Method and apparatus for distributing firewall rules

US 10,264,021 B2
Filed: 12/14/2015
Issued: 04/16/2019
Est. Priority Date: 02/20/2014
Status: Active Grant

First Claim

Patent Images

1. A method of distributing firewall rules, the method comprising:

specifying a firewall rule and a group identifier that identifies a group of enforcement nodes at which the firewall rule should be enforced;

to each of a plurality of devices associated with at least one enforcement node from the group of enforcement nodes identified by the group identifier, distributing the specified firewall rule along with a set of node identifiers identifying a set of enforcement nodes associated with the device at which the specified firewall rule has to be enforced, wherein each device supplies the specified firewall rule to each enforcement node that is associated with the device and that is identified by a node identifier in the set of node identifiers received by the device;

modifying the group of enforcement nodes associated with the group identifier by adding or removing at least one enforcement node to or from the group; and

in response to the modification, distributing a group update to each device that is associated with an enforcement node affected by the modification to the group for the device to use to supply the specified rule to one or more enforcement nodes added to the group or to eliminate the specified rule from one or more enforcement nodes removed from the group.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced). As the AppliedTo tuples of the firewall rules can refer to dynamically modifiable constructs, the application of the AppliedTo firewall rules (i.e., rules that are specified to include an AppliedTo tuple) can be dynamically adjusted for different locations within a network by dynamically adjusting the membership of these modifiable constructs.

174 Citations

18 Claims

1. A method of distributing firewall rules, the method comprising:
- specifying a firewall rule and a group identifier that identifies a group of enforcement nodes at which the firewall rule should be enforced;
  
  to each of a plurality of devices associated with at least one enforcement node from the group of enforcement nodes identified by the group identifier, distributing the specified firewall rule along with a set of node identifiers identifying a set of enforcement nodes associated with the device at which the specified firewall rule has to be enforced, wherein each device supplies the specified firewall rule to each enforcement node that is associated with the device and that is identified by a node identifier in the set of node identifiers received by the device;
  
  modifying the group of enforcement nodes associated with the group identifier by adding or removing at least one enforcement node to or from the group; and
  
  in response to the modification, distributing a group update to each device that is associated with an enforcement node affected by the modification to the group for the device to use to supply the specified rule to one or more enforcement nodes added to the group or to eliminate the specified rule from one or more enforcement nodes removed from the group.
- View Dependent Claims (2, 3, 4, 5, 16, 17, 18)
- - 2. The method of claim 1, wherein modifying the group of enforcement nodes associated with the group identifier comprises receiving an update from a network administrator.
  - 3. The method of claim 1, whereinat least a first device in the plurality of devices is associated with first and second enforcement nodes;
    - modifying the group of enforcement nodes comprises removing the first enforcement node from the group of enforcement nodes; and
      
      distributing the group update comprises directing the first device to remove the specified firewall rule from the first enforcement node.
  - 4. The method of claim 3, wherein the first device is a host computing device on which a plurality of virtual machines (VMs) are executing, wherein the enforcement nodes are firewall modules executing on the host to process firewall rules for the VMs.
  - 5. The method of claim 4, wherein each enforcement node is specified in terms of an identifier for a virtual network interface card (VNIC) of a VM.
  - 16. The method of claim 1, whereindistributing the specified firewall rule to a device comprises distributing the firewall rule to a firewall rule table stored on the device;
    - andadding the specified firewall rule to an enforcement node comprises storing the rule in a rule table associated with the enforcement node that is a different rule table than said firewall rule table.
  - 17. The method of claim 16, wherein removing the specified firewall rule comprises removing the specified firewall rule from the rule table associated with the enforcement node.
  - 18. The method of claim 17 further comprising maintaining the specified firewall rule in the rule table of the device after the specified firewall rule has been removed from the enforcement node rule table.

6. A non-transitory machine readable medium storing a program for distributing firewall rules, the program comprising sets of instructions for:
- specifying a firewall rule and a group identifier that identifies a group of enforcement nodes at which the firewall rule should be enforced;
  
  to each of a plurality of devices associated with at least one enforcement node from the group of enforcement nodes identified by the group identifier, distributing the specified firewall rule along with a set of node identifiers identifying a set of enforcement nodes associated with the device at which the specified firewall rule has to be enforced, wherein each device supplies the specified firewall rule to each enforcement node that is associated with the device and that is identified by a node identifier in the set of node identifiers received by the device;
  
  modifying the group of enforcement nodes associated with the group identifier by adding or removing at least one enforcement node to or from the group; and
  
  in response to the modification, distributing a group update to each device that is associated with an enforcement node affected by the modification to the group for the device to use to supply the specified rule to one or more enforcement nodes added to the group or to eliminate the specified rule from one or more enforcement nodes removed from the group.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The machine readable medium of claim 6, wherein the set of instructions for modifying the group of enforcement nodes associated with the group identifier comprises a set of instructions for receiving an update from a network administrator through a user interface.
  - 8. The machine readable medium of claim 6, whereinat least a first device in the plurality of devices is associated with first and second enforcement nodes;
    - the set of instructions for modifying the group of enforcement nodes comprises a set of instructions for removing the first enforcement node from the group of enforcement nodes; and
      
      the set of instructions for distributing the group update comprises a set of instructions for directing the first device to remove the specified firewall rule from the first enforcement node.
  - 9. The machine readable medium of claim 8, wherein the first device is a host computing device on which a plurality of virtual machines (VMs) are executing, wherein the enforcement nodes are firewall modules executing on the host to process firewall rules for the VMs.
  - 10. The machine readable medium of claim 9, wherein each enforcement node is specified in terms of an identifier for a virtual network interface card (VNIC) of a VM.

11. A firewall system comprising:
- a plurality of devices each associated with a set of one or more firewall enforcement nodes;
  
  a set of servers for specifying a firewall rule and a group identifier that identifies a group of enforcement nodes at which the specified firewall rule should be enforced, and for distributing the specified firewall rule to each of a set of devices associated with at least one enforcement node from the group of enforcement nodes identified by the group identifier, said specified firewall rule distributed to each of the set of devices along with a set of node identifiers identifying a set of enforcement nodes associated with the device at which the specified firewall rule has to be enforced, each device in the set supplying the specified firewall rule to each enforcement node that is associated with the device and that is identified by a node identifier in the set of node identifiers received by the device;
  
  the set of servers further for modifying the group of enforcement nodes associated with the group identifier by adding or removing at least one enforcement node to or from the group, and for distributing a group update to each device that is associated with an enforcement node affected by the modification to the group for the device to use to supply the specified rule to one or more enforcement nodes added to the group or to eliminate the specified rule from one or more enforcement nodes removed from the group.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11 further comprising a server for providing an interface through which a network administrator modifies the group of enforcement nodes associated with the group identifier by adding an enforcement node to the group or removing an enforcement node from the group.
  - 13. The system of claim 11, wherein at least a first device in the plurality of devices is associated with first and second enforcement nodes, and the group of enforcement nodes is modified by removing the first enforcement node from the group of enforcement nodes, and the group update directs the first device to remove the specified firewall rule from the first enforcement node.
  - 14. The system of claim 13, wherein the first device is a host computing device on which a plurality of virtual machines (VMs) are executing, wherein the enforcement nodes are firewall modules executing on the host to process firewall rules for the VMs.
  - 15. The system of claim 14, wherein each enforcement node is specified in terms of an identifier for a virtual network interface card (VNIC) of a VM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Bansal, Kaushal, Masurekar, Uday, Srinivasan, Aravind, Shah, Shadab, Maskalik, Serge
Primary Examiner(s)
Perungavoor, Venkat

Application Number

US14/968,795
Publication Number

US 20160191570A1
Time in Patent Office

1,219 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

Method and apparatus for distributing firewall rules

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

174 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for distributing firewall rules

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

174 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links