Micro-firewalls in a microservice mesh environment
US-2020177549-A1 · Jun 4, 2020 · US
US11343231B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11343231-B2 |
| Application number | US-201916547634-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 22, 2019 |
| Priority date | Jul 4, 2019 |
| Publication date | May 24, 2022 |
| Grant date | May 24, 2022 |
Official abstract text for this publication.
The present disclosure provides an approach for creating one or more firewall rules to regulate communication between containers. The approach includes calculating a trust score for each container. To generate a rule for any two containers, a difference between the trust scores is computed, and if the difference in trust levels is too large, then the more trustworthy container is not allowed to communicate with the less trustworthy container. If the difference in trust scores is not too large, then the trustworthy container is allowed to communicate with the other trustworthy container, or an untrustworthy container is allowed to communicate with another untrustworthy container.
Opening claim text (preview).
What is claimed is:

1. A method of generating or maintaining a firewall rule of a firewall of one or more computer systems, the one or more computer systems including a first container and a second container executing on one or more operating systems, wherein the first container comprises a first set of security attributes, and wherein the second container comprises a second set of security attributes, the method comprising: computing one or more first attribute trust scores of at least one of the first set of security attributes; computing one or more second attribute trust scores of at least one of the second set of security attributes; based on the one or more first attribute trust scores, computing a first workload trust score of the first container; based on the one or more second attribute trust scores, computing a second workload trust score of the second container; comparing the first workload trust score to the second workload trust score; and based on the comparing, generating or maintaining a rule for the firewall to block or allow transmission of packets between the first container and the second container.
2. The method of claim 1, the method further comprising: transmitting a packet from the first container to the second container; based on the rule, determining by the firewall whether to allow or block transmission of the packet; and based on the determining, blocking or allowing transmission of the packet.
3. The method of claim 1, wherein the computing the first workload trust score comprises: comparing each score of the first attribute trust scores to an attribute threshold value to determine whether each attribute of the first set of security attributes is a trustworthy attribute; adjusting at least one score of the first attribute trust scores by one or more weights; based on the comparing, adjusting at least one score of the first attribute trust scores; and summing each score of the first attribute trust scores.
4. The method of claim 1, wherein the first container is instantiated from a container image, the method further comprising, prior to the computing the first attribute trust scores, obtaining one or more signatures located within the container image, and wherein the computing the first attribute trust scores is performed using at least one of the one or more signatures or packet transmission information.
5. The method of claim 1, the method further comprising, prior to the computing the first attribute trust scores, obtaining an identifier of a source registry of the first container from which a container image of the first container originated, wherein the computing the first attribute trust scores is performed using at least the identifier.
6. The method of claim 1, the method further comprising, prior to the computing the first attribute trust scores, obtaining packet transmission information of the first container, wherein the computing the first attribute trust scores is performed using at least the packet transmission information.
7. The method of claim 1, wherein a first service runs from the first container, wherein the first container is instantiated from a container image, and wherein the container image comprises executable code, system tools, configurations, settings, system libraries, and file system of the first service.
8. The method of claim 1, the method further comprising: receiving, by the firewall, a packet from the first container, the second container, or a third container; processing the packet to extract one or more packet attributes; comparing the one or more packet attributes to the rule; and based on the comparing, allowing or blocking transmission of the packet.
9. A non-transitory computer readable medium comprising instructions to be executed in a processor of one or more computer systems, the instructions when executed in the processor cause the one or more computer systems to carry out a method of generating or maintaining a firewall rule of a firewall of the one or more computer system, the one or more computer system including a first container and a second container executing on one or more operating systems, wherein the first container comprises a first set of security attributes, and wherein the second container comprises a second set of security attributes, the method comprising: computing one or more first attribute trust scores of at least one of the first set of security attributes; computing one or more second attribute trust scores of at least one of the second set of security attributes; based on the one or more first attribute trust scores, computing a first workload trust score of the first container; based on the one or more second attribute trust scores, computing a second workload trust score of the second container; comparing the first workload trust score to the second workload trust score; and based on the comparing, generating or maintaining a rule for the firewall to block or allow transmission of packets between the first container and the second container.
10. The non-transitory computer readable medium of claim 9, the method further comprising: transmitting a packet from the first container to the second container; based on the rule, determining by the firewall whether to allow or block transmission of the packet; and based on the determining, blocking or allowing transmission of the packet.
11. The non-transitory computer readable medium of claim 9, wherein the computing the first workload trust score comprises: comparing each score of the first attribute trust scores to an attribute threshold value to determine whether each attribute of the first set of security attributes is a trustworthy attribute; adjusting at least one score of the first attribute trust scores by one or more weights; based on the comparing, adjusting at least one score of the first attribute trust scores; and summing each score of the first attribute trust scores.
12. The non-transitory computer readable medium of claim 9, wherein the first container is instantiated from a container image, the method further comprising, prior to the computing the first attribute trust scores, obtaining one or more signatures located within the container image, and wherein the computing the first attribute trust scores is performed using at least one of the one or more signatures or packet transmission information.
13. The non-transitory computer readable medium of claim 9, the method further comprising, prior to the computing the first attribute trust scores, obtaining an identifier of a source registry of the first container from which a container image of the first container originated, wherein the computing the first attribute trust scores is performed using at least the identifier.
14. The non-transitory computer readable medium of claim 9, the method further comprising, prior to the computing the first attribute trust scores, obtaining packet transmission information of the first container, wherein the computing the first attribute trust scores is performed using at least the packet transmission information.
15. The non-transitory computer readable medium of claim 9, wherein a first service runs from the first container, wherein the first container is instantiated from a container image, and wherein the container image comprises executable code, system tools, configurations, settings, system libraries, and file system of the first service.
16. The non-transitory computer readable medium of claim 9, the method further comprising: receiving, by the firewall, a packet from the first container, the secon
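The following is an added illustration of the approach in the abstract and claim 3 (and the packet check of claims 2 and 8); it is not code from the patent or its assignee. The attribute names, weights, threshold, allowed trust gap, the sign-flip for untrustworthy attributes, the default-deny for unmatched pairs and the sample containers are all assumed or constructed for the example.

```python
from dataclasses import dataclass

# Assumed constants; the patent leaves the actual values unspecified.
ATTRIBUTE_THRESHOLD = 0.5  # per-attribute trustworthy cut-off (claim 3)
MAX_TRUST_GAP = 3.0        # largest workload score difference still allowed
WEIGHTS = {                # per-attribute weights; attribute names are assumed
    "image_signature": 2.0,   # cf. claim 4 (signatures in the image)
    "source_registry": 1.5,   # cf. claim 5 (identifier of source registry)
    "packet_behaviour": 1.0,  # cf. claim 6 (packet transmission information)
}

@dataclass
class Container:
    name: str
    attribute_scores: dict  # attribute name -> raw trust score in [0, 1]

def workload_trust_score(c: Container) -> float:
    """Claim 3: threshold each attribute score, weight it, adjust, then sum."""
    total = 0.0
    for attr, score in c.attribute_scores.items():
        weighted = score * WEIGHTS.get(attr, 1.0)
        # An attribute under the threshold is untrustworthy; its weighted
        # score is adjusted to count against the container (assumed rule).
        total += weighted if score >= ATTRIBUTE_THRESHOLD else -weighted
    return total

def firewall_rule(a: Container, b: Container) -> dict:
    """Abstract: block when the trust gap between the two is too large."""
    sa, sb = workload_trust_score(a), workload_trust_score(b)
    action = "allow" if abs(sa - sb) <= MAX_TRUST_GAP else "block"
    return {"pair": frozenset({a.name, b.name}), "action": action}

def packet_allowed(rules: list, src: str, dst: str) -> bool:
    """Claims 2 and 8: match a packet's endpoints against the rule set.
    A pair with no rule is blocked (assumed default-deny)."""
    for rule in rules:
        if rule["pair"] == frozenset({src, dst}):
            return rule["action"] == "allow"
    return False

# Constructed sample containers, not taken from the patent.
PAYMENTS = Container("payments", {"image_signature": 0.9, "source_registry": 1.0, "packet_behaviour": 0.8})
BILLING = Container("billing", {"image_signature": 0.7, "source_registry": 0.9, "packet_behaviour": 0.6})
SCRATCH = Container("scratch", {"image_signature": 0.1, "source_registry": 0.2, "packet_behaviour": 0.9})
SANDBOX = Container("sandbox", {"image_signature": 0.0, "source_registry": 0.3, "packet_behaviour": 0.4})

def build_rules(containers: list) -> list:
    """One rule per unordered container pair."""
    return [firewall_rule(a, b) for i, a in enumerate(containers) for b in containers[i + 1:]]
```

With these values the two well-attested containers may talk to each other, the two poorly attested ones may talk to each other, and cross-tier traffic is blocked, which is the behaviour the abstract describes.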
Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Rule management · CPC title