SYSTEMS INVOLVING FIREWALL OF VIRTUAL MACHINE TRAFFIC AND METHODS OF PROCESSING INFORMATION ASSOCIATED WITH SAME

US 20130227674A1
Filed: 02/20/2013
Published: 08/29/2013
Est. Priority Date: 02/20/2012
Status: Active Grant

First Claim

Patent Images

1. A method for handling traffic over a network regarding communications between one or more virtual machines and the network, the method comprising:

enabling, via a compute node, a firewall between the one or more virtual machine and at least a portion of a network, the firewall configured to detect undesired traffic based on a list of rules or an Ethernet bridge table associated with communication between the one or more virtual machines and the network; and

locking/stopping/blocking a virtual machine in response to the firewall detecting undesired traffic.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed involving compute nodes configured to define and/or otherwise processing information associated with one or more virtual machines. In one exemplary implementation, a compute node may be configured to enable a firewall between the virtual machine and at least a portion of a network. Moreover, the firewall may be configured to detect undesired traffic based on a list of rules or an Ethernet bridge table associated with communication between the virtual machine and the network. Various features may also relate to the compute node being configured to lock the virtual machine in response to the firewall detecting undesired traffic associated with the virtual machine.

Citations

26 Claims

1. A method for handling traffic over a network regarding communications between one or more virtual machines and the network, the method comprising:
- enabling, via a compute node, a firewall between the one or more virtual machine and at least a portion of a network, the firewall configured to detect undesired traffic based on a list of rules or an Ethernet bridge table associated with communication between the one or more virtual machines and the network; and
  
  locking/stopping/blocking a virtual machine in response to the firewall detecting undesired traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 further comprising enabling or defining a virtual machine.
  - 3. The method of claim 1 where the locking/stopping/blocking of the virtual machine includes stopping traffic, via the firewall, associated with the undesired traffic, wherein the stopping traffic includes stopping data frames or cells that include a DHCP offer and/or a MAC address not associated with the virtual machine.
  - 4. The method of claim 1 further comprising performing processing regarding rebooting the virtual machine after detection of the undesired traffic, the processing related to one or more of:
    - processing instruction(s) from a manager component to reboot the virtual machine;
      
      rebooting the virtual machine;
      
      processing an instruction to the firewall to unlock the virtual machine;
      
      processing instructions regarding transmission, by the virtual machine, of a request for a network address to the network;
      
      processing information regarding receipt, by the virtual machine, of a valid response in reply to the request; and
      
      /orprocessing information regarding transmission, by an agent component, of an instruction to the firewall to lock the IP address with the virtual machine.
  - 5. The method of claim 1 further comprising performing processing to handle a rogue DHCP attack, the processing including:
    - detecting, via an agent component, an attempt by the virtual machine to send a DHCP request to the network infrastructure via the firewall, wherein the virtual machine acts like a DHCP server; and
      
      processing instructions for the firewall to stop or block all traffic from the virtual machine.
  - 6. The method of claim 1 further comprising defining, via a manager component and an agent component, a manager-agent relationship.
  - 7. The method of claim 6 wherein the manager component includes and/or is configured to operate with a program that enables a customer, a network administrator, and/or a management component to request and/or provision virtual machines within the network.
  - 8. The method of claim 6 wherein the agent component that provides instructions to the firewall, the agent component being configured to send an instruction to the firewall to lock the virtual machine such that all traffic from the virtual machine is blocked.
  - 9. The method of claim 1 wherein the firewall is configured to monitor and/or otherwise filter traffic at the link layer (layer-2), such that the firewall may monitor and/or otherwise filter virtual machine traffic during forwarding, but prior to routing.
  - 10. The method of claim 9 wherein undesired traffic is discarded at the virtual hardware/machine level prior to the undesired traffic reaching a switch or another virtual machine within the compute node.
  - 11. The method of claim 9 wherein the firewall is configured to monitor and/or otherwise filter traffic at the link layer, prior to routing, via one or more of using link layer information such as MAC address, using other information, such as IP address or DHCP address, performing deep packet inspection, and/or by using a packet capture mechanism, such as a Linux Kernal pcap.

12. A method for handling traffic over a network regarding communications between one or more virtual machines and the network, the method comprising:
- processing information related to enabling or defining, via a compute node, a firewall between the one or more virtual machine and at least a portion of a network;
  
  processing information related to detecting, via the firewall, undesired traffic based on a list of rules or an Ethernet bridge table associated with communication between the one or more virtual machines and the network; and
  
  processing information related to locking/stopping/blocking a virtual machine in response to the detection of undesired traffic.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The method of claim 12 wherein the compute node comprises a manager component and an agent component configured to define a manager-agent relationship.
  - 14. The method of claim 13 wherein the agent component includes and/or is configured to operate with a program that enables a compute node to define virtual machines, firewalls and/or tables.
  - 15. The method of claim 12 wherein the list of rules or the Ethernet bridge table includes forwarding data associated with communication between the compute node and the virtual machine as well as data associated with other compute node and other virtual machines associate with the other compute nodes.
  - 16. The method of claim 12 wherein the list of rules or the Ethernet bridge table is defined and/or populated by snooping on flood traffic within network.
  - 17. The method of claim 12 wherein the compute node include a software-based bridge and/or switch that may be configured to include or access the list of rules or the Ethernet bridge table, wherein the bridge and/or switch is configured to forward, but not route, packets.
  - 18. The method of claim 12 wherein the firewall is configured to monitor traffic through an associated switch, detect undesired traffic, and/or block traffic from a source and/or to a destination in accordance with the list of rules or the Ethernet bridge table.
  - 19. The method of claim 12 further comprising performing a process of defining the firewall including defining the list of rules or the Ethernet bridge table such that, in addition to broadcast packets, only packets sent from the media access control (MAC) address of the virtual machine are allowed.
  - 20. The method of claim 12 wherein the firewall is configured to allow DHCP requests and virtual machine responses and is configured to drop and or otherwise block DHCP requests from the virtual machine, and/or is configured to inspect DHCP packet headers to determine whether the address of the DHCP packet is valid.
  - 21. The method of claim 12 wherein the firewall is configured to:
    - lock the list of rules or the Ethernet bridge table to only deliver packets to and from IP address associated with a valid DHCP address; and
      
      /orlock the Ethernet bridge table to only forward ARP packets from an associated IP address.

22. An system comprising:
- a compute node comprising a memory and/or a processing component, the computer node also comprising or having access to a list of rules or an Ethernet bridge table, the compute node configured to;
  
  define one or more virtual machines;
  
  enable a firewall between at least one virtual machine and at least a portion of a network, the firewall being configured to detect undesired traffic based on a list of rules or an Ethernet bridge table associated with communication between the at least one virtual machine and the at least a portion of the network; and
  
  lock, stop or block a virtual machine in response to the firewall detecting undesired traffic.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The system of claim 22 wherein stopping traffic includes stopping data frames or cells that include a MAC address not associated with the virtual machine.
  - 24. The apparatus of claim 22 wherein the compute node/firewall detects the undesired traffic and blocks the traffic associated with the undesired traffic based on information included in the list of rules or the Ethernet bridge table of agent(s).
  - 25. The apparatus of claim 22 wherein the compute node comprises an agent component that provides instructions to the firewall, the agent component being configured to send an instruction to lock the virtual machine such that all traffic from the virtual machine is blocked.
  - 26. The apparatus of claim 22 wherein the compute node is further configured to:
    - enable and/or define the firewall on the compute node or on a switch; and
      
      /orinstruct an associated switch to enable and/or otherwise define the firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VIRTUSTREAM IP HOLDING COMPANY LLC (Dell Technologies Inc.)
Original Assignee
Virtustream Canada Holdings, Inc (Dell Technologies Inc.)
Inventors
ANDERSON, DEREK

Granted Patent

US 9,264,402 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

G06F 21/53   by executing in a restricte...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

SYSTEMS INVOLVING FIREWALL OF VIRTUAL MACHINE TRAFFIC AND METHODS OF PROCESSING INFORMATION ASSOCIATED WITH SAME

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS INVOLVING FIREWALL OF VIRTUAL MACHINE TRAFFIC AND METHODS OF PROCESSING INFORMATION ASSOCIATED WITH SAME

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links