ISOLATION AND SECURITY HARDENING AMONG WORKLOADS IN A MULTI-TENANT NETWORKED ENVIRONMENT
Abstract
A method and associated systems for enhanced isolation and security hardening among multi-tenant workloads. An agent running on a processor of a networked computer system on which multicast and broadcast communications have been disabled captures an address-resolution query message from a querying tenant, converts the query message to a unicast message, and forwards the converted unicast query message to a switch. The switch forwards the converted unicast message to a redirection device and in response receives an address-resolution response message only after the redirection device verifies that the query and response messages comply with security policies. The switch forwards the address-resolution response to the querying tenant in conformance with security policies.
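The address-resolution flow the abstract describes, as an added Python model that is not code from the patent: a tenant VM's broadcast ARP request is captured by the host agent and re-addressed as a unicast query to the virtual switch, which drops the raw broadcast, checks the querier against a registered inventory, relays the query to a redirection device, and verifies the reply before handing the MAC back. The inventory, the addresses, the same-tenant policy and the responder identity check are assumptions made for illustration.

```python
from collections import namedtuple
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
SWITCH_MAC = "02:00:00:ff:00:01"   # constructed: unicast address of the host's virtual switch
REDIRECTOR_ID = "redirector"       # constructed: identity the switch expects on every response

# Constructed tenant inventory held by the redirection device: IP -> (tenant, MAC).
INVENTORY = {
    "10.0.0.1": ("tenantA", "02:00:00:aa:00:01"),
    "10.0.0.2": ("tenantA", "02:00:00:aa:00:02"),
    "10.0.1.1": ("tenantB", "02:00:00:bb:00:01"),
}

# dst_mac is BROADCAST for an ordinary ARP request sent by a tenant VM.
ArpQuery = namedtuple("ArpQuery", "dst_mac src_mac src_ip target_ip")
ArpResponse = namedtuple("ArpResponse", "target_ip target_mac responder")

def agent_translate(q: ArpQuery) -> ArpQuery:
    """VM agent: capture the broadcast query and re-address it as unicast to the switch."""
    return ArpQuery(SWITCH_MAC, q.src_mac, q.src_ip, q.target_ip)

def redirector_resolve(q: ArpQuery) -> Optional[ArpResponse]:
    """Redirection device: assumed policy is that querier and target must share a tenant."""
    src, tgt = INVENTORY.get(q.src_ip), INVENTORY.get(q.target_ip)
    if src is None or tgt is None or src[0] != tgt[0]:
        return None
    return ArpResponse(q.target_ip, tgt[1], REDIRECTOR_ID)

def switch_handle(q: ArpQuery) -> Optional[ArpResponse]:
    """Virtual switch: drop broadcast, verify the unicast query, relay it, verify the reply."""
    if q.dst_mac != SWITCH_MAC:               # broadcast/multicast is dropped, never flooded
        return None
    known = INVENTORY.get(q.src_ip)
    if known is None or known[1] != q.src_mac:  # querier must use its registered MAC
        return None
    resp = redirector_resolve(q)
    if resp is None or resp.responder != REDIRECTOR_ID or resp.target_ip != q.target_ip:
        return None                           # reply must be the redirector's, for this query
    return resp

def resolve(q: ArpQuery) -> Optional[str]:
    """End-to-end flow on the host: agent translates, switch verifies and relays."""
    unicast = agent_translate(q) if q.dst_mac == BROADCAST else q
    resp = switch_handle(unicast)
    return resp.target_mac if resp else None
```

A cross-tenant query, a query with a spoofed source MAC, and a raw broadcast that reaches the switch directly all resolve to nothing; only a verified same-tenant query returns a MAC.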
24 Claims
1. A method for enhanced isolation and security hardening between workloads in a multi-tenant networked environment, said method comprising:
a querying networked entity generating and transmitting a broadcast or multicast query, wherein said broadcast or multicast query requests a media-access control address of a target networked entity, wherein said querying networked entity comprises a first processor of a first computer system or a first virtual machine running on a first processor of a first computer system, and wherein said target networked entity comprises a second virtual machine running on said first processor, a second processor of a second computer system, a second virtual machine running on a second processor of a second computer system, or a networked device;
a virtual-machine agent running on said first processor receiving said broadcast or multicast query, translating said broadcast or multicast query into a unicast query, and sending said unicast query to a switch running on said first processor, wherein said switch comprises a virtual switch or a software firewall;
said switch receiving and dropping said broadcast or multicast query, receiving and verifying said unicast query, and directly or indirectly forwarding said verified unicast query to a redirection device;
said switch directly or indirectly receiving a response from said redirection device, wherein said response identifies a media-access control address that enables communication with said target networked entity;
said switch verifying said response and forwarding said verified response to said querying networked entity.
Dependent claims: 2, 3, 4, 5, 6.
7. A computer program product, comprising a computer-readable hardware storage device having a computer-readable program code stored therein, said program code configured to be executed by a first processor of a first computer system to implement a method for enhanced isolation and security hardening between workloads in a multi-tenant networked environment, said method comprising:
a querying networked entity generating and transmitting a broadcast or multicast query, wherein said broadcast or multicast query requests a media-access control address of a target networked entity, wherein said querying networked entity comprises said first processor of said first computer system or a first virtual machine running on said first processor of said first computer system, and wherein said target networked entity comprises a second virtual machine running on said first processor, a second processor of a second computer system, a second virtual machine running on a second processor of a second computer system, or a networked device;
a virtual-machine agent running on said first processor receiving said broadcast or multicast query, translating said broadcast or multicast query into a unicast query, and sending said unicast query to a switch running on said first processor, wherein said switch comprises a virtual switch or a software firewall;
said switch receiving and dropping said broadcast or multicast query, receiving and verifying said unicast query, and directly or indirectly forwarding said verified unicast query to a redirection device;
said switch directly or indirectly receiving a response from said redirection device, wherein said response identifies a media-access control address that enables communication with said target networked entity;
said switch verifying said response and forwarding said verified response to said querying networked entity.
Dependent claims: 8, 9, 10, 11, 12.
13. A first computer system comprising a first processor, a memory coupled to said first processor, and a computer-readable hardware storage device coupled to said first processor, said storage device containing program code configured to be run by said first processor via the memory to implement a method for enhanced isolation and security hardening between workloads in a multi-tenant networked environment, said method comprising:
a querying networked entity generating and transmitting a broadcast or multicast query, wherein said broadcast or multicast query requests a media-access control address of a target networked entity, wherein said querying networked entity comprises a first processor of a first computer system or a first virtual machine running on a first processor of a first computer system, and wherein said target networked entity comprises a second virtual machine running on said first processor, a second processor of a second computer system, a second virtual machine running on a second processor of a second computer system, or a networked device;
a virtual-machine agent running on said first processor receiving said broadcast or multicast query, translating said broadcast or multicast query into a unicast query, and sending said unicast query to a switch running on said first processor, wherein said switch comprises a virtual switch or a software firewall;
said switch receiving and dropping said broadcast or multicast query, receiving and verifying said unicast query, and directly or indirectly forwarding said verified unicast query to a redirection device;
said switch directly or indirectly receiving a response from said redirection device, wherein said response identifies a media-access control address that enables communication with said target networked entity;
said switch verifying said response and forwarding said verified response to said querying networked entity.
Dependent claims: 14, 15, 16, 17, 18.
19. A process for supporting computer infrastructure, said process comprising providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable program code in a first computer system, wherein the program code in combination with said first computer system is configured to implement a method for enhanced isolation and security hardening between workloads in a multi-tenant networked environment, said method comprising:
a querying networked entity generating and transmitting a broadcast or multicast query, wherein said broadcast or multicast query requests a media-access control address of a target networked entity, wherein said querying networked entity comprises said first computer system or a first virtual machine running on a first processor of said first computer system, and wherein said target networked entity comprises a second virtual machine running on said first processor, a second processor of a second computer system, a second virtual machine running on a second processor of a second computer system, or a networked device;
a virtual-machine agent running on said first processor receiving said broadcast or multicast query, translating said broadcast or multicast query into a unicast query, and sending said unicast query to a switch running on said first processor, wherein said switch comprises a virtual switch or a software firewall;
said switch receiving and dropping said broadcast or multicast query, receiving and verifying said unicast query, and directly or indirectly forwarding said verified unicast query to a redirection device;
said switch directly or indirectly receiving a response from said redirection device, wherein said response identifies a media-access control address that enables communication with said target networked entity;
said switch verifying said response and forwarding said verified response to said querying networked entity.
Dependent claims: 20, 21, 22, 23, 24.