Session slicing of mirrored packets
US-12184680-B2 · Dec 31, 2024 · US
Distributed network security system
US2016294874A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016294874-A1 |
| Application number | US-201514811425-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jul 28, 2015 |
| Priority date | Apr 6, 2015 |
| Publication date | Oct 6, 2016 |
| Grant date | — |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Some embodiments of the invention provide a method that performs security operations for packets that are processed by a forwarding element. The method of some embodiments receives, at a security agent operating on a physical machine, a packet from a forwarding element that also operates on the physical machine. The method then determines whether a security rule is stored for the packet at the security agent. When no security rule is stored for the packet, the method transmits the packet to a default security controller of several security controllers that store security rules for a network and process packets according to the stored security rules. When the security rule is stored for the packet, the method processes the packet according to the stored security rule for the packet.
First claim
Opening claim text (preview).
We claim: 1 . A method for performing security operations for packets processed by a forwarding element, the method comprising: at a security agent operating on a physical machine, receiving a packet from a forwarding element that also operates on the physical machine; determining whether a security rule is stored for the packet at the security agent; when no security rule is stored for the packet, transmitting the packet to a default security controller of a plurality of security controllers that store security rules for a network and process packets according to the stored security rules; and when the security rule is stored for the packet, processing the packet according to the stored security rule for the packet. 2 . The method of claim 1 , wherein the physical machine is a host machine on which a plurality of data compute nodes reside, wherein the packet is destined for one of the data compute nodes. 3 . The method of claim 1 , wherein the physical machine is a host machine on which a plurality of data compute nodes reside, wherein the packet is transmitted from one of the data compute nodes. 4 . The method of claim 1 , wherein the physical machine operates in a datacenter comprising a plurality of physical machines on each of which a security agent and a forwarding element operate. 5 . The method of claim 4 , wherein the physical machine is a first physical machine and the security agent is a first security agent, wherein a second security agent of a second physical machine transmits a packet to the default security controller when no security rule is stored for the packet at the second security agent. 6 . The method of claim 4 , wherein the physical machine is a first physical machine, the security agent is a first security agent, and the default security controller is a first default security controller, wherein a second security agent of a second host machine transmits a packet to a second, different default security controller of the plurality of security controllers when no security rule is stored for the packet at the second security agent. 7 . The method of claim 1 , wherein processing the packet according to the security rule comprises transmitting the packet to a particular security controller specified for the packet for deep-packet inspection processing. 8 . The method of claim 7 , wherein the particular security controller is different than the default security controller. 9 . The method of claim 1 , wherein determining whether a security rule is stored at the security agent comprises: upon receiving the packet, extracting identification information from a set of packet headers; and matching the extracted identification information against a rules table stored in a local data storage on the physical machine. 10 . The method of claim 9 , wherein the rules table comprises a plurality of rules, each rule comprising (i) a set of packet identification fields and (ii) security processing instructions, wherein the extracted identification information is matched against the sets of packet identification fields for the plurality of rules. 11 . The method of claim 1 further comprising: after transmitting the packet to the default security controller, receiving a new security rule from the default security controller; and storing the new security rule at the security agent. 12 . The method of claim 11 further comprising receiving the packet from the default security controller for processing by the forwarding element. 13 . A non-transitory machine readable medium of a host machine storing a security agent for performing security operations for packets processed by a forwarding element of the host machine, the security agent comprising sets of instructions for: receiving a packet from the forwarding element of the host machine; determining whether a security rule is stored for the packet at the security agent; when no security rule is stored for the packet, transmitting the packet to a default security controller of a plurality of security controllers that store security rules for a network and process packets according to the stored security rules; and when the security rule is stored for the packet, processing the packet according to the stored security rule for the packet. 14 . The non-transitory machine readable medium of claim 13 , wherein the default security controller is a first controller, wherein when the default security controller has no security rule stored for the packet, the default security controller transmits the packet to a second controller in the plurality of security controllers that the default security controller determines as a security controller that stores a security rule for the packet. 15 . The non-transitory machine readable medium of claim 14 , wherein when the second security controller has no security rule stored for the packet, the second security controller sends a message to the security agent indicating that no rule was found for the packet. 16 . The non-transitory machine readable medium of claim 13 , wherein the security rule specifies to perform at least one of dropping the packet, allowing the packet, blocking the packet, and transmit the packet to a particular security controller of the plurality of security controllers for deep-packet inspection. 17 . The non-transitory machine readable medium of claim 16 , wherein the deep packet inspection comprises inspecting the packet for viruses by a third-party anti-virus application. 18 . The non-transitory machine readable medium of claim 13 , wherein the physical machine operates in a datacenter comprising a plurality of physical machines on each of which a security agent and a forwarding element operate. 19 . The non-transitory machine readable medium of claim 18 , wherein the physical machine is a first physical machine and the security agent is a first security agent, wherein a second security agent of a second physical machine transmits a packet to the default security controller when no security rule is stored for the packet at the second security agent. 20 . The non-transitory machine readable medium of claim 18 , wherein the physical machine is a first physical machine, the security agent is a first security agent, and the default security controller is a first default security controller, wherein a second security agent of a second host machine transmits a packet to a second, different default security controller of the plurality of security controllers when no security rule is stored for the packet at the second security agent.
Assignees
Inventors
Classifications
Parsing or analysis of headers · CPC title
- H04L63/20Primary
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
- H04L63/0227Primary
Filtering policies (mail message filtering H04L51/212) · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US2016294874A1 cover?
- Some embodiments of the invention provide a method that performs security operations for packets that are processed by a forwarding element. The method of some embodiments receives, at a security agent operating on a physical machine, a packet from a forwarding element that also operates on the physical machine. The method then determines whether a security rule is stored for the packet at the …
- Who is the assignee on this patent?
- Nicira Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Thu Oct 06 2016 00:00:00 GMT+0000 (Coordinated Universal Time) (A1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).