Systems and Methods for Providing Network Access Control in Virtual Environments

US 20110225624A1
Filed: 03/15/2010
Published: 09/15/2011
Est. Priority Date: 03/15/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing network access control in virtual environments, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

injecting a transient security agent into a virtual machine that is running on a host machine;

receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies;

controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for providing network access control in virtual environments. The method may include: 1) injecting a transient security agent into a virtual machine that is running on a host machine; 2) receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies; and 3) controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies. Various other methods, systems, and computer-readable media are also disclosed herein.

346 Citations

20 Claims

1. A computer-implemented method for providing network access control in virtual environments, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- injecting a transient security agent into a virtual machine that is running on a host machine;
  
  receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies;
  
  controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein:
    - the transient security agent is injected into the virtual machine by an injection module on the host machine.
  - 3. The method of claim 2, wherein injecting the transient security agent into the virtual machine comprises:
    - inserting, into an exception handler memory location of the virtual machine, one or more computer-executable instructions configured to facilitate transfer of control from the virtual machine to the injection module;
      
      triggering an exception during execution of the virtual machine to cause the one or more computer-executable instructions in the exception handler memory location to be executed;
      
      obtaining control from the virtual machine after the at least one computer-executable instruction executes;
      
      inserting the transient security agent into the virtual machine.
  - 4. The method of claim 1, wherein:
    - the indication of whether the virtual machine complies with the one or more network access control policies is received at a network access control module on the host machine;
      
      the indication of whether the virtual machine complies with the one or more network access control policies is sent to the network access control module via an inter-process communication;
      
      the network access control module comprises a network communication filter that controls network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies.
  - 5. The method of claim 1, wherein:
    - the indication of whether the virtual machine complies with the one or more network access control policies is received at a network access control server that is remote from the host machine;
      
      the network access control server controls network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies.
  - 6. The method of claim 1, further comprising:
    - removing the transient security agent from the virtual machine.
  - 7. The method of claim 6, wherein:
    - the transient security agent is removed from the virtual machine when the virtual machine no longer needs network access.
  - 8. The method of claim 1, tangibly embodied as computer-executable instructions on at least one computer-readable-storage medium.

9. A computer-implemented method for providing network access control in virtual environments, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- providing a security agent in a virtual machine that is running on a host machine;
  
  providing a network communication filter that resides on the host machine but is external to the virtual machine;
  
  receiving, at an access-control module that controls the network communication filter, an indication of whether the virtual machine complies with one or more network access control policies, the indication being sent from the security agent to the access control module via an inter-process communication;
  
  using the network communication filter to control network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein:
    - providing the security agent in the virtual machine comprises injecting the security agent into the virtual machine;
      
      an injection module on the host machine injects the security agent into the virtual machine.
  - 11. The method of claim 9, wherein:
    - providing the security agent in the virtual machine comprises installing the security agent on the virtual machine;
      
      the security agent is installed on the virtual machine using an installation process of the virtual machine.
  - 12. The method of claim 9, wherein:
    - the indication is sent from the security agent to the access control module via an inter-virtual-machine communication.
  - 13. The method of claim 9, wherein:
    - the indication is sent from the security agent to the access control module by storing the indication in a memory location shared by the security agent and the access control module.
  - 14. The method of claim 9, wherein:
    - the indication indicates that the virtual machine is not in compliance with the one or more network access control policies;
      
      the network communication filter controls network access of the virtual machine by blocking one or more network communications of the virtual machine.
  - 15. The method of claim 14, further comprising:
    - remediating the virtual machine to bring the virtual machine into compliance with the one or more network access control policies, wherein the network communication filter allows the virtual machine access to one or more network resources used to remediate the virtual machine.
  - 16. The method of claim 9, tangibly embodied as computer-executable instructions on at least one computer-readable-storage medium.

17. A computer-implemented method for providing network access control in virtual environments, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying a virtual machine running on a host machine;
  
  providing a network communication filter that resides on the host machine and is external to the virtual machine;
  
  inspecting, using a process executing on the host machine and external to the virtual machine, one or more resources of the virtual machine to determine whether the virtual machine complies with one or more network access control policies;
  
  receiving, at an access control module that controls the network communication filter, an indication of whether the virtual machine complies with the one or more network access control policies;
  
  using the network communication filter to control network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein:
    - inspecting the one or more resources of the virtual machine comprises reading disk space and memory of the virtual machine.
  - 19. The method of claim 17, wherein:
    - the indication indicates that the virtual machine is not in compliance with the one or more network access control policies;
      
      the network communication filter controls network access of the virtual machine by blocking one or more network communications of the virtual machine.
  - 20. The method of claim 17, tangibly embodied as computer-executable instructions on at least one computer-readable-storage medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sawhney, Sanjay, Montague, Bruce, Conover, Matthew

Granted Patent

US 8,938,782 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 9/45558   Hypervisor-specific managem...

Systems and Methods for Providing Network Access Control in Virtual Environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

346 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Providing Network Access Control in Virtual Environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

346 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links