What technology area does this patent fall under?

Primary CPC classification H04L63/1433. Mapped technology areas include Electricity.

When was this patent published?

Publication date Tue Nov 29 2022 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).

Virtual patching in a label-based segmented network environment

US11516242B2 · US · B2

Patent metadata
Field	Value
Publication number	US-11516242-B2
Application number	US-201916553137-A
Country	US
Kind code	B2
Filing date	Aug 27, 2019
Priority date	Aug 27, 2019
Publication date	Nov 29, 2022
Grant date	Nov 29, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A segmentation server configures and distributes rules for enforcing a segmentation policy that includes one or more virtual patches. The rules including the virtual patches are enforced by distributed enforcement modules that may execute on host devices or on network devices upstream from the host devices. An enforcement module enforces the rules using traffic filters that filter traffic based on network layer data. To implement a virtual patch, the traffic filters are configured to redirect traffic to or from an application being patched to a transparent application proxy. The transparent application proxy implements an application layer filter that filters traffic based on application layer data to block specific types of traffic associated with a vulnerability addressed by the virtual patch.

First claim

Opening claim text (preview).

The invention claimed is: 1. A method for configuring an enforcement module on a host device to enforce a segmentation policy including a virtual patch for patching an application to protect against one or more security vulnerabilities, the method comprising: receiving, from a segmentation server at a distributed enforcement module remote from the segmentation server, management instructions for enforcing a segmentation policy with respect to a subset of workloads in a network domain, the management instructions including access control rules for controlling permissible connections of the subset of workloads in the network domain, and the access control rules including at least one virtual patch rule for applying a virtual patch to traffic to or from an application executed by the subset of workloads managed by the enforcement module; responsive to receiving the virtual patch rule, instantiating by the distributed enforcement module, a transparent application proxy on the host device for implementing the virtual patch and configuring the transparent application proxy to implement an application layer filter that blocks at least a subset of the traffic to or from the application in a manner that prevents exploitation of the one or more security vulnerabilities; and responsive to receiving the access control rules, configuring a traffic filter on the host device based on the access control rules to filter traffic based on network layer data including source and destination addresses and to redirect at least a subset of the traffic to or from the application to the transparent application proxy; applying the traffic filter and the transparent application proxy to enforce the segmentation policy; responsive to determining that the virtual patch is no longer applicable to the subset of workloads managed by the enforcement module under the segmentation policy, removing the transparent application proxy from the host device. 2. The method of claim 1 , wherein instantiating the transparent application proxy comprises: detecting that the transparent application proxy is not present on the host device to enforce the virtual patch; and instantiating the transparent application proxy responsive to the detection. 3. The method of claim 1 , wherein removing the transparent application proxy comprises: detecting an update to application information associated with the application; transmitting the update to the segmentation server; responsive to transmitting the update, receiving from the segmentation server, updated instructions for removing the virtual patch; removing the transparent application proxy in response to the updated instructions; and updating the traffic filter to remove the filtering rule redirecting the traffic to or from the application to the transparent application proxy. 4. The method of claim 1 , wherein removing the transparent application proxy comprises: detecting an update to application information associated with the application; determining that the virtual patch is not applicable to the application based on the updated application information; responsive to determining that the virtual patch is not applicable, removing the transparent application proxy; and updating the traffic filter to remove the filtering rule redirecting the traffic to or from the application to the transparent application proxy. 5. The method of claim 1 , wherein applying the traffic filter and the transparent application proxy comprises: receiving an inbound data packet having a source address associated with a network source and a destination address associated with the application; applying the traffic filter to redirect the inbound data packet to the transparent application proxy based on the source address and the destination address matching a filtering rule of the traffic filter associated with enforcement of the virtual patch; and applying the application layer filter at the transparent application proxy to determine whether to allow or block the inbound data packet based on application layer data associated with the inbound data packet. 6. The method of claim 5 , further comprising: dropping the inbound data packet responsive to determining to block the inbound data packet based on the application layer data. 7. The method of claim 5 , further comprising: forwarding the inbound data packet to the application responsive to determining to allow the inbound data packet based on the application layer data. 8. The method of claim 1 , wherein applying the traffic filter and the transparent application proxy comprises: receiving an outbound data packet having a source address associated with the application and a destination address associated with a network host; applying the traffic filter to redirect the outbound data packet to the transparent application proxy based on the source address and the destination address matching a filtering rule of the traffic filter associated with enforcement of the virtual patch; and applying the application layer filter at the transparent application proxy to determine whether to allow or block the outbound data packet based on application layer data associated with the outbound data packet. 9. The method of claim 1 , wherein the traffic filter comprises an IP address-based traffic filter to filter the traffic based on source and destination IP addresses. 10. The method of claim 9 , wherein the traffic filter is further configured to filter the traffic based on a port and protocol associated with the traffic. 11. A non-transitory computer-readable storage medium storing instructions for configuring an enforcement module on a host device to enforce a segmentation policy including a virtual patch for patching an application to protect against one or more security vulnerabilities, the instructions when executed by a processor causing the processor to perform steps including: receiving, from a segmentation server at a distributed enforcement module remote from the segmentation server, management instructions for enforcing a segmentation policy with respect to a subset of workloads in a network domain, the management instructions including access control rules for controlling permissible connections of the subset of workloads in the network domain, and the access control rules including at least one virtual patch rule for applying a virtual patch to traffic to or from an application executed by the subset of workloads managed by the enforcement module; responsive to receiving the virtual patch rule, instantiating by the distributed enforcement module, a transparent application proxy on the host device for implementing the virtual patch and configuring the transparent application proxy to implement an application layer filter that blocks at least a subset of the traffic to or from the application in a manner that prevents exploitation of the one or more security vulnerabilities; and responsive to receiving the access control rules, configuring a traffic filter on the host device based on the access control rules to filter traffic based on network layer data including source and destination addresses and to redirect at least a subset of the traffic to or from the application to the transparent application proxy; applying the traffic filter and the transparent application proxy to enforce the segmentation policy; responsive to determining that the virtual patch is no longer applicable to the subset of workloads managed by the enforcement module under the segmentation policy, removing the transparent application proxy from the host device. 12. The non-transitory computer-readable storage medium of claim 11 , wherein instantiatin

Assignees

Illumio Inc

Inventors

Classifications

H04L63/0236
Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title
H04L67/563
Data redirection of data network streams · CPC title
H04L63/1433Primary
Vulnerability analysis · CPC title
H04L47/20
Traffic policing · CPC title
G06F8/65
Updates (security arrangements therefor G06F21/57) · CPC title

Patent family

Related publications grouped by family.

View patent family 74680310

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11516242B2 cover?: A segmentation server configures and distributes rules for enforcing a segmentation policy that includes one or more virtual patches. The rules including the virtual patches are enforced by distributed enforcement modules that may execute on host devices or on network devices upstream from the host devices. An enforcement module enforces the rules using traffic filters that filter traffic based…
Who is the assignee on this patent?: Illumio Inc
What technology area does this patent fall under?: Primary CPC classification H04L63/1433. Mapped technology areas include Electricity.
When was this patent published?: Publication date Tue Nov 29 2022 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).