MOVEABLE ACCESS CONTROL LIST (ACL) MECHANISMS FOR HYPERVISORS AND VIRTUAL MACHINES AND VIRTUAL PORT FIREWALLS

US 20080163207A1
Filed: 01/03/2007
Published: 07/03/2008
Est. Priority Date: 01/03/2007
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method of controlling network security of a virtual machine, comprising:

enforcing network security and routing at a hypervisor layer.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method (and system) which provides virtual machine migration with filtered network connectivity and control of network security of a virtual machine by enforcing network security and routing at a hypervisor layer at which the virtual machine partition is executed, and which is independent of guest operating systems.

452 Citations

28 Claims

1. A computer implemented method of controlling network security of a virtual machine, comprising:
- enforcing network security and routing at a hypervisor layer.

2. A computer implemented method of virtual machine migration with filtered network connectivity, comprising:
- enforcing network security and routing at a hypervisor layer which is independent of guest operating systems.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 3. The method according to claim 2, wherein said enforcing includes at least one of:
    - dynamic updating of routing controls initiated by a migration of said virtual machine from a first device to a second device, anddynamic updating of firewall network access controls initiated by a migration of said virtual machine from said first device to said second device.
  - 4. The method according to claim 3, wherein said firewall network access controls comprise at least one of:
    - filtering at least one of a network layer, a data link layer, and a physical layer, anda network address translation.
  - 5. The method according to claim 2, further comprising:
    - migrating said virtual machine from a first hardware device to a second hardware device.
  - 6. The method according to claim 5, further comprising:
    - establishing logical rules that govern an interaction of said migrated virtual machine with a network infrastructure.
  - 7. The method according to claim 2, further comprising:
    - storing network access control lists at least one of with a serialized representation of the virtual machine and in a central repository.
  - 8. The method according to claim 7, wherein said network access control lists are independent of guest operating systems.
  - 9. The method according to claim 2, further comprising:
    - storing a network section in a virtual machine description file which is stored to a disk when said virtual machine is serialized.
  - 10. The method according to claim 9, wherein said virtual machine description file further includes:
    - a media access control file.
  - 11. The method according to claim 5, wherein said migrating includes at least one of:
    - migrating a peripheral state of said virtual machine, wherein said peripheral states includes a hardware resource being emulated, andcapturing an application state of said virtual machine, wherein said application state includes at least one of a state of a firewall and a state of a routing of said virtual machine.
  - 12. The method according to claim 2, wherein said hypervisor layer includes a hypervisor at which a virtual machine partition is executed.
  - 13. The method according to claim 2, further comprising:
    - copying network security and routing for said virtual machine to said hypervisor layer;
      
      migrating said virtual machine from a first hardware device to a second hardware device;
      
      updating routing controls for said virtual machine at the hypervisor level;
      
      updating traffic filters for said virtual machine at the hypervisor level; and
      
      advertising said migration of said virtual machine from said first hardware device to said second hardware device.
  - 14. The method according to claim 13, further comprising at least one of:
    - routing network traffic for said virtual machine to said second hardware device based on said routing controls, andgranting access to said virtual machine on said second hardware device based on said traffic filters.
  - 15. The method according to claim 13, wherein said updating traffic filters includes:
    - setting hypervisor firewalls to permit network traffic for said virtual machine to access said second hardware device.
  - 16. The method according to claim 13, wherein said advertising is performed by said second hardware device.
  - 17. The method according to claim 13, wherein said virtual machine retains a same internet protocol address after said migrating.
  - 18. A method of deploying computing infrastructure in which computer-readable code is integrated into a computing system, and combines with said computing system to perform the method according to claim 2.
  - 19. A signal-bearing medium tangibly embodying a program of recordable, machine-readable instructions executable by a digital processing apparatus to perform the method according to claim 2.

20. A system for virtual machine migration with filtered network connectivity and controlling network security of a virtual machine by enforcing network security and routing at a hypervisor layer, comprising:
- a copying unit that copies network security and routing for said virtual machine to said hypervisor layer;
  
  a migrating unit that migrates said virtual machine from a first hardware device to a second hardware device;
  
  a first updating unit that updates routing controls for said virtual machine at the hypervisor level;
  
  a second updating unit that updates traffic filters for said virtual machine at the hypervisor level; and
  
  an advertising unit that advertises said migration of said virtual machine from said first hardware device to said second hardware device.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The system of claim 20, further comprising:
    - at least one of a router that routs network traffic for said virtual machine to said second hardware device based on said routing controls, anda filter that grants access to said virtual machine on said second hardware device based on said traffic filters.
  - 22. The system according to claim 20, wherein said second hardware device includes said advertising unit.
  - 23. The system according to claim 20, wherein said first updating unit dynamically updates routing controls initiated by said migration of said virtual machine from the first device to the second device.
  - 24. The system according to claim 20, wherein said second updating unit dynamically firewall network access controls initiated by said migration of said virtual machine from said first device to said second device.
  - 25. The system according to claim 20, further comprising:
    - a logical rule unit that establishes logical rules that govern an interaction of said migrated virtual machine with a network infrastructure.
  - 26. The system according to claim 20, further comprising:
    - a storage unit for storing network access control lists at least one of with a serialized representation of the virtual machine and in a central repository.
  - 27. The system according to claim 20, further comprising:
    - a storage unit that stores a virtual machine description file when said virtual machine is serialized, said virtual machine description file including a network section and a media access control file.
  - 28. The system according to claim 20, wherein said hypervisor layer includes a hypervisor at which a virtual machine partition is executed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Daedalus Blue LLC
Original Assignee
International Business Machines Corporation
Inventors
Sahu, Sambit, Saha, Debanjan, Reumann, John, Verma, Dinesh Chandra

Granted Patent

US 8,381,209 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

B81B 2201/0257   Microphones or microspeakers

B81B 7/0061   suitable for fluid transfer...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/5077   Logical partitioning of res...

H01L 2224/32225   the item being non-metallic...

H01L 2224/48091   Arched

H01L 2224/48137   the bodies being arranged n...

H01L 2224/48227   connecting the wire to a bo...

H01L 2224/73265   Layer and wire connectors

H01L 24/73   Means for bonding being of ...

H01L 2924/00   Indexing scheme for arrange...

H01L 2924/00012   Relevant to the scope of th...

H01L 2924/00014   the subject-matter covered ...

H01L 2924/01046   Palladium [Pd]

H01L 2924/01078   Platinum [Pt]

H01L 2924/01079   Gold [Au]

H01L 2924/19041   being a capacitor

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0272 : Virtual private networks

H04L 63/101 : Access control lists [ACL]

H04L 63/20 : for managing network securi...

H04R 1/04 : Structural association of m...

H04R 1/2869 : Reduction of undesired reso...

H04R 19/005 : using semiconductor materials

H04R 31/006 : Interconnection of transduc...

View All

MOVEABLE ACCESS CONTROL LIST (ACL) MECHANISMS FOR HYPERVISORS AND VIRTUAL MACHINES AND VIRTUAL PORT FIREWALLS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

452 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

MOVEABLE ACCESS CONTROL LIST (ACL) MECHANISMS FOR HYPERVISORS AND VIRTUAL MACHINES AND VIRTUAL PORT FIREWALLS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

452 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links