Distributed firewall security system that extends across different cloud computing networks

US 10,484,334 B1
Filed: 04/13/2017
Issued: 11/19/2019
Est. Priority Date: 02/26/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

providing an application profile to manage security of an application deployed across two or more cloud computing networks;

allowing a user to define in the application profile a first server group, a second server group, a cloud chamber as including the first and second server groups, and a computing flow to the cloud chamber;

generating a firewall rule based on the computing flow to the cloud chamber;

distributing the firewall rule to the first server group of the cloud chamber; and

distributing a copy of the firewall rule to the second server group of the cloud chamber, wherein the first server group is in a first cloud computing network of the two or more cloud computing networks, the second server group is in a second cloud computing network of the two or more cloud computing networks, andwherein the first cloud computing network is provided by a first cloud provider, and the second cloud computing network is provided by a second cloud provider, different from the first cloud provider.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An application profile is provided to manage security of an application deployed across two or more cloud computing networks. A user can define in the application profile first and second server groups, a cloud chamber as including the first and second server groups, and a computing flow to the cloud chamber. A firewall rule is generated based on the computing flow. The firewall rule is distributed to the first server group of the cloud chamber. A copy of the firewall rule is distributed to the second server group of the cloud chamber. The first server group is in a first cloud computing network that is provided by a first cloud provider. The second server group is in a second cloud computing network that is provided by a second cloud provider, different from the first cloud provider.

151 Citations

View as Search Results

16 Claims

1. A method comprising:
- providing an application profile to manage security of an application deployed across two or more cloud computing networks;
  
  allowing a user to define in the application profile a first server group, a second server group, a cloud chamber as including the first and second server groups, and a computing flow to the cloud chamber;
  
  generating a firewall rule based on the computing flow to the cloud chamber;
  
  distributing the firewall rule to the first server group of the cloud chamber; and
  
  distributing a copy of the firewall rule to the second server group of the cloud chamber, wherein the first server group is in a first cloud computing network of the two or more cloud computing networks, the second server group is in a second cloud computing network of the two or more cloud computing networks, andwherein the first cloud computing network is provided by a first cloud provider, and the second cloud computing network is provided by a second cloud provider, different from the first cloud provider.

2. The method of claim 1 comprising:
- receiving, at a first endpoint in the first server group of the cloud chamber, a first data packet specifying a particular destination port;
  
  evaluating the firewall rule distributed to the first server group to determine whether the first data packet should be denied or accepted;
  
  receiving, at a second endpoint in the second server group of the cloud chamber, a second data packet specifying the same particular destination port; and
  
  evaluating the copy of the firewall rule distributed to the second server group to determine whether the second data packet should be denied or accepted.

3. The method of claim 1 comprising:
- receiving, at a first endpoint in the first server group of the cloud chamber, a first data packet specifying a particular protocol;
  
  evaluating the firewall rule distributed to the first server group to determine whether the first data packet should be denied or accepted;
  
  receiving, at a second endpoint in the second server group of the cloud chamber, a second data packet specifying the same particular protocol; and
  
  evaluating the copy of the firewall rule distributed to the second server group to determine whether the second data packet should be denied or accepted.

4. The method of claim 1 comprising:
- programming the firewall rule distributed to the first server group into an operating system (OS) of an endpoint in the first server group;
  
  monitoring the firewall rule programmed into the OS to detect tampering;
  
  detecting tampering of the firewall rule programmed into the OS; and
  
  upon detecting the tampering, replacing the tampered firewall rule with the firewall rule distributed to the first server group.

5. The method of claim 4 comprising:
- calculating a frequency of the tampering;
  
  determining whether the frequency exceeds a threshold frequency; and
  
  if the frequency exceeds the threshold frequency, generating an alert to add the endpoint to a listing of quarantined endpoints.

6. The method of claim 1 comprising:
- programming the firewall rule distributed to the first server group into an operating system (OS) of an endpoint in the first server group;
  
  maintaining, in memory at the endpoint, a separate copy of the firewall rule that was programmed into the OS;
  
  periodically comparing the firewall rule programmed into the OS against the separate copy of the firewall rule maintained in the memory of the endpoint to detect tampering of the firewall rule programmed into the OS; and
  
  upon detecting tampering, copying back into the OS the separate copy of the firewall rule maintained in memory at the endpoint, and issuing an alert to a central security controller that is connected with the endpoint.

7. The method of claim 1 wherein the computing flow is a first computing flow and the method comprises:
- allowing the user to define in the application profile a second computing flow from the cloud chamber;
  
  generating a second firewall rule based on the second computing flow from the cloud chamber;
  
  distributing the second firewall rule to the first server group of the cloud chamber; and
  
  distributing a copy of the second firewall rule to the second server group of the cloud chamber.

8. A method comprising:
- providing an application profile to manage security of an application deployed across a first cloud computing network, and a second cloud computing network, the first and second cloud computing networks being connected by the Internet;
  
  allowing a user to define in the application profile a first server group, a second server group, a cloud chamber as including the first and second server groups, and a computing flow from the cloud chamber;
  
  generating a firewall rule based on the computing flow from the cloud chamber;
  
  distributing the firewall rule to the first server group of the cloud chamber; and
  
  distributing a copy of the firewall rule to the second server group of the cloud chamber, wherein the first server group is in the first cloud computing network, and the first cloud computing network belongs to a first cloud provider, andwherein the second server group is in the second cloud computing network, and the second cloud computing network belongs to a second cloud provider, different from the first cloud provider.

9. The method of claim 8 wherein the firewall rule distributed to the first server group specifies a particular destination Internet Protocol (IP) address, a particular destination port, a particular protocol, and a particular action to be performed when parameters of a data packet to be sent from the first server group matches the particular destination IP address, particular destination port, and particular protocol, andwherein the copy of the firewall rule distributed to the second server group specifies the same particular destination IP address, particular destination port, particular protocol, and particular action.

10. The method of claim 8 wherein the first and second cloud computing networks are remote from each other.

11. The method of claim 8 wherein the firewall rule is received by an agent at an endpoint in the first server group, andwherein the agent programs the firewall rule into an operating system (OS) at the endpoint, maintains a separate copy of the firewall rule in memory at the endpoint, and monitors the firewall rule programmed into the OS using the separate copy of the firewall rule maintained in the memory at the endpoint.

12. The method of claim 8 wherein the firewall rule is a first firewall rule and the method comprises:
- allowing the user to define in the application profile a second computing flow to the cloud chamber;
  
  generating a second firewall rule based on the second computing flow to the cloud chamber;
  
  distributing the second firewall rule to the first server group of the cloud chamber; and
  
  distributing a copy of the second firewall rule to the second server group of the cloud chamber.

13. The method of claim 8 comprising:
- receiving the firewall rule at an endpoint in the first server group;
  
  programming the firewall rule into an operating system (OS) at the endpoint;
  
  maintaining, in memory at the endpoint, an independent copy of the firewall rule programmed into the OS;
  
  monitoring the firewall rule programmed into the OS using the independent copy of the firewall rule maintained in the memory at the endpoint to detect tampering of the firewall rule programmed into the OS; and
  
  upon detection of tampering, replacing the tampered firewall rule with the independent copy of the firewall rule maintained in the memory at the endpoint.

14. A method comprising:
- storing an application profile to manage security of an application deployed across a first cloud computing network, and a second cloud computing network, the first and second cloud computing networks being connected by the Internet;
  
  allowing a user to define in the application profile a first server group as being in the first cloud computing network, a second server group as being in the second cloud computing network, a cloud chamber as including the first and second server groups, a first computing flow to the cloud chamber, and a second computing flow from the cloud chamber;
  
  generating a first firewall rule based on the first computing flow to the cloud chamber;
  
  transmitting the first firewall rule to the first server group;
  
  transmitting a copy of the first firewall rule to the second server group;
  
  generating a second firewall rule based on the second computing flow from the cloud chamber;
  
  transmitting the second firewall rule to the first server group; and
  
  transmitting a copy of the second firewall rule to the second server group, wherein the first cloud computing network is owned by a first cloud provider, and the second cloud computing network is owned by a second cloud provider, different from the first cloud provider.

15. The method of claim 14 wherein the first firewall rule is received by an agent at an endpoint in the first server group, andwherein the agent programs the first firewall rule into an operating system (OS) at the endpoint,maintains, in memory at the endpoint, a copy of the first firewall rule programmed into the OS, andupon detecting tampering of the first firewall rule programmed into the OS, replaces the tampered first firewall rule with the copy of the first firewall rule maintained in the memory at the endpoint.

16. The method of claim 14 comprising:
- receiving the first and second firewall rules at an endpoint in the first server group;
  
  inserting the first and second firewall rules into an operating system (OS) at the endpoint for enforcement;
  
  monitoring the first and second firewall rules inserted into the OS to detect tampering;
  
  calculating a frequency of the tampering;
  
  determining whether the frequency exceeds a threshold frequency; and
  
  if the frequency exceeds the threshold frequency, generating an alert to place the endpoint into quarantine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zentera Systems, Inc.
Original Assignee
Zentera Systems, Inc.
Inventors
Lee, Jaushin, Lee, Hung Chuen Jason
Primary Examiner(s)
Powers, William S
Assistant Examiner(s)
Wyszynski, Aubrey H

Application Number

US15/487,327
Time in Patent Office

950 Days
Field of Search

726 14
US Class Current
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 67/10   in which an application is ...

H04L 67/30   Profiles

Distributed firewall security system that extends across different cloud computing networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

151 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed firewall security system that extends across different cloud computing networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

151 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links