Domain name based visibility and policy enforcement in a segmented network environment

US2020228486A1 · US · A1

Patent metadata

Publication number: US-2020228486-A1
Application number: US-201916248707-A
Country: US
Kind code: A1
Filing date: Jan 15, 2019
Priority date: Jan 15, 2019
Publication date: Jul 16, 2020
Grant date: (none listed)

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

An enforcement module receives a DNS-based rule of a segmentation policy that controls access of a managed workload to workloads in a DNS domain in which the IP addresses of the workloads associated with a domain name are resolved by a DNS server. When the managed workload makes a connection request to the workload associated with the domain name, the enforcement module snoops on a DNS response from the DNS server to learn the IP address of the workload associated with the domain name. If a domain name of the DNS domain is in a whitelist of domain names permitted by the DNS-based rule, the enforcement module adds the learned IP address to a whitelist of IP addresses and configures a firewall associated with the managed workload to permit connections to the IP addresses in the whitelist.

First claim

Opening claim text (preview).

1. A method for enforcing a segmentation policy, the method comprising: receiving at an enforcement module from a segmentation server, a management instruction for enforcing a rule of the segmentation policy that permits a connection between a first workload on a host device and a second workload in a network domain identified by a domain name; storing, by the enforcement module, the domain name in a whitelist of domain names; responsive to a connection request from the first workload to the network domain identified by the domain name, snooping on a DNS response received by the host device to obtain a network address associated with the network domain; responsive to determining that the domain name associated with the connection request is in a whitelist of domain names, storing, based on the DNS response, the network address associated with the network domain to a whitelist of network addresses; and updating a local firewall configuration of a local firewall of the host device based on the whitelist of network addresses to permit the connection between the first workload and the network address associated with the network domain.

2. The method of claim 1, further comprising: storing a time-to-live value in association with the network address; and responsive to the time-to-live value expiring, removing the network address from the whitelist of network addresses.

3. The method of claim 1, further comprising: storing a mapping of the network address to the domain name; and sending the mapping to the segmentation server to enable the segmentation server to associate the network address with the domain name.

4. The method of claim 1, wherein snooping on the DNS response comprises: detecting a redirect from the domain name to an alias name; snooping on a DNS response received by the enforcement module in response to the redirect to the alias name to obtain the network address.

5. The method of claim 4, further comprising: storing a mapping of the alias name to the domain name; sending the mapping to the segmentation server to enable the segmentation server to associate the alias name with the domain name.

6. The method of claim 1, further comprising: detecting traffic flows to and from the first workload and the network domain; and reporting, to the segmentation server, the traffic flows to and from the first workload based on the identified network address associated with the network domain.

7. The method of claim 6, further comprising: reporting to the segmentation server, a mapping between the detected network address and the network domain.

8. The method of claim 1, further comprising: storing one or more port numbers in association with the domain name; wherein determining that the domain name is in the whitelist further comprises determining that a port number associated with the connection request is included in the one or more port numbers associated with the domain name; and wherein updating the local firewall configuration further comprises permitting the connection with the port number associated with the connection request.

9. The method of claim 1, wherein the rule of the segmentation policy identifies the domain name based on an expression including one or more wildcard characters.

10. The method of claim 1, further comprising authenticating the domain name based on domain name system security extensions (DNSSEC).

11. A non-transitory computer-readable storage medium storing instructions for enforcing a segmentation policy, the instructions when executed by a processor causing the processor to perform steps including: receiving at an enforcement module from a segmentation server, a management instruction for enforcing a rule of the segmentation policy that permits a connection between a first workload on a host device and a second workload in a network domain identified by a domain name; storing, by the enforcement module, the domain name in a whitelist of domain names; responsive to a connection request from the first workload to the network domain identified by the domain name, snooping on a DNS response received by the host device to obtain a network address associated with the network domain; responsive to determining that the domain name associated with the connection request is in a whitelist of domain names, storing, based on the DNS response, the network address associated with the network domain to a whitelist of network addresses; and updating a local firewall configuration of a local firewall of the host device based on the whitelist of network addresses to permit the connection between the first workload and the network address associated with the network domain.

12. The non-transitory computer-readable storage medium of claim 11, wherein the instructions when executed by the processor further causing the processor to perform steps including: storing a time-to-live value in association with the network address; and responsive to the time-to-live value expiring, removing the network address from the whitelist of network addresses.

13. The non-transitory computer-readable storage medium of claim 11, wherein the instructions when executed by the processor further causing the processor to perform steps including: storing a mapping of the network address to the domain name; and sending the mapping to the segmentation server to enable the segmentation server to associate the network address with the domain name.

14. The non-transitory computer-readable storage medium of claim 11, wherein snooping on the DNS response comprises: detecting a redirect from the domain name to an alias name; snooping on a DNS response received by the enforcement module in response to the redirect to the alias name to obtain the network address.

15. The non-transitory computer-readable storage medium of claim 14, wherein the instructions when executed by the processor further causing the processor to perform steps including: storing a mapping of the alias name to the domain name; sending the mapping to the segmentation server to enable the segmentation server to associate the alias name with the domain name.

16. The non-transitory computer-readable storage medium of claim 11, wherein the instructions when executed by the processor further causing the processor to perform steps including: detecting traffic flows to and from the first workload and the network domain; and reporting, to the segmentation server, the traffic flows to and from the first workload based on the identified network address associated with the network domain.

17. The non-transitory computer-readable storage medium of claim 16, wherein the instructions when executed by the processor further causing the processor to perform steps including: reporting to the segmentation server, a mapping between the detected network address and the network domain.

18. A computer system comprising: a processor; and a non-transitory computer-readable storage medium storing instructions for enforcing a segmentation policy, the instructions when executed by a processor causing the processor to perform steps including: receiving at an enforcement module from a segmentation server, a management instruction for enforcing a rule of the segmentation policy that permits a connection between a first workload on a host device and a second workload in a network domain identified by a domain name; storing, by the enforcement module, the domain name in a whitelist of domain names; responsive to a connection requ
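
The abstract and claims 1 through 9 describe one host-side mechanism: a whitelist of domain names (possibly with wildcards and per-domain ports) pushed by a segmentation server, a DNS snoop that follows CNAME aliases to the answering A records, a whitelist of learned addresses that age out with the record TTL, and a local firewall rebuilt from that address list. The sketch below is an added illustration of that mechanism and is not the patent's or Illumio's code. It assumes the DNS response has already been parsed into records (`DnsAnswer`, `DnsResponse`), models a rule as a wildcard pattern plus a port set (`DnsRule`), and represents the local firewall as a list of allow strings; all names, classes and sample records are constructed for the example, and DNSSEC validation (claim 10) is out of scope.

```python
"""Illustrative enforcement module for a DNS-based segmentation rule (constructed example)."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DnsAnswer:
    name: str    # owner name of the record
    rtype: str   # "A" or "CNAME"
    data: str    # IPv4 address for A, target name for CNAME
    ttl: int     # seconds the record may be cached


@dataclass
class DnsResponse:
    qname: str                 # name the managed workload asked for
    answers: list[DnsAnswer]


@dataclass(frozen=True)
class DnsRule:
    domain_pattern: str        # wildcard expression, e.g. "*.example.com" (claim 9)
    ports: frozenset[int]      # ports stored in association with the domain (claim 8)


def _norm(name: str) -> str:
    """Canonical form for comparisons: no trailing dot, lower case."""
    return name.rstrip(".").lower()


class EnforcementModule:
    MAX_CNAME_DEPTH = 8   # bound on alias chains so a looping response cannot spin us

    def __init__(self, now: int = 0) -> None:
        self.now = now
        self.domain_whitelist: list[DnsRule] = []
        # (ip, port) -> (domain, expiry time); the address whitelist of claim 1 with claim 2's TTL
        self.ip_whitelist: dict[tuple[str, int], tuple[str, int]] = {}
        self.alias_map: dict[str, str] = {}   # alias -> domain (claim 5)
        self.ip_map: dict[str, str] = {}      # ip -> domain (claim 3)
        self.reports: list[dict] = []         # mappings queued for the segmentation server

    def receive_rule(self, rule: DnsRule) -> None:
        """Management instruction from the segmentation server: remember the domain pattern."""
        self.domain_whitelist.append(DnsRule(_norm(rule.domain_pattern), rule.ports))

    def _matching_rule(self, domain: str, port: int) -> Optional[DnsRule]:
        # fnmatch's "*" also matches ".", so "*.example.com" covers deeper subdomains too
        for rule in self.domain_whitelist:
            if fnmatch.fnmatchcase(domain, rule.domain_pattern) and port in rule.ports:
                return rule
        return None

    def snoop_dns_response(self, resp: DnsResponse, port: int) -> list[str]:
        """Learn addresses for a whitelisted domain from a snooped response; returns IPs added."""
        domain = _norm(resp.qname)
        if self._matching_rule(domain, port) is None:
            return []   # not permitted by any DNS-based rule: learn nothing, open nothing
        by_name: dict[str, list[DnsAnswer]] = {}
        for a in resp.answers:
            by_name.setdefault(_norm(a.name), []).append(a)
        # Follow the redirect chain from the domain name to its alias name(s) (claim 4)
        current = domain
        for _ in range(self.MAX_CNAME_DEPTH):
            cname = next((a for a in by_name.get(current, []) if a.rtype == "CNAME"), None)
            if cname is None:
                break
            target = _norm(cname.data)
            self.alias_map[target] = domain
            self.reports.append({"alias": target, "domain": domain})
            current = target
        added: list[str] = []
        for a in by_name.get(current, []):
            if a.rtype != "A":
                continue
            self.ip_whitelist[(a.data, port)] = (domain, self.now + a.ttl)
            self.ip_map[a.data] = domain
            self.reports.append({"ip": a.data, "domain": domain})
            added.append(a.data)
        return added

    def expire(self, now: int) -> list[str]:
        """Drop learned addresses whose TTL has elapsed (claim 2); returns the IPs removed."""
        self.now = now
        stale = [k for k, (_, exp) in self.ip_whitelist.items() if exp <= now]
        for k in stale:
            del self.ip_whitelist[k]
        return [ip for ip, _ in stale]

    def firewall_rules(self) -> list[str]:
        """Local firewall configuration derived from the address whitelist (stand-in for real rules)."""
        return sorted(f"ALLOW {ip} tcp/{port}" for ip, port in self.ip_whitelist)


if __name__ == "__main__":
    em = EnforcementModule(now=100)
    em.receive_rule(DnsRule("*.example.com", frozenset({443})))
    # Constructed response: the queried name is an alias for a CDN host with two addresses
    resp = DnsResponse("api.example.com.", [
        DnsAnswer("api.example.com", "CNAME", "edge.cdn.net", 300),
        DnsAnswer("edge.cdn.net", "A", "203.0.113.10", 60),
        DnsAnswer("edge.cdn.net", "A", "203.0.113.11", 60),
    ])
    print(em.snoop_dns_response(resp, 443), em.firewall_rules())
    print(em.expire(160), em.firewall_rules())
```

Two design points are worth noting. The port check happens before any address is learned, so a response triggered by a connection to a port the rule does not list leaves the firewall untouched, and each whitelist entry is keyed by (address, port) so the firewall opening is no wider than the rule. Expiry is tied to the shortest-lived record actually used, which keeps the allow list from outliving the resolver's own view of the name.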

Assignees

Illumio Inc

Inventors

Classifications

  • H04L63/101 (primary) · Access control lists [ACL] · CPC title

  • using domain name system [DNS] · CPC title

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • Rule management · CPC title

  • for separating internal from external traffic, e.g. firewalls · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2020228486A1 cover?
An enforcement module receives a DNS-based rule of a segmentation policy that controls access of a managed workload to workloads in a DNS domain in which the IP addresses of the workloads associated with a domain name are resolved by a DNS server. When the managed workload makes a connection request to the workload associated with the domain name, the enforcement module snoops on a DNS response…
Who is the assignee on this patent?
Illumio Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/101. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Jul 16, 2020 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).