Network policy implementation in a tag-based policy architecture

US 10,652,281 B1
Filed: 08/31/2017
Issued: 05/12/2020
Est. Priority Date: 08/31/2017
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors coupled to a network of a virtualized computing environment;

a control plane executable by at least one of the one or more processors, the control plane configured to implement a network policy of the virtualized computing environment by associating the network policy to a global firewall and apportioning the global firewall into one or more individual firewalls, the control plane further configured to translate the network policy associated with the global firewall into rules of an individual firewall; and

a packet filter module executable by at least one processor of a first computer node, the packet filter module configured to receive the rules from the control plane and implement the individual firewall to enforce the network policy on packets of network traffic as a respective portion of the global firewall, wherein the first computer node is configured to execute a hypervisor and a virtual machine instance (VMI), wherein the VMI is managed by the hypervisor, wherein a guest operating system and an intermediary manager run in the VMI, wherein the packet filter module is a component of the intermediary manager, wherein the packet filter module is configured to enforce the network policy on the packets when passed between the hypervisor and the guest operating system.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique implements network policy deployed in a tag-based policy architecture of a virtualized computing environment. One or more virtual machine instances (VMIs) may be provided by a virtual data center (VDC) of the environment, wherein each VMI includes an intermediary manager of a computing cell that also includes a guest operating system (OS) and associated applications. The tag-based policy architecture may be configured to enforce the network policy in the virtualized computing environment using cryptographically-verifiable metadata to authenticate compute resources, such as the VMIs, coupled to a computer network and to authorize access to protected resources, such as virtualized network resources of the VDC.

Citations

20 Claims

1. A system comprising:
- one or more processors coupled to a network of a virtualized computing environment;
  
  a control plane executable by at least one of the one or more processors, the control plane configured to implement a network policy of the virtualized computing environment by associating the network policy to a global firewall and apportioning the global firewall into one or more individual firewalls, the control plane further configured to translate the network policy associated with the global firewall into rules of an individual firewall; and
  
  a packet filter module executable by at least one processor of a first computer node, the packet filter module configured to receive the rules from the control plane and implement the individual firewall to enforce the network policy on packets of network traffic as a respective portion of the global firewall, wherein the first computer node is configured to execute a hypervisor and a virtual machine instance (VMI), wherein the VMI is managed by the hypervisor, wherein a guest operating system and an intermediary manager run in the VMI, wherein the packet filter module is a component of the intermediary manager, wherein the packet filter module is configured to enforce the network policy on the packets when passed between the hypervisor and the guest operating system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1 wherein the network policy is defined as a tuple that includes a source and a destination, and wherein the source and the destination are identified using one or more tags.
  - 3. The system of claim 2 wherein the tag is a key-value pair embedded within a payload of a token data structure that enables attachment of the network policy to the intermediary manager.
  - 4. The system of claim 1 wherein the intermediary manager is a metavisor, and operates as a transparent intermediary between the guest operating system and the hypervisor.
  - 5. The system of claim 1 wherein the network policy includes a logical construct translated into a physical construct present in the network traffic.
  - 6. The system of claim 5 wherein the logical construct is a tag embedded within a payload of a token data structure that enables attachment of the network policy to the intermediary manager.
  - 7. The system of claim 5 wherein the physical construct is a network address that forms a basis of the rules of the individual firewall.
  - 8. The system of claim 1 wherein each rule includes a policy condition and an action, and wherein the network policy comprises a set of matched policy conditions that trigger corresponding actions by examination of the rules of the individual firewall.
  - 9. The system of claim 8 wherein the policy condition describes the rule to compare with content of the packets and the action describes an operation to perform on the packets if the content results in a matched policy condition.
  - 10. The system of claim 9 wherein the operation to perform on the packets is one of allow and encrypt.
  - 11. The system of claim 8 further comprising an encryption/decryption module executable by the first computer node, the encryption/decryption module configured to one of encrypt and decrypt the packets of the network traffic based on the network policy.
  - 12. The system of claim 11 wherein the rules of the individual firewall are organized as an address-based data structure accessed via a single lookup operation by the packet filter module for the policy condition of each rule and for the action of the rule performed by the encryption/decryption module.
  - 13. The system of claim 12 wherein the packet filter module performs the lookup operation into the address-based data structure to determine a matched policy condition and whether an encryption action should be performed on a packet of the network traffic.
  - 14. The system of claim 13 wherein, in response to the matched policy condition, the packet filter module applies an internal action flag to the packet and the encryption/decryption module is invoked to process the packet according to the encryption action.
  - 15. The system of claim 14 wherein the internal action flag is a software construct instructing the action encrypt.
  - 16. The system of claim 14 wherein the packet is decrypted prior to application of the rules so that the individual firewall operates on non-encrypted network flow information.

17. A method comprising:
- implementing a network policy of a virtualized computing environment by associating the network policy to a global firewall at a control plane coupled to a network of the virtualized computing environment;
  
  apportioning the global firewall into one or more individual firewalls;
  
  translating the network policy associated with the global firewall into rules of an individual firewall;
  
  receiving the rules from the control plane at a module executed on a first computer node coupled to the network; and
  
  implementing the individual firewall at the module to enforce the network policy on packets of network traffic as a respective portion of the global firewall, wherein the first computer node is configured to execute a hypervisor and a virtual machine instance (VMI), wherein the VMI is managed by the hypervisor, wherein a guest operating system and an intermediary manager run in the VMI, wherein the module is a component of the intermediary manager, wherein the module is configured to enforce the network policy on the packets when passed between the hypervisor and the guest operating system.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17 further comprising:
    - defining the network policy as a tuple that includes a source and a destination; and
      
      identifying the source and the destination using one or more tags.
  - 19. The method of claim 18 wherein the tag is a key-value pair embedded within a payload of a token data structure that enables attachment of the network policy to the intermediary manager.

20. A non-transitory computer readable media containing instructions for execution on a processor for a method comprising:
- implementing a network policy of a virtualized computing environment by associating the network policy to a global firewall at a control plane coupled to a network of the virtualized computing environment;
  
  apportioning the global firewall into one or more individual firewalls;
  
  translating the network policy associated with the global firewall into rules of an individual firewall;
  
  receiving the rules from the control plane at a module executed on a first computer node coupled to the network; and
  
  implementing the individual firewall at the module to enforce the network policy on packets of network traffic as a respective portion of the global firewall, wherein the first computer node is configured to execute a hypervisor and a virtual machine instance (VMI), wherein the VMI is managed by the hypervisor, wherein a guest operating system and an intermediary manager run in the VMI, wherein the module is a component of the intermediary manager, wherein the module is configured to enforce the network policy on the packets when passed between the hypervisor and the guest operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Moolenaar, Marcel, Ramdass, Dennis, Olichandran, Ramya
Primary Examiner(s)
Lemma, Samson B

Application Number

US15/692,890
Time in Patent Office

985 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/20   for managing network securi...

Network policy implementation in a tag-based policy architecture

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network policy implementation in a tag-based policy architecture

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links