Title: Security actuator for a dynamically programmable computer network
Abstract: A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with packet disposition directives. A security actuator receives flow policy directives from a number of network applications. The flow policy directives express higher-level network security policy goals, including blocking and/or redirecting network traffic. The security actuator converts a flow policy directive into one or more packet disposition directives. The packet disposition directives may include trigger rules to cause network communications to be monitored for matching trigger packets. An automated mechanism initiated by the security actuator may cause trigger packets to be forwarded to the security actuator for analysis. The security actuator may generate packet disposition directives in response to receiving the trigger packets.
Publication number: US9571523(B2) Publication date: 2017.02.14
Application number: US201414322617 Filing date: 2014.07.02
Applicant: SRI INTERNATIONAL Inventors: Porras Phillip A.; Skinner Keith M.; Dawson Steven M.
Classification: H04L29/06; H04L29/08 Main classification: H04L29/06
Agency: Barnes & Thornburg LLP Agent: Barnes & Thornburg LLP
Principal claim: 1. A security service for a dynamically-programmable computer network, the security service embodied in one or more non-transitory computer readable storage media of a computing system and comprising a plurality of instructions that, when executed, cause the computing system to: monitor the dynamically programmable network for receipt of a flow policy directive from a flow policy directive source, the flow policy directive including a command and a set of parameters, wherein the command and the set of parameters describe a flow policy objective for the dynamically programmable computer network; in response to the monitoring, convert the flow policy directive to one or more packet disposition directives, the one or more packet disposition directives to cause one or more network switches of the dynamically programmable computer network to implement the flow policy directive to control flow of communications across the dynamically programmable computer network; compare the one or more packet disposition directives to a set of currently active flow rules of the dynamically programmable computer network; and in response to the comparison of the one or more packet disposition directives to the set of currently active flow rules, add the one or more packet disposition directives to the set of currently active flow rules, wherein conversion of the flow policy directive comprises parsing the flow policy directive to identify at least one valid command, wherein receipt of the flow policy directive comprises receiving a flow policy directive to quarantine communications associated with a network service identifier to a notifier internet address, the network service identifier including one or more of a network address or a network port, and wherein conversion of the flow policy directive further comprises creation of a first quarantine flow policy trigger rule to cause the one or more network switches to forward to a computing device a first quarantine trigger packet addressed from the network service identifier, creation of a second quarantine flow policy trigger rule to cause the one or more network switches to forward to the computing device a second quarantine trigger packet addressed to the network service identifier, creation, in response to receipt of the first or second quarantine trigger packet associated with a predefined network service, a first flow modification rule to (i) forward to the notifier internet address data communications addressed from the network service identifier and (ii) modify the data communications to identify the notifier internet address, and creation, in response to the receipt of the first or second trigger packet, a second flow modification rule to (i) forward to the network service identifier data communications addressed from the notifier internet address and (ii) modify the data communications to identify the second network service identifier, and wherein the first flow modification rule and the second flow modification rule have a higher priority than the first quarantine flow policy trigger rule and the second quarantine flow policy trigger rule.
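As an added illustration (not SRI's code or the patent's implementation), the following Python models the quarantine path described in the abstract and claim: the actuator parses a directive, installs two low-priority trigger rules, and on each trigger packet creates two higher-priority flow modification rules that redirect the quarantined flow to the notifier and map replies back, comparing every new directive against the active rule set before adding it. The directive grammar, priority values and header field names are assumptions.

```python
from dataclasses import dataclass

TRIGGER_PRIO, MODIFY_PRIO = 10, 100  # assumed values; the claim only needs MODIFY > TRIGGER

@dataclass(frozen=True)
class Directive:
    """One packet disposition directive as a switch would install it."""
    match: tuple         # sorted (field, value) pairs the switch matches on
    action: str          # 'to_actuator' (trigger rule) or 'forward'
    priority: int
    rewrite: tuple = ()  # header fields the switch rewrites before forwarding

def _m(**fields):
    return tuple(sorted(fields.items()))

def parse_directive(text):
    """Parse a flow policy directive; QUARANTINE is the only valid command modelled (assumed grammar)."""
    cmd, *params = text.split()
    if cmd != "QUARANTINE" or len(params) != 2:
        raise ValueError(f"invalid flow policy directive: {text!r}")
    return cmd, {"service": params[0], "notifier": params[1]}

def quarantine_trigger_rules(service):
    """Two low-priority trigger rules: traffic from or to the service is sent to the actuator."""
    return [Directive(_m(ip_src=service), "to_actuator", TRIGGER_PRIO),
            Directive(_m(ip_dst=service), "to_actuator", TRIGGER_PRIO)]

def rules_for_trigger_packet(pkt, service, notifier):
    """On a trigger packet, create the two higher-priority flow modification rules that
    redirect the quarantined service's flow to the notifier and map replies back."""
    if pkt["ip_src"] == service:
        peer = pkt["ip_dst"]
    elif pkt["ip_dst"] == service:
        peer = pkt["ip_src"]
    else:
        return []  # not a packet for this quarantine: no new rules
    return [Directive(_m(ip_src=service, ip_dst=peer), "forward", MODIFY_PRIO, _m(ip_dst=notifier)),
            Directive(_m(ip_src=notifier, ip_dst=service), "forward", MODIFY_PRIO, _m(ip_src=peer))]

def install(active, new):
    """Compare against the active flow rules; add only directives not already present."""
    added = [d for d in new if d not in active]
    active.extend(added)
    return added

def run_quarantine(directive_text, trigger_packets):
    """Full actuator path: parse, install triggers, then react to each trigger packet."""
    active = []
    _, p = parse_directive(directive_text)
    install(active, quarantine_trigger_rules(p["service"]))
    for pkt in trigger_packets:
        install(active, rules_for_trigger_packet(pkt, p["service"], p["notifier"]))
    return sorted(active, key=lambda d: -d.priority)  # switch evaluates highest priority first
```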
Address: Menlo Park CA US