METHODS FOR EFFECTIVE NETWORK-SECURITY INSPECTION IN VIRTUALIZED ENVIRONMENTS
First Claim
1. A method for effective network-security inspection in virtualized environments, the method comprising the steps of:
(a) providing a data packet, embodied in machine-readable signals, being sent from a sending virtual machine to a receiving virtual machine via a virtual switch;
(b) intercepting said data packet by a sending security agent associated with said sending virtual machine;
(c) injecting said data packet into an inspecting security agent associated with a security virtual machine via a direct transmission channel which bypasses said virtual switch;
(d) forwarding said data packet to said security virtual machine by employing a packet-forwarding mechanism;
(e) determining, by said security virtual machine, whether said data packet is allowed for transmission;
(f) upon determining said data packet is allowed, injecting said data packet back into said sending security agent via said direct transmission channel; and
(g) forwarding said data packet to said receiving virtual machine via said virtual switch.
1 Assignment
0 Petitions
Abstract
The present invention discloses methods for effective network-security inspection in virtualized environments, the methods including the steps of: providing a data packet, embodied in machine-readable signals, being sent from a sending virtual machine to a receiving virtual machine via a virtual switch; intercepting the data packet by a sending security agent associated with the sending virtual machine; injecting the data packet into an inspecting security agent associated with a security virtual machine via a direct transmission channel which bypasses the virtual switch; forwarding the data packet to the security virtual machine by employing a packet-forwarding mechanism; determining, by the security virtual machine, whether the data packet is allowed for transmission; upon determining the data packet is allowed, injecting the data packet back into the sending security agent via the direct transmission channel; and forwarding the data packet to the receiving virtual machine via the virtual switch.
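The sequence in the abstract can be followed more easily as a small model of the data path. The code below is an added example written for this page; it is not code from the patent or its assignee. It models the sending agent, the direct channel to the security VM, the virtual switch and a stand-in inspection policy. The VM names, the sample packets, the port-and-marker policy and the fail-closed behaviour when the security VM is unreachable are all assumptions made for the example; the claim itself says nothing about what happens when inspection is unavailable. The point the model makes visible is that a packet never touches the virtual switch until the security VM has allowed it, so a denied packet is dropped at the sending agent and is never observable at the receiving VM or on the switch.

```python
"""Model of the claimed inspection path (added example, not the patent's code).

A packet leaving the sending VM is intercepted by that VM's security agent,
pushed over a direct channel to the inspecting agent of a security VM
(bypassing the virtual switch), and only handed to the virtual switch for
delivery once the security VM has allowed it.  Policy contents, VM names and
the fail-closed rule are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_vm: str
    dst_vm: str
    dst_port: int
    payload: bytes


class VirtualSwitch:
    """Step (g): ordinary forwarding between guest VMs.  Every packet that
    crosses the switch is recorded so we can prove denied packets never did."""

    def __init__(self):
        self.carried = []
        self.inbox = {}

    def forward(self, pkt):
        self.carried.append(pkt)
        self.inbox.setdefault(pkt.dst_vm, []).append(pkt)


class SecurityVM:
    """Step (e): the inspection logic.  Assumed policy: allow only listed
    destination ports and reject payloads containing a denied marker."""

    def __init__(self, allowed_ports, deny_markers):
        self.allowed_ports = frozenset(allowed_ports)
        self.deny_markers = tuple(deny_markers)

    def inspect(self, pkt):
        if pkt.dst_port not in self.allowed_ports:
            return False
        return not any(m in pkt.payload for m in self.deny_markers)


class InspectingAgent:
    """Step (d): the security VM end of the direct channel.  `online` models
    whether the security VM can be reached at all."""

    def __init__(self, security_vm):
        self.security_vm = security_vm
        self.online = True

    def receive(self, pkt):
        if not self.online:
            raise ConnectionError("security VM unreachable")
        return self.security_vm.inspect(pkt)


class SendingAgent:
    """Steps (b), (c), (f), (g): intercepts the sending VM's egress traffic and
    releases it to the switch only after an allow verdict has come back."""

    def __init__(self, vm_name, vswitch, inspecting_agent):
        self.vm_name = vm_name
        self.vswitch = vswitch
        self.direct_channel = inspecting_agent  # not a switch port
        self.dropped = []

    def send(self, pkt):
        assert pkt.src_vm == self.vm_name
        try:
            allowed = self.direct_channel.receive(pkt)  # (c), (d), (e)
        except ConnectionError:
            allowed = False  # assumption: fail closed, never forward uninspected
        if allowed:
            self.vswitch.forward(pkt)  # (f) verdict returned, (g) forwarded
        else:
            self.dropped.append(pkt)
        return allowed


def run_demo():
    """Build the topology, send constructed sample packets and return what
    each component saw."""
    vswitch = VirtualSwitch()
    sec_vm = SecurityVM(allowed_ports={80, 443}, deny_markers=[b"/etc/passwd"])
    inspector = InspectingAgent(sec_vm)
    agent_a = SendingAgent("vm-a", vswitch, inspector)

    # Constructed sample traffic from vm-a to vm-b.
    ok = Packet("vm-a", "vm-b", 443, b"GET / HTTP/1.1\r\nHost: vm-b\r\n\r\n")
    bad_port = Packet("vm-a", "vm-b", 22, b"SSH-2.0-OpenSSH_9.6")
    bad_body = Packet("vm-a", "vm-b", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n")
    verdicts = [agent_a.send(p) for p in (ok, bad_port, bad_body)]

    # Security VM goes away: the agent must not fall back to plain forwarding.
    inspector.online = False
    verdicts.append(agent_a.send(Packet("vm-a", "vm-b", 443, b"GET /late HTTP/1.1\r\n\r\n")))

    return {
        "verdicts": verdicts,
        "delivered_to_vm_b": vswitch.inbox.get("vm-b", []),
        "carried_by_switch": vswitch.carried,
        "dropped_at_agent": agent_a.dropped,
    }


if __name__ == "__main__":
    result = run_demo()
    print("verdicts:", result["verdicts"])
    for p in result["dropped_at_agent"]:
        print("dropped before reaching the switch:", p.dst_port, p.payload[:24])
```

The check a practitioner would add when evaluating a product built on this scheme is the one `run_demo` returns: compare what the switch carried against what the receiving VM got, and confirm that every denied packet appears only in the sending agent's drop list. If the two sets differ, the "direct channel" is in practice a switch port and the bypass property the claim describes does not hold.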
49 Citations
18 Claims
1. A method for effective network-security inspection in virtualized environments, the method comprising the steps of:
(a) providing a data packet, embodied in machine-readable signals, being sent from a sending virtual machine to a receiving virtual machine via a virtual switch;
(b) intercepting said data packet by a sending security agent associated with said sending virtual machine;
(c) injecting said data packet into an inspecting security agent associated with a security virtual machine via a direct transmission channel which bypasses said virtual switch;
(d) forwarding said data packet to said security virtual machine by employing a packet-forwarding mechanism;
(e) determining, by said security virtual machine, whether said data packet is allowed for transmission;
(f) upon determining said data packet is allowed, injecting said data packet back into said sending security agent via said direct transmission channel; and
(g) forwarding said data packet to said receiving virtual machine via said virtual switch.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A computer-readable storage medium having computer-readable code embodied on the computer-readable storage medium, the computer-readable code comprising:
(a) program code for intercepting a data packet embodied in machine-readable signals, said data packet being sent from a sending virtual machine to a receiving virtual machine, by a sending security agent associated with said sending virtual machine via a virtual switch;
(b) program code for injecting said data packet into an inspecting security agent associated with a security virtual machine via a direct transmission channel which bypasses said virtual switch;
(c) program code for forwarding said data packet to said security virtual machine by employing a packet-forwarding mechanism;
(d) program code for determining, by said security virtual machine, whether said data packet is allowed for transmission; and
(e) program code for, upon determining said data packet is allowed, injecting said data packet back into said sending security agent via said direct transmission channel; and
(f) program code for forwarding said data packet to said receiving virtual machine via said virtual switch.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
Specification