MOVING SECURITY FOR VIRTUAL MACHINES
First Claim
1. A method of maintaining a plurality of firewalls on a plurality of host nodes, each host node for running at least one virtual machine, the method comprising:
- for at least a first host node, a) maintaining a plurality of sets of policies for a plurality of virtual machines running on the first host node, and b) upon detecting that a particular virtual machine has been moved from the first host node to a second host node;
i) removing a set of policies associated with the particular virtual machine from a firewall of the first host node; and
ii) supplying the set of policies to a firewall of the second host node.
Abstract
A method of maintaining multiple firewalls on multiple host nodes. Each host node runs one or more virtual machines. For at least a first host node, the method maintains multiple sets of policies for multiple virtual machines that run on the first host node. The method, upon detecting that a particular virtual machine has been moved from the first host node to a second host node, removes a set of policies associated with the particular virtual machine from the first host node and supplies the set of policies to the second host node.
31 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A firewall coordinator for coordinating security for a plurality of virtual machines on a plurality of host nodes, the firewall coordinator comprising:
a) a virtual machine tracker for maintaining records of the host node of each virtual machine of the plurality of virtual machines;
b) a policy manager for receiving and storing a set of policies for each virtual machine of the plurality of virtual machines; and
c) a coordination manager for, when a particular virtual machine moves from a first host node to a second host node, sending an identification of the first host node to a firewall of the second host node to command the firewall of the second host node to retrieve a set of policies for the particular virtual machine from a firewall of the first host node.
Dependent claims: 11, 12, 13, 14, 15, 16, 17
18. A computer readable storage medium storing a computer program which when executed on at least one processor implements a firewall coordinator for coordinating security for virtual machines on a plurality of host nodes, the computer program comprising:
a) a set of instructions for receiving an identification of a particular virtual machine from a firewall of a first host node;
b) a set of instructions for determining whether the particular virtual machine had been moved to the first host node from a second host node on which a set of policies for the virtual machine are stored;
c) a set of instructions for, when the particular virtual machine had been moved from the second host node to the first host node, sending an identifier of the second host node to the firewall of the first host node to command the firewall of the first host node to retrieve the set of policies from a firewall of the second host node; and
d) a set of instructions for, when the particular virtual machine had not been moved from any host node to the first host node, sending the set of policies for the particular virtual machine to the firewall of the first host node.
Dependent claims: 19, 20, 21
22. A firewall comprising:
a) a virtual machine detector for determining that a received packet on a first host node is for a previously undetected virtual machine;
b) a migration coordinator for:
i) requesting an identity of a second host node on which the previously undetected virtual machine previously ran; and
ii) retrieving policies for the previously undetected virtual machine from a second firewall of the second host node, the policies for determining whether to allow or block the received packet.
Dependent claims: 23, 24, 25, 26
27. A computer readable storage medium storing a computer program which when executed on at least one processor implements a firewall, the computer program comprising:
a) a set of instructions for determining that a received packet on a first host node is for a previously undetected virtual machine;
b) a set of instructions for requesting an identity of a second host node on which the previously undetected virtual machine previously ran; and
c) a set of instructions for retrieving policies for the previously undetected virtual machine from a second firewall of the second host node, the policies for determining whether to allow or block the received packet.
Dependent claims: 28, 29, 30, 31
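The following Python model is an added illustration of the scheme in claims 18, 22 and 27 (not the patent's own code and not taken from any product): a coordinator tracks each virtual machine's host, and a host firewall that sees a packet for a virtual machine it has not yet detected asks the coordinator where that machine previously ran, pulls the policy set from the old host's firewall (which drops its copy), or receives the stored set directly when the machine did not migrate. Class and method names, the rule format and the default-deny fallback are assumptions.

```python
# Added model of a VM-migration-aware firewall coordinator; all names are assumptions.
from dataclasses import dataclass


@dataclass
class Rule:
    dst_port: int
    action: str  # "allow" or "block"


class HostFirewall:
    def __init__(self, host_id, coordinator):
        self.host_id = host_id
        self.coordinator = coordinator
        self.policies = {}  # vm_id -> list[Rule] for VMs currently detected here
        coordinator.firewalls[host_id] = self

    def handover(self, vm_id):
        """Old-host side of a migration: release the VM's policy set and drop it locally."""
        return self.policies.pop(vm_id, None)

    def handle_packet(self, vm_id, dst_port):
        if vm_id not in self.policies:  # packet for a previously undetected VM
            source = self.coordinator.locate_policies(vm_id, self.host_id)
            if isinstance(source, HostFirewall):  # VM migrated: retrieve from the old host's firewall
                rules = source.handover(vm_id)
                if rules is None:  # old host lost its copy; fall back to the coordinator's stored set
                    rules = list(self.coordinator.policy_manager[vm_id])
            else:  # VM did not migrate: coordinator supplied the stored set directly
                rules = list(source)
            self.policies[vm_id] = rules
        for rule in self.policies[vm_id]:
            if rule.dst_port == dst_port:
                return rule.action
        return "block"  # default-deny when no rule matches (assumption)


class FirewallCoordinator:
    def __init__(self):
        self.firewalls = {}       # host_id -> HostFirewall
        self.vm_tracker = {}      # vm_id -> host_id last recorded for that VM
        self.policy_manager = {}  # vm_id -> list[Rule] registered for that VM

    def register_policy(self, vm_id, rules):
        self.policy_manager[vm_id] = rules

    def locate_policies(self, vm_id, reporting_host):
        """Return the previous host's firewall if the VM moved, else the stored policy set."""
        previous = self.vm_tracker.get(vm_id)
        self.vm_tracker[vm_id] = reporting_host
        if previous is not None and previous != reporting_host:
            return self.firewalls[previous]
        return self.policy_manager[vm_id]
```

Note that the tracker is updated before the old firewall hands over its copy, so a VM is never recorded on two hosts at once, and the old host enforces nothing for it once the pull completes.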
Specification