
DEVICE AND METHOD OF FORWARDING DATA PACKETS IN A VIRTUAL SWITCH OF A SOFTWARE-DEFINED WIDE AREA NETWORK ENVIRONMENT


Abstract

The invention relates to a method of forwarding data packets in a virtual switch (120) of a software-defined wide area network (SD-WAN) environment (100). The virtual switch (120) comprises at least one first virtual port (122) for receiving outbound LAN traffic (T) from, and transmitting inbound LAN traffic (T) to, at least one physical local area network (LAN) port (112); at least one second virtual port (124) for receiving inbound secured traffic (T) from, and transmitting outbound secured traffic (T) to, at least one physical secured traffic port (114); and at least one third virtual port (126) for receiving inbound Internet traffic (T) from, and transmitting outbound Internet traffic (T) to, at least one physical Internet port (116). The method comprises the steps of: determining, for each or at least selected data packets of the outbound LAN traffic (T) directed to the at least one first virtual port (122), a dedicated signature information based on the bits of the data packet; storing the signature information and, if appropriate, information identifying the packet to which the signature information has been assigned; if appropriate, outputting the outbound LAN traffic (T) at the first virtual port (122) for processing by a virtual machine (134); receiving at least a portion of the outbound LAN traffic (T), as the case may be after it has been further processed by the virtual machine (134), at the second virtual port (124) as outbound secured traffic (T) that is to be supplied to the at least one physical secured traffic port (114); and examining each data packet of the outbound secured traffic (T) as to whether it matches the dedicated signature information, and using the result of this check to control the forwarding of the respective data packet as part of the outbound secured traffic (T) to the at least one physical secured traffic port (114) and/or to create a SUSPICIOUS SOURCE alarm if a predetermined alarm condition is met.
Further, the invention relates to a network interface device (110) configured to implement the method, and to a stored computer program product configured to cause a computer to perform the method.
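The abstract describes a bookkeeping scheme rather than a specific implementation. The following Python model is an added example, not code from the patent or from ADVA Optical Networking: it computes a signature over the bits of each packet entering the first virtual port, stores it, and admits a packet at the second virtual port to the physical secured port only if a stored signature matches it. The SHA-256 signature, the fixed 8-byte tunnel header that the hypothetical `vm_process` function prepends, the `ALARM_THRESHOLD` alarm condition and all packet contents are constructed assumptions; the patent leaves the signature function, the VM processing and the alarm condition unspecified.

```python
import hashlib

# Constructed parameters (not taken from the patent).
ALARM_THRESHOLD = 3      # unmatched packets at port (124) before the alarm fires
TUNNEL_HEADER_LEN = 8    # assumed length of the header the VM prepends


def vm_process(packet: bytes) -> bytes:
    """Hypothetical VM (134) processing: wrap the packet in a tunnel header."""
    return b"TUNNEL00" + packet   # exactly TUNNEL_HEADER_LEN bytes


class VirtualSwitch:
    """Model of the signature bookkeeping of the virtual switch (120)."""

    def __init__(self, alarm_threshold: int = ALARM_THRESHOLD):
        self.pending = {}        # signature -> id of the packet it was assigned to
        self.forwarded = []      # (packet id, packet) passed to secured port (114)
        self.dropped = []        # packets rejected at the second virtual port
        self.unmatched = 0       # counter behind the alarm condition
        self.alarm_threshold = alarm_threshold
        self.alarms = []

    @staticmethod
    def signature(packet: bytes) -> str:
        # Dedicated signature derived from the bits of the packet (assumed SHA-256).
        return hashlib.sha256(packet).hexdigest()

    def receive_outbound_lan(self, packet_id: int, packet: bytes) -> bytes:
        """Outbound LAN traffic at first virtual port (122): sign, store, hand to VM."""
        self.pending[self.signature(packet)] = packet_id
        return packet

    def receive_outbound_secured(self, packet: bytes) -> str:
        """Outbound secured traffic at second virtual port (124): check signature."""
        # The VM may have encapsulated the packet, so also check the inner bytes.
        candidates = [packet]
        if len(packet) > TUNNEL_HEADER_LEN:
            candidates.append(packet[TUNNEL_HEADER_LEN:])
        for candidate in candidates:
            packet_id = self.pending.pop(self.signature(candidate), None)
            if packet_id is not None:
                self.forwarded.append((packet_id, packet))
                return "FORWARD"
        # No stored signature matches: the packet did not come in via the LAN port.
        self.dropped.append(packet)
        self.unmatched += 1
        if self.unmatched == self.alarm_threshold:   # constructed alarm condition
            self.alarms.append("SUSPICIOUS SOURCE")
        return "DROP"


def run_demo() -> dict:
    """Constructed scenario: legitimate LAN packets, VM-injected packets, a replay."""
    sw = VirtualSwitch()
    lan_packets = {   # constructed sample packets (not real captures)
        1: b"\x45\x00\x00\x28" + b"host-a->branch:payload-1",
        2: b"\x45\x00\x00\x28" + b"host-a->branch:payload-2",
        3: b"\x45\x00\x00\x28" + b"host-b->branch:blocked-by-vm",
    }
    to_vm = [sw.receive_outbound_lan(pid, p) for pid, p in lan_packets.items()]
    # The VM forwards packets 1 and 2 encapsulated and legitimately discards packet 3.
    results = [sw.receive_outbound_secured(vm_process(p)) for p in to_vm[:2]]
    # Packets emitted by the VM that never entered through the LAN port.
    for i in range(3):
        results.append(sw.receive_outbound_secured(vm_process(b"injected-%d" % i)))
    # A second copy of an already-forwarded packet: its signature was consumed.
    results.append(sw.receive_outbound_secured(vm_process(to_vm[0])))
    return {
        "results": results,
        "forwarded": len(sw.forwarded),
        "dropped": len(sw.dropped),
        "alarms": len(sw.alarms),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noting. A matched signature is removed from the store when it is consumed, so a duplicate of an already-forwarded packet is rejected rather than admitted twice, which is why the replay in the demo counts as unmatched. Because the signature is computed over the packet bits as they arrive at the first virtual port, the check at the second port must account for whatever the VM legitimately changes; the example only tolerates a fixed-length prepended header, and a real deployment would have to define the signature over the bits the VM is expected to leave intact.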

Bibliographic data

  • Publication number: EP3525407B1
  • Patent type:
  • Publication date: 2020-09-23
  • Original format: PDF
  • Applicant/patentee: ADVA OPTICAL NETWORKING SE
  • Application number: EP20180155798
  • Inventors: SERGEEV ANDREW; ANGEL ELI
  • Filing date: 2018-02-08
  • Classification: H04L12/931; H04L29/06
  • Country: EP
  • Added to database: 2022-08-21 11:41:37
