Systems and methods for secure containerization

US 10,116,625 B2
Filed: 01/08/2016
Issued: 10/30/2018
Est. Priority Date: 01/08/2016
Status: Active Grant

First Claim

Patent Images

1. A method for provisioning a secure container for running an application, comprising:

routing traffic between the application and a secure container service over a virtual private network;

using network filter rules to restrict network traffic to or from the application other than traffic to or from the secure container service;

using a customized domain name system service to provide name resolution to domain name system requests from the application within the secure container, the name resolution limited to server names allowed by a security policy;

examining the secure container for known vulnerabilities and preventing the secure container from launching when a known vulnerability is detected, the examining including at least one of checking configuration settings to identify combinations of settings that create known vulnerabilities, checking versions of libraries or applications within the secure container to identify unpatched known vulnerabilities, performing a port scan to identify known vulnerabilities, and any combination thereof;

establishing an inbound network proxy to filter and route approved inbound traffic to the application; and

establishing an outbound network proxy to filter and route approved outbound traffic from the application.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for provisioning a secure container for running an application includes routing traffic between the application and a secure container service over a virtual private network, and restricting the flow of traffic to or from the application other than traffic to or from the secure container service. The method further includes providing limited name resolution for the secure container with a customized domain name system server, establishing network proxy services to filter and route approved inbound traffic to the application, and establishing outbound network proxy services to filter and route approved outbound traffic from the application.

Citations

15 Claims

1. A method for provisioning a secure container for running an application, comprising:
- routing traffic between the application and a secure container service over a virtual private network;
  
  using network filter rules to restrict network traffic to or from the application other than traffic to or from the secure container service;
  
  using a customized domain name system service to provide name resolution to domain name system requests from the application within the secure container, the name resolution limited to server names allowed by a security policy;
  
  examining the secure container for known vulnerabilities and preventing the secure container from launching when a known vulnerability is detected, the examining including at least one of checking configuration settings to identify combinations of settings that create known vulnerabilities, checking versions of libraries or applications within the secure container to identify unpatched known vulnerabilities, performing a port scan to identify known vulnerabilities, and any combination thereof;
  
  establishing an inbound network proxy to filter and route approved inbound traffic to the application; and
  
  establishing an outbound network proxy to filter and route approved outbound traffic from the application.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising receiving a request to create the secure container for the application.
  - 3. The method of claim 1, further comprising examining a container image or startup options to determine the security policy for the secure container.
  - 4. The method of claim 1, further comprising capturing data streams from the application and forwarding the data streams to a logging function.
  - 5. The method of claim 1, wherein the inbound network proxy and the outbound network proxy are components of the secure container service.
  - 6. The method of claim 1, wherein the customized domain name system server is provided by the secure container service.

7. A method for providing name resolution for an application within a secure container, the method comprising:
- receiving a request for name resolution from the application;
  
  forwarding the request for name resolution to an upstream domain name server if a requested name is allowed by a security policy;
  
  receiving a response from the upstream domain name server, the response including a network address and a time-to-live;
  
  modifying a network filter to allow traffic to the network address;
  
  forwarding the response to the application; and
  
  modifying the network filter to disallow traffic to the network address after the time-to-live has expired.
- View Dependent Claims (8, 9, 10)
- - 8. The method of claim 7, wherein the security policy is determined by examining a container image or startup options.
  - 9. The method of claim 7, wherein the application resides within a virtual container.
  - 10. The method of claim 7, wherein the network filter is provided by a secure container service.

11. An information handling system comprising:
- a processor configured to;
  
  route traffic between an application and a secure container service over a virtual private network;
  
  use network filter rules to restrict network traffic to or from the application other than traffic to or from the secure container service;
  
  provide name resolution to domain name system requests from the application within the secure container using a customized domain name system server, the name resolution limited to server names allowed by a security policy;
  
  examine the secure container for known vulnerabilities, including at least one of check configuration settings to identify combinations of settings that create known vulnerabilities, check versions of libraries or applications within the secure container to identify unpatched known vulnerabilities, perform a port scan to identify known vulnerabilities, and any combination thereof,prevent the secure container from launching when a known vulnerability is detected;
  
  establish an inbound network proxy to filter and route approved inbound traffic to the application; and
  
  establish an outbound network proxy to filter and route approved outbound traffic from the application.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The information handling system of claim 11, further comprising receiving a request to create the secure container for the application.
  - 13. The information handling system of claim 11, further comprising examining a container image or startup options to determine the security policy for the secure container.
  - 14. The information handling system of claim 11, further comprising capturing data streams from the application and forwarding the data streams to a logging function.
  - 15. The information handling system of claim 11, wherein the inbound network proxy and the outbound network proxy are components of the secure container service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureWorks Corp. (Dell Technologies Inc.)
Original Assignee
SecureWorks Corp. (Dell Technologies Inc.)
Inventors
Kinder, Ross R., Ramsey, Jon R., Vidas, Timothy M., Danford, Robert
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US14/991,628
Publication Number

US 20170201490A1
Time in Patent Office

1,026 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/1433   Vulnerability analysis

Systems and methods for secure containerization

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for secure containerization

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links