Method and apparatus for distributing firewall rules

US9215213B2 · US · B2

Patent metadata
Publication number: US-9215213-B2
Application number: US-201414231683-A
Country: US
Kind code: B2
Filing date: Mar 31, 2014
Priority date: Feb 20, 2014
Publication date: Dec 15, 2015
Grant date: Dec 15, 2015

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).

First claim

Opening claim text (preview).

We claim:

1. A method of distributing firewall rules, the method comprising: specifying a firewall rule and an enforcement node identifier that identifies a set of enforcement nodes at which the firewall rule should be enforced by a set of enforcement devices; distributing the specified firewall rule to each enforcing device in the set of enforcement devices, wherein at least a first enforcement device in the set enforces the firewall rule for at least a group of two enforcement nodes; modifying the set of enforcement devices by adding a particular enforcement node to the group of enforcement nodes; and in response to the modification, communicating with the first enforcement device to add the particular enforcement node to the group of enforcement nodes.

2. The method of claim 1, further comprising: modifying the set of enforcement devices by adding an enforcement device to the set; and distributing the firewall rule to the added enforcement device.

3. The method of claim 1, further comprising: modifying the set of enforcement devices by removing an enforcement device from the set; and directing the removed enforcement device to remove the firewall rule.

4. A method of distributing firewall rules, the method comprising: specifying a firewall rule and an enforcement node identifier that identifies a set of enforcement nodes at which the firewall rule should be enforced by a set of enforcement devices; distributing the specified firewall rule to each enforcing device in the set of enforcement devices, wherein at least a first enforcement device in the set enforces the firewall rule for at least a group of two enforcement nodes; modifying the set of enforcement devices by removing a particular enforcement node from the group of enforcement nodes; and in response to the modification, communicating with the first enforcement device to remove the particular enforcement node from the group of enforcement nodes.

5. The method of claim 4, wherein the first enforcement device is a host computing device on which a plurality of virtual machines (VMs) are executing, wherein the enforcement nodes in the group of enforcement nodes are VMs executing on the host.

6. The method of claim 5, wherein each enforcement node in the group is specified in terms of an identifier for a virtual network interface card (VNIC) of a VM.

7. A non-transitory machine readable medium storing a program for distributing firewall rules, the program comprising sets of instructions for: specifying a firewall rule and an enforcement node identifier that identifies a set of enforcement nodes at which the firewall rule should be enforced by a set of enforcement devices; distributing the specified firewall rule to each enforcing device in the set of enforcement devices, wherein at least a first enforcement device in the set enforces the firewall rule for at least a group of two enforcement nodes; modifying the set of enforcement devices by adding a particular enforcement node to the group of enforcement nodes; and in response to the modification, communicating with the first enforcement device to add the particular enforcement node to the group of enforcement nodes.

8. The machine readable medium of claim 7, wherein the program further comprises sets of instructions for: modifying the set of enforcement devices by adding an enforcement device to the set; and distributing the firewall rule to the added enforcement device.

9. The machine readable medium of claim 7, wherein the program further comprises sets of instructions for: modifying the set of enforcement devices by removing an enforcement device from the set; and directing the removed enforcement device to remove the firewall rule.

10. A non-transitory machine readable medium storing a program for distributing firewall rules, the program comprising sets of instructions for: specifying a firewall rule and an enforcement node identifier that identifies a set of enforcement nodes at which the firewall rule should be enforced by a set of enforcement devices; distributing the specified firewall rule to each enforcing device in the set of enforcement devices, wherein at least a first enforcement device in the set enforces the firewall rule for at least a group of two enforcement nodes; modifying the set of enforcement devices by removing a particular enforcement node from the group of enforcement nodes; and in response to the modification, communicating with the first enforcement device to remove the particular enforcement node from the group of enforcement nodes.

11. The machine readable medium of claim 10, wherein the first enforcement device is a host computing device on which a plurality of virtual machines (VMs) are executing, wherein the enforcement nodes in the group of enforcement nodes are VMs executing on the host.

12. The machine readable medium of claim 11, wherein each enforcement node in the group is specified in terms of an identifier for a virtual network interface card (VNIC) of a VM.

13. A method of specifying firewall rules, the method comprising: specifying a plurality of firewall rules that each includes at least one enforcement-node identifier that identifies a set of enforcement nodes in a network where the firewall rule has to be enforced, at least one enforcement-node identifier being a group identifier that includes a modifiable set of members; based on the enforcement-node identifiers of the specified firewall rules, distributing at least first and second firewall rules respectively to first and second enforcement devices; in response to a modification to the members of the group identifier, identifying at least the first firewall rule as a rule that uses the group identifier as an enforcement-node identifier; and distributing an update to the first enforcement device to update a set of enforcement nodes to which the first enforcement device applies the first firewall rule.

14. The method of claim 13, wherein the update removes an enforcement node from the set of enforcement nodes to which the first enforcement device applies the first firewall rule.

15. The method of claim 13, wherein the update adds an enforcement node to the set of enforcement nodes to which the first enforcement device applies the first firewall rule.

16. The method of claim 13, further comprising distributing the identified firewall rule to a third enforcement device after identifying the firewall rule.

17. The method of claim 1, wherein the first enforcement device is a host computing device on which a plurality of virtual machines (VMs) are executing, wherein the enforcement nodes in the group of enforcement nodes are VMs executing on the host.

18. The method of claim 17, wherein each enforcement node in the group is specified in terms of an identifier for a virtual network interface card (VNIC) of a VM.

19. The machine readable medium of claim 7, wherein the first enforcement device is a host computing device on which a plurality of virtual machines (VMs) are executing, wherein the enforcement nodes in the group of enforcement nodes are VMs executing on the host.

20. The machine readable medium of claim 19, wherein each enforcement node in the group is specified in terms of an identifier for a virtual network interface card (VNIC) of a VM.
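Read together, the claims describe a controller that resolves each rule's AppliedTo identifiers (VNIC ids or group ids) to the hosts that must enforce it, and, when a group's membership changes, pushes only the delta: a new node for a host already holding the rule, the whole rule for a newly affected host, or a removal for a host that no longer needs it. The following Python model of that flow is an added illustration, not the patent's or Nicira's code; Rule, Controller, the host/VNIC mapping and the message names are all constructed.

```python
# Added example (not the patent's own code): a toy controller modelling the
# AppliedTo tuple and the group-update flow of claims 1-4 and 13-16; all names are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """Classic match tuple (src, dst, service), action, plus the AppliedTo tuple."""
    rule_id: str
    match: tuple
    action: str
    applied_to: frozenset  # enforcement-node identifiers: VNIC ids and/or group ids

class Controller:
    def __init__(self, vnic_host, groups):
        self.vnic_host = dict(vnic_host)          # VNIC id -> host (enforcement device)
        self.groups = {g: set(m) for g, m in groups.items()}
        self.rules = {}                           # rule_id -> Rule
        self.enforced = {}                        # host -> {rule_id: set of VNIC ids}
    def _targets(self, rule):
        """Expand AppliedTo into the set of VNICs each host must enforce the rule for."""
        per_host = {}
        for ident in rule.applied_to:
            for vnic in self.groups.get(ident, {ident}):   # group id or bare VNIC id
                per_host.setdefault(self.vnic_host[vnic], set()).add(vnic)
        return per_host
    def _sync(self, rule):
        """Send each host only the change that brings it to the desired state."""
        want, msgs = self._targets(rule), []
        hosts = set(want) | {h for h, r in self.enforced.items() if rule.rule_id in r}
        for host in sorted(hosts):
            have = self.enforced.setdefault(host, {}).get(rule.rule_id)
            if host not in want:                  # claim 3: device no longer needs the rule
                del self.enforced[host][rule.rule_id]
                msgs.append(("remove_rule", host, rule.rule_id))
                continue
            if have is None:                      # claim 2: newly affected device gets the rule
                msgs.append(("add_rule", host, rule.rule_id, frozenset(want[host])))
            else:                                 # claims 1/4: only the node group changes
                msgs += [("add_node", host, rule.rule_id, v) for v in sorted(want[host] - have)]
                msgs += [("remove_node", host, rule.rule_id, v) for v in sorted(have - want[host])]
            self.enforced[host][rule.rule_id] = set(want[host])
        return msgs
    def add_rule(self, rule):
        self.rules[rule.rule_id] = rule
        return self._sync(rule)
    def update_group(self, group, members):
        """Claim 13: on a membership change, re-sync only the rules that use the group."""
        self.groups[group] = set(members)
        return [m for r in self.rules.values() if group in r.applied_to for m in self._sync(r)]
```

A rule whose AppliedTo names a bare VNIC rather than the changed group produces no message on `update_group`, which is the "identifying at least the first firewall rule as a rule that uses the group identifier" step of claim 13 in action.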

Classifications

  • Filtering by information in the payload · CPC title

  • Rule management · CPC title

  • for separating internal from external traffic, e.g. firewalls · CPC title

  • H04L63/20 · Primary

    for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9215213B2 cover?
Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to …
Who is the assignee on this patent?
Nicira Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0263. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 15, 2015 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).