VIRTUAL SECURITY BOUNDARY FOR PHYSICAL OR VIRTUAL NETWORK DEVICES

US 20130117801A1
Filed: 11/03/2011
Published: 05/09/2013
Est. Priority Date: 11/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method for use by a security gateway in a network topology in which the security gateway interfaces one or more virtual machines running on one or more network devices to a network, the method comprising:

receiving, by the security gateway, information from a virtual machine after the virtual machine has been moved from a first physical location in a network to a second physical location in the network, the information identifying the virtual machine as one previously assigned to a security boundary;

determining, by the security gateway, that access to the virtual machine at the first physical location was permitted by the security gateway;

assigning the virtual machine at the second physical location to the security boundary; and

applying, by the security gateway, a security policy associated with the security boundary to communications between the network and the virtual machine at the second physical location.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus is disclosed herein for using a virtual security boundary. In one embodiment, the method comprises receiving information from a virtual machine after the virtual machine has been moved from a first physical location in a network to a second physical location in the network, where the information identifies the virtual machine as one previously assigned to a security boundary; determining that access to the virtual machine at the first physical location was permitted by the security gateway; assigning the virtual machine at the second physical location to the security boundary, and applying a security policy associated with the security boundary to communications between the network and the virtual machine at the second physical location.

42 Citations

View as Search Results

18 Claims

1. A method for use by a security gateway in a network topology in which the security gateway interfaces one or more virtual machines running on one or more network devices to a network, the method comprising:
- receiving, by the security gateway, information from a virtual machine after the virtual machine has been moved from a first physical location in a network to a second physical location in the network, the information identifying the virtual machine as one previously assigned to a security boundary;
  
  determining, by the security gateway, that access to the virtual machine at the first physical location was permitted by the security gateway;
  
  assigning the virtual machine at the second physical location to the security boundary; and
  
  applying, by the security gateway, a security policy associated with the security boundary to communications between the network and the virtual machine at the second physical location.
- View Dependent Claims (2, 3, 4, 5, 6, 12)
- - 2. The method defined in claim 1 wherein the second physical location has a different Internet Protocol (IP) address than the first physical location.
  - 3. The method defined in claim 1 wherein the information comprises an IP address.
  - 4. The method defined in claim 1 wherein the information comprises a security patch level.
  - 5. The method defined in claim 1 further comprising storing a data structure that specifies one or more security boundaries and an associated security policy for each of the one or more security boundaries and a virtual machine associated with at least one of the one or more security boundaries.
  - 6. The method defined in claim 5 wherein the data structure comprises a table.
  - 12. The security gateway defined in claim 5 wherein the data structure comprises a table.

7. A security gateway for using a network, the security gateway to be located between the network and one or more systems, at least one of the one or more systems having one or more virtual machines running thereon, the security gateway comprising:
- a memory;
  
  a network interface to receive network traffic;
  
  a processor operable to receive information from a virtual machine after the virtual machine has been moved from a first physical location in a network to a second physical location in the network, the information identifying the virtual machine as one previously assigned to a security boundary;
  
  determine that access to the virtual machine at the first physical location was permitted by the security gateway;
  
  assign the virtual machine at the second physical location to the security boundary; and
  
  apply a security policy associated with the security boundary to communications between the network and the virtual machine at the second physical location.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The security gateway defined in claim 7 wherein the second physical location has a different Internet Protocol (IP) address than the first physical location.
  - 9. The security gateway defined in claim 7 wherein the information comprises an IP address.
  - 10. The security gateway defined in claim 7 wherein the information comprises a security patch level.
  - 11. The security gateway defined in claim 7 wherein the memory stores a data structure that specifies one or more security boundaries and an associated security policy for each of the one or more security boundaries and a virtual machine associated with at least one of the one or more security boundaries.

13. An article of manufacture having one or more non-transitory computer readable media storing instructions thereon which, when executed by a device in a network that is located between the network and one or more systems which have at least one or more virtual machines running thereon, causes the device to perform a method comprising:
- receiving, by the device, information from a virtual machine after the virtual machine has been moved from a first physical location in a network to a second physical location in the network, the information identifying the virtual machine as one previously assigned to a security boundary;
  
  determining, by the device, that access to the virtual machine at the first physical location was permitted by the device;
  
  assigning the virtual machine at the second physical location to the security boundary; and
  
  applying, by the device, a security policy associated with the security boundary to communications between the network and the virtual machine at the second physical location.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The article of manufacture defined in claim 13 wherein the second physical location has a different Internet Protocol (IP) address than the first physical location.
  - 15. The article of manufacture defined in claim 13 wherein the information comprises an IP address.
  - 16. The article of manufacture defined in claim 13 wherein the information comprises a security patch level.
  - 17. The article of manufacture defined in claim 13 wherein the method further comprises maintaining a data structure that specifies one or more security boundaries and an associated security policy for each of the one or more security boundaries and a virtual machine associated with at least one of the one or more security boundaries.
  - 18. The article of manufacture defined in claim 17 wherein the data structure comprises a table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Shieh, Choung-Yaw Michael, Lian, Jia-Jyi Roger

Granted Patent

US 8,813,169 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/104   Grouping of entities

VIRTUAL SECURITY BOUNDARY FOR PHYSICAL OR VIRTUAL NETWORK DEVICES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

VIRTUAL SECURITY BOUNDARY FOR PHYSICAL OR VIRTUAL NETWORK DEVICES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others