FIREWALL CONFIGURED WITH DYNAMIC MEMBERSHIP SETS REPRESENTING MACHINE ATTRIBUTES

US 20100333165A1
Filed: 06/24/2009
Published: 12/30/2010
Est. Priority Date: 06/24/2009
Status: Active Grant

First Claim

Patent Images

1. A method to control the flow of packets within a system that includes one or more computer networks comprising:

storing policy rules in machine readable storage media that set forth attribute dependent conditions for communications among machines on the one or more networks;

obtaining respective machine attributes and corresponding machine identifiers for respective machines on the one or more networks;

transforming the policy rules to firewall rules that include machine identifiers of machines having attributes from among the obtained machine attributes that satisfy the attribute dependent policy rules; and

storing the firewall rules in machine readable storage media.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided to control the flow of packets within a system that includes one or more computer networks comprising: policy rules are provided that set forth attribute dependent conditions for communications among machines on the one or more networks; machine attributes and corresponding machine identifiers are obtained for respective machines on the networks; and policy rules are transformed to firewall rules that include machine identifiers of machines having attributes from among the obtained machine attributes that satisfy the attribute dependent policy rules.

185 Citations

19 Claims

1. A method to control the flow of packets within a system that includes one or more computer networks comprising:
- storing policy rules in machine readable storage media that set forth attribute dependent conditions for communications among machines on the one or more networks;
  
  obtaining respective machine attributes and corresponding machine identifiers for respective machines on the one or more networks;
  
  transforming the policy rules to firewall rules that include machine identifiers of machines having attributes from among the obtained machine attributes that satisfy the attribute dependent policy rules; and
  
  storing the firewall rules in machine readable storage media.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 further including:
    - identifying an occurrence of one or more updates to at least one of the networks;
      
      wherein the act of obtaining machine attributes and corresponding machine identifiers is responsive to identification of an occurrence of one or more updates to the at least one of the networks.
  - 3. The method of claim 2,wherein at least one identified update includes a change in an attribute of a machine of the at least one of the networks.
  - 4. The method of claim 3,wherein the change in an attribute includes a change in software running on a machine from the at least one of the networks.
  - 5. The method of claim 3,wherein the change in an attribute includes a change in physical location of a machine from the at least one of the networks.
  - 6. The method of claim 3,wherein the change in an attribute includes a change in a network property of a machine from the at least one of the networks.
  - 7. The method of claim 2,wherein at least one identified update includes an addition of a machine to the at least one of the networks.
  - 8. The method of claim 2,wherein at least one identified update includes a deletion of a machine from the at least one of the networks.
  - 9. The method of claim 1,receiving from an machine attribute update gathering tool an indication of an occurrence of one or more updates to at least one of the networks;
    - wherein the act of obtaining machine attributes and corresponding machine identifiers is responsive to receiving such indication of an occurrence of one or more updates to the at least one of the networks.
  - 10. The method of claim 9 further including:
    - periodically sending an update inquiry to the machine attribute update gathering tool.
  - 11. The method of claim 1 further including:
    - identifying an occurrence of one or more manual updates to membership of a set of machines;
      
      wherein the act of obtaining machine attributes and corresponding machine identifiers is responsive to identification of an occurrence of one or more updates to the set of machines.
  - 12. The method of claim 1,wherein transforming the policy rules to firewall rules further includes:
    - matching an attribute condition within a policy rule with one or more obtained machine attributes; and
      
      generating at least one firewall rule for each machine identifier of a machine having all attributes required to satisfy the attribute condition within the policy rule.
  - 13. The method of claim 1,wherein transforming the policy rules to firewall rules further includes:
    - resolving at least one set operation within the attribute condition to produce a resolved attribute condition;
      
      generating at least one firewall rule for each machine identifier of a machine having all attributes required to satisfy the resolved attribute condition within the policy rule.
  - 14. The method of claim 13 further including:
    - matching an attribute condition within a policy rule with one or more obtained machine attributes;
  - 15. The method of claim 1 further including:
    - inspecting a packet en route within the system to identify a machine identifier associated with the packet;
      
      searching for a match between the identified machine identifier and a machine identifier within a stored firewall rule;
      
      configuring a firewall engine to pass the packet or to deny passage of the packet based at least in part upon whether one or more stored firewall rules includes a machine identifier that matches the identified machine identifier within the packet.

16. A method to control the flow of packets within a system that includes one or more computer networks comprising:
- storing policy rules in machine readable storage media that set forth attribute dependent conditions for communications among machines on the one or more networks;
  
  obtaining respective machine attributes and corresponding machine identifiers for respective machines on the one or more networks;
  
  transforming the policy rules to firewall rules that include machine identifiers of machines having attributes from among the obtained machine attributes that satisfy the attribute dependent policy rules;
  
  wherein transforming the policy rules to firewall rules further includes,matching a source attribute condition within a policy rule with one or more obtained machine attributes,matching a destination attribute condition within a policy rule with one or more obtained machine attributes; and
  
  generating a firewall rule for each combination of a machine identifier of a machine having all attributes required to satisfy the source attribute condition within the policy rule and having a machine identifier of a machine having all attributes required to satisfy the destination attribute condition within the policy rule; and
  
  storing the firewall rules in machine readable storage media.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16,wherein transforming further includes:
    - resolving a source attribute condition within the firewall rule to produce a resolved source attribute condition;
      
      wherein the generated firewall rules include each source machine identifier of a source machine having all attributes required to satisfy the resolved source attribute condition within the policy rule.
  - 18. The method of claim 16,wherein transforming further includes:
    - resolving a destination attribute condition within the firewall rule to produce a resolved destination attribute condition;
      
      wherein the generated firewall rules include each destination machine identifier of a destination machine having all attributes required to satisfy the resolved destination attribute condition within the policy rule.

19. An article of manufacture including computer readable storage media encoded with program code to cause a processor to execute a process to control the flow of packets within a system that includes one or more computer networks comprising:
- storing policy rules in machine readable storage media that set forth attribute dependent conditions for communications among machines on the one or more networks;
  
  obtaining respective machine attributes and corresponding machine identifiers for respective machines on the one or more networks;
  
  transforming the policy rules to firewall rules that include machine identifiers of machines having attributes from among the obtained machine attributes that satisfy the attribute dependent policy rules; and
  
  storing the firewall rules in machine readable storage media.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
BASAK, Debashis, Toshniwal, Rohit, Sequeira, Allwyn

Granted Patent

US 9,621,516 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0218 Distributed architectures, ...

H04L 63/0263 Rule management

FIREWALL CONFIGURED WITH DYNAMIC MEMBERSHIP SETS REPRESENTING MACHINE ATTRIBUTES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

185 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

FIREWALL CONFIGURED WITH DYNAMIC MEMBERSHIP SETS REPRESENTING MACHINE ATTRIBUTES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

185 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links