COMBINED FIREWALLS
First Claim
1. For a system that hosts a plurality of virtual machines on a plurality of host nodes, a method of providing a firewall to protect a set of virtual machines on a first host node, the method comprising:
  a) storing a connection table of records of allowed connections for each virtual machine of said set of virtual machines; and
  b) upon a particular virtual machine moving from the first host node to a second host node;
    i) deleting records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines; and
    ii) editing records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the set of virtual machines on the first host node, to remove an identifier of the particular virtual machine.
2 Assignments
0 Petitions
Abstract
A method of providing a firewall to protect a set of virtual machines on a host node that is one of multiple host nodes that host virtual machines. The method stores a table of allowed connections for each virtual machine on the host node. Upon a particular virtual machine moving from the host node to another host node, the method deletes records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines. Also upon the virtual machine moving, the method edits records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the set of virtual machines on the first host node, to remove an identifier of the particular virtual machine.
23 Claims
1. For a system that hosts a plurality of virtual machines on a plurality of host nodes, a method of providing a firewall to protect a set of virtual machines on a first host node, the method comprising:
  a) storing a connection table of records of allowed connections for each virtual machine of said set of virtual machines; and
  b) upon a particular virtual machine moving from the first host node to a second host node;
    i) deleting records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines; and
    ii) editing records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the set of virtual machines on the first host node, to remove an identifier of the particular virtual machine.
Dependent claims: 2, 3, 4, 5
6. For a system that hosts a plurality of virtual machines on a plurality of host nodes, a method of providing a firewall to protect a set of virtual machines on a first host node, the method comprising:
  a) storing a connection table of records of allowed connections for each virtual machine of said set of virtual machines;
  b) upon a particular virtual machine moving to the first host node from a second host node, retrieving from a firewall of the second host node a set of records of allowed connections that each identify the particular virtual machine;
  c) for each record of said set of records that identifies a connection that is also identified in a record in the connection table, adding an identifier of the particular virtual machine to the record in the connection table that identifies the same connection; and
  d) for each record of said set of records that does not identify a connection to any virtual machine on the first host node, adding the record to the connection table.
Dependent claims: 7, 8
9. A method of providing firewall protection for a plurality of virtual machines on a first host node, the method comprising:
  providing a firewall on a host node of the host system, wherein when a packet addressed from a first virtual machine on the host node is sent to a second virtual machine on the host node, the firewall determines:
    whether a first set of policies that apply to the first virtual machine allows the first virtual machine to send the packet to the second virtual machine; and
    whether a second set of policies that apply to the second virtual machine allows the second virtual machine to receive the packet from the first virtual machine.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17
18. A computer readable storage medium storing a computer program which when executed on a first host node on at least one processor implements a firewall on the first host node for securing a plurality of virtual machines on the first host node, the computer program comprising:
  a) a set of instructions for saving, in a connection table, a set of records of allowed connections for each of the plurality of virtual machines on the first host node;
  b) a set of instructions for removing references to a particular virtual machine from the firewall upon the particular virtual machine moving from the first host node to a second host node; and
  c) a set of instructions for sending a copy of the removed references to a firewall on the second host node upon the particular virtual machine moving from the first host node to the second host node.
Dependent claims: 19, 20, 21, 22, 23
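The connection-table handling that claims 1, 6 and 18 describe (delete records that name only the moving VM, edit records shared with another local VM, ship the removed references to the destination host, and merge them there), together with the two-sided policy check of claim 9, is easier to follow in code. The following is an added illustration, not the patent's or any vendor's implementation; the class and function names (HostFirewall, migrate_out, migrate_in, local_packet_allowed), the record layout, and the sample hosts, VMs and addresses are all constructed assumptions.

```python
"""Per-host VM firewall state during VM migration (illustrative, constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A connection is identified by its endpoints: (src_ip, src_port, dst_ip, dst_port).
Connection = Tuple[str, int, str, int]


@dataclass
class Record:
    conn: Connection
    vms: Set[str]   # identifiers of VMs *on this host* that this record protects


class HostFirewall:
    def __init__(self, host_id: str) -> None:
        self.host_id = host_id
        self.table: List[Record] = []
        # Per-VM policy sets used for the intra-host check (claim 9).
        self.policies: Dict[str, Dict[str, Set]] = {}

    def allow(self, conn: Connection, *vms: str) -> None:
        """Record an allowed connection. A record names one local VM, or two
        when both ends of the connection are VMs on this same host."""
        for rec in self.table:
            if rec.conn == conn:
                rec.vms.update(vms)
                return
        self.table.append(Record(conn, set(vms)))

    def records_for(self, vm: str) -> List[Connection]:
        return sorted(r.conn for r in self.table if vm in r.vms)

    def migrate_out(self, vm: str) -> List[Record]:
        """Claims 1 and 18: remove every reference to `vm` from this firewall.
        Records naming only `vm` are deleted; records also naming another local
        VM are edited to drop `vm`. The removed references are returned so the
        caller can send a copy to the destination host's firewall."""
        exported: List[Record] = []
        kept: List[Record] = []
        for rec in self.table:
            if vm not in rec.vms:
                kept.append(rec)
                continue
            exported.append(Record(rec.conn, {vm}))
            remaining = rec.vms - {vm}
            if remaining:                       # (ii) edit: another local VM still uses it
                kept.append(Record(rec.conn, remaining))
            # else: (i) delete; nothing else on this host needs the record
        self.table = kept
        return exported

    def migrate_in(self, vm: str, records: List[Record]) -> None:
        """Claim 6: merge records retrieved from the source host's firewall.
        A connection already in the table (its peer VM lives here) gains `vm`
        as an identifier; a connection unknown here is added as a new record."""
        for incoming in records:
            for rec in self.table:
                if rec.conn == incoming.conn:   # (c) same connection already known
                    rec.vms.add(vm)
                    break
            else:                               # (d) new to this host
                self.table.append(Record(incoming.conn, {vm}))

    def set_policy(self, vm: str, egress_ports: Set[int], ingress_vms: Set[str]) -> None:
        self.policies[vm] = {"egress_ports": egress_ports, "ingress_vms": ingress_vms}

    def local_packet_allowed(self, src_vm: str, dst_vm: str, dst_port: int) -> bool:
        """Claim 9: a packet between two VMs on this host passes only if the
        sender's policy set permits sending it AND the receiver's policy set
        permits receiving it. Either side alone is not sufficient."""
        empty: Dict[str, Set] = {"egress_ports": set(), "ingress_vms": set()}
        src = self.policies.get(src_vm, empty)
        dst = self.policies.get(dst_vm, empty)
        return dst_port in src["egress_ports"] and src_vm in dst["ingress_vms"]


def migrate(vm: str, src_fw: HostFirewall, dst_fw: HostFirewall) -> None:
    """Move `vm`'s firewall state from src_fw to dst_fw (claims 1, 6 and 18 together)."""
    dst_fw.migrate_in(vm, src_fw.migrate_out(vm))


def demo() -> Tuple[HostFirewall, HostFirewall]:
    """Constructed scenario: VMs A and B on host h1, VM C on host h2; A moves to h2."""
    h1, h2 = HostFirewall("h1"), HostFirewall("h2")
    a_to_web = ("10.0.1.10", 40000, "203.0.113.5", 443)   # A -> external server
    a_to_b = ("10.0.1.10", 40001, "10.0.1.11", 22)        # A -> B, both on h1
    b_to_web = ("10.0.1.11", 40002, "203.0.113.5", 443)   # B -> external server
    c_to_a = ("10.0.2.20", 40003, "10.0.1.10", 8080)      # C -> A, across hosts
    h1.allow(a_to_web, "A")
    h1.allow(a_to_b, "A", "B")
    h1.allow(b_to_web, "B")
    h1.allow(c_to_a, "A")   # A's side of the cross-host connection
    h2.allow(c_to_a, "C")   # C's side of the same connection
    migrate("A", h1, h2)
    return h1, h2
```

After `demo()` runs, h1 retains only B's records (the A-to-B record now names B alone), while on h2 the C-to-A record names both C and A and A's other connections appear as new records; no record naming A remains on the host it left, which is the state the claims are designed to reach.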
Specification