Dynamic, load-based, auto-scaling network security microservices architecture

US 10,498,601 B2
Filed: 10/30/2018
Issued: 12/03/2019
Est. Priority Date: 06/14/2016
Status: Active Grant

First Claim

Patent Images

1. A method performed by a security system, the method comprising:

configuring a segment microservice to route network data to and from a datacenter, and a plurality of servers on which to run multiple instances of each of a hierarchy of security microservices, each level of which performs a different security operation;

using a configuration microservice to set security policies of the security microservices, a scaler to determine when to scale microservices in or out, and a database to store state information and security polices;

configuring microservice connectivity via a backplane;

processing flows of packets received from the datacenter; and

in response to a failure of a first server, moving a microservice from the first server to a second server at the same level of the hierarchy, and configuring the second server with state information and a security policy of the first server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System, methods, and apparatuses used to monitor network traffic of a datacenter and report security threats are described. For example, one embodiment selects a first microservice of a first hierarchy, configures the microservices of a second lower-level hierarchy to remove the first microservice from load balancing decisions to the first hierarchy, moves the first microservice to another server, configures data plane connectivity to the first microservice to reflect a change in server, and configures the microservices of the second hierarchy to include the first microservice in load balancing decisions to the first hierarchy.

10 Citations

View as Search Results

20 Claims

1. A method performed by a security system, the method comprising:
- configuring a segment microservice to route network data to and from a datacenter, and a plurality of servers on which to run multiple instances of each of a hierarchy of security microservices, each level of which performs a different security operation;
  
  using a configuration microservice to set security policies of the security microservices, a scaler to determine when to scale microservices in or out, and a database to store state information and security polices;
  
  configuring microservice connectivity via a backplane;
  
  processing flows of packets received from the datacenter; and
  
  in response to a failure of a first server, moving a microservice from the first server to a second server at the same level of the hierarchy, and configuring the second server with state information and a security policy of the first server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the segment microservice and the security microservices are part of a data plane of the security system, and the configuration microservice, the scaler, and the database are part of a management plane of the security system, the management plane further comprising a chassis microservice to instantiate and deploy microservices as requested by the scaler.
  - 3. The method of claim 1, wherein the segment microservice is coupled to the datacenter either in-line, such that the security system intercepts and blocks suspicious traffic before it arrives at the datacenter, or in a copy-only configuration, such that the security system monitors traffic, detects threats, and generates alerts, but does not intercept traffic before it arrives at the datacenter.
  - 4. The method of claim 1, wherein the segment microservice is to communicate packets with the datacenter according to transmission control protocol/internet protocol (TCP/IP), the communicated packets comprising 5-tuples that identify a source IP address and port, a destination IP address and port, and a protocol to use, and wherein the segment microservice adds a sixth tuple to each packet, the sixth tuple to include routing information about which security microservices are to receive the packet, and a unique identifier of the connection.
  - 5. The method of claim 4, wherein one of the security microservices, in response to detecting a threat in a packet flow of packets, uses the 5-tuples and the unique identifier to ask the segment microservice to discontinue the associated network connection.
  - 6. The method of claim 1, further comprising configuring and using an infrastructure discovery microservice to learn a configuration of the datacenter, and, in response, to suggest policies and microservices to use.

7. A non-transitory computer-readable medium containing instructions to which a security system is to respond by:
- configuring a segment microservice to route network data to and from a datacenter, and a plurality of servers on which to run multiple instances of each of a hierarchy of security microservices, each level of which performs a different security operation;
  
  using a configuration microservice to set security policies of the security microservices, a scaler to determine when to scale microservices in or out, and a database to store state information and security polices;
  
  configuring microservice connectivity via a backplane;
  
  processing flows of packets received from the datacenter; and
  
  in response to a failure of a first server, moving a microservice from the first server to a second server at the same level of the hierarchy, and configuring the second server with state information and a security policy of the first server.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer-readable medium of claim 7, wherein the segment microservice and the security microservices are part of a data plane of the security system, and the configuration microservice, the scaler, and the database are part of a management plane of the security system, the management plane further comprising a chassis microservice to instantiate and deploy microservices as requested by the scaler.
  - 9. The non-transitory computer-readable medium of claim 7, wherein the segment microservice is coupled to the datacenter either in-line, such that the security system intercepts and blocks suspicious traffic before it arrives at the datacenter, or in a copy-only configuration, such that the security system monitors traffic, detects threats, and generates alerts, but does not intercept traffic before it arrives at the datacenter.
  - 10. The non-transitory computer-readable medium of claim 7, wherein the segment microservice is to communicate packets with the datacenter according to transmission control protocol/internet protocol (TCP/IP), the communicated packets comprising 5-tuples that identify a source IP address and port, a destination IP address and port, and a protocol to use, and wherein the segment microservice adds a sixth tuple to each packet, the sixth tuple to include routing information about which security microservices are to receive the packet, and a unique identifier of the connection.
  - 11. The non-transitory computer-readable medium of claim 10, wherein one of the security microservices, in response to detecting a threat in a packet flow of packets, uses the 5-tuples and the unique identifier to ask the segment microservice to discontinue the associated network connection.
  - 12. The non-transitory computer-readable medium of claim 7, further comprising configuring and using an infrastructure discovery microservice to learn a configuration of the datacenter, and, in response, to suggest policies and microservices to use.

13. A security system comprising:
- a data plane comprising a segment microservice to route network data to and from a datacenter, and a plurality of servers on which to run multiple instances of each of a hierarchy of security microservices, each level of which performs a different security operation;
  
  a management plane comprising a configuration microservice to set security policies of the security microservices, a scaler to determine when to scale microservices in or out, and a database to store state information and security polices; and
  
  a backplane to provide microservice connectivity via a backplane;
  
  the security system to;
  
  process flows of packets received from the datacenter; and
  
  in response to a failure of a first server, move a microservice from the first server to a second server at the same level of the hierarchy, and configure the second server with state information and a security policy of the first server.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The security system of claim 13, wherein the segment microservice and the security microservices are part of a data plane of the security system, and the configuration microservice, the scaler, and the database are part of a management plane of the security system, the management plane further comprising a chassis microservice to instantiate and deploy microservices as requested by the scaler.
  - 15. The security system of claim 13, wherein the segment microservice is coupled to the datacenter either in-line, such that the security system intercepts and blocks suspicious traffic before it arrives at the datacenter, or in a copy-only configuration, such that the security system monitors traffic, detects threats, and generates alerts, but does not intercept traffic before it arrives at the datacenter.
  - 16. The security system of claim 13, wherein the segment microservice is to communicate packets with the datacenter according to transmission control protocol/internet protocol (TCP/IP), the communicated packets comprising 5-tuples that identify a source IP address and port, a destination IP address and port, and a protocol to use, and wherein the segment microservice adds a sixth tuple to each packet, the sixth tuple to include routing information about which security microservices are to receive the packet, and a unique identifier of the connection.
  - 17. The security system of claim 16, wherein one of the security microservices, in response to detecting a threat in a packet flow of packets, uses the 5-tuples and the unique identifier to ask the segment microservice to discontinue the associated network connection.
  - 18. The security system of claim 13, further comprising configuring and using an infrastructure discovery microservice to learn a configuration of the datacenter, and, in response, to suggest policies and microservices to use.
  - 19. The security system of claim 13, wherein the management plane further comprises a compiler microservice to receive remote cloud-based updates to the security policies.
  - 20. The security system of claim 13, wherein the data plane is further to route network data to be processed by an external security tool.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
ShieldX Networks, Inc. (Fortinet Inc.)
Inventors
Ahuja, Ratinder Paul Singh, Nedbal, Manuel
Primary Examiner(s)
Sall, El Hadji M

Application Number

US16/174,884
Publication Number

US 20190140903A1
Time in Patent Office

399 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 41/08   Configuration management of...

H04L 41/0803   Configuration setting

H04L 41/0816   the condition being an adap...

H04L 41/0895   Configuration of virtualise...

H04L 63/0227   Filtering policies mail mes...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

H04L 67/1001   for accessing one among a p...

H04L 67/1031   Controlling of the operatio...

H04L 67/51   Discovery or management the...

Dynamic, load-based, auto-scaling network security microservices architecture

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic, load-based, auto-scaling network security microservices architecture

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links