Introspection method and apparatus for network access filtering
First Claim
1. A method of filtering network access on a host computing device on which a particular guest virtual machine (GVM) executes, the particular GVM executing an application, a guest introspector, a TCP/IP stack and an encryption module, the method comprising:
- through the guest introspector installed on the particular GVM executing on the host computing device along with a plurality of other GVMs, capturing metadata regarding a data message associated with an attempt by the application to access a network resource, said metadata captured above the TCP/IP stack of the particular GVM before the data message is encrypted by the encryption module of the particular GVM, wherein the metadata comprises a URL associated with the network resource;
- using, at a service module that executes on the host computing device, the URL in the captured metadata to examine a set of network access policies stored on the host computing device in order to determine whether the network access should be allowed, wherein capturing the metadata before the metadata is encrypted allows the captured metadata to be used to examine the set of network access policies without decrypting the metadata;
- through said examination, identifying a network access policy that requires a rejection of the network access;
- directing the guest introspector to reject the network access; and
- rejecting, at the guest introspector, the network access based on the identified network access policy.
Abstract
A method for performing network access filtering and/or categorization through guest introspection on a device data compute node (DCN) that executes on a host is provided. The method, through a guest introspector installed on the DCN, intercepts a data message that the DCN is preparing to send. The method identifies the category of the network resource that the data message is attempting to access. The method uses the category of the network resource to examine a set of network access policies that are stored on the host in order to determine whether the network access should be allowed. The method identifies a network access policy that requires the rejection of the network access when the access to the network resource causes an aggregate bandwidth for accessing the identified category of network resource to exceed a bandwidth threshold. The method rejects the network access based on the identified network access policy.
188 Citations
19 Claims
1. (Independent claim, reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A non-transitory machine readable medium for storing a program for filtering network access on a host computing device on which a particular guest virtual machine (GVM) executes, the program comprising sets of instructions for:
- capturing, through a guest introspector installed on the particular GVM, metadata regarding a data message associated with an attempt to access a network resource, said metadata captured above a TCP/IP stack of the particular GVM before the data message is encrypted by an encryption module of the particular GVM, wherein the metadata comprises a URL associated with the network resource;
- using, at a service module that executes on the host computing device, the URL in the captured metadata to examine a set of network access policies stored on the host computing device to identify a network access policy to analyze to determine whether the network access should be allowed, wherein capturing the metadata before the metadata is encrypted allows the captured metadata to be used to examine the set of network access policies without decrypting the metadata;
- based on an identified network access policy, determining that the network access should be rejected;
- directing the guest introspector to reject the network access; and
- rejecting, at the guest introspector, the network access based on the identified network access policy.
Dependent claims: 13, 14, 15, 16, 17, 18, 19.
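As an added illustration of the flow the abstract and the claims describe (this is not code from the patent or its assignee): a hypothetical guest introspector captures the URL and payload length above the TCP/IP stack, before the GVM's encryption module runs, and a hypothetical host-side service module evaluates that cleartext metadata against stored policies, including the abstract's aggregate-bandwidth-per-category threshold, without any decryption. The category table, policy shape and all names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Constructed host -> category table (hypothetical); a real deployment would query a categorization service.
CATEGORY_OF_HOST = {
    "video.example.com": "streaming",
    "intranet.example.org": "internal",
    "blocked.example.com": "malware",
}

@dataclass
class Policy:
    category: str
    action: str                                # "allow" or "reject"
    bandwidth_threshold: Optional[int] = None  # bytes per window; None = unconditional

@dataclass
class ServiceModule:
    """Hypothetical host-side module: evaluates captured metadata, never sees ciphertext."""
    policies: list
    usage: dict = field(default_factory=dict)  # category -> bytes allowed in the current window

    def categorize(self, url: str) -> str:
        host = urlparse(url).hostname or ""
        return CATEGORY_OF_HOST.get(host, "uncategorized")

    def evaluate(self, metadata: dict) -> tuple:
        """metadata = {'url': ..., 'length': ...}, captured above the TCP/IP stack, before encryption."""
        category = self.categorize(metadata["url"])
        projected = self.usage.get(category, 0) + metadata["length"]
        for p in self.policies:
            if p.category != category:
                continue
            if p.action == "reject" and p.bandwidth_threshold is None:
                return "reject", f"category {category} is blocked"
            if p.bandwidth_threshold is not None and projected > p.bandwidth_threshold:
                return "reject", f"{category} aggregate {projected} B exceeds {p.bandwidth_threshold} B"
        self.usage[category] = projected   # only allowed traffic counts toward the aggregate
        return "allow", category

class GuestIntrospector:
    """Hypothetical guest-side agent: sees the URL before the GVM's encryption module does."""
    def __init__(self, service: ServiceModule):
        self.service = service
    def on_request(self, url: str, payload: bytes) -> tuple:
        verdict, reason = self.service.evaluate({"url": url, "length": len(payload)})
        # On "reject" the message is dropped here, so nothing reaches the encryption module or the stack.
        return verdict == "allow", reason
```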
Specification