Host-based firewall for distributed computer systems
First Claim
1. A computer-implemented method, comprising:
executing a host-based firewall loaded into memory of a virtual machine instance operated by a customer of a plurality of customers of a computing resource service provider, where the virtual machine instance is a computing resource that is a member of a set of computing resources provided to the plurality of customers by the computing resource service provider;
obtaining network traffic information from the host-based firewall, the network traffic information indicating a set of connection attempts between the virtual machine instance and at least one other computer system and a particular application of one or more applications executed by the virtual machine instance associated with a particular connection attempt of the set of connection attempts;
prompting the customer for decisions to allow or deny the set of connection attempts by at least providing the customer with a notification of the set of connection attempts;
obtaining, from the customer, a first set of decisions to allow or deny the set of connection attempts;
obtaining, from a different customer, a second set of decisions to allow or deny another set of connection attempts between a virtual machine instance of the different customer and at least one other computer system;
generating a rule set by the host-based firewall based at least in part on the first set of decisions and the second set of decisions; and
enforcing, by the host-based firewall, the generated rule set.
Abstract
Customers of a computing resource service provider may utilize computing resources of the computing resource service provider to implement one or more computer systems. Furthermore, the customer may cause a host-based firewall to be executed by the one or more computer systems. The host-based firewall may collect network traffic information. The customer may then be provided with the network traffic information and be prompted to provide decisions associated with the network traffic information. The decisions may be used to generate a set of rules which may be enforced by the host-based firewall.
20 Claims
5. A system, comprising:
one or more processors; and
memory that includes instructions that, when executed by the one or more processors, cause the system to:
obtain network traffic information from one or more host-based firewalls implemented by a plurality of virtual machine instances operated by a plurality of customers of a computing resource service provider, the network traffic information indicating one or more processes executed by the plurality of virtual machine instances and associated with one or more network connections included in the network traffic information;
generate a set of rules for network traffic based at least in part on decisions received from at least two of the plurality of customers, the decisions identifying whether to allow or deny a set of connection attempts between virtual machine instances of the at least two of the plurality of customers and other computer systems;
provide the set of rules to the one or more host-based firewalls; and
enforce, by the host-based firewalls, the set of rules.
(Dependent claims: 6, 7, 8, 9, 10, 11, 12)
13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
execute a host-based firewall, the host-based firewall included in memory of the computer system as a result of a command from a customer of a plurality of customers of a computing resource service provider;
cause the host-based firewall to obtain network traffic information indicating a process associated with network traffic;
provide the network traffic information to a security service;
obtain, from the security service, a set of rules for network traffic to be enforced by the host-based firewall, the set of rules for network traffic generated based at least in part on rule decisions made by a plurality of the customers, the rule decisions identifying whether to allow or deny a set of connection attempts between virtual machines of the customers and other computer systems; and
enforce, by the host-based firewall, the set of rules.
(Dependent claims: 14, 15, 16, 17, 18, 19, 20)
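The rule-generation and enforcement steps shared by claims 1, 5 and 13 (per-process connection attempts reported by host firewalls, allow/deny decisions gathered from more than one customer, merged into one rule set that the firewalls enforce) as an added illustration in Python; this is not code from the patent, and the security service's merge policy (any deny wins, a configurable minimum number of allows, default deny for undecided tuples), the `ConnectionAttempt` tuple shape and the sample decisions are all assumptions made here.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionAttempt:
    """One attempt reported by a host-based firewall, with the process that made it."""
    process: str
    remote: str
    port: int


# Constructed sample: decisions two customers returned when prompted about the
# attempts their own instances reported (addresses are from documentation ranges).
DECISIONS = {
    "customer-a": {
        ConnectionAttempt("sshd", "203.0.113.7", 22): "allow",
        ConnectionAttempt("updater", "198.51.100.9", 443): "allow",
        ConnectionAttempt("telemetry", "198.51.100.200", 8443): "allow",
        ConnectionAttempt("unknown-bin", "192.0.2.40", 3333): "deny",
    },
    "customer-b": {
        ConnectionAttempt("updater", "198.51.100.9", 443): "allow",
        ConnectionAttempt("telemetry", "198.51.100.200", 8443): "deny",
        ConnectionAttempt("unknown-bin", "192.0.2.40", 3333): "deny",
    },
}


def generate_rule_set(decisions_by_customer, min_allows=1):
    """Merge per-customer allow/deny decisions into one shared rule set (assumed policy).

    A tuple is allowed only if at least min_allows customers allowed it and
    nobody denied it; a single deny wins, so one customer's bad experience
    protects the others. Tuples nobody decided on are absent (default deny).
    """
    votes = defaultdict(lambda: {"allow": 0, "deny": 0})
    for decisions in decisions_by_customer.values():
        for attempt, verdict in decisions.items():
            votes[attempt][verdict] += 1
    return {
        attempt: "allow" if tally["deny"] == 0 and tally["allow"] >= min_allows else "deny"
        for attempt, tally in votes.items()
    }


def enforce(rules, attempt):
    """Firewall verdict for a new attempt as (verdict, needs_prompt). Unknown
    tuples are denied and flagged so the customer can be prompted to decide."""
    verdict = rules.get(attempt)
    return ("deny", True) if verdict is None else (verdict, False)
```

Raising `min_allows` makes the service wait for agreement from more customers before a tuple is opened, at the cost of more prompts.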
Specification