US-20260128993-A1 - STATE-BASED NETWORK SEGMENTATION IN A NETWORK DEVICE
Abstract
Methods and systems relate to packet forwarding that includes a network device receiving a message from a second network device and that has a destination address of a third network device. The circuitry of the network device determines that a connection between the second network device and the third network device has been previously opened by the third network device. In response to the determination that the connection is open and in response to receiving the message, the circuitry transmits the message towards the third network device.
Inventors
- Venkatavaradhan Devarajan
- Balaji Sankaran
- Gopalakrishna Tellapalli
Assignees
- HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Dates
- Publication Date
- 20260507
- Application Date
- 20241107
Claims (20)
- 1. A network device, comprising: circuitry configured to: receive incoming data at the network device; implement a flow table to track data flows between a second network device and a third network device via the network device; implement a policy table; determine, based on the policy table, that a first communication from the second network device to the third network device via the network device is allowed; transmit the first communication from the network device to the third network device; determine, based on the policy table, that a second communication from the third network device to the second network device via the network device is allowed when a connection between the third network device to the second network device is open as indicated by the tracked data flows in the flow table; transmit, based on the determination of the allowance, the second communication from the network device to the second network device; determine, based on the policy table, that a third communication from the third network device to the second network device via the network device is blocked when the connection is not open between the second network device and the third network device as indicated by the tracked data flows in the flow table; and drop the third communication without transmitting the third communication to the second network device based on the determination of the block of the third communication.
- 2. The network device of claim 1, wherein the second network device comprises a client device, and the third network device comprises a server.
- 3. The network device of claim 1, wherein the connection is open when a previous message has been received at the network device from the second network device targeting the third network device as indicated in the flow table, and the connection has not been terminated by the second network device.
- 4. The network device of claim 1, wherein the connection is not open when no previous message has been received for the third network device from the second network device as indicated in the flow table.
- 5. The network device of claim 1, wherein the connection is not open when the second network device has terminated the connection after opening the connection using a previous message as indicated in the flow table.
- 6. The network device of claim 5, wherein the circuitry is configured to: receive the previous message at the network device from the second network device; receive an instruction to close the connection; and close the connection by updating the flow table.
- 7. The network device of claim 1, wherein the network device comprises: at least one processing resource; and at least one non-transitory, computer-readable medium comprising instructions executable by the at least one processing resource to update the flow table of the circuitry to indicate that the connection is open by storing at least one entry in the flow table when a message is sent from the second network device to the third network device.
- 8. The network device of claim 7, wherein the at least one entry in the flow table comprises: a first entry indicating a forward flow of data from the second network device to the third network device through the network device; and a second entry indicating a reverse flow of data from the third network device to the second network device through the network device.
- 9. The network device of claim 8, wherein the instructions are executable by the at least one processing resource to: receive an instruction from the second network device via the circuitry to terminate the connection; and terminate the connection by deleting the forward flow and the reverse flow from the flow table.
- 10. The network device of claim 1, wherein the policy table defines a policy for the circuitry to determine whether the connection is open by matching the second network device and the third network device to an entry in the flow table.
- 11. The network device of claim 1, wherein the circuitry comprises an application-specific integrated circuit.
- 12. A method, comprising: receiving, by circuitry of a network device, a message from a second network device which has a destination address of a third network device; determining, by the circuitry, that a connection between the second network device and the third network device has been previously opened by the third network device; and in response to the determination that the connection is open and receiving the message, transmitting the message towards the third network device by the circuitry.
- 13. The method of claim 12, comprising: receiving a previous message from the third network device to the second network device; and in response to receiving the previous message, opening the connection by storing one or more entries in a flow table of the network device.
- 14. The method of claim 13, wherein storing the one or more entries comprises: storing a first entry indicating a forward flow from the third network device to the second network device; and storing a second entry indicating a reverse flow from the second network device to the third network device.
- 15. The method of claim 14, comprising: closing the connection; receiving, by the circuitry, a subsequent message from the second network device and that has a destination address of the third network device; and in response to closing the connection and receiving the subsequent message, blocking transmission of the subsequent message towards the third network device by the circuitry.
- 16. The method of claim 15, wherein closing the connection comprises deleting the first entry and the second entry, and blocking transmission of the subsequent message is based at least in part on the subsequent message not corresponding to a stored entry in the flow table.
- 17. The method of claim 15, comprising receiving, at the network device and from the third network device, an instruction to close the connection, wherein closing the connection is in response to the instruction.
- 18. The method of claim 14, wherein determining that the connection is open comprises verifying that the message matches the forward flow or the reverse flow in the flow table.
- 19. The method of claim 13, wherein each of the one or more entries comprises: a source network device for a flow; and a destination network device for the flow.
- 20. A network device, comprising: first circuitry configured to: communicatively couple to a second network device to send and receive data between the network device and the second network device; implement a first flow table to track data flows via the first circuitry of the network device; implement a first policy table to define a first policy to enable data transmissions from the second network device and to define a second policy to selectively enable data transmissions to the second network device when a corresponding entry exists in the first policy table and selectively block data transmissions to the second network device when no corresponding entry exists in the first flow table; and transmit first data from the network device according to the first and second policies in the first policy table; and second circuitry configured to: communicatively couple to a third network device to send and receive data between the network device and the third network device; implement a second flow table to track data flows via the second circuitry of the network device; implement a second policy table to define the first policy to enable data transmissions from the second network device and to define the second policy to selectively enable data transmissions to the second network device when a corresponding entry exists in the first policy table and selectively block data transmissions to the second network device when no corresponding entry exists in the second flow table; and transmit second data from the network device according to the first and second policies in the second policy table; and a fabric to communicatively couple the first circuitry and the second circuitry together to enable transmission of data between the second network device and the third network device via the first circuitry and the second circuitry of the network device.
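The direction-aware forwarding of claims 1 to 9 and 12 to 16 (client may initiate; server traffic passes only while a matching forward/reverse pair exists in the flow table; either side's close instruction deletes both entries), as an added Python illustration that is not the patent's or HPE's code. The class and function names (Flow, Packet, NetworkDevice, run_scenario), the two-action policy-table shape and the client/server roles of claim 2 are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """Flow-table entry: source and destination of a tracked flow (claim 19)."""
    src: str
    dst: str

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    close: bool = False  # carries an instruction to terminate the connection

class NetworkDevice:
    """NAS that forwards a packet only when policy table and flow table agree."""
    ALLOW, IF_OPEN = "allow", "allow-if-open"  # assumed policy actions

    def __init__(self, client, server):
        self.flows = set()  # tracked Flow entries, one per direction
        # Policy table (assumed shape): the client side may initiate, the
        # server side may only send on an already-open connection.
        self.policy = {(client, server): self.ALLOW, (server, client): self.IF_OPEN}

    def receive(self, pkt):
        """Return True if pkt is forwarded, False if dropped; updates the flow table."""
        action = self.policy.get((pkt.src, pkt.dst))
        if action == self.ALLOW:
            # Initiation from the permitted side stores forward and reverse flows.
            self.flows |= {Flow(pkt.src, pkt.dst), Flow(pkt.dst, pkt.src)}
            forward = True
        elif action == self.IF_OPEN:
            # Reverse direction passes only if a matching flow entry exists.
            forward = Flow(pkt.src, pkt.dst) in self.flows
        else:
            forward = False  # no policy entry: default deny
        if forward and pkt.close:
            # Either endpoint may close; both entries are deleted (claims 9, 16).
            self.flows -= {Flow(pkt.src, pkt.dst), Flow(pkt.dst, pkt.src)}
        return forward

def run_scenario():
    """Constructed exchange: server traffic before and after the client opens/closes."""
    nas = NetworkDevice("client", "server")
    steps = [Packet("server", "client"),             # unsolicited: dropped
             Packet("client", "server"),             # client opens: forwarded
             Packet("server", "client"),             # reply on open connection
             Packet("client", "server", close=True), # client terminates
             Packet("server", "client")]             # after close: dropped
    return [nas.receive(p) for p in steps]
```

The unsolicited server packet in step 1 and the post-close packet in step 5 are the cases a stateless ACL could not distinguish from the legitimate reply in step 3.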
Description
BACKGROUND
Local area networks (LANs) and/or other networks include multiple network devices connected together. Often these networks may utilize a network access switch (NAS) to enable a connection between other network devices. For instance, a NAS may couple a client device to the network(s) through which the client device may communicate to enable certain actions and/or control operations for the client device.
BRIEF DESCRIPTION OF DRAWINGS
Features, aspects, and advantages of the present disclosure will become better understood when the following detailed description is read with reference to the accompanying drawings in which like characters represent like parts throughout the drawings, wherein:
- FIG. 1 is a flow diagram illustrating a system that includes a network between multiple network devices that couple through other network devices, such as a network access switch (NAS), in accordance with aspects of the present disclosure;
- FIG. 2 is a diagram of a system (e.g., the system of FIG. 1) that uses a network firewall to enhance security of communications through its corresponding network, in accordance with aspects of the present disclosure;
- FIG. 3 is a diagram of a computing system that includes at least one application specific integrated circuit (ASIC) and at least one processing resource that may be used in network devices, such as the network devices of the system of FIG. 1, in accordance with aspects of the present disclosure;
- FIG. 4 is a diagram illustrating operations in a network device using circuitry and/or processing resources of the network device, in accordance with aspects of the present disclosure;
- FIG. 5 is a flow diagram for applying a stateful access control list (ACL) in a network device, in accordance with aspects of the present disclosure;
- FIG. 6 is a diagram illustrating operations in a network device, such as a multi-part NAS, using circuitry and/or processing resources of the network device, in accordance with aspects of the present disclosure;
- FIG. 7 is a flow diagram of a process that may be deployed by processing resources and/or circuitry in network operations to implement state-based network segmentation and policy enforcement, in accordance with aspects of the present disclosure; and
- FIG. 8 is a flow diagram of a process that may be deployed by processing resources and/or circuitry in network operations to implement state-based network segmentation and policy enforcement, in accordance with aspects of the present disclosure.
DETAILED DESCRIPTION
One or more specific aspects of the present disclosure will be described below. In an effort to provide a concise description of these aspects, all features of an actual implementation may not be described in the specification. It should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions are made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another. Moreover, it should be appreciated that such a development effort might be complex and time consuming, but would nevertheless be a routine undertaking of design, fabrication, and manufacture for those of ordinary skill having the benefit of this disclosure.
When introducing elements of various aspects of the present disclosure, the articles "a," "an," "the," and "said" are intended to mean that there are one or more of the elements. The terms "comprising," "including," and "having" are intended to be inclusive and mean that there may be additional elements other than the listed elements.
Aspects provided herein relate to techniques for implementing network segmentation and policy enforcement in local area networks (LANs) that use states to implement directionality in a network access switch (NAS) that may not be available in traditional stateless NAS devices. Specifically, the NAS may enable a connection between network devices. For instance, the network devices may include a client, such as a door badge sensor, door lock, an Internet of Things (IoT) device, and/or any other device that may utilize a network connection through the NAS. Additionally or alternatively, the network devices may include a server, such as a door badge admission controller, a database, and/or any other device that may perform actions based on instructions from other network devices. This second network device (e.g., a server) may be permitted to communicate with the other network device (e.g., the client) when the other network device initiates the connection or a connection is already open between the two devices. For instance, the connection may be already open if the other network device has previously opened the connection. By ensuring that connections can be opened from a single side of the network connections, the communications between the network devices may be secured more stron