause the secure execution partition to:
- receive, at the secure execution partition, a policy for a virtual network function (VNF), the secure execution partition comprising a partition of circuitry within the first processing unit and wherein the secure execution partition is a circuitry partition which is secured from other partitions within said circuitry;
  
  validate the policy; and
  
  configure and validating the VNF to implement a network function based on the validated policy, the VNF to be executed by a second processing unit different from the first processing unit.
- View Dependent Claims (23, 24, 25)
- - 23. The at least one non-transitory machine readable medium of claim 22, the instructions to further cause the secure execution partition to configure a plurality of VNFs to implement the policy.
  - 24. The at least one non-transitory machine readable medium of claim 22, the VNF a first VNF and the policy a first policy, the instructions to further cause the secure execution partition to:
    - receive a second policy for a second VNF; and
      
      validate the policy; and
      
      configure the second VNF to implement a second network function based on the second policy.
  - 25. The at least one non-transitory machine readable medium of claim 22, wherein the network function comprises a firewall, an intrusion prevention system, data loss prevention, load balancing, or network acceleration, a packet data network gateway, a mobile management entity, or a serving gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Sood, Kapil, Nedbal, Manuel, Slaight, Thomas M., Skerry, Brian J., Wang, Ren
Primary Examiner(s)
Chai, Longbit

Application Number

US14/582,063
Publication Number

US 20160182567A1
Time in Patent Office

1,120 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/0272   Virtual private networks

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Techniques to deliver security and network policies to a virtual network function

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques to deliver security and network policies to a virtual network function

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links