FR3098615B1 - PRE-ROUTING INTRUSION PROTECTION FOR VIRTUAL CLOUD COMPUTER ENVIRONMENTS - Google Patents


Info

Publication number
FR3098615B1
Authority
FR
France
Prior art keywords
routing
packet
cloud computing
cloud computer
virtual cloud
Prior art date
Legal status
Active
Application number
FR1907572A
Other languages
French (fr)
Other versions
FR3098615A1 (en)
Inventor
Scott Masciarelli
John Meyer
Current Assignee
SECNAP Network Security LLC
Original Assignee
SECNAP Network Security LLC
Priority date
Filing date
Publication date
Application filed by SECNAP Network Security LLC
Priority to FR1907572A
Publication of FR3098615A1
Application granted
Publication of FR3098615B1
Legal status: Active (current)
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/026 Capturing of monitoring data using flow identification
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/028 Capturing of monitoring data by filtering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/20 Arrangements for monitoring or testing data switching networks the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/58 Association of routers
    • H04L45/586 Association of routers of virtual routers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a method, a system and a computer program product for pre-routing network security for cloud computing. The pre-routing network security method for cloud computing comprises receiving, in a routing component (280), such as a load balancer, of a cloud computing environment (200) comprising at least two different virtualized containers (220), a packet flow (250) targeting a destination network address, and, before the packet flow is processed in the routing component, diverting the packet flow to a packet inspector (260) running in one of the different virtualized containers. Then only a fraction of the packets of the diverted packet flow is sent by the packet inspector to the routing component, and that fraction of packets is then processed in the router so as to be routed to the destination network address. Figure to be published with the abstract: Fig. 2


Priority Applications (1)

Application Number Priority Date Filing Date Title
FR1907572A FR3098615B1 (en) 2019-07-08 2019-07-08 PRE-ROUTING INTRUSION PROTECTION FOR VIRTUAL CLOUD COMPUTER ENVIRONMENTS

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1907572 2019-07-08
FR1907572A FR3098615B1 (en) 2019-07-08 2019-07-08 PRE-ROUTING INTRUSION PROTECTION FOR VIRTUAL CLOUD COMPUTER ENVIRONMENTS

Publications (2)

Publication Number Publication Date
FR3098615A1 FR3098615A1 (en) 2021-01-15
FR3098615B1 true FR3098615B1 (en) 2021-07-02

Family

ID=68733199

Family Applications (1)

Application Number Title Priority Date Filing Date
FR1907572A Active FR3098615B1 (en) 2019-07-08 2019-07-08 PRE-ROUTING INTRUSION PROTECTION FOR VIRTUAL CLOUD COMPUTER ENVIRONMENTS

Country Status (1)

Country Link
FR (1) FR3098615B1 (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9571507B2 (en) * 2012-10-21 2017-02-14 Mcafee, Inc. Providing a virtual security appliance architecture to a virtual cloud infrastructure
KR101394424B1 (en) * 2013-04-22 2014-05-13 한국인터넷진흥원 Hypervisor-based intrusion prevention platform and virtual network intrusion prevention system
US9961105B2 (en) * 2014-12-31 2018-05-01 Symantec Corporation Systems and methods for monitoring virtual networks

Also Published As

Publication number Publication date
FR3098615A1 (en) 2021-01-15

Similar Documents

Publication Publication Date Title
US10454790B2 (en) System and method for efficient classification and processing of network traffic
US10187263B2 (en) Integrating physical and virtual network functions in a service-chained network environment
Luizelli et al. Piecing together the NFV provisioning puzzle: Efficient placement and chaining of virtual network functions
EP2951713B1 (en) Method and system for intrusion and extrusion detection
US9460289B2 (en) Securing a virtual environment
US10812376B2 (en) Chaining network functions to build complex datapaths
US10225194B2 (en) Transparent network-services elastic scale-out
CN104412558B (en) For ensuring the reverse access method of front end applications and other application safety
US20150082412A1 (en) Application state sharing in a firewall cluster
US20110314180A1 (en) Virtual server recirculation
US20180309781A1 (en) Sdn controller assisted intrusion prevention systems
CN105282169A (en) DDoS attack warning method and system based on SDN controller threshold
Bonelli et al. Network traffic processing with PFQ
FR3098615B1 (en) PRE-ROUTING INTRUSION PROTECTION FOR VIRTUAL CLOUD COMPUTER ENVIRONMENTS
CN101729573A (en) Dynamic load balancing method of network intrusion detection
US9218356B2 (en) Systems and methods for accelerating networking functionality
Rao et al. SEDoS-7: a proactive mitigation approach against EDoS attacks in cloud computing
CN104363177B (en) A kind of optimization method and device of rule table entry for Message processing
JP2015231131A (en) Network relay device, ddos protection method employing the device, and load distribution method
US8677471B2 (en) Port allocation in a firewall cluster
US6598088B1 (en) Port switch
US20050086325A1 (en) Method and apparatus for network content insertion and phase insertion
US20210336977A1 (en) Deep packet analysis
CN103905324A (en) Dispatching and distributing method and system based on message five-element set
Thatha et al. Security and risk analysis in the cloud with software defined networking architecture.

Legal Events

Date Code Title Description
PLFP Fee payment (Year of fee payment: 2)
PLSC Publication of the preliminary search report (Effective date: 20210115)
PLFP Fee payment (Year of fee payment: 3)
PLFP Fee payment (Year of fee payment: 4)
PLFP Fee payment (Year of fee payment: 5)