Distributed firewall security system that extends across different cloud computing networks
Abstract
An application profile is provided to manage security of an application deployed across two or more cloud computing networks. A user can define in the application profile first and second server groups, a cloud chamber as including the first and second server groups, and a computing flow to the cloud chamber. A firewall rule is generated based on the computing flow. The firewall rule is distributed to the first server group of the cloud chamber. A copy of the firewall rule is distributed to the second server group of the cloud chamber. The first server group is in a first cloud computing network that is provided by a first cloud provider. The second server group is in a second cloud computing network that is provided by a second cloud provider, different from the first cloud provider.
16 Claims

1. A method comprising: providing an application profile to manage security of an application deployed across two or more cloud computing networks; allowing a user to define in the application profile a first server group, a second server group, a cloud chamber as including the first and second server groups, and a computing flow to the cloud chamber; generating a firewall rule based on the computing flow to the cloud chamber; distributing the firewall rule to the first server group of the cloud chamber; and distributing a copy of the firewall rule to the second server group of the cloud chamber, wherein the first server group is in a first cloud computing network of the two or more cloud computing networks, the second server group is in a second cloud computing network of the two or more cloud computing networks, and wherein the first cloud computing network is provided by a first cloud provider, and the second cloud computing network is provided by a second cloud provider, different from the first cloud provider.

2. The method of claim 1 comprising: receiving, at a first endpoint in the first server group of the cloud chamber, a first data packet specifying a particular destination port; evaluating the firewall rule distributed to the first server group to determine whether the first data packet should be denied or accepted; receiving, at a second endpoint in the second server group of the cloud chamber, a second data packet specifying the same particular destination port; and evaluating the copy of the firewall rule distributed to the second server group to determine whether the second data packet should be denied or accepted.

3. The method of claim 1 comprising: receiving, at a first endpoint in the first server group of the cloud chamber, a first data packet specifying a particular protocol; evaluating the firewall rule distributed to the first server group to determine whether the first data packet should be denied or accepted; receiving, at a second endpoint in the second server group of the cloud chamber, a second data packet specifying the same particular protocol; and evaluating the copy of the firewall rule distributed to the second server group to determine whether the second data packet should be denied or accepted.

4. The method of claim 1 comprising: programming the firewall rule distributed to the first server group into an operating system (OS) of an endpoint in the first server group; monitoring the firewall rule programmed into the OS to detect tampering; detecting tampering of the firewall rule programmed into the OS; and upon detecting the tampering, replacing the tampered firewall rule with the firewall rule distributed to the first server group.

5. The method of claim 4 comprising: calculating a frequency of the tampering; determining whether the frequency exceeds a threshold frequency; and if the frequency exceeds the threshold frequency, generating an alert to add the endpoint to a listing of quarantined endpoints.

6. The method of claim 1 comprising: programming the firewall rule distributed to the first server group into an operating system (OS) of an endpoint in the first server group; maintaining, in memory at the endpoint, a separate copy of the firewall rule that was programmed into the OS; periodically comparing the firewall rule programmed into the OS against the separate copy of the firewall rule maintained in the memory of the endpoint to detect tampering of the firewall rule programmed into the OS; and upon detecting tampering, copying back into the OS the separate copy of the firewall rule maintained in memory at the endpoint, and issuing an alert to a central security controller that is connected with the endpoint.

7. The method of claim 1 wherein the computing flow is a first computing flow and the method comprises: allowing the user to define in the application profile a second computing flow from the cloud chamber; generating a second firewall rule based on the second computing flow from the cloud chamber; distributing the second firewall rule to the first server group of the cloud chamber; and distributing a copy of the second firewall rule to the second server group of the cloud chamber.

8. A method comprising: providing an application profile to manage security of an application deployed across a first cloud computing network, and a second cloud computing network, the first and second cloud computing networks being connected by the Internet; allowing a user to define in the application profile a first server group, a second server group, a cloud chamber as including the first and second server groups, and a computing flow from the cloud chamber; generating a firewall rule based on the computing flow from the cloud chamber; distributing the firewall rule to the first server group of the cloud chamber; and distributing a copy of the firewall rule to the second server group of the cloud chamber, wherein the first server group is in the first cloud computing network, and the first cloud computing network belongs to a first cloud provider, and wherein the second server group is in the second cloud computing network, and the second cloud computing network belongs to a second cloud provider, different from the first cloud provider.

9. The method of claim 8 wherein the firewall rule distributed to the first server group specifies a particular destination Internet Protocol (IP) address, a particular destination port, a particular protocol, and a particular action to be performed when parameters of a data packet to be sent from the first server group match the particular destination IP address, particular destination port, and particular protocol, and wherein the copy of the firewall rule distributed to the second server group specifies the same particular destination IP address, particular destination port, particular protocol, and particular action.

10. The method of claim 8 wherein the first and second cloud computing networks are remote from each other.

11. The method of claim 8 wherein the firewall rule is received by an agent at an endpoint in the first server group, and wherein the agent programs the firewall rule into an operating system (OS) at the endpoint, maintains a separate copy of the firewall rule in memory at the endpoint, and monitors the firewall rule programmed into the OS using the separate copy of the firewall rule maintained in the memory at the endpoint.

12. The method of claim 8 wherein the firewall rule is a first firewall rule and the method comprises: allowing the user to define in the application profile a second computing flow to the cloud chamber; generating a second firewall rule based on the second computing flow to the cloud chamber; distributing the second firewall rule to the first server group of the cloud chamber; and distributing a copy of the second firewall rule to the second server group of the cloud chamber.

13. The method of claim 8 comprising: receiving the firewall rule at an endpoint in the first server group; programming the firewall rule into an operating system (OS) at the endpoint; maintaining, in memory at the endpoint, an independent copy of the firewall rule programmed into the OS; monitoring the firewall rule programmed into the OS using the independent copy of the firewall rule maintained in the memory at the endpoint to detect tampering of the firewall rule programmed into the OS; and upon detection of tampering, replacing the tampered firewall rule with the independent copy of the firewall rule maintained in the memory at the endpoint.

14. A method comprising: storing an application profile to manage security of an application deployed across a first cloud computing network, and a second cloud computing network, the first and second cloud computing networks being connected by the Internet; allowing a user to define in the application profile a first server group as being in the first cloud computing network, a second server group as being in the second cloud computing network, a cloud chamber as including the first and second server groups, a first computing flow to the cloud chamber, and a second computing flow from the cloud chamber; generating a first firewall rule based on the first computing flow to the cloud chamber; transmitting the first firewall rule to the first server group; transmitting a copy of the first firewall rule to the second server group; generating a second firewall rule based on the second computing flow from the cloud chamber; transmitting the second firewall rule to the first server group; and transmitting a copy of the second firewall rule to the second server group, wherein the first cloud computing network is owned by a first cloud provider, and the second cloud computing network is owned by a second cloud provider, different from the first cloud provider.

15. The method of claim 14 wherein the first firewall rule is received by an agent at an endpoint in the first server group, and wherein the agent programs the first firewall rule into an operating system (OS) at the endpoint, maintains, in memory at the endpoint, a copy of the first firewall rule programmed into the OS, and upon detecting tampering of the first firewall rule programmed into the OS, replaces the tampered first firewall rule with the copy of the first firewall rule maintained in the memory at the endpoint.

16. The method of claim 14 comprising: receiving the first and second firewall rules at an endpoint in the first server group; inserting the first and second firewall rules into an operating system (OS) at the endpoint for enforcement; monitoring the first and second firewall rules inserted into the OS to detect tampering; calculating a frequency of the tampering; determining whether the frequency exceeds a threshold frequency; and if the frequency exceeds the threshold frequency, generating an alert to place the endpoint into quarantine.
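The abstract and claims above describe one pipeline: a user-defined application profile (server groups in different providers, a cloud chamber grouping them, flows to and from the chamber) is compiled into firewall rules, identical copies are pushed to every group in the chamber, and an agent on each endpoint programs the rule into the OS, keeps an independent copy in memory, repairs tampering and escalates to quarantine when tampering becomes frequent. The following Python model is an added illustration of that pipeline; it is not the patent's or any vendor's code, the OS firewall is simulated as a list, and every class, field and host name (Rule, Flow, Agent, ApplicationProfile, "provider-A", the sample IPs) is an assumption made for the example.

```python
# Added example: toy model of the claimed multi-cloud distributed firewall.
# Not the patent holder's code; all names, IPs and thresholds are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    """One firewall rule: direction relative to the chamber, the remote IP
    (source for inbound, destination for outbound), port, protocol, action."""
    direction: str      # "to" = inbound to the chamber, "from" = outbound from it
    remote_ip: str
    port: int
    protocol: str
    action: str         # "accept" or "deny"


@dataclass
class Flow:
    """A computing flow the user defines in the profile, to or from the chamber."""
    direction: str
    remote_ip: str
    port: int
    protocol: str
    action: str = "accept"


class Agent:
    """Endpoint agent: programs rules into the (simulated) OS firewall, keeps an
    independent shadow copy, repairs tampering and counts how often it happens."""

    def __init__(self, host: str, provider: str, max_tampers: int = 2):
        self.host, self.provider = host, provider
        self.os_rules: List[Rule] = []   # stands in for the kernel/WFP rule set
        self.shadow: List[Rule] = []     # separate copy held in agent memory
        self.tamper_count = 0
        self.max_tampers = max_tampers   # assumed threshold frequency
        self.alerts: List[str] = []      # what would be sent to the controller

    def program(self, rules: List[Rule]) -> None:
        self.shadow = list(rules)
        self.os_rules = list(rules)

    def check(self) -> bool:
        """Periodic comparison of OS rules against the shadow copy.
        Returns True when tampering was detected and repaired."""
        if self.os_rules == self.shadow:
            return False
        self.os_rules = list(self.shadow)            # copy the good rules back
        self.tamper_count += 1
        self.alerts.append(f"tamper:{self.host}")
        if self.tamper_count > self.max_tampers:     # frequency over threshold
            self.alerts.append(f"quarantine:{self.host}")
        return True

    def evaluate(self, direction: str, remote_ip: str, port: int, protocol: str) -> str:
        """First-match evaluation against what is actually in the OS; default deny."""
        for r in self.os_rules:
            if (r.direction, r.remote_ip, r.port, r.protocol) == (direction, remote_ip, port, protocol):
                return r.action
        return "deny"


@dataclass
class ApplicationProfile:
    groups: Dict[str, List[Agent]]           # server group name -> its endpoints
    chamber: List[str]                       # group names that form the cloud chamber
    flows: List[Flow] = field(default_factory=list)


def generate_rules(profile: ApplicationProfile) -> List[Rule]:
    return [Rule(f.direction, f.remote_ip, f.port, f.protocol, f.action) for f in profile.flows]


def distribute(profile: ApplicationProfile) -> List[Rule]:
    """Controller: the same rule set goes to every group in the chamber, whichever
    provider hosts it, so both sides evaluate identical policy."""
    rules = generate_rules(profile)
    for name in profile.chamber:
        for agent in profile.groups[name]:
            agent.program(rules)
    return rules


def demo() -> dict:
    # Constructed sample: a web tier in one provider, a db tier in another.
    web, db = [Agent("web-1", "provider-A")], [Agent("db-1", "provider-B")]
    profile = ApplicationProfile(
        groups={"web": web, "db": db}, chamber=["web", "db"],
        flows=[Flow("to", "198.51.100.7", 443, "tcp"),        # inbound HTTPS
               Flow("from", "203.0.113.20", 5432, "tcp")])    # outbound to a DB
    distribute(profile)
    out = {"web_https": web[0].evaluate("to", "198.51.100.7", 443, "tcp"),
           "db_https": db[0].evaluate("to", "198.51.100.7", 443, "tcp"),
           "web_ssh": web[0].evaluate("to", "198.51.100.7", 22, "tcp")}
    # Local attacker inserts a permissive rule directly into the OS table.
    web[0].os_rules.append(Rule("to", "198.51.100.7", 22, "tcp", "accept"))
    out["ssh_tampered"] = web[0].evaluate("to", "198.51.100.7", 22, "tcp")
    out["repaired"] = web[0].check()
    out["ssh_after_repair"] = web[0].evaluate("to", "198.51.100.7", 22, "tcp")
    for _ in range(3):                  # repeated tampering exceeds the threshold
        web[0].os_rules.clear()
        web[0].check()
    out["quarantined"] = any(a.startswith("quarantine") for a in web[0].alerts)
    out["db_untouched"] = db[0].check() is False
    return out


if __name__ == "__main__":
    print(demo())
```

The shadow copy is what makes the tamper check meaningful: the agent never trusts the OS table as the source of truth, only as the enforcement point. A real agent would compare against the live iptables/nftables or Windows Filtering Platform state rather than a list, and would rate-limit the tamper counter over a time window rather than counting forever, which the claims describe as a frequency.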
Specification