Single packet authorization in a cloud computing environment

US 10,320,748 B2
Filed: 02/23/2017
Issued: 06/11/2019
Est. Priority Date: 02/23/2017
Status: Active Grant

First Claim

Patent Images

1. A compute node comprising:

a virtual switch operating on at least a portion of a plurality of hardware resources of a cloud computing environment;

a virtual firewall;

a cloud workload executing a cloud service; and

a single packet authorization service;

wherein the virtual switchreceives a single packet authorization request from a single packet authorization client executing on a computing device external to and in communication with the cloud computing environment via a network, andforwards the single packet authorization request to the virtual firewall and to the single packet authorization service; and

wherein the virtual firewall denies the single packet authorization request in accordance with a firewall policy;

wherein the single packet authorization service utilizes a single packet authorization validation scheme to validate the single packet authorization request; and

wherein the virtual firewall implements a temporary firewall policy to allow incoming packets from the single packet authorization client and directed to the cloud service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Concepts and technologies disclosed herein are directed to single packet authorization (“SPA”) in a cloud computing environment. A compute node can include a virtual switch operating on at least a portion of a plurality of hardware resources of a cloud computing environment, a virtual firewall, a cloud workload executing a cloud service, and a SPA service. The virtual switch can receive a SPA request from a SPA client executing on a computing device. The virtual switch can forward the SPA request to the virtual firewall and to the SPA service. The virtual firewall can deny the SPA request in accordance with a firewall policy. The SPA service can utilize a SPA validation scheme to validate the SPA request. The virtual firewall can implement a temporary firewall policy to allow incoming packets from the SPA client and directed to the cloud service.

32 Citations

View as Search Results

20 Claims

1. A compute node comprising:
- a virtual switch operating on at least a portion of a plurality of hardware resources of a cloud computing environment;
  
  a virtual firewall;
  
  a cloud workload executing a cloud service; and
  
  a single packet authorization service;
  
  wherein the virtual switchreceives a single packet authorization request from a single packet authorization client executing on a computing device external to and in communication with the cloud computing environment via a network, andforwards the single packet authorization request to the virtual firewall and to the single packet authorization service; and
  
  wherein the virtual firewall denies the single packet authorization request in accordance with a firewall policy;
  
  wherein the single packet authorization service utilizes a single packet authorization validation scheme to validate the single packet authorization request; and
  
  wherein the virtual firewall implements a temporary firewall policy to allow incoming packets from the single packet authorization client and directed to the cloud service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The compute node of claim 1, wherein the cloud workload comprises a virtual machine.
  - 3. The compute node of claim 1, wherein the single packet authorization request is encoded with a credential.
  - 4. The compute node of claim 3, wherein the single packet authorization validation scheme comprises verifying that the credential is valid and that access to the cloud workload is allowed.
  - 5. The compute node of claim 1, further comprising a software-defined networking controller;
    - and wherein the single packet authorization service is a function of the software-defined networking controller.
  - 6. The compute node of claim 1, wherein the virtual firewall determines whether the temporary firewall policy has expired, and in response to determining that the temporary firewall policy has expired, denying incoming packets from the single packet authorization client.
  - 7. The compute node of claim 1, further comprising a further cloud workload;
    - and wherein the single packet authorization service also serves the further cloud workload.
  - 8. The compute node of claim 1, wherein the single packet authorization request specifies a port and a protocol to be allowed in accordance with the temporary firewall policy.

9. A method comprising:
- receiving, by a virtual switch operating on a compute node that, in turn, is operating on at least a portion of a plurality of hardware resources of a cloud computing environment, a single packet authorization request from a single packet authorization client executing on a computing device external to and in communication with the cloud computing environment via a network;
  
  forwarding, by the virtual switch, the single packet authorization request to a virtual firewall and to a single packet authorization service;
  
  denying, by the virtual firewall, the single packet authorization request in accordance with a firewall policy;
  
  utilizing, by the single packet authorization service, a single packet authorization validation scheme to validate the single packet authorization request; and
  
  implementing, by the virtual firewall, a temporary firewall policy to allow incoming packets from the single packet authorization client and directed to a cloud workload executing a cloud service within the compute node.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, wherein the cloud workload comprises a virtual machine.
  - 11. The method of claim 9, wherein the single packet authorization request is encoded with a credential.
  - 12. The method of claim 11, wherein the single packet authorization validation scheme comprises verifying that the credential is valid and that access to the cloud workload is allowed.
  - 13. The method of claim 9, further comprising determining whether the temporary firewall policy has expired, and in response to determining that the temporary firewall policy has expired, denying incoming packets from the single packet authorization client.
  - 14. The method of claim 9, wherein the single packet authorization request specifies a port and a protocol to be allowed in accordance with the temporary firewall policy.

15. A computer-readable storage medium having instructions stored thereon that, when executed by at least a portion of processing resources of a plurality of hardware resources of a cloud computing environment, cause the at least the portion of processing resources to perform operations comprising:
- receiving, by a virtual switch, a single packet authorization request from a single packet authorization client executing on a computing device external to and in communication with the cloud computing environment via a network;
  
  forwarding, by the virtual switch, the single packet authorization request to a virtual firewall and to a single packet authorization service;
  
  denying, by the virtual firewall, the single packet authorization request in accordance with a firewall policy;
  
  utilizing, by the single packet authorization service, a single packet authorization validation scheme to validate the single packet authorization request; and
  
  implementing, by the virtual firewall, a temporary firewall policy to allow incoming packets from the single packet authorization client and directed to a cloud workload executing a cloud service within the compute node.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable storage medium of claim 15, wherein the cloud workload comprises a virtual machine.
  - 17. The computer-readable storage medium of claim 15, wherein the single packet authorization request is encoded with a credential.
  - 18. The computer-readable storage medium of claim 17, wherein the single packet authorization validation scheme comprises verifying that the credential is valid and that access to the cloud workload is allowed.
  - 19. The computer-readable storage medium of claim 15, wherein the operations further comprise determining whether the temporary firewall policy has expired, and in response to determining that the temporary firewall policy has expired, denying incoming packets from the single packet authorization client.
  - 20. The computer-readable storage medium of claim 19, wherein the single packet authorization request specifies a port and a protocol to be allowed in accordance with the temporary firewall policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Stair, Michael, Solero, Daniel
Primary Examiner(s)
Song, Hosuk

Application Number

US15/441,004
Publication Number

US 20180241718A1
Time in Patent Office

838 Days
Field of Search

726 1, 726 4, 726 11, 726 13, 726 15
US Class Current
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

H04W 12/088   using filters or firewalls

Single packet authorization in a cloud computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Single packet authorization in a cloud computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links