Zone-Based Firewall Policy Model for a Virtualized Data Center

US 20130019277A1
Filed: 07/12/2011
Published: 01/17/2013
Est. Priority Date: 07/12/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a virtual network device, defining and storing information representing a first security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the first security zone;

defining and storing information representing a first firewall rule for the first security zone comprising first conditions for matching common attributes of applications associated with the first security zone, and an action to be performed on application traffic;

receiving parameters associated with the application traffic;

determining if the application traffic parameters satisfy the first conditions of the first firewall rule; and

in response to determining that the first conditions are satisfied, performing the action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed.

Citations

23 Claims

1. A method comprising:
- at a virtual network device, defining and storing information representing a first security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the first security zone;
  
  defining and storing information representing a first firewall rule for the first security zone comprising first conditions for matching common attributes of applications associated with the first security zone, and an action to be performed on application traffic;
  
  receiving parameters associated with the application traffic;
  
  determining if the application traffic parameters satisfy the first conditions of the first firewall rule; and
  
  in response to determining that the first conditions are satisfied, performing the action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein performing comprises performing the action to permit the application traffic to be sent to or from an application associated with the first security zone.
  - 3. The method of claim 1, further comprising:
    - for the first firewall rule, defining and storing information representing second conditions for matching common attributes of applications associated with a second security zone;
      
      determining if the application traffic parameters satisfy the second conditions of the first firewall rule; and
      
      in response to determining that the first conditions and the second conditions are satisfied, performing the action.
  - 4. The method of claim 3, wherein performing comprises performing the action to permit the application traffic to traverse the first and second security zones for support of bidirectional application traffic.
  - 5. The method of claim 1, further comprising:
    - defining and storing information representing a second security zone for the virtual firewall policy comprising one or more common attributes of applications associated with the second security zone;
      
      defining and storing information representing a second firewall rule for the second security zone comprising second conditions for matching common attributes of applications associated with the second security zone, and an action to be performed on application traffic;
      
      determining if the application traffic parameters satisfy the second conditions of the second firewall rule; and
      
      in response to determining that the first conditions and the second conditions are satisfied, performing the action defined in the second firewall rule.
  - 6. The method of claim 5, wherein performing comprises performing the action defined in the first and second firewall rules to permit application traffic to traverse the first and second security zones.
  - 7. The method of claim 1, further comprising:
    - defining and storing information representing a port profile comprising network parameters configured to permit inter-application communication;
      
      storing information that associates the virtual firewall policy with the port profile; and
      
      provisioning an application with the port profile such that when the application migrates from one device to another device the associated virtual firewall policy remains with the application.
  - 8. The method of claim 1, further comprising:
    - assigning a rule identifier to the first firewall rule;
      
      assigning an attribute identifier to each of the one or more common attributes;
      
      associating the rule identifier with each of the one or more common attribute identifiers; and
      
      wherein storing the information representing the first security zone comprises storing the attribute identifiers and the associated rule identifier in a database associated with a firewall policy specific lookup engine.
  - 9. The method of claim 8, further comprising:
    - generating data representing an ordered tree mathematical structure for each of the one or more common attributes; and
      
      wherein storing the information representing the first security zone comprises storing the data representing the ordered tree mathematical structure as attribute specific data structures for looking up rules associated with common attributes.
  - 10. The method of claim 8, further comprising:
    - generating a policy lookup request comprising at least one lookup attribute identifier and an associated lookup attribute value based on the application traffic parameters;
      
      determining if the at least one lookup attribute identifier and lookup attribute value match an attribute identifier and an attribute value stored in the information representing the first security zone;
      
      in response to determining that a match exists, returning the rule identifier associated with the attribute identifier and the attribute value; and
      
      retrieving the first firewall rule based on the rule identifier prior to determining if the application traffic parameters satisfy the first conditions of the first firewall rule.
  - 11. The method of claim 10, further comprising caching the attribute identifier, the attribute value, and the rule identifier.

12. An apparatus comprising:
- one or more virtual interfaces; and
  
  a processor configured to;
  
  define and store information representing a first security management zone for a virtual firewall policy comprising one or more common attributes of applications/virtual machines associated with the first security zone;
  
  define and store information representing a first firewall rule for the first security zone comprising first conditions for matching common attributes of applications associated with the first security zone, and an action to be performed on application traffic;
  
  receive parameters associated with the application traffic;
  
  determine if the application traffic parameters satisfy the first conditions of the first firewall rule; and
  
  perform the action when it is determined that the first conditions are satisfied.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The apparatus of claim 12, wherein the processor is configured to perform the action to permit the application traffic to be sent to or from an application associated with the first security zone.
  - 14. The apparatus of claim 12, wherein the processor is further configured to:
    - for the first firewall rule, define and store information representing second conditions for matching common attributes of applications associated with a second security zone;
      
      determine if the application traffic parameters satisfy the second conditions of the first firewall rule; and
      
      perform the action when the first conditions and the second conditions are satisfied.
  - 15. The apparatus of claim 14, wherein the processor is configured to perform the action to permit the application traffic to traverse the first and second security zones.
  - 16. The apparatus of claim 12, wherein the processor is further configured to:
    - define and store information representing a second security zone for the virtual firewall policy comprising one or more common attributes of applications associated with the second security zone;
      
      define and store information representing a second firewall rule for the second security zone comprising second conditions for matching common attributes of applications associated with the second security zone, and an action to be performed on application traffic;
      
      determine if the application traffic parameters satisfy the second conditions of the second firewall rule; and
      
      perform the action defined in the second firewall rule when the first conditions and the second conditions are satisfied.
  - 17. The apparatus of claim 12, wherein the processor is further configured to:
    - define and store information representing a port profile comprising network parameters configured to permit inter-application communication;
      
      store information that associates the virtual firewall policy with the port profile; and
      
      provision an application with the port profile such that when the application migrates from one device to another device the associated virtual firewall policy remains with the application.
  - 18. The apparatus of claim 12, wherein the processor is further configured to:
    - assign a rule identifier to the first firewall rule;
      
      assign an attribute identifier to each of the one or more common attributes;
      
      associate the rule identifier with each of the one or more common attribute identifiers; and
      
      store the attribute identifiers and the associated rule identifier in a database associated with a firewall policy specific lookup engine.

19. One or more computer readable media storing instructions that, when executed by a processor, cause the processor to:
- define and store information representing a first security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the first security zone;
  
  define and store information representing a first firewall rule for the first security zone comprising first conditions for matching common attributes of applications associated with the first security zone, and an action to be performed on application traffic;
  
  receive parameters associated with the application traffic;
  
  determine if the application traffic parameters satisfy the first conditions of the first firewall rule; and
  
  perform the action when it is determined that the first conditions are satisfied.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The computer readable media of claim 19, further comprising instructions that, when executed by the processor, cause the processor to:
    - for the first firewall rule, define and store information representing second conditions for matching common attributes of applications associated with a second security zone;
      
      determine if the application traffic parameters satisfy the second conditions of the first firewall rule; and
      
      perform the action when the first conditions and the second conditions are satisfied.
  - 21. The computer readable media of claim 19, further comprising instructions that, when executed by the processor, cause the processor to:
    - define and store information representing a second security zone for the virtual firewall policy comprising one or more common attributes of applications associated with the second security zone;
      
      define and store information representing a second firewall rule for the second security zone comprising second conditions for matching common attributes of applications associated with the second security zone, and an action to be performed on application traffic;
      
      determine if the application traffic parameters satisfy the second conditions of the second firewall rule; and
      
      perform the action defined in the second firewall rule when the first conditions and the second conditions are satisfied.
  - 22. The computer readable media of claim 19, further comprising instructions that, when executed by the processor, cause the processor to:
    - define and store information representing a port profile comprising network parameters configured to permit inter-application communication;
      
      store information that associates the virtual firewall policy with the port profile; and
      
      provision an application with the port profile such that when the application migrates from one device to another device the associated virtual firewall policy remains with the application.
  - 23. The computer readable medium of claim 19, further comprising instructions that, when executed by the processor, cause the processor to:
    - assign a rule identifier to the first firewall rule;
      
      assign an attribute identifier to each of the one or more common attributes;
      
      associate the rule identifier with each of the one or more common attribute identifiers; and
      
      store the attribute identifiers and the associated rule identifier in a database associated with a firewall policy specific lookup engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Chang, David, Bagepalli, Nagaraj, Patra, Abhijit, Sethuraghavan, Rajesh Kumar

Granted Patent

US 8,516,241 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 49/356   for storage area networks

H04L 49/70   Virtual switches

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 67/303   Terminal profiles

H04L 67/63   Routing a service request d...

Zone-Based Firewall Policy Model for a Virtualized Data Center

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Zone-Based Firewall Policy Model for a Virtualized Data Center

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links