Method and apparatus for dynamic switching and real time security control on virtualized systems
First Claim
1. A system for securing network traffic to a platform, comprising:
a host processor on the platform having virtualization technology capability, the host processor coupled to a second processor on the platform to control network communication;
a virtual machine manager (VMM) to execute on the host processor to control a plurality of virtual machines (VMs) running on the host processor;
the second processor to send and receive network traffic to/from the plurality of virtual machines running on the host processor, the second processor to use at least one filter to determine when network traffic is suspect and to route suspect network traffic to a security virtual appliance for investigation, and when network traffic is not suspect, to route the non-suspect traffic to an intended recipient running on the host processor, wherein the security virtual appliance is to run in a first virtual machine and to investigate suspect network traffic, wherein when the suspect network traffic is identified as harmless, enabling the harmless traffic to be routed to the intended recipient running on the host processor, and when the network traffic is identified as not harmless, failing to forward the non-harmless traffic to the intended recipient on the host processor.
Abstract
In some embodiments, the invention involves securing network traffic to and from a host processor. A system and method is disclosed which utilizes a second processor on a virtualization technology platform to send/receive and triage messages. The second processor is to forward suspect messages to a virtual appliance for further investigation before routing the suspect messages to one of a plurality of virtual machines running on the host processor. When messages are not suspect, use of the virtual appliance is avoided and messages are routed to one of a plurality of virtual machines via a virtual machine manager running on the host processor. Other embodiments are described and claimed.
18 Claims
7. A computer implemented method for securing network traffic to a host processor on a platform having virtualization technology capability, comprising:
receiving a network packet by a second processor on the platform, the second processor communicatively coupled to the host processor; determining by the second processor whether the network packet is of suspect status; when the network packet is determined to be suspect, the second processor indicating to a virtual machine manager (VMM) executing on the host processor the suspect status of the network packet; forwarding the suspect network packet to a security virtual appliance running in a virtual machine on the host processor; determining by the security virtual appliance whether the suspect network packet is to be considered harmless; and when the suspect packet is determined to be harmless, routing the network packet to an intended recipient on the host processor; when the suspect packet is determined to be non-harmless, failing to route the network packet to the host processor; and when the network packet is determined to be non-suspect, routing the network packet directly to the intended recipient via the VMM. (Dependent claims: 8, 9, 10, 11, 12.)
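The triage path of claim 7 as a small executable model, added here as an illustration rather than any code from the patent: the second processor applies a cheap first-pass filter and flags the packet's suspect status to the VMM, the VMM sends only suspect packets through the security appliance VM, and non-harmless packets never reach the guest. The filter rules, the appliance signature and the packet fields are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    dst_vm: str      # intended recipient VM on the host processor
    dst_port: int
    payload: bytes


class SecurityAppliance:
    """Runs in its own VM; deep-inspects only what the VMM hands it."""
    BAD_SIGNATURES = (b"evil-signature",)   # constructed sample signature

    def __init__(self):
        self.inspections = 0                # shows when the slow path is used

    def is_harmless(self, pkt: Packet) -> bool:
        self.inspections += 1
        return not any(sig in pkt.payload for sig in self.BAD_SIGNATURES)


class VMM:
    """Delivers to guest VMs; suspect packets detour through the appliance VM."""

    def __init__(self, appliance: SecurityAppliance):
        self.appliance = appliance
        self.delivered = defaultdict(list)  # per-VM record of what arrived

    def route(self, pkt: Packet, suspect: bool) -> str:
        if not suspect:                     # fast path: appliance is bypassed
            self.delivered[pkt.dst_vm].append(pkt)
            return "fast-path"
        if self.appliance.is_harmless(pkt): # slow path: inspected, then forwarded
            self.delivered[pkt.dst_vm].append(pkt)
            return "inspected-forwarded"
        return "dropped"                    # non-harmless: never reaches the guest


class SecondProcessor:
    """NIC-side processor with a cheap first-pass filter (constructed rules)."""
    FAST_PATH_PORTS = {80, 443}

    def __init__(self, vmm: VMM):
        self.vmm = vmm

    def is_suspect(self, pkt: Packet) -> bool:
        return pkt.dst_port not in self.FAST_PATH_PORTS or b"\x00" in pkt.payload

    def receive(self, pkt: Packet) -> str:
        # Indicate the suspect status to the VMM rather than deciding delivery here
        return self.vmm.route(pkt, suspect=self.is_suspect(pkt))
```

The appliance's inspection counter makes the abstract's point visible: non-suspect traffic is delivered without ever exercising the appliance VM.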
13. A machine readable storage medium having instructions stored therein for securing network traffic to a host processor on a platform having virtualization technology capability, that when the instructions are executed on the platform cause the platform to:
receive a network packet by a second processor on the platform, the second processor communicatively coupled to the host processor; determine by the second processor whether the network packet is of suspect status; when the network packet is determined to be suspect, the second processor indicates to a virtual machine manager (VMM) executing on the host processor the suspect status of the network packet; forward the suspect network packet to a security virtual appliance running in a virtual machine on the host processor; determine by the security virtual appliance whether the suspect network packet is to be considered harmless; and when the suspect packet is determined to be harmless, route the network packet to an intended recipient on the host processor; when the suspect packet is determined to be non-harmless, fail to route the network packet to the host processor; and when the network packet is determined to be non-suspect, route the network packet directly to the intended recipient via the VMM. (Dependent claims: 14, 15, 16, 17, 18.)