Enforcing micro-segmentation policies for physical and virtual application components in data centers

US 10,547,644 B2
Filed: 06/30/2017
Issued: 01/28/2020
Est. Priority Date: 06/30/2017
Status: Active Grant

First Claim

Patent Images

1. A device, comprising:

one or more processors to;

receive policy information associated with a first application group and a second application group,the first application group including a first set of virtual application components and a first set of physical application components,the second application group including a second set of virtual application components and a second set of physical application components;

generate a logical group of virtual application components,the first set of virtual application components and the second set of virtual application components being included in the logical group of virtual application components based on the first set of virtual application components and the second set of virtual application components being virtual application components;

generate a logical group of physical application components,the first set of physical application components and the second set of physical application components being included in the logical group of physical application components based on the first set of physical application components and the second set of physical application components being physical application components;

receive network topology information associated with a network;

generate a first policy, to be provided to a virtual network device of the network, based on the policy information, the logical group of virtual application components, and the network topology information,a virtual application component, of the first set of virtual application components, being connected to the virtual network device;

generate a second policy, to be provided to a physical network device of the network, based on the policy information, the logical group of physical application components, and the network topology information,a physical application component, of the first set of physical application components, being connected to the physical network device;

provide, to the virtual network device of the network, information associated with the first policy to permit the virtual network device to implement the first policy in association with network traffic transferred between the virtual application component, of the first set of virtual application components, and the second set of virtual application components,the first policy being provided to the virtual network device based on the virtual network device being a virtual device type; and

provide, to the physical network device, information associated with the second policy to permit the physical network device to implement the second policy in association with network traffic transferred between the physical application component, of the first set of physical application components, and another physical application component of the second set of physical application components,the second policy being provided to the physical network device based on the physical network device being a physical device type.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may receive policy information associated with a first application group and a second application group. The device may receive network topology information associated with a network. The device may generate a first policy based on the policy information and the network topology information, and generate a second policy based on the policy information and the network topology information. The device may provide, to the virtual network device, information associated with the first policy to permit the virtual network device to implement the first policy in association with network traffic transferred between the first application group and the second application group. The device may provide, to the physical network device, information associated with the second policy to permit the physical network device to implement the second policy in association with network traffic transferred between the first application group and the second application group.

6 Citations

20 Claims

1. A device, comprising:
- one or more processors to;
  
  receive policy information associated with a first application group and a second application group,the first application group including a first set of virtual application components and a first set of physical application components,the second application group including a second set of virtual application components and a second set of physical application components;
  
  generate a logical group of virtual application components,the first set of virtual application components and the second set of virtual application components being included in the logical group of virtual application components based on the first set of virtual application components and the second set of virtual application components being virtual application components;
  
  generate a logical group of physical application components,the first set of physical application components and the second set of physical application components being included in the logical group of physical application components based on the first set of physical application components and the second set of physical application components being physical application components;
  
  receive network topology information associated with a network;
  
  generate a first policy, to be provided to a virtual network device of the network, based on the policy information, the logical group of virtual application components, and the network topology information,a virtual application component, of the first set of virtual application components, being connected to the virtual network device;
  
  generate a second policy, to be provided to a physical network device of the network, based on the policy information, the logical group of physical application components, and the network topology information,a physical application component, of the first set of physical application components, being connected to the physical network device;
  
  provide, to the virtual network device of the network, information associated with the first policy to permit the virtual network device to implement the first policy in association with network traffic transferred between the virtual application component, of the first set of virtual application components, and the second set of virtual application components,the first policy being provided to the virtual network device based on the virtual network device being a virtual device type; and
  
  provide, to the physical network device, information associated with the second policy to permit the physical network device to implement the second policy in association with network traffic transferred between the physical application component, of the first set of physical application components, and another physical application component of the second set of physical application components,the second policy being provided to the physical network device based on the physical network device being a physical device type.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The device of claim 1, where the one or more processors are further to:
    - determine, using the network topology information, that the virtual application component is connected to the virtual network device; and
      
      where the one or more processors, when providing the information associated with the first policy, are to;
      
      provide the information associated with the first policy based on determining that the virtual application component is connected to the virtual network device.
  - 3. The device of claim 1, where the one or more processors are further to:
    - determine, using the network topology information, that the physical application component is connected to the physical network device; and
      
      where the one or more processors, when providing the information associated with the second policy, are to;
      
      provide the information associated with the second policy based on determining that the physical application component is connected to the physical network device.
  - 4. The device of claim 1, where the one or more processors are further to:
    - determine, using the network topology information, that the virtual application component is a virtual device; and
      
      where the one or more processors, when generating the first policy, are to;
      
      generate the first policy based on determining that the virtual application component is the virtual device.
  - 5. The device of claim 1, where the one or more processors are further to:
    - determine that the virtual application component is not connected to the virtual network device; and
      
      provide, to the virtual network device, an instruction to remove the information associated with the first policy.
  - 6. The device of claim 1, where the physical network device is associated with a data center;
    - andwhere the network topology information includes information that identifies one or more of;
      
      the physical network device,connections between the physical network device and one or more other physical network devices in the data center,locations of the physical network device and one or more other physical network devices in the data center, ornetwork addresses of the physical network device and one or more other physical network devices in the data center.
  - 7. The device of claim 1, where the network topology information includes information that identifies one or more of:
    - a set of data associated with the virtual network device,a set of files associated with the virtual network device, ora set of messages associated with the virtual network device.

8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to;
  
  receive policy information associated with a first application group and a second application group;
  
  generate a logical group of virtual application components,a set of virtual application components being included in the logical group of virtual application components based on the set of virtual application components being virtual application components;
  
  generate a logical group of physical application components,a set of physical application components being included in the logical group of physical application components based on the set of physical application components being physical application components;
  
  receive network topology information associated with a network;
  
  generate a first policy, to be provided to a virtual network device of the network, based on the policy information, the logical group of virtual application components, and the network topology information;
  
  generate a second policy, to be provided to a physical network device of the network, based on the policy information, the logical group of physical application components, and the network topology information,the first policy being different than the second policy;
  
  provide, to the virtual network device, information associated with the first policy to permit the virtual network device to implement the first policy in association with network traffic transferred between the first application group and the second application group,the first policy being provided to the virtual network device based on the virtual network device being a virtual device type; and
  
  provide, to the physical network device, information associated with the second policy to permit the physical network device to implement the second policy in association with network traffic transferred between the first application group and the second application group,the second policy being provided to the physical network device based on the physical network device being a physical device type.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - determine, using the network topology information, that a virtual application component of the first application group is connected to the virtual network device; and
      
      where the one or more instructions, that cause the one or more processors to provide the information associated with the first policy, cause the one or more processors to;
      
      provide the information associated with the first policy based on determining that the virtual application component is connected to the virtual network device.
  - 10. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - determine, using the network topology information, that a physical application component of the first application group is connected to the physical network device; and
      
      where the one or more instructions, that cause the one or more processors to provide the information associated with the second policy, cause the one or more processors to;
      
      provide the information associated with the second policy based on determining that the physical application component of the first application group is connected to the physical network device.
  - 11. The non-transitory computer-readable medium of claim 8, where the second policy includes a set of rules to be implemented in association with network traffic transferred between a first set of physical application components of the first application group and a second set of physical application components of the second application group.
  - 12. The non-transitory computer-readable medium of claim 8,where the one or more instructions, that cause the one or more processors to generate the first policy, cause the one or more processors to:
    - generate the first policy after generating the logical group of virtual application components and the logical group of physical application components,the first policy including a set of rules associated with the logical group of virtual application components and the logical group of physical application components.
  - 13. The non-transitory computer-readable medium of claim 8,where the one or more instructions, that cause the one or more processors to generate the second policy, cause the one or more processors to:
    - generate the second policy after generating the logical group of virtual application components and the logical group of physical application components,the second policy including a first set of rules associated with the logical group of the physical application components, andthe second policy not including a second set of rules associated with the logical group of the virtual application components.
  - 14. The non-transitory computer-readable medium of claim 8, where the virtual network device is associated with a cloud platform, and the physical network device is associated with a data center.

15. A method, comprising:
- receiving, by a device, policy information associated with a set of application groups;
  
  generating, by the device, a logical group of virtual application components,a set of virtual application components being included in the logical group of virtual application components based on the set of virtual application components being virtual application components;
  
  generating, by the device, a logical group of physical application components,a set of physical application components being included in the logical group of physical application components based on the set of physical application components being physical application components;
  
  receiving, by the device, network topology information associated with a network;
  
  generating, by the device, a first policy, to be provided to a set of virtual network devices of the network, based on the policy information, the logical group of virtual application components, and the network topology information;
  
  generating, by the device, a second policy, to be provided to a set of physical network devices of the network, based on the policy information, the logical group of physical application components, and the network topology information;
  
  providing, by the device and to a virtual network device of the set of virtual network devices, information associated with the first policy to permit the virtual network device to implement the first policy in association with network traffic transferred between the set of application groups,the first policy being provided to the virtual network device based on the virtual network device being a virtual device type; and
  
  providing, by the device and to a physical network device of the set of physical network devices, information associated with the second policy to permit the physical network device to implement the second policy in association with network traffic transferred between the set of application groups,the second policy being provided to the physical network device based on the physical network device being a physical device type,the second policy including a set of rules associated with a set of physical application components of the set of application groups, andthe second policy not including another set of rules associated with a set of virtual application components of the set of application groups.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, further comprising:
    - determining that a virtual application component, of the set of virtual application components, is connected to the virtual network device; and
      
      where providing the information associated with the first policy comprises;
      
      providing the information associated with the first policy based on determining that the virtual application component is connected to the virtual network device.
  - 17. The method of claim 15, further comprising:
    - determining that a physical application component, of the set of physical application components, is connected to the physical network device; and
      
      where providing the information associated with the second policy comprises;
      
      providing the information associated with the second policy based on determining that the physical application component is connected to the physical network device.
  - 18. The method of claim 15, where the first policy includes a first set of rules, and where the second policy includes a subset of the first set of rules.
  - 19. The method of claim 15, where the first policy includes the set of rules associated with the set of virtual application components of the set of application groups.
  - 20. The method of claim 15, where the physical network device is associated with a data center;
    - where the network topology information includes information that identifies one or more of;
      
      the physical network device,connections between the physical network device and one or more other physical network devices in the data center,locations of the physical network device and one or more other physical network devices in the data center, ornetwork addresses of the physical network device and one or more other physical network devices in the data center; and
      
      where the network topology information includes information that identifies one or more of;
      
      a set of data associated with the virtual network device,a set of files associated with the virtual network device, ora set of messages associated with the virtual network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Nimmagadda, Srinivas, Kumar, Rakesh, Seshadri, Prakash T., Subramanian, Sriram
Primary Examiner(s)
Traore, Fatoumata

Application Number

US15/639,366
Publication Number

US 20190007456A1
Time in Patent Office

942 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Enforcing micro-segmentation policies for physical and virtual application components in data centers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing micro-segmentation policies for physical and virtual application components in data centers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links