Context aware microsegmentation
First Claim
1. A context aware microsegmented network, comprising:
an enforcement point creating a logical security boundary around at least a first and a second virtual machine collectively providing a microservice, the microservice comprising a first microservice component and a second microservice component, the first microservice component being provided by the first virtual machine, the second microservice component being provided by the second virtual machine, the enforcement point configured to:
select at least a first and a second contextual security policy based upon attributes of the first and the second virtual machines respectively; and
apply at least one of the first and the second contextual security policies to control network traffic of the first and the second virtual machines within the logical security boundary based on the attributes of the first and the second virtual machines; and
a central enforcement controller that:
determines a packet forwarding path for the enforcement point;
selects a third contextual security policy based on at least one of a location of the enforcement point and security attributes of the enforcement point; and
applies the third contextual security policy to network traffic into and out of the logical security boundary received by at least one of the location of the enforcement point or the packet forwarding path.
Abstract
Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of the plurality of microservices is bounded by one of the plurality of logical security boundaries.
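The architecture described in the first claim above and in this abstract, as an added worked example that is not code from the patent or its assignee: a small Python model in which an enforcement point wraps the two virtual machines of one microservice and selects a per-VM policy from each VM's attributes (the first and second contextual policies), while a central controller determines the enforcement point's forwarding path and selects a boundary policy from the enforcement point's location (the third contextual policy). Traffic that stays inside the boundary is judged by the VM policies alone; traffic that crosses the boundary is judged by the boundary policy first and then, for ingress, by the destination VM's policy. All VM names, addresses, attribute labels, prefixes, hop names and the policy catalogue are assumptions made for the illustration.

```python
# Added illustration, not the patent's own code: every name, address, label
# and policy below is assumed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

Service = Tuple[str, int]  # (protocol, destination port)

@dataclass
class VM:
    name: str
    ip: str
    attributes: Dict[str, str]  # constructed labels such as role, service, env

@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int

@dataclass
class VMPolicy:  # first/second contextual policy: what a VM may receive, and from whom
    name: str
    allowed: Set[Service]
    required_peer_attrs: Dict[str, str]  # {} = any source inside the boundary

@dataclass
class BoundaryPolicy:  # third contextual policy: traffic crossing the boundary
    name: str
    ingress: Dict[Service, str]  # service -> source prefix allowed to reach it
    egress_to: List[str]         # destination prefixes members may reach

def select_vm_policy(vm: VM) -> VMPolicy:
    # Policy chosen from the VM's attributes (assumed catalogue, default deny).
    role, svc = vm.attributes.get("role"), vm.attributes.get("service", "")
    if role == "web":
        return VMPolicy("web-frontend", {("tcp", 443)}, {})
    if role == "db":  # only the web tier of the same microservice may reach the DB
        return VMPolicy("db-backend", {("tcp", 5432)}, {"role": "web", "service": svc})
    return VMPolicy("default-deny", set(), {})

class EnforcementPoint:
    """Wraps the VMs of one microservice and polices traffic between them."""
    def __init__(self, name: str, location: str, members: List[VM]):
        self.name, self.location = name, location
        self.members = {vm.ip: vm for vm in members}
        self.policies = {vm.ip: select_vm_policy(vm) for vm in members}

    def dst_allows(self, flow: Flow) -> bool:
        """Apply the destination VM's contextual policy to one flow."""
        pol = self.policies[flow.dst_ip]
        if (flow.proto, flow.dst_port) not in pol.allowed:
            return False
        if not pol.required_peer_attrs:
            return True
        src = self.members.get(flow.src_ip)
        if src is None:
            return False  # peer attributes are only known for VMs inside the boundary
        return all(src.attributes.get(k) == v for k, v in pol.required_peer_attrs.items())

class CentralController:
    def __init__(self) -> None:
        # Assumed topology: enforcement-point location -> upstream hops.
        self.paths = {"dmz": ["edge-fw", "dmz-router"], "internal": ["core-router"]}

    def forwarding_path(self, ep: EnforcementPoint) -> List[str]:
        return self.paths.get(ep.location, []) + [ep.name]

    def select_boundary_policy(self, ep: EnforcementPoint) -> BoundaryPolicy:
        if ep.location == "dmz":  # internet-facing: HTTPS from anywhere
            return BoundaryPolicy("dmz-edge", {("tcp", 443): "0.0.0.0/0"}, ["10.20.0.0/16"])
        return BoundaryPolicy("internal-only", {("tcp", 443): "10.0.0.0/8"}, ["10.20.0.0/16"])

    def boundary_allows(self, ep: EnforcementPoint, flow: Flow) -> bool:
        pol = self.select_boundary_policy(ep)
        if flow.dst_ip in ep.members:  # ingress into the boundary
            prefix = pol.ingress.get((flow.proto, flow.dst_port))
            return prefix is not None and ip_address(flow.src_ip) in ip_network(prefix)
        return any(ip_address(flow.dst_ip) in ip_network(p) for p in pol.egress_to)

def evaluate(ep: EnforcementPoint, ctl: CentralController, flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow observed at the enforcement point."""
    src_in, dst_in = flow.src_ip in ep.members, flow.dst_ip in ep.members
    if not (src_in or dst_in):
        raise ValueError("flow does not touch this boundary")
    if src_in and dst_in:  # stays inside: VM policies only
        return "allow" if ep.dst_allows(flow) else "deny"
    if not ctl.boundary_allows(ep, flow):  # crosses: third policy first
        return "deny"
    if dst_in and not ep.dst_allows(flow):  # then the destination VM's own policy
        return "deny"
    return "allow"

def build_demo(location: str = "dmz") -> Tuple[EnforcementPoint, CentralController]:
    # Constructed "checkout" microservice: one web VM and one database VM.
    web = VM("web-1", "10.1.0.10", {"role": "web", "service": "checkout", "env": "prod"})
    db = VM("db-1", "10.1.0.20", {"role": "db", "service": "checkout", "env": "prod"})
    return EnforcementPoint("ep-checkout", location, [web, db]), CentralController()
```

With `build_demo("dmz")`, `evaluate` allows web-1 to reach db-1 on tcp/5432, allows an Internet source to reach web-1 on tcp/443 but not db-1 on tcp/5432, and allows egress only to the assumed shared-services prefix; the same two VMs behind an enforcement point located in `internal` accept tcp/443 only from 10.0.0.0/8. Two points worth keeping when turning this into a real enforcement point: the database policy's peer constraint is evaluated against attributes the enforcement point knows about its own members, so a source outside the boundary can never satisfy it, and a VM with no recognised attributes falls into a default-deny policy rather than inheriting a permissive one.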
27 Claims
1. A context aware microsegmented network (independent claim; full text given under First Claim above). Dependent claims: 2 through 13.
14. A method for context aware security policy enforcement, the method comprising:
selecting, by an enforcement point, at least a first and a second contextual security policy based upon attributes of at least a first and a second virtual machine respectively, the at least first and second virtual machines collectively providing a microservice, the microservice comprising a first microservice component and a second microservice component, the first microservice component being provided by the first virtual machine, the second microservice component being provided by the second virtual machine;
applying, by the enforcement point, at least one of the first and the second contextual security policies to control network traffic of the first and the second virtual machines within a logical security boundary based on the attributes of the first and the second virtual machines;
determining, by a central enforcement controller, a packet forwarding path for the enforcement point;
selecting, by the central enforcement controller, a third contextual security policy based on at least one of a location of the enforcement point and security attributes of the enforcement point; and
applying, by the central enforcement controller, the third contextual security policy to network traffic into and out of the logical security boundary received by at least one of the location of the enforcement point or the packet forwarding path.
Dependent claims: 15 through 26.
27. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method, the method comprising:
selecting, by an enforcement point, at least a first and a second contextual security policy based upon attributes of at least a first and a second virtual machine respectively, the at least first and second virtual machines collectively providing a microservice, the microservice comprising a first microservice component and a second microservice component, the first microservice component being provided by the first virtual machine, the second microservice component being provided by the second virtual machine;
applying, by the enforcement point, at least one of the first and the second contextual security policies to control network traffic of the first and the second virtual machines within a logical security boundary based on the attributes of the first and the second virtual machines;
determining, by a central enforcement controller, a packet forwarding path for the enforcement point;
selecting, by the central enforcement controller, a third contextual security policy based on at least one of a location of the enforcement point and security attributes of the enforcement point; and
applying, by the central enforcement controller, the third contextual security policy to network traffic into and out of the logical security boundary received by at least one of the location of the enforcement point or the packet forwarding path.