Applying firewalls to virtualized environments

US 20080022385A1
Filed: 06/30/2006
Published: 01/24/2008
Est. Priority Date: 06/30/2006
Status: Active Grant

First Claim

Patent Images

1. A system for applying separate firewall rules to one or more networks connected to a computer comprising:

a shared instance of an operating system comprising a shared filter engine and network stack shared by a plurality of virtualized environments on the computer, wherein a subset of a set of firewall rules stored in the filter engine is applied to traffic from or traffic to a network, based on a virtualized environment identifier.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Each virtualized environment on a computer has its own set of firewall rules. The virtualized environments share a single instance of the operating system image, a filter engine and a single network stack. A virtualized environment may be a compartment or a server silo. A virtualized environment is a network isolation mechanism and may be used to prevent use of a computer to traverse network boundaries by creating a separate virtualized environment for each network, enabling a separate set of rules to be applied to each virtualized environment and the network interfaces within it. Virtualized environments may also be used to assign different trust levels to the same physical network. Firewall rules are applied by virtualized environment identifier (ID), enabling separate filters to be applied to each virtualized environment on a computer. A virtualized environment may include or be associated with one or more network interfaces.

156 Citations

20 Claims

1. A system for applying separate firewall rules to one or more networks connected to a computer comprising:
- a shared instance of an operating system comprising a shared filter engine and network stack shared by a plurality of virtualized environments on the computer, wherein a subset of a set of firewall rules stored in the filter engine is applied to traffic from or traffic to a network, based on a virtualized environment identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein a virtualized environment of the plurality of virtualized environments is a compartment, comprising a network isolation mechanism.
  - 3. The system of claim 1, wherein a virtualization environment of the plurality of virtualized environments is a server silo, wherein the server silo restricts resources available to a process running in the server silo.
  - 4. The system of claim 3, wherein the server silo comprises a plurality of compartments comprising network isolation mechanisms.
  - 5. The system of claim 1, wherein the plurality of virtualization environments comprises a first virtualized environment connected to a first network associated with a first trust level and a second virtualized environment connected to a second network associated with a second trust level different than the first trust level.
  - 6. The system of claim 5, wherein the first network and the second network are an identical physical network.
  - 7. The system of claim 5, wherein the first network and the second network are different physical networks.
  - 8. The system of claim 5, wherein a first set of filters are applied to incoming and outgoing traffic on the first network and a second set of filters are applied to incoming and outgoing traffic on the second network, wherein the first set of filters is associated with the first virtualized environment and the second set of filters is associated with the second virtualized environment.

9. A method for assigning a filter to incoming and outgoing traffic on a network comprising:
- receiving a rule to be applied to incoming or outgoing traffic over a network; and
  
  determining that an administrator entering the rule to be applied to incoming or outgoing traffic over the network is an administrator of a virtualized environment, and in response thereto scoping the rule to the virtualized environment.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, wherein the rule is scoped to the virtualized environment by tagging a filter implementing the rule with a unique identifier associated with the virtualized environment.
  - 11. The method of claim 10, further comprising applying the rule only to traffic sent to or received from a session executing in the virtualized environment.
  - 12. The method of claim 10, wherein the virtualized environment is a network isolation mechanism comprising a compartment or a server silo.
  - 13. The method of claim 9, wherein the network is a first network associated with a first trust level and a first set of rules is applied to the first network by tagging the first set of rules with a first virtualized environment identifier and a second set of rules is applied to a second network associated with a second trust level by tagging the second set of rules with a second virtualized environment identifier.
  - 14. The method of claim 13, wherein the first network and the second network are an identical physical network.

15. A removable computer-readable medium having program code stored thereon that, when executed by a computing environment, causes the computing environment to:
- receive incoming or outgoing traffic associated with a session running in a first virtualized environment on a computer, wherein the computer comprises a plurality of virtualized environments comprising the first virtualized environment and a second virtualized environment, wherein the plurality of virtualized environments on the computer share a single operating system image, a single filter engine and a single network stack, wherein the first virtualized environment is associated with a first set of rules to be applied to traffic on a first network connected to the computer and the second virtualized environment is associated with a second set of rules to be applied to a second network connected to the computer.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium of claim 15, having further program code stored thereon, that when executed by the computing environment, causes the computing environment to:
    - determine the interface on which the incoming traffic came in;
      
      determine the virtualized environment associated with the interface; and
      
      apply the first set of rules to the incoming traffic by matching a unique identifier of the virtualized environment with an attribute present on the first set of rules, wherein only those rules having an attribute matching the unique identifier are applied.
  - 17. The computer-readable medium of claim 15, having further program code stored thereon, that when executed by the computing environment, causes the computing environment to:
    - determine that a virtualized environment associated with the session originating the outgoing traffic is the first virtualized environment and in response thereto, apply the first set of rules to the outgoing traffic.
  - 18. The computer-readable medium of claim 17, having further program code stored thereon, that when executed by the computing environment, causes the computing environment to:
    - determine an interface associated with the first virtualized environment, the interface connected to the first network.
  - 19. The computer-readable medium of claim 16, having further program code stored thereon, that when executed by the computing environment, causes the computing environment to:
    - associate a unique identifier with the first virtualization environment and tag the first set of rules with the unique identifier.
  - 20. The computer-readable medium of claim 19, having further program code stored thereon, that when executed by the computing environment, causes the computing environment to:
    - apply only a set of rules to the traffic based on matching the unique identifier with an identifier associated with the traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Crowell, Zachary Thomas, Khalidi, Yousef A., Talluri, Madhusudhan

Granted Patent

US 8,151,337 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/0263 Rule management

Applying firewalls to virtualized environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

156 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Applying firewalls to virtualized environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

156 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links