Method and apparatus for dynamic switching and real time security control on virtualized systems

US 20090073895A1
Filed: 09/17/2007
Published: 03/19/2009
Est. Priority Date: 09/17/2007
Status: Active Grant

First Claim

Patent Images

1. A system for securing network traffic to a platform, comprising:

a host processor on the platform having virtualization technology capability, the host processor coupled to a second processor on the platform to control network communication;

a virtual machine manager (VMM) to execute on the host processor to control a plurality of virtual machines (VMs) running on the host processor;

the second processor to send and receive network traffic to/from the plurality of virtual machines running on the host processor, the second processor to use at least one filter to determine when network traffic is suspect and to route suspect network traffic to a security virtual appliance for investigation, and when network traffic is not suspect, to route the non-suspect traffic to an intended recipient running on the host processor,wherein the security virtual appliance is to run in a first virtual machine and to investigate suspect network traffic, wherein when the suspect network traffic is identified as harmless, enabling the harmless traffic to be routed to the intended recipient running on the host processor, and when the network traffic is identified as not harmless, failing to forward the non-harmless traffic to the intended recipient on the host processor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, the invention involves securing network traffic to and from a host processor. A system and method is disclosed which utilizes a second processor on a virtualization technology platform to send/receive and triage messages. The second processor is to forward suspect messages to a virtual appliance for further investigation before routing the suspect messages to one of a plurality of virtual machines running on the host processor. When messages are not suspect, use of the virtual appliance is avoided and messages are routed to one of a plurality of virtual machines via a virtual machine manager running on the host processor. Other embodiments are described and claimed.

Citations

18 Claims

1. A system for securing network traffic to a platform, comprising:
- a host processor on the platform having virtualization technology capability, the host processor coupled to a second processor on the platform to control network communication;
  
  a virtual machine manager (VMM) to execute on the host processor to control a plurality of virtual machines (VMs) running on the host processor;
  
  the second processor to send and receive network traffic to/from the plurality of virtual machines running on the host processor, the second processor to use at least one filter to determine when network traffic is suspect and to route suspect network traffic to a security virtual appliance for investigation, and when network traffic is not suspect, to route the non-suspect traffic to an intended recipient running on the host processor,wherein the security virtual appliance is to run in a first virtual machine and to investigate suspect network traffic, wherein when the suspect network traffic is identified as harmless, enabling the harmless traffic to be routed to the intended recipient running on the host processor, and when the network traffic is identified as not harmless, failing to forward the non-harmless traffic to the intended recipient on the host processor.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system as recited in claim 1, wherein the second processor comprises a manageability engine having active management technology architecture.
  - 3. The system as recited in claim 2, wherein the second processor is coupled to an input/output controller hub (ICH) via one of a memory controller hub (MCH) or input/output hub (IOH), and wherein the ICH is coupled to a network interface device for sending and receiving the network traffic.
  - 4. The system as recited in claim 1, wherein the VMM comprises a networking advocate component for resetting a message route for network traffic to one of the intended recipient or the security virtual appliance, andwherein the second processor comprises a network director to monitor network traffic and to direct the networking advocate to direct received network traffic, wherein the networking advocate uses the at least one filter to determine whether the network traffic should be routed to the intended recipient or to the security virtual appliance.
  - 5. The system as recited in claim 4, wherein network drivers to be used by the plurality of virtual machines are virtualized to utilize a network interface communicatively coupled to the second processor.
  - 6. The system as recited in claim 1, wherein investigation by the security appliance is to route the suspect network traffic to a second virtual machine to observe behavior of the suspect network traffic to help in identifying whether the network traffic is harmless or non-harmless.

7. A computer implemented method for securing network traffic to a host processor on a platform having virtualization technology capability, comprising:
- receiving a network packet by a second processor on the platform, the second processor communicatively coupled to the host processor;
  
  determining by the second processor whether the network packet is of suspect status;
  
  when the network packet is determined to be suspect,the second processor indicating to a virtual machine manager (VMM) executing on the host processor the suspect status of the network packet;
  
  forwarding the suspect network packet to a security virtual appliance running in a virtual machine on the host processor;
  
  determining by the security virtual appliance whether the suspect network packet is to be considered harmless; and
  
  when the suspect packet is determined to be harmless,routing the network packet to an intended recipient on the host processor;
  
  when the suspect packet is determined to be non-harmless,failing to route the network packet to the host processor; and
  
  when the network packet is determined to be non-suspect, routing the network packet directly to the intended recipient via the VMM.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method as recited in claim 7, wherein the determining whether the network packet is of suspect status, comprises:
    - filtering the received network packet through at least one filter stored in a protected area of flash memory inaccessible to the host processor, wherein the flash memory is coupled to both the host processor and the second processor.
  - 9. The method as recited in claim 7, wherein a network packet has a suspect status when the network packet breaches a predetermined policy or is deemed to behave in a questionable manner, wherein the predetermined policy and rules outlining questionable behavior are accessible to the second processor and stored a protected area of memory on the platform.
  - 10. The method as recited in claim 7, further comprising:
    - notifying a user when a packet is received that is determined to be non-harmless.
  - 11. The method as recited in claim 7, wherein routing of a non-harmless network packet is determined by a predetermined policy.
  - 12. The method as recited in claim 7, wherein the determining by the security virtual appliance whether the suspect network packet is to be considered harmless further comprises:
    - sending the suspect packet to a test virtual machine on the platform;
      
      observing, by the virtual appliance, the result of sending the suspect packet to the test virtual machine; and
      
      identifying the suspect packet as one of harmless or non-harmless based on the results of sending the suspect packet to the test virtual machine.

13. A machine readable storage medium having instructions stored therein for securing network traffic to a host processor on a platform having virtualization technology capability, that when the instructions are executed on the platform cause the platform to:
- receive a network packet by a second processor on the platform, the second processor communicatively coupled to the host processor;
  
  determine by the second processor whether the network packet is of suspect status;
  
  when the network packet is determined to be suspect,the second processor indicates to a virtual machine manager (VMM) executing on the host processor the suspect status of the network packet;
  
  forward the suspect network packet to a security virtual appliance running in a virtual machine on the host processor;
  
  determine by the security virtual appliance whether the suspect network packet is to be considered harmless; and
  
  when the suspect packet is determined to be harmless,route the network packet to an intended recipient on the host processor;
  
  when the suspect packet is determined to be non-harmless,fail to route the network packet to the host processor; and
  
  when the network packet is determined to be non-suspect, route the network packet directly to the intended recipient via the VMM.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The medium as recited in claim 13, wherein the determining whether the network packet is of suspect status, comprises instructions that when executed:
    - filter the received network packet through at least one filter stored in a protected area of flash memory inaccessible to the host processor, wherein the flash memory is coupled to both the host processor and the second processor.
  - 15. The medium as recited in claim 13, wherein a network packet has a suspect status when the network packet breaches a predetermined policy or is deemed to behave in a questionable manner, wherein the predetermined policy and rules outlining questionable behavior are accessible to the second processor and stored a protected area of memory on the platform.
  - 16. The medium as recited in claim 13, further comprising instructions that when executed:
    - notify a user when a packet is received that is determined to be non-harmless.
  - 17. The medium as recited in claim 13, wherein routing of a non-harmless network packet is determined by a predetermined policy.
  - 18. The medium as recited in claim 13, wherein the determining by the security virtual appliance whether the suspect network packet is to be considered harmless further comprises instructions that when executed:
    - send the suspect packet to a test virtual machine on the platform;
      
      observe, by the virtual appliance, the result of sending the suspect packet to the test virtual machine; and
      
      identify the suspect packet as one of harmless or non-harmless based on the results of sending the suspect packet to the test virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Morgan, Dennis, Ross, Alan D.

Granted Patent

US 8,250,641 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/255
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

Method and apparatus for dynamic switching and real time security control on virtualized systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for dynamic switching and real time security control on virtualized systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links