Atomic update of access control list rules
US-2020007547-A1 · Jan 2, 2020 · US
US10965648B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10965648-B2 |
| Application number | US-201816115145-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 28, 2018 |
| Priority date | Aug 28, 2018 |
| Publication date | Mar 30, 2021 |
| Grant date | Mar 30, 2021 |
Abstract
An enforcement module operating on a server or on a network midpoint device obtains a management instruction controlling communications of a target workload. The enforcement module configures a firewall of a network midpoint device upstream from the target workload to enforce the management instruction. The configuration mechanism may be dependent on the particular capabilities and characteristics of the network midpoint device.
Claims (preview)
The invention claimed is:

1. A method for enforcing an instruction of a segmentation policy on a network midpoint device, the method comprising: obtaining a network topology specifying a connectivity of a downstream port of a network midpoint device to a target workload and a connectivity of an upstream port of the network midpoint device to a remote workload; receiving, by an enforcement module, an inbound management instruction that permits the target workload to receive an inbound connection request from the remote workload; generating, by a processor device based on the inbound management instruction, a midpoint device ingress rule permitting the downstream port of the network midpoint device to receive ingress communications to the downstream port of network midpoint device that are sourced from the target workload and destined for the remote workload and are associated with a connection between the target workload and the remote workload established via the inbound connection request from the remote workload; and configuring the network midpoint device to enforce the midpoint device ingress rule for the downstream port by updating an ingress access control list associated with the downstream port to include the midpoint device ingress rule, wherein the ingress access control list causes the network midpoint device to block ingress communications to the downstream port not specifically permitted by a rule of the ingress access control list.

2. The method of claim 1, further comprising: generating, based on the management instruction, a midpoint device egress rule permitting the downstream port of the network midpoint device to transmit egress communications to the target workload that are sourced from the remote workload and destined to the target workload and either represent the inbound connection request to the target workload or are associated with the connection between the target workload and the remote workload established via the inbound connection; and configuring the network midpoint device to enforce the midpoint device egress rule for the downstream port.

3. The method of claim 2, wherein configuring the network midpoint device comprises: updating an egress access control list associated with the downstream port to include the midpoint device egress rule, wherein the egress access control list causes the network midpoint device to block egress communications from the downstream port not specifically permitted by a rule of the egress access control list.

4. The method of claim 1, further comprising: generating, based on the inbound management instruction, a midpoint device ingress rule permitting the upstream port of the network midpoint device to receive ingress communications that are sourced from the remote workload and destined to the target workload; generating, based on the management instruction, midpoint device ingress deny rules denying other ports of the network midpoint device from receiving ingress communications that are destined to the target workload by default unless expressly permitted by a different midpoint device ingress rule; and configuring the network midpoint device to enforce the midpoint device ingress rule for the upstream port and the midpoint device ingress deny rules for the other ports.

5. The method of claim 4, wherein configuring the network midpoint device comprises: updating an ingress access control list associated with the upstream port to include the midpoint device ingress rule, wherein the ingress access control list causes the network midpoint device to block ingress communications to the upstream port not specifically permitted by a rule of the ingress access control list associated with the upstream port; and configuring respective ingress access control lists associated with the other ports of the network midpoint device, wherein the respective ingress access control lists associated with the other ports cause the network midpoint device to block ingress communications to the other ports not specifically permitted by a rule of the ingress access control lists associated with the other ports.

6. A non-transitory computer-readable storage medium storing instructions for enforcing an instruction of a segmentation policy on a network midpoint device, the instructions when executed by a processor device cause the processor device to perform steps including: obtaining a network topology specifying a connectivity of a downstream port of a network midpoint device to a target workload and a connectivity of an upstream port of the network midpoint device to a remote workload; receiving, by an enforcement module, an inbound management instruction that permits the target workload to receive an inbound connection request from the remote workload; generating, based on the inbound management instruction, a midpoint device ingress rule permitting the downstream port of the network midpoint device to receive ingress communications to the downstream port of network midpoint device that are sourced from the target workload and destined for the remote workload and are associated with a connection between the target workload and the remote workload established via the inbound connection request from the remote workload; and configuring the network midpoint device to enforce the midpoint device ingress rule for the downstream port by updating an ingress access control list associated with the downstream port to include the midpoint device ingress rule, wherein the ingress access control list causes the network midpoint device to block ingress communications to the downstream port not specifically permitted by a rule of the ingress access control list.

7. The non-transitory computer-readable storage medium of claim 6, the instructions when executed further causing the processor device to perform steps including: generating, based on the inbound management instruction, a midpoint device egress rule permitting the downstream port of the network midpoint device to transmit egress communications to the target workload that are sourced from the remote workload and destined to the target workload and either represent the inbound connection request to the target workload or are associated with the connection between the target workload and the remote workload established via the inbound connection; and configuring the network midpoint device to enforce the midpoint device egress rule for the downstream port.

8. The non-transitory computer-readable storage medium of claim 7, wherein configuring the network midpoint device comprises: updating an egress access control list associated with the downstream port to include the midpoint device egress rule, wherein the egress access control list causes the network midpoint device to block egress communications from the downstream port not specifically permitted by a rule of the egress access control list.

9. The non-transitory computer-readable storage medium of claim 6, the instructions when executed further causing the processor device to perform steps including: generating, based on the inbound management instruction, a midpoint device ingress rule permitting the upstream port of the network midpoint device to receive ingress communications that are sourced from the remote workload and destined to the target workload; generating, based on the inbound management instruction, midpoint device ingress deny rules denying other ports of the network midpoint device from receiving ingress communications that are destined to the target workload by default unless expressly permitted by a different midpoint device ingress rule; and configuring the network midpoint device to enforce the midpoint device ingress rule for the upstream port and the midpoin
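The following is an added illustration of what claims 1 to 5 describe, written for this page; it is not code from the patent, its assignee, or any product. It models a three-port midpoint device whose ports connect to constructed workloads named "client" (remote), "web" (target) and "db", translates the single inbound instruction "web may accept connection requests from client" into per-port ingress and egress ACLs the way the claims lay them out, and then checks sample frames against those ACLs. The "new"/"established" connection-state abstraction, the port and workload names, and the assumption that a port with no ACL installed passes traffic are all the example's own; the visible claim text does not describe the atomic update mechanism named in the title, so the example simply builds the complete new configuration off to the side and installs it as a whole.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One ACL entry. Workload names stand in for the addresses a real device would match on."""
    action: str   # "permit" or "deny"
    src: str      # source workload, or "*" for any
    dst: str      # destination workload, or "*" for any
    state: str    # "new" (a connection request), "established" (rest of the connection), or "*"

    def matches(self, src: str, dst: str, state: str) -> bool:
        return (self.src in ("*", src) and self.dst in ("*", dst)
                and self.state in ("*", state))


@dataclass
class Port:
    """A midpoint-device port and the workload the topology says sits behind it."""
    name: str
    neighbor: str
    ingress: Optional[List[Rule]] = None   # None: no ACL installed, so traffic passes (assumption)
    egress: Optional[List[Rule]] = None


def acl_permits(acl: Optional[List[Rule]], src: str, dst: str, state: str) -> bool:
    """First matching rule wins; an installed ACL blocks anything not expressly permitted."""
    if acl is None:
        return True
    for rule in acl:
        if rule.matches(src, dst, state):
            return rule.action == "permit"
    return False


def generate_rules(device: Dict[str, Port], target: str, remote: str) -> Dict[str, Port]:
    """Derive per-port ACLs from one inbound instruction: 'target may accept connections from remote'.

    Returns a fresh port map; the device passed in is left untouched so the caller can
    swap the whole configuration in at once instead of editing live ACLs rule by rule.
    """
    by_neighbor = {port.neighbor: port for port in device.values()}
    down, up = by_neighbor[target], by_neighbor[remote]   # topology lookup, as in claim 1
    result: Dict[str, Port] = {}
    for name, port in device.items():
        ingress = list(port.ingress or [])
        egress = list(port.egress or [])
        if port is down:
            # Claim 1: downstream ingress admits the target's side of the established connection.
            ingress.append(Rule("permit", target, remote, "established"))
            # Claims 2-3: downstream egress passes the request itself and the rest of the connection.
            egress.append(Rule("permit", remote, target, "new"))
            egress.append(Rule("permit", remote, target, "established"))
            result[name] = Port(name, port.neighbor, ingress, egress)
        elif port is up:
            # Claims 4-5: upstream ingress admits remote -> target; all else is implicitly blocked.
            ingress.append(Rule("permit", remote, target, "*"))
            result[name] = Port(name, port.neighbor, ingress, port.egress)
        else:
            # Claims 4-5: every other port explicitly denies traffic destined to the target.
            ingress.append(Rule("deny", "*", target, "*"))
            result[name] = Port(name, port.neighbor, ingress, port.egress)
    return result


def forwards(device: Dict[str, Port], in_port: str, out_port: str,
             src: str, dst: str, state: str) -> bool:
    """A frame passes only if the ingress ACL where it enters and the egress ACL where it leaves both permit it."""
    return (acl_permits(device[in_port].ingress, src, dst, state)
            and acl_permits(device[out_port].egress, src, dst, state))


def build_device() -> Dict[str, Port]:
    """Constructed topology: eth0 faces the remote 'client', eth1 the target 'web', eth2 a 'db'."""
    return {"eth0": Port("eth0", "client"),
            "eth1": Port("eth1", "web"),
            "eth2": Port("eth2", "db")}


def demo() -> Dict[str, bool]:
    device = generate_rules(build_device(), target="web", remote="client")
    return {
        "request":       forwards(device, "eth0", "eth1", "client", "web", "new"),
        "reply":         forwards(device, "eth1", "eth0", "web", "client", "established"),
        "web_initiates": forwards(device, "eth1", "eth0", "web", "client", "new"),
        "db_to_web":     forwards(device, "eth2", "eth1", "db", "web", "new"),
        "client_to_db":  forwards(device, "eth0", "eth2", "client", "db", "new"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:15} {'permit' if allowed else 'deny'}")
```

Running the script shows the asymmetry the claims are after: the client's request and the web workload's replies on that connection pass, but a connection the web workload tries to open itself, any frame for the web workload arriving on a port other than the upstream one, and any client traffic to a workload the instruction did not name are all dropped by the implicit deny at the end of each installed ACL.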
CPC classification titles:
Policy-based network configuration management
Discovery or management of network topologies
Rule management
for initial configuration or provisioning, e.g. plug-and-play
for managing network security; network security policies in general (filtering policies H04L63/0227)