Security policy generation using container metadata

US 10,009,317 B2
Filed: 10/25/2016
Issued: 06/26/2018
Est. Priority Date: 03/24/2016
Status: Active Grant

First Claim

Patent Images

1. A method for security in a container-based virtualization environment comprising:

receiving metadata about a deployed container from a container orchestration layer, the deployed container being deployed in a server;

determining an application or service performed by the deployed container from the received metadata by processing data packets to identify the determined application or service;

retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container;

generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container is permitted to communicate;

producing a low-level firewall rule set using the high-level declarative security policy; and

applying the low-level firewall rule set to data network traffic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include: receiving metadata about a deployed container from a container orchestration layer; determining an application or service associated with the deployed container from the received metadata; retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container; and generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container can communicate.

195 Citations

20 Claims

1. A method for security in a container-based virtualization environment comprising:
- receiving metadata about a deployed container from a container orchestration layer, the deployed container being deployed in a server;
  
  determining an application or service performed by the deployed container from the received metadata by processing data packets to identify the determined application or service;
  
  retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container;
  
  generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container is permitted to communicate;
  
  producing a low-level firewall rule set using the high-level declarative security policy; and
  
  applying the low-level firewall rule set to data network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, in which the metadata is received from the container orchestration layer using at least an application programming interface (API).
  - 3. The method of claim 1, in which:
    - the metadata includes at least one of an image name, image type, service name, ports, and other tags and labels associated with the deployed container; and
      
      the at least one of the image name, image type, service name, ports, and other tags and labels is associated with the determined application or service.
  - 4. The method of claim 3, in which determining the application or service includes:
    - ascertaining an image type associated with the deployed container using the metadata; and
      
      identifying the determined application or service using the image type.
  - 5. The method of claim 1, in which the deployed container is at least one of:
    - a Docker container and a Rocket (rkt) container.
  - 6. The method of claim 5, in which the container orchestration layer is at least one of:
    - Docker Swarm, Kubernetes, Diego, and Mesos.
  - 7. The method of claim 1, in which the determined application or service is at least one of:
    - a database, email server, message queue, web server, Session Initiation Protocol (SIP) server, file server, object-based storage, naming system, storage networking, and directory.
  - 8. The method of claim 1, in which the producing the low-level firewall rule set includes providing the high-level declarative security policy to a compiler.
  - 9. The method of claim 1, in which the applying the low-level firewall rule set includes providing the low-level firewall rule set to an enforcement point.
  - 10. The method of claim 1, further comprising:
    - determining a potential violation of the high-level declarative security policy using the low-level firewall rule set; and
      
      performing at least one of;
      
      sending an alert, dropping communications associated with the potential violation, and forwarding communications associated with the potential violation.

11. A system for security in a container-based virtualization environment comprising:
- a hardware processor; and
  
  a memory coupled to the hardware processor, the memory storing instructions which are executable by the hardware processor to perform a method comprising;
  
  receiving metadata about a deployed container from a container orchestration layer, the deployed container being deployed in a server;
  
  determining an application or service performed by the deployed container from the received metadata by processing data packets to identify the determined application or service;
  
  retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container;
  
  generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container is permitted to communicate;
  
  producing a low-level firewall rule set using the high-level declarative security policy; and
  
  applying the low-level firewall rule set to data network traffic.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, in which the metadata is received from the container orchestration layer using at least an application programming interface (API).
  - 13. The system of claim 11, in which:
    - the metadata includes at least one of an image name, image type, service name, ports, and other tags and labels associated with the deployed container; and
      
      the at least one of the image name, image type, service name, ports, and other tags and labels is associated with the determined application or service.
  - 14. The system of claim 13, in which determining the application or service includes:
    - ascertaining an image type associated with the deployed container using the metadata; and
      
      identifying the determined application or service using the image type.
  - 15. The system of claim 11, in which the deployed container is at least one of:
    - a Docker container and a Rocket (rkt) container.
  - 16. The system of claim 15, in which the container orchestration layer is at least one of:
    - Docker Swarm, Kubernetes, Diego, and Mesos.
  - 17. The system of claim 11, in which the determined application or service is at least one of:
    - a database, email server, message queue, web server, Session Initiation Protocol (SIP) server, file server, object-based storage, naming system, storage networking, and directory.
  - 18. The system of claim 11, in which the producing the low-level firewall rule set includes compiling the high-level declarative security policy, and the applying the low-level firewall rule set includes providing the low-level firewall rule set to an enforcement point.
  - 19. The system of claim 11, in which the method further comprises:
    - determining a potential violation of the high-level declarative security policy using the low-level firewall rule set; and
      
      performing at least one of;
      
      sending an alert, dropping communications associated with the potential violation, and forwarding communications associated with the potential violation.

20. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for security in a container-based virtualization environment, the method comprising:
- receiving metadata about a deployed container from a container orchestration layer, the deployed container being deployed in a server;
  
  determining an application or service performed by the deployed container from the received metadata by processing data packets to identify the determined application or service;
  
  retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container;
  
  generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container is permitted to communicate;
  
  producing a low-level firewall rule set using the high-level declarative security policy; and
  
  applying the low-level firewall rule set to data network traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Woolward, Marc
Primary Examiner(s)
Schwartz, Darren B

Application Number

US15/334,151
Publication Number

US 20170279770A1
Time in Patent Office

609 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Security policy generation using container metadata

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

195 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Security policy generation using container metadata

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

195 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links