Software Defined Perimeter (SDP) Implementation In A Software Defined Networking-Network Function Virtualization (SDN-NFV) Framework

Abstract: Systems and methods for SDP implementation in an integrated SDN-NFV framework. Embodiments of the present disclosure provide for implementing the SDP in the integrated SDN-NFV environment and determining improvement in network performance by deploying and configuring a SDP implemented architecture, performing load balancing and high availability of the SDP components by integrating an Open vSwitch with a SDN controller, requesting a VIM to create Software Defined Perimeter Virtual Machines (SDP VMs) of the SDP implemented architecture, configuring the SDN controller for creating an integrated SDN controller, VIM and SDP VM network, and integrating the SDP-NFV framework to obtain an integrated SDN-SDP-NFV architecture.

Patent Information

Filing Date: 14 August 2017
Publication Number: 07/2019
Publication Type: INA
Invention Field: COMMUNICATION
Email: ip@legasis.in
Grant Date: 2023-11-02

Applicants

Tata Consultancy Services Limited
Nirmal Building, 9th Floor, Nariman Point, Mumbai 400021, Maharashtra, India

Inventors

1. SEBASTIAN, Thomas Lee
Tata Consultancy Services Gopalan Global Axis B&C Block, Whitefield, Bangalore - 560066, Karnataka, India

Specification

Claims:

1. A method for implementing Software Defined Perimeter (SDP) in a Software Defined Networking (SDN) and Network Function Virtualization (NFV) framework, the method comprising processor implemented steps of:
deploying, by one or more hardware processors, a Network Function Virtualization Orchestrator-cum-Network Function Virtualization Manager (NFVO-M) comprising of a Network Function Virtualization (NFV), a Virtual Infrastructure Manager (VIM), a Software Defined Networking (SDN) Controller, an Open vSwitch, a Software Defined Perimeter Initiating Host (SDP IH), a plurality of Software Defined Perimeter (SDP) Gateways, a Deep Packet Inspection (DPI) engine and a Software Defined Perimeter (SDP) Controller on a single or multiple hosts to configure a SDP implemented architecture;
performing, by integrating the Open vSwitch with the SDN controller, load balancing and an availability of the SDP architecture to configure a SDP service;
configuring the SDP service, by introducing a SDP configuration file into the NFVO-M for determining configuration and authorization details of the SDP IH and SDP controller of the SDP;
implementing the configuration and authorization details for requesting the VIM to create a Software Defined Perimeter Virtual Machines (SDP VM) of the configured SDP architecture;
configuring, by implementing the VIM and the SDP VM, the SDN controller for creating an integrated SDN controller, VIM and SDP VM network; and
configuring, by implementing the integrated SDN controller, VIM and SDP VM network, the Open vSwitch and attaching the SDP VM to the Open vSwitch for integrating SDP-NFV framework to obtain an integrated SDN-SDP-NFV architecture, and
performing, using the integrated SDN-SDP-NFV architecture, at least one of:
(i) creating an application programming interface (API) to establish a communication between the NFVO-M and the SDN controller to determine an improvement in network performance; and
(ii) implementing, by using the API with the NFVO-M, network flow rules on the Open vSwitch to restrict malicious traffic on the integrated SDN-SDP-NFV architecture.
2. The processor implemented method of claim 1, wherein the step of integrating SDP-NFV framework to obtain an integrated SDN-SDP-NFV architecture is preceded by establishing, using a single packet authentication, a connection between the SDP host and one or more of the SDP Gateways for establishing a secured communication between one or more of the SDP Gateways and servers to restrict malicious network traffic.

3. The processor implemented method of claim 1, wherein the step of creating an API to determine an improvement in network performance of the integrated SDN-SDP-NFV architecture comprises mapping of the malicious traffic to another port on the Open vSwitch that is monitored by the Deep Packet Inspection (DPI) engine running as the VNF to restrict malicious traffic flow to the integrated SDN-SDP-NFV network.

4. A system comprising:
a memory storing instructions;
one or more communication interfaces; and
one or more hardware processors coupled to the memory via the one or more communication interfaces, wherein the one or more hardware processors are configured by the instructions to:
deploy by one or more hardware processors, a Network Function Virtualization Orchestrator-cum-Network Function Virtualization Manager (NFVO-M) comprising of a Network Function Virtualization (NFV), a Virtual Infrastructure Manager (VIM), a Software Defined Networking (SDN) Controller, an Open vSwitch, a Software Defined Perimeter Initiating Host (SDP IH), a plurality of Software Defined Perimeter (SDP) Gateways, a Deep Packet Inspection (DPI) engine and a Software Defined Perimeter (SDP) Controller on a single or multiple hosts to configure a SDP implemented architecture;
perform by integrating the Open vSwitch with the SDN controller, load balancing and an availability of the SDP architecture to configure a SDP service;
configure the SDP service by introducing a SDP configuration file into the NFVO-M for determining configuration and authorization details of the SDP IH and SDP controller of the SDP;
implement the configuration and authorization details for requesting the VIM to create Software Defined Perimeter Virtual Machines (SDP VM) of the configured SDP architecture;
configure by implementing the VIM and the SDP VM, the SDN controller for creating an integrated SDN controller, VIM and SDP VM network; and
configure by implementing the integrated SDN controller, VIM and SDP VM network, the Open vSwitch and attaching the SDP VM to the Open vSwitch for integrating SDP-NFV framework to obtain an integrated SDN-SDP-NFV architecture, and
perform using the integrated SDN-SDP-NFV architecture at least one of:
(i) create an application programming interface (API) to establish a communication between the NFVO-M and the SDN controller to determine an improvement in network performance; and
(ii) implement by using the API with the NFVO-M, network flow rules on the Open vSwitch to restrict malicious traffic on the integrated SDN-SDP-NFV architecture.

5. The system of claim 4, wherein integrating the SDP-NFV framework to obtain an integrated SDN-SDP-NFV architecture is preceded by establishing, using a single packet authentication, a connection between the SDP host and one or more of the SDP Gateways for establishing a secured communication between one or more of the SDP Gateways and servers to restrict malicious network traffic.

6. The system of claim 4, wherein the one or more hardware processors are further configured to map the malicious traffic to another port on the Open vSwitch that is monitored by the Deep Packet Inspection (DPI) engine running as the VNF to restrict malicious traffic flow to the integrated SDN-SDP-NFV network, prior to creating an API to determine an improvement in network performance of the integrated SDN-SDP-NFV architecture.

Description:

FORM 2

THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003

COMPLETE SPECIFICATION
(See Section 10 and Rule 13)

Title of invention:
SOFTWARE DEFINED PERIMETER (SDP) IMPLEMENTATION IN A SOFTWARE DEFINED NETWORKING-NETWORK FUNCTION VIRTUALIZATION (SDN-NFV) FRAMEWORK

Applicant:
Tata Consultancy Services Limited
A company Incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th Floor,
Nariman Point, Mumbai 400021,
Maharashtra, India

The following specification particularly describes the invention and the manner in which it is to be performed.

TECHNICAL FIELD
[0001] The present disclosure generally relates to a Software Defined Perimeter (SDP) implementation in Software Defined Networking-Network Function Virtualization (SDN-NFV) framework. More particularly, the present disclosure relates to systems and methods for Software Defined Perimeter (SDP) implementation in Software Defined Networking-Network Function Virtualization (SDN-NFV) framework.

BACKGROUND
[0002] A Software Defined Perimeter (SDP) is an approach in cyber security to thwart and mitigate network based attacks on Information Technology (IT) infrastructure. The SDP secures the connectivity between the customer's protected applications and/or authorized end points and/or authorized users. However, unlike traditional physical security, the SDP integrates logical software components and virtualized resources that are fully managed and provided as a service, thereby offering the benefits of scalability, flexibility and high security. The SDP works across resources as varied as traditional end-points, data centers or clouds, since overlay tunnels can traverse different types of infrastructure. Hosts gaining access may include traditional PCs, mobile devices, or even Internet of Things (IoT) devices. Locations may include public clouds, data centers, traditional campus networks or remote offices. Resources may include cloud services (exposed via REST APIs) or traditional client-server data center applications accessing applications or data.
[0003] The SDP architecture comprises SDP hosts such as clients and servers and SDP controllers wherein the SDP hosts initiate and accept data connection under the supervision of SDP controllers. The SDP may also be integrated into private clouds to leverage the flexibility and elasticity of such environments. In this role, the SDPs can be used by enterprises to hide and secure their public cloud instances in isolation, or as a unified system that includes private and public cloud instances and/or cross-cloud clusters. Since the SDP implementation may be distributed across public and private clouds, therefore the SDP controller protecting the SDP hosts may reside in the public cloud and vice-versa.
[0004] A complete SDP solution may not be easily implemented into an existing infrastructure without some disruptions in the network and software infrastructure. Applications and operating system configurations need to be aware of the SDP to access the SDP workflow and secure tunnels. The presence of a controller means there is another element for networks to rely on, and it needs to be secured and be made highly available. Therefore, there is a need for a technology that provides for security, high availability and scalability of one or more SDP components.

SUMMARY
[0005] The following presents a simplified summary of some embodiments of the disclosure in order to provide a basic understanding of the embodiments. This summary is not an extensive overview of the embodiments. It is not intended to identify key/critical elements of the embodiments or to delineate the scope of the embodiments. Its sole purpose is to present some embodiments in a simplified form as a prelude to the more detailed description that is presented below.
[0006] Systems and methods of the present disclosure enable Software Defined Perimeter (SDP) implementation in a Software Defined Networking-Network Function Virtualization (SDN-NFV) framework. In an embodiment of the present disclosure, there is provided a method for the SDP implementation in an integrated SDN-NFV framework, the method comprising: deploying, by one or more hardware processors, a Network Function Virtualization Orchestrator-cum-Network Function Virtualization Manager (NFVO-M) comprising a Network Function Virtualization (NFV), a Virtualized Infrastructure Manager (VIM), a Software Defined Networking (SDN) Controller, an Open vSwitch, a Software Defined Perimeter Initiating Host (SDP IH), a plurality of Software Defined Perimeter (SDP) Gateways, a Deep Packet Inspection (DPI) engine and a Software Defined Perimeter (SDP) Controller on a single or multiple hosts to configure a SDP implemented architecture; performing, by integrating the Open vSwitch with the SDN controller, load balancing and high availability of the SDP architecture to configure a SDP service; configuring the SDP service, by introducing a SDP configuration file into the NFVO-M for determining configuration and authorization details of the SDP IH and SDP controller of the SDP; implementing the configuration and authorization details for requesting the VIM to create Software Defined Perimeter Virtual Machines (SDP VM) of the configured SDP architecture; configuring, by implementing the VIM and the SDP VM, the SDN controller for creating an integrated SDN controller, VIM and SDP VM network; configuring, by implementing the integrated SDN controller, VIM and SDP VM network, the Open vSwitch and attaching the SDP VM to the Open vSwitch for integrating SDP-NFV framework to obtain an integrated SDN-SDP-NFV architecture, and performing, using the integrated SDN-SDP-NFV architecture, at least one of: (i) creating an application programming interface (API) to establish a communication between the NFVO-M and the SDN controller to determine an improvement in network performance; and (ii) implementing, by using the API with the NFVO-M, network flow rules on the Open vSwitch to restrict malicious traffic on the integrated SDN-SDP-NFV architecture; establishing, using a single packet authentication, a connection between the SDP host and one or more of the SDP Gateways for establishing a secured communication between one or more of the SDP Gateways and servers to restrict malicious network traffic prior to integrating SDP-NFV framework to obtain an integrated SDN-SDP-NFV architecture; and creating an API to determine an improvement in network performance of the integrated SDN-SDP-NFV architecture by mapping of the malicious traffic to another port on the Open vSwitch that is monitored by the Deep Packet Inspection (DPI) engine running as the VNF to restrict malicious traffic flow to the integrated SDN-SDP-NFV network.
[0007] In an embodiment of the present disclosure, there is provided a system for Software Defined Perimeter (SDP) implementation in a Software Defined Networking-Network Function Virtualization (SDN-NFV) framework, the system comprising one or more processors; one or more data storage devices operatively coupled to the one or more processors and configured to store instructions configured for execution by the one or more processors to: deploy by one or more hardware processors, a Network Function Virtualization Orchestrator-cum-Network Function Virtualization Manager (NFVO-M) comprising a Network Function Virtualization (NFV), a Virtual Infrastructure Manager (VIM), a Software Defined Networking (SDN) Controller, an Open vSwitch, a Software Defined Perimeter Initiating Host (SDP IH), a plurality of Software Defined Perimeter (SDP) Gateways, a Deep Packet Inspection (DPI) engine and a Software Defined Perimeter (SDP) Controller on a single or multiple hosts to configure a SDP implemented architecture; perform by integrating the Open vSwitch with the SDN controller, load balancing and high availability of the SDP architecture to configure a SDP service; configure the SDP service by introducing a SDP configuration file into the NFVO-M for determining configuration and authorization details of the SDP IH and SDP controller of the SDP; implement the configuration and authorization details for requesting the VIM to create Software Defined Perimeter Virtual Machines (SDP VM) of the configured SDP architecture; configure by implementing the VIM and the SDP VM, the SDN controller for creating an integrated SDN controller, VIM and SDP VM network; configure by implementing the integrated SDN controller, VIM and SDP VM network, the Open vSwitch and attaching the SDP VM to the Open vSwitch for integrating SDP-NFV framework to obtain an integrated SDN-SDP-NFV architecture, and perform using the integrated SDN-SDP-NFV architecture at least one of: (i) create an application programming interface (API) to establish a communication between the NFVO-M and the SDN controller to determine an improvement in network performance; and (ii) implement by using the API with the NFVO-M, network flow rules on the Open vSwitch to restrict malicious traffic on the integrated SDN-SDP-NFV architecture; establish, using a single packet authentication, a connection between the SDP host and one or more of the SDP Gateways for establishing a secured communication between one or more of the SDP Gateways and servers to restrict malicious network traffic prior to integrating SDP-NFV framework to obtain an integrated SDN-SDP-NFV architecture; and map the malicious traffic to another port on the Open vSwitch that is monitored by the Deep Packet Inspection (DPI) engine running as the VNF to restrict malicious traffic flow to the integrated SDN-SDP-NFV network prior to creating an API to determine an improvement in network performance of the integrated SDN-SDP-NFV architecture.
[0008] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS
[0009] The embodiments herein will be better understood from the following detailed description with reference to the drawings, in which:
[0010] Fig. 1 illustrates a block diagram of a system for Software Defined Perimeter (SDP) implementation in a Software Defined Networking-Network Function Virtualization (SDN-NFV) framework according to an embodiment of the present disclosure;
[0011] Fig. 2 is an architecture illustrating the components of a system for Software Defined Perimeter (SDP) implementation in a Software Defined Networking-Network Function Virtualization (SDN-NFV) framework according to an embodiment of the present disclosure; and
[0012] Fig. 3 is a flowchart illustrating the steps involved in Software Defined Perimeter (SDP) implementation in a Software Defined Networking-Network Function Virtualization (SDN-NFV) framework according to an embodiment of the present disclosure.
DETAILED DESCRIPTION OF THE EMBODIMENTS
[0013] The embodiments herein and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. The examples used herein are intended merely to facilitate an understanding of ways in which the embodiments herein may be practiced and to further enable those of skill in the art to practice the embodiments herein. Accordingly, the examples should not be construed as limiting the scope of the embodiments herein.
[0014] The embodiments of the present disclosure provide systems and methods for Software Defined Perimeter (SDP) implementation in a Software Defined Networking-Network Function Virtualization (SDN-NFV) environment. The SDP mitigates network based attacks by dynamically creating perimeter networks anywhere, including, but not limited to, a cloud or a data center. Unlike traditional physical security, the SDP uses logical software components and virtualized resources which are fully managed and provided as a service, thereby offering the benefits of scalability, flexibility and high security. Traditional systems and methods have provided network security through cloud based, managed network solutions that shield enterprise applications and resources from attackers, but they do not focus on load balancing and high availability of the SDP components. Further, none of the traditional systems and methods have attempted to implement the SDP in the NFV or in an integrated SDN-NFV environment. Hence there is a need for technology that determines improvement in network performance, restricts malicious traffic to gateways and provides for load balancing by implementing the SDP in the integrated SDN-NFV environment.
[0015] Referring now to the drawings, and more particularly to FIGS. 1 through 3, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments, and these embodiments are described in the context of the following exemplary system and/or method.
[0016] FIG. 1 illustrates an exemplary block diagram of a system 100 for Software Defined Perimeter (SDP) implementation in the integrated Software Defined Networking-Network Function Virtualization (SDN-NFV) framework. In an embodiment, the system 100 includes one or more processors 104, communication interface device(s) or input/output (I/O) interface(s) 106, and one or more data storage devices or memory 102 operatively coupled to the one or more processors 104. The one or more processors 104 that are hardware processors can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the processor(s) is configured to fetch and execute computer-readable instructions stored in the memory. In an embodiment, the system 100 can be implemented in a variety of computing systems, such as laptop computers, notebooks, hand-held devices, workstations, mainframe computers, servers, a network cloud and the like.
[0017] The I/O interface device(s) 106 can include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like and can facilitate multiple communications within a wide variety of networks N/W and protocol types, including wired networks, for example, LAN, cable, etc., and wireless networks, such as WLAN, cellular, or satellite. In an embodiment, the I/O interface device(s) can include one or more ports for connecting a number of devices to one another or to another server.
[0018] The memory 102 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. In an embodiment, one or more modules (not shown) of the system 100 can be stored in the memory 102.
[0019] According to an embodiment of the present disclosure, referring to FIG. 2, the architecture and components of the system for the Software Defined Perimeter (SDP) implementation in the Software Defined Networking-Network Function Virtualization (SDN-NFV) framework may now be considered in detail. The system architecture comprises a Network Function Virtualization Orchestrator-cum-Network Function Virtualization Manager (NFVO-M) 202. The NFVO-M 202 monitors the load and other relevant parameters on one or more SDP components and manages the lifecycle of the SDP components. For example, if the load on any of the SDP components, such as a SDP controller 210 or a SDP Gateway 212, exceeds a pre-defined threshold (for example, 50% of Central Processing Unit (CPU) usage or memory usage of any SDP component), the NFVO-M 202 is configured to spawn a further instance of the respective SDP component (the SDP controller 210 or the SDP Gateway 212) to share the load. An Open vSwitch 204 comprises a plurality of ports (not shown in the figure) and is configured to prevent malicious traffic by mapping the malicious traffic to another port, thereby improving the network performance. A Software Defined Networking (SDN) Controller 206 manages all traffic between the SDP components, for example, the SDP controller 210 or the SDP Gateway 212. The SDN Controller 206 also configures one or more rules, for example, an OpenFlow rule, on the Open vSwitch 204 to facilitate prioritization of the traffic. The one or more rules on the Open vSwitch 204 are configured by the SDN Controller 206 by using OpenFlow or another rule based communication protocol, or one or more control plane techniques, for example, the Internet Control Message Protocol (ICMP), to push the SDP traffic to high priority queues, thus giving preferential treatment to the SDP traffic. A Virtual Infrastructure Manager (VIM) 208 configures and implements one or more Software Defined Perimeter Virtual Machines (SDP VMs) of the implemented SDP architecture and communicates with the SDN Controller 206 for creating a network. The SDP Controller 210 protects one or more SDP hosts (not shown in the figure). The SDP Controller 210 functions as a backend for all networking aspects of the VIM 208. The SDP Controller 210 functions as a trust broker between a Software Defined Perimeter Initiating Host (SDP IH) 214 and backend security controls such as an Issuing Certificate Authority and an Identity Provider. Once the identity of the SDP IH 214 has been verified, the SDP Controller 210 configures both the SDP IH 214 and the SDP Gateway 212 in real time to provision a mutual Transport Layer Security (mTLS) connection. The connection between an initiating host and a web server virtual machine is authenticated and authorized by the SDP Controller 210. The SDP Gateway 212 is the termination point for the mTLS connection from the SDP IH 214. It is usually deployed as topologically close to the protected application as possible. The SDP Gateway 212 is provided with the IP address of the SDP IH 214 and its certificates after the identity of the requesting device has been verified and the user's authorization determined. The SDP Gateway 212 is configured with a DENY ALL firewall rule, which ensures that all traffic is blocked up front. The SDP Gateway 212 uses Single Packet Authentication (SPA) to open up a particular port on the firewall for communication with the protected servers (for example, a Web Server 218 shown in FIG. 2) behind the SDP Gateway 212. The SDP IH 214 provides authentication information, for example, host name and hardware and software inventory, to the SDP Controller 210, which provides access information, for example, an authentication token for the SDP Gateway 212. Using this access information, the SDP IH 214 uses SPA to establish the mutual Transport Layer Security (mTLS) connection with the SDP Gateway 212. The SDP Gateway 212 then forwards the packet to the Web Server 218, which establishes a connection with the SDP IH 214. A Deep Packet Inspection (DPI) engine 216 monitors the malicious traffic that is mirrored to another port to prevent malicious traffic from flowing to the SDP Gateway 212. The DPI engine 216 runs as a Virtual Network Function (VNF). The traffic monitoring by the DPI engine 216 provides updates on the traffic pattern and the origin of malicious traffic, which helps in attack prevention. The Web Server 218 supports the SDP implementation by establishing a connection with the SDP IH 214.
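The gateway-side admission step of paragraph [0019] (DENY ALL up front, one port opened only after a valid SPA packet from the IP address and token the SDP Controller provisioned), as an added example that is not the patent's or the applicant's code. The packet layout (JSON with an HMAC-SHA256 tag), the 30-second freshness window, the nonce replay cache and all addresses are assumptions made for the example.

```python
"""SDP Gateway admission modelled on paragraph [0019]: closed by default,
one firewall port opened per verified Single Packet Authentication (SPA)
packet. Added example; packet format and window are assumptions."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

SPA_WINDOW_SECONDS = 30  # assumed freshness window for one SPA packet


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so IH and gateway MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_spa_packet(secret: bytes, ih_id: str, src_ip: str, port: int,
                    nonce: str, ts: int) -> bytes:
    """Built by the SDP IH from the access token the SDP Controller issued."""
    body = {"ih": ih_id, "src": src_ip, "port": port, "nonce": nonce, "ts": ts}
    body["mac"] = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
    return _canonical(body)


@dataclass
class SDPGateway:
    """Termination point for the IH connection; starts with DENY ALL."""
    # ih_id -> (token shared via the SDP Controller, provisioned IH address)
    authorized: dict
    protected_port: int  # port of the protected server behind the gateway
    firewall: list = field(default_factory=lambda: ["DENY ALL"])
    seen_nonces: set = field(default_factory=set)

    def verify_spa(self, packet: bytes, observed_src_ip: str, now: int):
        """Return (opened, reason). Only a fully valid packet opens a port."""
        try:
            body = json.loads(packet)
            tag = body.pop("mac")
        except (ValueError, KeyError, AttributeError, TypeError):
            return False, "malformed"
        entry = self.authorized.get(body.get("ih"))
        if entry is None:
            return False, "unknown host"
        secret, provisioned_ip = entry
        expected = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
        # Authenticate before trusting any field (constant-time compare).
        if not hmac.compare_digest(expected, str(tag)):
            return False, "bad mac"
        if abs(now - int(body["ts"])) > SPA_WINDOW_SECONDS:
            return False, "stale"
        # The gateway was told the IH's address by the SDP Controller; the
        # claimed and observed source must both match it.
        if body["src"] != provisioned_ip or observed_src_ip != provisioned_ip:
            return False, "source mismatch"
        if body["port"] != self.protected_port:
            return False, "port not permitted"
        if body["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(body["nonce"])
        self.firewall.append(f"ALLOW {provisioned_ip} -> tcp/{self.protected_port}")
        return True, "port opened"


if __name__ == "__main__":
    # Constructed demo values: token and addresses are not from the patent.
    token = secrets.token_bytes(32)
    gw = SDPGateway(authorized={"ih-214": (token, "10.0.0.14")}, protected_port=443)
    pkt = make_spa_packet(token, "ih-214", "10.0.0.14", 443, secrets.token_hex(8), 1000)
    print(gw.verify_spa(pkt, "10.0.0.14", 1005), gw.firewall)
    print(gw.verify_spa(pkt, "10.0.0.14", 1006))  # same nonce again: replay
```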
[0020] FIG. 3, with reference to FIGS. 1 and 2, illustrates an exemplary flow diagram of a method for the SDP implementation in the SDN-NFV environment according to an embodiment of the present disclosure. In an embodiment, the system 100 comprises one or more data storage devices of the memory 102 operatively coupled to the one or more hardware processors 104 and is configured to store instructions for execution of steps of the method by the one or more processors 104. The steps of the method of the present disclosure will now be explained with reference to the components of the system 100 as depicted in FIG. 1 and the flow diagram. In the embodiments of the present disclosure, the hardware processors 104, when configured by the instructions, perform one or more methodologies described herein. In an embodiment of the present disclosure, at step 301, the one or more hardware processors 104 deploy the Network Function Virtualization Orchestrator-cum-Network Function Virtualization Manager (NFVO-M) 202 comprising the NFV, the Virtual Infrastructure Manager (VIM) 208, the SDN Controller 206, the Open vSwitch 204, the SDP IH 214, a plurality of Software Defined Perimeter (SDP) gateways 212, the Deep Packet Inspection (DPI) engine 216 and the Software Defined Perimeter (SDP) Controller 210 on a single or multiple hosts to configure a SDP implemented architecture. According to an embodiment of the present disclosure, all the SDP components may be deployed as one or more virtual machines (VMs). A SDP-SDN-NFV environment implementation starts with the deployment of the NFVO-M 202, the VIM 208 and the SDN Controller 206 as the one or more VMs, and of the Open vSwitch 204. According to an embodiment of the present disclosure, the configuration settings of these VMs may be present in the NFVO-M 202, and using the configuration settings the VIM instantiates one or more configured VMs. These various entities may run on one host or multiple hosts depending on whether a single node or multi-node SDN-NFV environment is implemented. The SDN Controller 206 functions as the backend for the VIM networking aspects, which is used at the time of a SDP component creation. Moreover, the SDN Controller 206 exposes its Representational State Transfer Application Programming Interfaces (REST APIs) to the NFVO-M 202 for dynamic network management.
[0021] At step 302, the one or more hardware processors 104 perform load balancing and high availability of the SDP architecture to configure a SDP service by integrating the Open vSwitch 204 with the SDN controller 206. According to an embodiment of the present disclosure, this may be performed by spawning one or more instances of the SDP controller 210 by using the NFVO-M 202. The spawning of the one or more instances of the SDP controller 210 may be achieved by using the configuration settings of the SDP controller 210 on the NFVO-M 202 and the VIM 208 based instantiation. Load balancing may then be achieved by the SDN controller 206 by installing appropriate flows at the Open vSwitch 204 to selectively send the traffic to the one or more instances of the SDP controller 210 based upon their existing load conditions. The load on the SDP controller 210 may be monitored by the NFVO-M 202 through the Virtual Machine Central Processing Unit (VM CPU) load. According to an embodiment of the present disclosure, the health of each of the one or more instances of the SDP controller 210 may further be monitored by the NFVO-M 202 through the VM CPU load, which may provide for achieving high availability of the one or more instances of the SDP controller 210. Whenever one of the instances of the SDP controller 210 is about to crash, the NFVO-M 202 may spawn a further instance of the SDP controller 210.
[0022] At step 303, the one or more hardware processors 104 configure the SDP service by introducing a SDP configuration file into the NFVO-M 202 for determining configuration and authorization details of the SDP IH 214 and the SDP controller 210 of the SDP. One or more of SDP images may be created as a qcow or other VIM recognizable formats which are then added to a VIM’s image database. Similarly, the one or more SDP images may then be enlisted in the NFVO-M 202 as Virtual Network Functions (VNFs) to provide a SDP service. A single instance of the SDP service may be created with the introduction of the SDP configuration file into the NFVO-M 202 and by the subsequent calling of the Virtual Infrastructure Managers Application Programming Interfaces (VIMs APIs). The SDP configuration file typically may be a JavaScript Object Notation (JSON), an eXtensible Markup Language (xml) etc. The SDP configuration file contains one or more VM parameters such as its CPU and memory requirements, I/O requirements such as Ethernet interfaces, one or more VM images to be used etc. It may also possess VM settings such as its Internet Protocol (IP) address, host name etc. The configuration file is converted to a template file that the VIM uses. This file may be transferred to the VIM by calling its APIs. The SDP configuration file may be used to determine initial configuration of the SDP components and other initiation parameters such as client and device authorization details.
[0023] At step 304, the one or more hardware processors 104, by using the NFVO-M 202, implement the configuration and authorization details for requesting the VIM 208 to implement and configure one or more Software Defined Perimeter Virtual Machines (SDP VMs – not shown in the figure) of the implemented SDP architecture. The VIM 208 implements and configures the one or more SDP VMs; the SDP authorization details, such as passwords and certificates, may be communicated to the SDP VMs at the time of the SDP VMs' implementation and creation.
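The conversion of a SDP configuration file into a VIM template, with the authorization details kept out of the stored template and handed over only at VM creation time, as an added example that is not part of the patent or the applicant's implementation; the JSON key names and the template layout are assumptions:

```python
import ipaddress
import json

# Constructed sample SDP configuration file (not from the patent). The key
# names below are assumptions, not the applicant's own format.
SDP_CONFIG_JSON = """
{
  "name": "sdp-controller-1",
  "vcpus": 2,
  "memory_mb": 4096,
  "image": "sdp-controller.qcow2",
  "interfaces": [{"network": "sdp-control", "ip": "10.10.0.5"}],
  "hostname": "sdpctl1",
  "authorization": {"admin_password": "s3cret",
                    "ca_cert": "-----BEGIN CERTIFICATE----- (placeholder)"}
}
"""

REQUIRED = ("name", "vcpus", "memory_mb", "image", "interfaces", "hostname")


def to_vim_template(config_text):
    """Validate an SDP configuration file and split it into a VIM template
    (hypothetical layout) and a separate secrets dict. Passwords and
    certificates never land in the template that the VIM stores; they are
    passed to the VM at instantiation, as step 304 describes."""
    cfg = json.loads(config_text)
    missing = [k for k in REQUIRED if k not in cfg]
    if missing:
        raise ValueError("missing keys: %s" % ", ".join(missing))
    if cfg["vcpus"] < 1 or cfg["memory_mb"] < 256:
        raise ValueError("implausible VM sizing")
    nics = []
    for nic in cfg["interfaces"]:
        # ip_address() raises ValueError on a malformed address, so bad
        # input is rejected before any VIM API call is made.
        ip = ipaddress.ip_address(nic["ip"])
        nics.append({"network": nic["network"], "fixed_ip": str(ip)})
    template = {"server": {
        "name": cfg["name"], "hostname": cfg["hostname"],
        "flavor": {"vcpus": cfg["vcpus"], "ram_mb": cfg["memory_mb"]},
        "image": cfg["image"], "networks": nics}}
    secrets = dict(cfg.get("authorization", {}))
    return template, secrets


def template_contains(template, needle):
    """True if the serialized template leaks the given string."""
    return needle in json.dumps(template)
```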
[0024] At step 305, the one or more hardware processors 104, by using the NFVO-M 202, the VIM 208 and the SDP VM, configure the SDN controller 206 for creating an integrated SDN controller, VIM and SDP VM network. All the VMs are created by the VIM, and the networking settings of the VMs may be taken care of by the SDN Controller 206. Whenever a new VM gets created, its network interface details, such as a Universally Unique Identifier (UUID) and a Media Access Control (MAC) address, are communicated to the SDN Controller 206. The SDN Controller 206 may then attach the network interface to the Open vSwitch 204 and provide it with an IP address.
[0025] At step 306, the one or more hardware processors 104 perform configuration of the Open vSwitch 204 and attach the SDP VM to the Open vSwitch 204 for integrating a SDP-NFV framework to obtain an integrated SDN-SDP-NFV architecture by implementing an integrated SDN controller, VIM and SDP VM network. According to an embodiment of the present disclosure, for establishing the communication between the NFVO-M 202 and the SDN controller 206, the NFVO-M 202 and the SDN controller 206 may be launched as one or more instances of virtual VMs by the NFVO-M 202. They may further be connected through the Open vSwitch 204. Every created VM instance comprises at least one network interface, which may be connected to the Open vSwitch 204 by the SDN Controller 206. The SDN Controller 206 may further configure and install flows or rules on the Open vSwitch 204 to direct the SDP traffic.
[0026] Finally, at step 307, the one or more hardware processors 104 may create an API using the integrated SDN-SDP-NFV architecture to establish a communication between the NFVO-M 202 and the SDN controller 206 to determine an improvement in network performance. According to an embodiment of the present disclosure, the Open vSwitch 204 has been configured by default to implement and support one or more sampled flow (sFlow) and one or more NetFlow exporters, which may be used for collecting IP related network traffic statistics. Using the statistical parameters collected from the Open vSwitch 204, the SDN controller 206 further determines the network performance. When the SDP system is under some sort of attack, such as a DDoS attack, the traffic through the network may increase dramatically (for example, in the case of a Transmission Control Protocol (TCP) SYN flood attack, which is a type of DDoS attack). By using the implemented sFlow and NetFlow, the network traffic information may be communicated to and analysed at the SDN Controller 206. The potentially malicious traffic will then be redirected to the DPI engine 216 through one or more dynamic Open vSwitch 204 rules for further packet analysis. In case of any malicious packets, they can be dropped at the Virtual Switch (vSwitch) itself through the one or more dynamic Open vSwitch 204 rules.
[0027] According to an embodiment of the present disclosure, the network traffic on the integrated SDP-SDN-NFV architecture may be reduced by implementing network flow rules on the Open vSwitch 204 by using the APIs with the NFVO-M 202. The SDP gateways 212 may be configured with a DENY ALL firewall rule, which ensures that all traffic is blocked up front. The SDP gateway 212 may use single packet authentication to open up a particular port (typically HTTPS port 443) on the firewall for communication with one or more protected servers behind the SDP gateway 212. Although denied, the one or more SDP gateways 212 may receive a lot of unwanted traffic from spurious sources, for example Distributed Denial of Service (DDoS) attack packets, which affects their performance. According to an embodiment of the present disclosure, the default rules, for example DENY ALL, AllowVNetInBound rules, etc., may be installed on the network elements to throttle the traffic (unwanted and genuine SDP control traffic) to the one or more SDP Gateways 212. However, when the one or more SDP gateways 212 open up a particular port for communication, this information is notified to the NFVO-M 202, which may establish communication with the SDN controller 206. The SDN controller 206 may then install a new rule, for example an OpenFlow rule, on the Open vSwitch 204 with the opened port as the match condition to give high priority to this new SDP data traffic. Similarly, the potentially malicious traffic may be mirrored to another port on the Open vSwitch 204 that is subsequently monitored by the DPI engine 216 running as a VNF. This provides an update on the traffic pattern and origin of malicious traffic that may be used for further attack prevention.
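The detection and flow-rule logic of steps 307 and [0027], as an added example that is not part of the patent or the applicant's implementation: SYN flood sources are picked out of sampled flow records, and the Open vSwitch rules (in ovs-ofctl flow syntax) implement the default DENY ALL, a high-priority rule for the port opened by single packet authentication, and a mirror of flagged sources to the DPI engine's switch port. The sample records, switch port numbers and thresholds are constructed assumptions.

```python
from collections import Counter

GATEWAY_IP = "10.10.0.20"   # constructed SDP gateway address

# Constructed flow samples standing in for sFlow/NetFlow records:
# (src_ip, dst_ip, dst_port, tcp_flags). "S" is a bare SYN; a flag string
# containing "A" means the handshake continued (a legitimate client).
SAMPLES = (
    [("198.51.100.7", GATEWAY_IP, 443, "S")] * 40          # SYN flood, no ACKs
    + [("203.0.113.9", GATEWAY_IP, 443, "S"),
       ("203.0.113.9", GATEWAY_IP, 443, "A")] * 3          # genuine client
    + [("192.0.2.4", "10.10.0.30", 443, "S")] * 25         # not aimed at gateway
)


def syn_flood_sources(samples, gateway_ip, min_syns=20, max_ack_ratio=0.1):
    """Return sources whose SYNs to the gateway are many and almost never
    followed by an ACK, the pattern of a TCP SYN flood in sampled records."""
    syns, acks = Counter(), Counter()
    for src, dst, _port, flags in samples:
        if dst != gateway_ip:
            continue
        if flags == "S":
            syns[src] += 1
        elif "A" in flags:
            acks[src] += 1
    return sorted(s for s, n in syns.items()
                  if n >= min_syns and acks[s] / n <= max_ack_ratio)


def gateway_flow_rules(gateway_ip, gw_port, dpi_port, opened_port=None, suspects=()):
    """Build ovs-ofctl flow entries: DENY ALL at lowest priority, the
    SPA-opened port at high priority, and flagged sources copied to the DPI
    port while still being delivered, so the DPI engine can decide on drops."""
    rules = ["priority=0,actions=drop"]
    if opened_port is not None:
        rules.append("priority=1000,tcp,nw_dst=%s,tp_dst=%d,actions=output:%d"
                     % (gateway_ip, opened_port, gw_port))
    for src in suspects:
        # Higher priority than the data rule so it wins for flagged sources.
        rules.append("priority=2000,ip,nw_src=%s,nw_dst=%s,actions=output:%d,output:%d"
                     % (src, gateway_ip, gw_port, dpi_port))
    return rules
```

Each returned string is the argument to `ovs-ofctl add-flow <bridge>`; the SDN controller would push the equivalent OpenFlow entries rather than shell out.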
[0028] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
[0029] It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g. any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g. hardware means like e.g. an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software modules located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g. using a plurality of CPUs.
[0030] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various modules described herein may be implemented in other modules or combinations of other modules. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
[0031] The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise.
[0032] Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, BLU-RAYs, flash drives, disks, and any other known physical storage media.
[0033] It is intended that the disclosure and examples be considered as exemplary only, with a true scope and spirit of disclosed embodiments being indicated by the following claims.

Documents

Application Documents

# Name Date
1 201721028860-STATEMENT OF UNDERTAKING (FORM 3) [14-08-2017(online)].pdf 2017-08-14
2 201721028860-REQUEST FOR EXAMINATION (FORM-18) [14-08-2017(online)].pdf 2017-08-14
3 201721028860-FORM 18 [14-08-2017(online)].pdf 2017-08-14
5 201721028860-DRAWINGS [14-08-2017(online)].pdf 2017-08-14
6 201721028860-COMPLETE SPECIFICATION [14-08-2017(online)].pdf 2017-08-14
7 201721028860-FORM-26 [10-10-2017(online)].pdf 2017-10-10
8 201721028860-Proof of Right (MANDATORY) [12-10-2017(online)].pdf 2017-10-12
9 Abstract1.jpg 2018-08-11
10 201721028860-ORIGINAL UNDER RULE 6 (1A)-161017.pdf 2018-08-11
11 201721028860-OTHERS [10-03-2021(online)].pdf 2021-03-10
12 201721028860-FER_SER_REPLY [10-03-2021(online)].pdf 2021-03-10
13 201721028860-COMPLETE SPECIFICATION [10-03-2021(online)].pdf 2021-03-10
14 201721028860-CLAIMS [10-03-2021(online)].pdf 2021-03-10
15 201721028860-FER.pdf 2021-10-18
16 201721028860-PatentCertificate02-11-2023.pdf 2023-11-02
17 201721028860-IntimationOfGrant02-11-2023.pdf 2023-11-02

Search Strategy

1 search201721028860E_08-09-2020.pdf
2 search201647013224E_21-07-2020.pdf

ERegister / Renewals

3rd: 02 Feb 2024

From 14/08/2019 - To 14/08/2020

4th: 02 Feb 2024

From 14/08/2020 - To 14/08/2021

5th: 02 Feb 2024

From 14/08/2021 - To 14/08/2022

6th: 02 Feb 2024

From 14/08/2022 - To 14/08/2023

7th: 02 Feb 2024

From 14/08/2023 - To 14/08/2024

8th: 13 Aug 2024

From 14/08/2024 - To 14/08/2025

9th: 09 Aug 2025

From 14/08/2025 - To 14/08/2026