Abstract |
Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol). |
Independent claim |
1. A system for a security controller that performs packet classification for network routing, comprising:
a processor configured to:
    receive packets associated with a flow from a network device, wherein the network device performs packet forwarding;
    classify the flow, comprising to:
        determine an application associated with the flow, comprising to:
            determine a type of traffic related to the flow; and
            perform application signature matching based on the type of traffic to determine the application; and
        determine a user associated with the flow, comprising to:
            extract a username, a password, or a combination thereof being submitted to an external site from the received packets to determine the user;
    determine an action for the flow based on a policy, comprising:
        determine the action for the flow based on the application and the user;
    instruct the network device to perform the action for the flow, wherein the action is to drop the flow, ignore the flow, or shunt the flow; and
    receive additional packets associated with a new flow from the network device, wherein the security controller performs further classification of the new flow; and
a memory coupled to the processor and configured to provide the processor with instructions. |
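The classification pipeline of the claim (traffic type, application signature, user, then a policy lookup yielding drop, ignore or shunt), as an added toy model that is not part of the patent or of any product: the port-to-type map, the signature table, the policy entries, the default-deny fallback and the sample flow are all assumptions constructed for the example, and only the username (never the password) is retained from a login form.

```python
from dataclasses import dataclass

@dataclass
class Packet:  # constructed packet model for the example, not a real parser
    dport: int
    payload: bytes

# Assumed signature table: traffic type -> [(application, byte pattern)], checked in order.
SIGNATURES = {
    "http": [("webmail-example", b"Host: webmail.example"), ("web-generic", b"HTTP/1.1")],
}

# Assumed policy: (application, user) -> action; "*" matches any user of that application.
POLICY = {
    ("webmail-example", "alice"): "ignore",
    ("webmail-example", "*"): "shunt",
    ("web-generic", "*"): "ignore",
}

def traffic_type(pkt):
    """Step 1: infer the traffic type (here simply from the destination port)."""
    return {80: "http", 8080: "http"}.get(pkt.dport, "unknown")

def match_application(ttype, payload):
    """Step 2: application signature matching restricted to that traffic type."""
    for app, pattern in SIGNATURES.get(ttype, []):
        if pattern in payload:
            return app
    return "unknown"

def extract_user(payload):
    """Step 3: take the username from a login form; the password field is not kept."""
    body = payload.split(b"\r\n\r\n", 1)[-1]
    for field in body.split(b"&"):
        key, _, value = field.partition(b"=")
        if key == b"username":
            return value.decode(errors="replace")
    return "unknown"

def classify_and_decide(packets):
    """Steps 1-4 over one flow -> (app, user, action); unmatched pairs drop (assumed default)."""
    payload = b"".join(p.payload for p in packets)
    app = match_application(traffic_type(packets[0]), payload)
    user = extract_user(payload)
    action = POLICY.get((app, user)) or POLICY.get((app, "*"), "drop")
    return app, user, action

# Constructed sample flow: a form login to an assumed external webmail site.
LOGIN_FLOW = [Packet(80, b"POST /login HTTP/1.1\r\nHost: webmail.example\r\n\r\n"
                         b"username=alice&password=hunter2")]
```

In a real controller the returned action would be pushed to the forwarding device as a flow rule, and flows that fall through to the default should be logged so that policy gaps are visible.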