Introspection method and apparatus for network access filtering

US 10,606,626 B2
Filed: 07/30/2015
Issued: 03/31/2020
Est. Priority Date: 12/29/2014
Status: Active Grant

First Claim

Patent Images

1. A method of filtering network access on a host computing device on which a particular guest virtual machine (GVM) executes, the particular GVM executing an application, a guest introspector, a TCP/IP stack and an encryption module, the method comprising:

through the guest introspector installed on the particular GVM executing on the host computing device along with a plurality of other GVMs, capturing metadata regarding a data message associated with an attempt by the application to access a network resource, said metadata captured above the TCP/IP stack of the particular GVM before the data message is encrypted by the encryption module of the particular GVM, wherein the metadata comprises a URL associated with the network resource;

using, at a service module that executes on the host computing device, the URL in the captured metadata to examine a set of network access policies stored on the host computing device in order to determine whether the network access should be allowed, wherein capturing the metadata before the metadata is encrypted allows the captured metadata to be used to examine the set of network access policies without decrypting the metadata;

through said examination, identifying a network access policy that requires a rejection of the network access;

directing the guest introspector to reject the network access; and

rejecting, at the guest introspector, the network access based on the identified network access policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for performing network access filtering and/or categorization through guest introspection on a device data compute node (DCN) that executes on a host is provided. The method, through a guest introspector installed on the DCN, intercepts a data message that the DCN is preparing to send. The method identifies a category of the network resource. The method uses the category of the network resource to examine a set of network access policies that are stored on the host in order to determine whether the network access should be allowed. The method identifies a network access policy that requires the rejection of the network access when the access to the network resource causes an aggregate bandwidth for accessing the identified category of network resource to exceed a bandwidth threshold. The method rejects the network access based on the identified network access policy.

188 Citations

19 Claims

1. A method of filtering network access on a host computing device on which a particular guest virtual machine (GVM) executes, the particular GVM executing an application, a guest introspector, a TCP/IP stack and an encryption module, the method comprising:
- through the guest introspector installed on the particular GVM executing on the host computing device along with a plurality of other GVMs, capturing metadata regarding a data message associated with an attempt by the application to access a network resource, said metadata captured above the TCP/IP stack of the particular GVM before the data message is encrypted by the encryption module of the particular GVM, wherein the metadata comprises a URL associated with the network resource;
  
  using, at a service module that executes on the host computing device, the URL in the captured metadata to examine a set of network access policies stored on the host computing device in order to determine whether the network access should be allowed, wherein capturing the metadata before the metadata is encrypted allows the captured metadata to be used to examine the set of network access policies without decrypting the metadata;
  
  through said examination, identifying a network access policy that requires a rejection of the network access;
  
  directing the guest introspector to reject the network access; and
  
  rejecting, at the guest introspector, the network access based on the identified network access policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the data message is a first data message, the network access is a first network access, and the metadata is a first set of metadata, the method further comprising:
    - through the guest introspector, capturing a second set of metadata, before the second set of metadata is encrypted by the encryption module of the particular GVM, regarding a second data message associated with a second network access attempt, wherein the second set of metadata comprises a second URL associated with the network resource associated with the second network access attempt;
      
      using, at the service module, the second URL in the captured second set of metadata to examine the set of network access policies to determine whether the second network access should be allowed; and
      
      allowing the second network access after the examination does not identify a network access policy that requires the rejection of the second network access attempt and sending the second data message to the encryption module.
  - 3. The method of claim 1, wherein the guest introspector is a network introspector that captures the metadata through a set of filters that is defined above the TCP/IP stack of the particular GVM.
  - 4. The method of claim 1, wherein the guest introspector is a network introspector that captures the metadata through a filter that is defined as a transport layer library filter.
  - 5. The method of claim 3, wherein the set of filters includes a filter that is defined in a library that handles layer 5 or higher layer communication protocol operations.
  - 6. The method of claim 1, wherein the service module is a service virtual machine.
  - 7. The method of claim 1, wherein the network resource is a website, wherein using the captured metadata further comprises using the captured metadata to determine whether accessing the website is allowed by the set of network access policies.
  - 8. The method of claim 1, wherein the network resource is a website, wherein using the captured metadata further comprises using the captured metadata to determine whether accessing the website by an application of the particular GVM that is attempting the network access is allowed by the set of network access policies.
  - 9. The method of claim 1, wherein the network resource is a website, wherein using the captured metadata further comprises using the captured metadata to determine whether accessing the website by a user that is using the particular GVM while the network access is being attempted is allowed by the set of network access policies.
  - 10. The method of claim 1, wherein the network resource is a file that contains content that is intended for the attempted network access, wherein using the captured metadata comprises determining whether accessing the file is allowed by the set of network access policies.
  - 11. The method of claim 1, wherein the network resource is a file that contains content that is intended for the attempted network access, wherein using the captured metadata comprises determining whether accessing the content of the file is allowed by the set of network access policies.

12. A non-transitory machine readable medium for storing a program for filtering network access on a host computing device on which a particular guest virtual machine (GVM) executes, the program comprising sets of instructions for:
- capturing, through a guest introspector installed on the particular GVM, metadata regarding a data message associated with an attempt to access a network resource, said metadata captured above a TCP/IP stack of the particular GVM before the data message is encrypted by an encryption module of the particular GVM, wherein the metadata comprises a URL associated with the network resource;
  
  using, at a service module that executes on the host computing device, the URL in the captured metadata to examine a set of network access policies stored on the host computing device to identify a network access policy to analyze to determine whether the network access should be allowed, wherein capturing the metadata before the metadata is encrypted allows the captured metadata to be used to examine the set of network access policies without decrypting the metadata;
  
  based on an identified network access policy, determining that the network access should be rejected;
  
  directing the guest introspector to reject the network access; and
  
  rejecting, at the guest introspector, the network access based on the identified network access policy.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The non-transitory machine readable medium of claim 12, wherein the data message is a first data message, the network access attempt is a first network access attempt, and the metadata is a first set of metadata, wherein the program further comprises sets of instructions for:
    - capturing, through the guest introspector, a second set of metadata regarding a second data message associated with a second network access attempt, said second set of metadata captured before the second data message is encrypted by the encryption module of the particular GVM, wherein the second set of metadata comprises a second URL associated with the network resource associated with the second network access attempt;
      
      using, at the service module, the second URL in said captured second set of metadata to examine the set of network access policies to identify a network access policy to analyze to determine whether the second network access should be allowed;
      
      allowing, at the guest introspector, the second network access after the examination using the second set of metadata does not identify a network access policy that requires the rejection of the second network access attempt; and
      
      providing the second data message to the encryption module.
  - 14. The non-transitory machine readable medium of claim 12, wherein the network resource is a website, wherein the set of instructions for using the URL in the captured metadata further comprises a set of instructions for using the URL in the captured metadata to determine whether accessing the website is allowed by the set of network access policies.
  - 15. The non-transitory machine readable medium of claim 12, wherein the network resource is a website, wherein the set of instructions for using the URL in the captured metadata comprises a set of instructions for using the URL in the captured metadata to determine whether accessing the website by an application of the particular GVM that is attempting the network access is allowed by the set of network access policies.
  - 16. The non-transitory machine readable medium of claim 12, wherein the network resource is a website, wherein the set of instructions for using the URL in the captured metadata further comprises a set of instructions for using the URL in the captured metadata to determine whether accessing the website by a user that is using the particular GVM while the network access is being attempted is allowed by the set of network access policies.
  - 17. The non-transitory machine readable medium of claim 12, wherein the network resource is a file that contains content that is intended for the attempted network access, wherein the set of instructions for using the URL in the captured metadata comprises a set of instructions for determining whether accessing the file is allowed by the set of network access policies.
  - 18. The non-transitory machine readable medium of claim 12, wherein the network resource is a file that contains content that is intended for the attempted network access, wherein the set of instructions for using the URL in the captured metadata comprises a set of instructions for determining whether accessing the content of the file is allowed by the set of network access policies.
  - 19. The non-transitory machine readable medium of claim 12, wherein the service module is a service virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Feroz, Azeem, Kumar, Vasantha, Wiese, James Christopher, Patil, Amit Vasant
Primary Examiner(s)
Naji, Younes
Assistant Examiner(s)
Ton, Da T

Application Number

US14/814,408
Publication Number

US 20160191413A1
Time in Patent Office

1,706 Days
Field of Search

709227-229, 726 1- 3, 726 11- 13, 726 22, 726 25, 713151-154
US Class Current
CPC Class Codes

G06F 16/9535   Search customisation based ...

G06F 16/972   Access to data in other rep...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0236   Filtering by address, proto...

H04L 63/0281   Proxies

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Introspection method and apparatus for network access filtering

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

188 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Introspection method and apparatus for network access filtering

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

188 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links