FR3098615B1 - PRE-ROUTING INTRUSION PROTECTION FOR VIRTUAL CLOUD COMPUTER ENVIRONMENTS - Google Patents
- Publication number
- FR3098615B1
- Authority
- FR
- France
- Prior art keywords
- routing
- packet
- cloud computing
- cloud computer
- virtual cloud
- Prior art date
- Legal status
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45595—Network integration; Enabling network access in virtual machine instances
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/02—Capturing of monitoring data
- H04L43/026—Capturing of monitoring data using flow identification
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/02—Capturing of monitoring data
- H04L43/028—Capturing of monitoring data by filtering
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/20—Arrangements for monitoring or testing data switching networks the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/58—Association of routers
- H04L45/586—Association of routers of virtual routers
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to a method, a system and a computer program product for pre-routing network security for cloud computing. The pre-routing network security method for cloud computing comprises receiving, in a routing component (280), such as a load balancer, of a cloud computing environment (200) comprising at least two different virtualized containers (220), a packet flow (250) targeting a destination network address, and, before the packet flow is processed in the routing component, diverting the packet flow to a packet inspector (260) running in one of the different virtualized containers. Then only a fraction of the packets of the diverted packet flow is sent by the packet inspector to the routing component, and that fraction of packets is then processed in the router so as to be routed to the destination network address. Figure to be published with the abstract: Fig. 2
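The abstract describes an ordering, not an implementation: the routing component must not do any routing work on a packet until an inspector in a separate container has cleared it, and only the cleared fraction of the flow ever reaches the router. The following simulation is an added illustration of that ordering, not code from the patent; the `Packet`, `PacketInspector` and `RoutingComponent` classes, the two inspection rules (a blocked port and a per-source SYN budget) and the sample traffic are all constructed for this example.

```python
import zlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    flags: str          # simplified TCP flag string, e.g. "S" for SYN, "A" for ACK


class PacketInspector:
    """Stands in for the inspector container (260): it sees the whole diverted
    flow and hands back only the packets it clears.  The two checks here
    (a blocked port and a per-source SYN budget) are constructed for the
    demonstration, not rules taken from the patent."""

    def __init__(self, syn_budget_per_src=3, blocked_ports=frozenset({23})):
        self.syn_budget = syn_budget_per_src
        self.blocked_ports = blocked_ports
        self.syn_count = Counter()
        self.drop_reasons = Counter()

    def inspect(self, flow):
        cleared = []
        for pkt in flow:
            if pkt.dst_port in self.blocked_ports:
                self.drop_reasons["blocked port"] += 1
                continue
            if "S" in pkt.flags and "A" not in pkt.flags:   # bare SYN
                self.syn_count[pkt.src] += 1
                if self.syn_count[pkt.src] > self.syn_budget:
                    self.drop_reasons["syn budget exceeded"] += 1
                    continue
            cleared.append(pkt)
        return cleared


class RoutingComponent:
    """Stands in for the routing component (280), e.g. a load balancer.  It
    does no routing work on a packet until the inspector has cleared it, so
    dropped packets never consume a backend selection or flow-table entry."""

    def __init__(self, backends, inspector):
        self.backends = backends      # destination address -> backend containers
        self.inspector = inspector
        self.routed = []              # (packet, chosen backend)

    def receive(self, flow):
        # Divert the whole flow first; only the cleared fraction comes back.
        fraction = self.inspector.inspect(flow)
        for pkt in fraction:
            pool = self.backends[pkt.dst]
            # Deterministic flow hash so one connection sticks to one backend.
            key = zlib.crc32(f"{pkt.src}:{pkt.dst_port}".encode())
            self.routed.append((pkt, pool[key % len(pool)]))
        return fraction


def build_sample_flow():
    """Constructed traffic: one legitimate handshake, a SYN burst from a
    second source, and one packet to a blocked port (addresses are from
    documentation ranges)."""
    legit = [Packet("10.0.0.5", "203.0.113.10", 443, "S"),
             Packet("10.0.0.5", "203.0.113.10", 443, "A")]
    syn_burst = [Packet("198.51.100.7", "203.0.113.10", 443, "S") for _ in range(6)]
    telnet = [Packet("10.0.0.6", "203.0.113.10", 23, "S")]
    return legit + syn_burst + telnet


def run_demo():
    inspector = PacketInspector()
    router = RoutingComponent({"203.0.113.10": ["web-ctr-1", "web-ctr-2"]}, inspector)
    flow = build_sample_flow()
    fraction = router.receive(flow)
    return {
        "received": len(flow),
        "reached_router": len(fraction),
        "routed": len(router.routed),
        "dropped": dict(inspector.drop_reasons),
        # every packet of one connection should land on the same backend
        "legit_backends": {b for p, b in router.routed if p.src == "10.0.0.5"},
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows nine packets received, five reaching the router and four dropped before any backend was selected; the point of the arrangement is that the router's state and its backends only ever see the cleared fraction.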
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR1907572A FR3098615B1 (en) | 2019-07-08 | 2019-07-08 | PRE-ROUTING INTRUSION PROTECTION FOR VIRTUAL CLOUD COMPUTER ENVIRONMENTS |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR1907572 | 2019-07-08 | ||
FR1907572A FR3098615B1 (en) | 2019-07-08 | 2019-07-08 | PRE-ROUTING INTRUSION PROTECTION FOR VIRTUAL CLOUD COMPUTER ENVIRONMENTS |
Publications (2)
Publication Number | Publication Date |
---|---|
FR3098615A1 FR3098615A1 (en) | 2021-01-15 |
FR3098615B1 true FR3098615B1 (en) | 2021-07-02 |
Family
ID=68733199
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
FR1907572A Active FR3098615B1 (en) | 2019-07-08 | 2019-07-08 | PRE-ROUTING INTRUSION PROTECTION FOR VIRTUAL CLOUD COMPUTER ENVIRONMENTS |
Country Status (1)
Country | Link |
---|---|
FR (1) | FR3098615B1 (en) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9571507B2 (en) * | 2012-10-21 | 2017-02-14 | Mcafee, Inc. | Providing a virtual security appliance architecture to a virtual cloud infrastructure |
KR101394424B1 (en) * | 2013-04-22 | 2014-05-13 | 한국인터넷진흥원 | Hypervisor-based intrusion prevention platform and virtual network intrusion prevention system |
US9961105B2 (en) * | 2014-12-31 | 2018-05-01 | Symantec Corporation | Systems and methods for monitoring virtual networks |
- 2019-07-08: FR application FR1907572A, granted as FR3098615B1 (en), status Active
Also Published As
Publication number | Publication date |
---|---|
FR3098615A1 (en) | 2021-01-15 |
Similar Documents
Publication | Title |
---|---|
US10454790B2 (en) | System and method for efficient classification and processing of network traffic |
US10187263B2 (en) | Integrating physical and virtual network functions in a service-chained network environment |
Luizelli et al. | Piecing together the NFV provisioning puzzle: Efficient placement and chaining of virtual network functions |
EP2951713B1 (en) | Method and system for intrusion and extrusion detection |
US9460289B2 (en) | Securing a virtual environment |
US10812376B2 (en) | Chaining network functions to build complex datapaths |
US10225194B2 (en) | Transparent network-services elastic scale-out |
CN104412558B (en) | For ensuring the reverse access method of front end applications and other application safety |
US20150082412A1 (en) | Application state sharing in a firewall cluster |
US20110314180A1 (en) | Virtual server recirculation |
US20180309781A1 (en) | Sdn controller assisted intrusion prevention systems |
CN105282169A (en) | DDoS attack warning method and system based on SDN controller threshold |
Bonelli et al. | Network traffic processing with PFQ |
FR3098615B1 (en) | PRE-ROUTING INTRUSION PROTECTION FOR VIRTUAL CLOUD COMPUTER ENVIRONMENTS |
CN101729573A (en) | Dynamic load balancing method of network intrusion detection |
US9218356B2 (en) | Systems and methods for accelerating networking functionality |
Rao et al. | SEDoS-7: a proactive mitigation approach against EDoS attacks in cloud computing |
CN104363177B (en) | A kind of optimization method and device of rule table entry for Message processing |
JP2015231131A (en) | Network relay device, ddos protection method employing the device, and load distribution method |
US8677471B2 (en) | Port allocation in a firewall cluster |
US6598088B1 (en) | Port switch |
US20050086325A1 (en) | Method and apparatus for network content insertion and phase insertion |
US20210336977A1 (en) | Deep packet analysis |
CN103905324A (en) | Dispatching and distributing method and system based on message five-element set |
Thatha et al. | Security and risk analysis in the cloud with software defined networking architecture. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PLFP | Fee payment | Year of fee payment: 2 |
| PLSC | Publication of the preliminary search report | Effective date: 20210115 |
| PLFP | Fee payment | Year of fee payment: 3 |
| PLFP | Fee payment | Year of fee payment: 4 |
| PLFP | Fee payment | Year of fee payment: 5 |