Performing appID based firewall services on a host

US10812451B2 · US · B2

Patent metadata

Publication number: US-10812451-B2
Application number: US-201715847908-A
Country: US
Kind code: B2
Filing date: Dec 19, 2017
Priority date: Dec 22, 2016
Publication date: Oct 20, 2020
Grant date: Oct 20, 2020


Abstract


Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodiments. Some embodiments execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured. In addition to executing one or more machines on each host computer, these embodiments also execute a context engine and one or more attribute-based service engines on each host computer. One of these service engines is a firewall engine. Through the GI agents of the machines on a host, the context engine of that host in some embodiments collects contextual attributes associated with network events and/or process events on the machines. The context engine then provides the contextual attributes to the firewall engine, which, in turn, uses these contextual attributes to identify firewall rules to enforce.

Claims

We claim:

1. A method for performing firewall operations on a host computer on which a plurality of machines execute along with a hypervisor that provides virtualization services, the method comprising: at a firewall executing as a hypervisor service on the host computer outside of a virtual machine (VM), receiving a data message of a data message flow (i) sent by the VM and (ii) forwarded to the firewall as the data message traverses along an egress path from the VM out of the host computer; identifying a set of contextual attributes associated with the data message, the set of contextual attributes including a first identifier that specifies a type of traffic contained in the data message flow, said identifying comprising (i) using a deep packet inspector executing on the host computer to perform deep packet inspection on the data message flow and to generate the first identifier specifying the traffic type contained in the data message flow and (ii) obtaining, from a context collector as a hypervisor service on the host computer, a second identifier that identifies an application that executes on the VM and that is the source of the data message flow; using the first and second identifiers to identify a firewall rule to enforce; and performing a firewall operation on the data message based on the identified firewall rule, said firewall operation resulting in the firewall (i) allowing the received data message to pass or (ii) dropping the received data message.

2. The method of claim 1, wherein the identified firewall rule specifies a firewall action, and performing the firewall operation comprises performing the firewall action of the identified firewall rule on the data message.

3. The method of claim 2, wherein the identified set of contextual attributes includes an identifier of a user logged on to the VM.

4. The method of claim 3, wherein the user identifier is a group identifier.

5. The method of claim 3, wherein the user identifier is an identifier that identifies a single individual.

6. The method of claim 3, wherein the identified set of contextual attributes includes a threat level associated with an application that executes on the VM.

7. The method of claim 6, wherein the application is the source application that sent the data message.

8. The method of claim 1, wherein the set of contextual attributes includes at least one other contextual attribute that is not layer 2, layer 3 or layer 4 data-message header values.

9. The method of claim 1, wherein the context collector obtains the second identifier based on a set of contextual attributes received by the context collector from a guest introspector executing on the VM.

10. The method of claim 1, wherein using a deep packet inspector comprises obtaining the AppID from the context collector that executes as a hypervisor service on the host computer and that has the deep packet inspector generate the AppID before the firewall performs the firewall operation on the received data message.

11. The method of claim 1, wherein using a deep packet inspector comprises directing the deep packet inspector to examine a set of data messages of the flow to generate the AppID.

12. A non-transitory machine readable medium storing a firewall program for performing firewall operations for a first machine executing on a host computer with a plurality of other machines, the firewall program for execution on the host computer and comprising sets of instructions for: receiving a data message of a data message flow sent by the first machine; identifying a set of contextual attributes associated with the data message, the set of contextual attributes including a first identifier that specifies a type of traffic contained in the data message flow, said identifying comprising using a deep packet inspector executing on the host computer to perform deep packet inspection on the data message flow and to generate the first identifier specifying the traffic type contained in the data message flow; obtaining, from a context engine executing on the host computer, a second identifier that identifies an application that executes on the first machine and that is the source of the data message flow; using the first and second identifiers to identify a firewall rule to enforce; and performing a firewall operation on the data message based on the identified firewall rule, said firewall operation resulting in the firewall program (i) allowing the received data message to pass or (ii) dropping the received data message.

13. The non-transitory machine readable medium of claim 12, wherein the identified firewall rule specifies a firewall action, and performing the firewall operation comprises performing the firewall action of the identified firewall rule on the data message.

14. The non-transitory machine readable medium of claim 12, wherein the set of contextual attributes includes at least one other contextual attribute that is not layer 2, layer 3 or layer 4 data-message header values.

15. The non-transitory machine readable medium of claim 12, wherein the set of instructions for using a deep packet inspector comprises a set of instructions for obtaining the AppID from the context engine that executes on the host computer and that has the deep packet inspector generate the AppID before the firewall program performs the firewall operation on the received data message.

16. The non-transitory machine readable medium of claim 15, wherein the identified set of contextual attributes includes a threat level associated with an application that executes on the first machine.

17. The non-transitory machine readable medium of claim 16, wherein the application is the application that sent the data message.

18. The non-transitory machine readable medium of claim 16, wherein the application is not the application that sent the data message.

19. The non-transitory machine readable medium of claim 12, wherein the set of instructions for using a deep packet inspector comprises a set of instructions for directing the deep packet inspector to examine a set of data messages of the flow to generate the AppID.
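The abstract and claims describe a host-side firewall that selects a rule from two identifiers that are not header values: a traffic-type identifier produced by a deep packet inspector on the host (claims 1, 10 and 11) and a source-application identifier supplied by the context collector from the guest-introspection agent (claims 1 and 9), optionally together with a logged-on user or group and an application threat level (claims 3 to 7). The following Python is an added illustration written for this page; it is not the patent's or Nicira's code. It assumes a toy payload classifier standing in for the deep packet inspector, a hand-built rule table, and constructed flows (browser.exe, sshclient.exe, the sales group) that exist only in this example. Running it shows why the contextual identifiers matter: a rule keyed on tcp/443 alone would pass an SSH session tunnelled over port 443, while the rule keyed on the DPI traffic type and the source application drops it, and a high threat level overrides an otherwise matching allow rule.

```python
"""Attribute-based firewall rule selection on a host (added example, not the
patent's implementation).  Rule names, applications, groups and payloads below
are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample payloads: a TLS record header with a ClientHello handshake
# byte, and an SSH protocol banner.  Neither is captured traffic.
TLS_HELLO = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"


def classify_payload(payload: bytes) -> Optional[str]:
    """Stand-in for the host's deep packet inspector: derive a traffic-type
    identifier from the payload rather than from the destination port.
    Returns None while the bytes seen so far are inconclusive, which mirrors
    claim 11 (the inspector may need several messages of the flow)."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/1.")):
        return "http"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"  # TLS record: handshake content type, version 3.x
    return None


@dataclass(frozen=True)
class FlowContext:
    """Header values plus the contextual attributes the firewall consults."""
    dst_port: int
    protocol: str                   # "tcp" or "udp"
    traffic_type: Optional[str]     # first identifier, from the DPI
    source_app: Optional[str]       # second identifier, from the context collector
    user_group: Optional[str] = None
    threat_level: int = 0           # 0 = clean; higher = more suspicious


@dataclass(frozen=True)
class Rule:
    """A rule predicate; a field left as None matches any value."""
    name: str
    action: str                     # "allow" or "drop"
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    traffic_type: Optional[str] = None
    source_app: Optional[str] = None
    user_group: Optional[str] = None
    min_threat_level: Optional[int] = None

    def matches(self, ctx: FlowContext) -> bool:
        checks = [
            (self.dst_port, ctx.dst_port),
            (self.protocol, ctx.protocol),
            (self.traffic_type, ctx.traffic_type),
            (self.source_app, ctx.source_app),
            (self.user_group, ctx.user_group),
        ]
        for want, have in checks:
            # A rule that constrains an attribute the context does not yet
            # have (e.g. traffic_type still None) cannot match.
            if want is not None and have != want:
                return False
        if self.min_threat_level is not None and ctx.threat_level < self.min_threat_level:
            return False
        return True


# Ordered tables; first matching rule wins, no match means the default drop.
RULES = [
    Rule("drop-high-threat", "drop", min_threat_level=3),
    Rule("allow-sales-web", "allow", dst_port=443, protocol="tcp",
         traffic_type="tls", source_app="browser.exe", user_group="sales"),
]
# Header-only table for comparison: what a port-based rule would decide.
LEGACY_RULES = [Rule("allow-tcp-443", "allow", dst_port=443, protocol="tcp")]


def evaluate(ctx: FlowContext, rules=RULES):
    """Return (action, rule name) for the flow context."""
    for rule in rules:
        if rule.matches(ctx):
            return rule.action, rule.name
    return "drop", "default-drop"


def decide(dst_port, protocol, payload, source_app, user_group=None,
           threat_level=0, rules=RULES):
    """Build the context as the firewall would (DPI result plus collector
    attributes) and select a rule."""
    ctx = FlowContext(dst_port, protocol, classify_payload(payload),
                      source_app, user_group, threat_level)
    return evaluate(ctx, rules)


if __name__ == "__main__":
    print(decide(443, "tcp", TLS_HELLO, "browser.exe", "sales"))
    print(decide(443, "tcp", SSH_BANNER, "sshclient.exe", "sales"))
    print(decide(443, "tcp", SSH_BANNER, "sshclient.exe", "sales", rules=LEGACY_RULES))
    print(decide(443, "tcp", TLS_HELLO, "browser.exe", "sales", threat_level=5))
```

The `min_threat_level` predicate is how a threat-level attribute (claim 6) enters rule selection here; placing that drop rule first gives it precedence over any allow rule, which is the ordering a defender normally wants. When the DPI has not yet produced a traffic type, any rule that constrains `traffic_type` cannot match and the flow falls to the default drop, which is the conservative reading of claim 10 (the identifier is generated before the firewall acts).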

Assignees

Nicira Inc

Inventors

Classifications (CPC titles)

  • Stateful filtering

  • Hypervisor-specific management and integration aspects

  • Network integration; Enabling network access in virtual machine instances

  • Isolation or security of virtual machine instances

  • Rule management

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Nicira Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0263. Mapped technology areas include Electricity.
When was this patent published?
Publication date Oct 20, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).