Network-access partitioning using virtual machines

US 10,055,231 B1
Filed: 06/19/2012
Issued: 08/21/2018
Est. Priority Date: 03/13/2012
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for partitioning network resources among virtual machines, which when executed by one or more processors, cause:

upon a device receiving, from a first virtual machine executing on the device, a first request for network resources located over said one or more networks from said storage mediums, consulting policy data to determine how to service the first request;

the device processing the first request by providing the first virtual machine with access to a first portion of the network resources, wherein the first virtual machine cannot access any of the network resources other than the first portion;

upon the device receiving, from a second virtual machine executing on the device, a second request for network resources located over said one or more networks from said storage mediums, consulting the policy data to determine how to service the second request; and

the device processing the second request by providing the second virtual machine with access to a second portion of the network resources, wherein the second virtual machine cannot access any of the network resources other than the second portion, andwherein the first portion is not coextensive with the second portion, andwherein the policy data is implemented by a module that decides which activities can be executed within said first virtual machine and said second virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said first virtual machine or said second virtual machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Approaches for handling network resources in a virtualized computing environment. A first request for network resources is received from a first virtual machine. Policy data is consulted to determine how to service the first request. The first request is processed by providing the first virtual machine with access to only a first portion of network resources. A second request for network resources is received from a second virtual machine. Policy data is consulted to determine how to service the second request. The second request is processed by providing the second virtual machine with access to only a second portion of network resources that is not coextensive with the first portion. In this way, virtual machines may have access to particular resources and/or specific bounded areas of a network.

185 Citations

33 Claims

1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for partitioning network resources among virtual machines, which when executed by one or more processors, cause:
- upon a device receiving, from a first virtual machine executing on the device, a first request for network resources located over said one or more networks from said storage mediums, consulting policy data to determine how to service the first request;
  
  the device processing the first request by providing the first virtual machine with access to a first portion of the network resources, wherein the first virtual machine cannot access any of the network resources other than the first portion;
  
  upon the device receiving, from a second virtual machine executing on the device, a second request for network resources located over said one or more networks from said storage mediums, consulting the policy data to determine how to service the second request; and
  
  the device processing the second request by providing the second virtual machine with access to a second portion of the network resources, wherein the second virtual machine cannot access any of the network resources other than the second portion, andwherein the first portion is not coextensive with the second portion, andwherein the policy data is implemented by a module that decides which activities can be executed within said first virtual machine and said second virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said first virtual machine or said second virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - in response to receiving a request from the first virtual machine to access resources of the second virtual machine, accessing the policy data; and
      
      determining, based on the policy data, whether to allow the first virtual machine to access the resources of the second virtual machine.
  - 3. The one or more non-transitory computer-readable storage mediums of claim 1, wherein processing the first request further comprises:
    - determining, based on the policy data, whether to allow the first virtual machine to access the second portion of network resources,and wherein processing the second request further comprises;
      
      determining, based on the policy data, whether to allow the second virtual machine to access the first portion of network resources.
  - 4. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - receiving, from the first virtual machine, a third request for network resources, consulting policy data to determine how to service the third request; and
      
      processing, by a party other than the first virtual machine or said second virtual machine, the third request by, accessing a third portion of network resources, wherein neither the first nor the second virtual machine is allowed to access the third portion of network resources.
  - 5. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the first virtual machine is instantiated in response to the request for access to the first portion of network resources.
  - 6. The one or more non-transitory computer-readable storage mediums of claim 1, wherein access to the first and second portion of network resources is accomplished by granting the first virtual machine access to a first virtual network interface and granting the second virtual machine access to a second virtual network interface, and wherein the first and second virtual network interfaces are implemented using the same physical network card.
  - 7. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy data is stored on the client machine.
  - 8. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy data defines a policy that considers information related to communication protocols, MIME types or port information associated with the request in determining how to service the request.
  - 9. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy data comprises whether a request for network resources resulted from input of an IP address.
  - 10. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy data comprises ensuring whether a request for network resources resulted from resolving a network address via a DNS query for a fully qualified domain name.

11. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for partitioning network resources available to a virtualized environment, which when executed by one or more processors, cause:
- in response to receiving a first request from a first virtual machine for access to a first network resource on said one or more networks, accessing policy data to identify a network section to which the first request for access is directed; and
  
  based on the identifying, determining whether the first virtual machine may access the first network resource,wherein the policy data is implemented by a module that decides which activities can be executed within said first virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said first virtual machine.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 12. The one or more non-transitory computer-readable storage mediums of claim 11, wherein the first network resource is a web site.
  - 13. The one or more non-transitory computer-readable storage mediums of claim 11, wherein the network section corresponds to an intranet.
  - 14. The one or more non-transitory computer-readable storage mediums of claim 11, wherein the network section comprises a plurality of IP addresses.
  - 15. The one or more non-transitory computer-readable storage mediums of claim 11, wherein the network section comprises a plurality of web sites.
  - 16. The one or more non-transitory computer-readable storage mediums of claim 11, wherein execution of the one or more sequences of instructions further causes:
    - in response to receiving a second request from the first virtual machine for access to a second network resource on said one or more networks, accessing policy data to identify a network section to which the second request for access is directed; and
      
      based on the determination that the network section to which the second request is directed comprises a trusted network section, denying the second request, wherein the first request was directed to an untrusted network section.
  - 17. The one or more non-transitory computer-readable storage mediums of claim 16, wherein the trusted network section comprises an intranet.
  - 18. The one or more non-transitory computer-readable storage mediums of claim 16, wherein the untrusted network section corresponds to an Internet.
  - 19. The one or more non-transitory computer-readable storage mediums of claim 11, wherein execution of the one or more sequences of instructions further causes:
    - in response to receiving a second request from a second virtual machine for access to a second network resource on the network, accessing policy data to identify a network section to which the second request for access is directed; and
      
      based on the identification, determining whether the second virtual machine may access the second network resource.
  - 20. The one or more non-transitory computer-readable storage mediums of claim 19, wherein the second request from the second virtual machine is directed to a different network section than to which the first request from the first virtual machine is directed, and wherein execution of the one or more sequences of instructions further causes allowing the second virtual machine to access the second network resource.
  - 21. The one or more non-transitory computer-readable storage mediums of claim 19, wherein execution of the one or more sequences of instructions further causes:
    - in response to receiving a request from the first virtual machine to access resources of the second virtual machine, accessing the policy data to determine whether the first virtual machine may access the resources of the second virtual machine.
  - 22. The one or more non-transitory computer-readable storage mediums of claim 21, wherein the request from the first virtual machine corresponds to a web page being rendered in the first virtual machine attempting to communicate with a web page being rendered within the second virtual machine.
  - 23. The one or more non-transitory computer-readable storage mediums of claim 21, wherein execution of the one or more sequences of instructions further cause:
    - determining whether the first virtual machine may access the second virtual machine based on which network port the first virtual machine contacts the second virtual machine.
  - 24. The one or more non-transitory computer-readable storage mediums of claim 21, wherein execution of the one or more sequences of instructions further cause:
    - determining whether the first virtual machine may access the second virtual machine based on either the MIME type of data requested from the second virtual machine by the first virtual machine or the network protocol utilized by the request to the second virtual machine by the first virtual machine.
  - 25. The one or more non-transitory computer-readable storage mediums of claim 24, wherein the list of network protocols comprises at least one of the following:
    - FTP, SMTP, HTTP, HTTPS and SSH.

26. A client, comprising:
- one or more processors;
  
  one or more storage mediums storing one or more sequences of instructions for partitioning network resources among virtual machines, which when executed by the one or more processors, causes;
  
  upon a device receiving, from a first virtual machine executing on the device, a first request for network resources, consulting policy data to determine how to service the first request;
  
  the device processing the first request by providing the first virtual machine with access to a first portion of the network resources, wherein the first virtual machine cannot access any of the network resources other than the first portion;
  
  upon the device receiving, from a second virtual machine, a second request for network resources, consulting the policy data to determine how to service the second request; and
  
  the device processing the second request by providing the second virtual machine with access to a second portion of the network resources, wherein the second virtual machine cannot access any of the network resources other than the second portion, andwherein the first portion is not coextensive with the second portion, andwherein the policy data is implemented by a module that decides which activities can be executed within said first virtual machine and said second virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said first virtual machine or said second virtual machine.

27. A client, comprising:
- one or more processors;
  
  one or more storage mediums storing one or more sequences of instructions for partitioning network resources available to a virtualized environment, which when executed by the one or more processors, causes;
  
  in response to receiving a first request from a first virtual machine for access to a first network resource on said one or more networks, accessing policy data to identify a network section to which the first request for access is directed; and
  
  based on the identification, determining whether the first virtual machine may access the first network resource, andwherein the policy data is implemented by a module that decides which activities can be executed within said first virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said first virtual machine.

28. A method for partitioning network resources among virtual machines, comprising:
- upon a device receiving, from a first virtual machine executing on the device, a first request for network resources, consulting policy data to determine how to service the first request;
  
  the device processing the first request by providing the first virtual machine with access to a first portion of the network resources, wherein the first virtual machine cannot access any of the network resources other than the first portion;
  
  upon the device receiving, from a second virtual machine, a second request for network resources, consulting the policy data to determine how to service the second request; and
  
  the device processing the second request by providing the second virtual machine with access to a second portion of the network resources, wherein the second virtual machine cannot access any of the network resources other than the second portion, andwherein the first portion is not coextensive with the second portion, andwherein the policy data is implemented by a module that decides which activities can be executed within said first virtual machine and said second virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said first virtual machine or said second virtual machine.

29. A method for partitioning network resources available to a virtualized environment, comprising:
- in response to receiving a first request from a first virtual machine for access to a first network resource on a network, accessing policy data to identify a network section to which the first request for access is directed; and
  
  based on the identification, determining whether the first virtual machine may access the first network resource,wherein the policy data is implemented by a module that decides which activities can be executed within said first virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said first virtual machine.

30. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for partitioning network resources available to a virtualized environment, which when executed by one or more processors, cause:
- in response to receiving a request from a virtual machine for access to a network resource on a network, wherein the request comprises an IP address, causing a domain name server (DNS) query on the IP address to be performed;
  
  in response to the DNS query being resolved by a trusted DNS server, consulting policy data to determine how to service the request, wherein said trusted DNS server is a DNS server that is deemed trustworthy by policy data; and
  
  in response to the determination, granting or denying the request,wherein the policy data is implemented by a module that decides which activities can be executed within said virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said virtual machine.

31. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for partitioning network resources available to a virtualized environment, which when executed by one or more processors, cause:
- in response to receiving a request from a virtual machine for access to a network resource, determining whether the source of the request executing in the virtual machine is trusted or untrusted;
  
  if the source of the request is untrusted, then accessing policy data defining access rules for a first section and second section of the network;
  
  identifying whether the requested network resource corresponds to the first section or second section; and
  
  in response to the identification, determining whether to allow the request based on the policy data,wherein the policy data is implemented by a module that decides which activities can be executed within said virtual machine, including one or more of access control, determination of available resources, resource servicing, and creation or elimination of said virtual machine.
- View Dependent Claims (32, 33)
- - 32. The one or more non-transitory computer-readable storage mediums of claim 31, wherein the first section comprises an Intranet, and wherein the Intranet is determined by querying a trusted domain name server.
  - 33. The one or more non-transitory computer-readable storage mediums of claim 31, wherein the second section comprises an arbitrarily defined set of network resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Bromium (HP Inc.)
Inventors
Li, Xin, Banga, Gaurav, Pratt, Ian, Kapoor, Vikram
Primary Examiner(s)
Aponte, Francisco

Application Number

US13/527,161
Time in Patent Office

2,254 Days
Field of Search

718104
US Class Current
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 2009/45587   Isolation or security of vi...

G06F 21/6218   to a system of files or obj...

G06F 2209/5018   Thread allocation

G06F 9/3891   organised in groups of unit...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5027   the resource being a machin...

G06F 9/5077   Logical partitioning of res...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

Network-access partitioning using virtual machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

185 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Network-access partitioning using virtual machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

185 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links