ISOLATION AND SECURITY HARDENING AMONG WORKLOADS IN A MULTI-TENANT NETWORKED ENVIRONMENT

US 20130347095A1
Filed: 06/25/2012
Published: 12/26/2013
Est. Priority Date: 06/25/2012
Status: Active Grant

First Claim

Patent Images

1. A method for enhanced isolation and security hardening between workloads in a multi-tenant networked environment, said method comprising:

a querying networked entity generating and transmitting a broadcast or multicast query, wherein said broadcast or multicast query requests a media-access control address of a target networked entity, wherein said querying networked entity comprises a first processor of a first computer system or a first virtual machine running on a first processor of a first computer system, and wherein said target networked entity comprises a second virtual machine running on said first processor, a second processor of a second computer system, a second virtual machine running on a second processor of a second computer system, or a networked device;

a virtual-machine agent running on said first processor receiving said broadcast or multicast query, translating said broadcast or multicast query into a unicast query, and sending said unicast query to a switch running on said first processor, wherein said switch comprises a virtual switch or a software firewall;

said switch receiving and dropping said broadcast or multicast query, receiving and verifying said unicast query, and directly or indirectly forwarding said verified unicast query to a redirection device;

said switch directly or indirectly receiving a response from said redirection device, wherein said response identifies a media-access control address that enables communication with said target networked entity;

said switch verifying said response and forwarding said verified response to said querying networked entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and associated systems for enhanced isolation and security hardening among multi-tenant workloads. An agent running on a processor of a networked computer system on which multicast and broadcast communications have been disabled captures an address-resolution query message from a querying tenant, converts the query message to a unicast message, and forwards the converted unicast query message to a switch. The switch forwards the converted unicast message to a redirection device and in response receives an address-resolution response message only after the redirection device verifies that the query and response messages comply with security policies. The switch forwards the address-resolution response to the querying tenant in conformance with security policies.

Citations

24 Claims

1. A method for enhanced isolation and security hardening between workloads in a multi-tenant networked environment, said method comprising:
- a querying networked entity generating and transmitting a broadcast or multicast query, wherein said broadcast or multicast query requests a media-access control address of a target networked entity, wherein said querying networked entity comprises a first processor of a first computer system or a first virtual machine running on a first processor of a first computer system, and wherein said target networked entity comprises a second virtual machine running on said first processor, a second processor of a second computer system, a second virtual machine running on a second processor of a second computer system, or a networked device;
  
  a virtual-machine agent running on said first processor receiving said broadcast or multicast query, translating said broadcast or multicast query into a unicast query, and sending said unicast query to a switch running on said first processor, wherein said switch comprises a virtual switch or a software firewall;
  
  said switch receiving and dropping said broadcast or multicast query, receiving and verifying said unicast query, and directly or indirectly forwarding said verified unicast query to a redirection device;
  
  said switch directly or indirectly receiving a response from said redirection device, wherein said response identifies a media-access control address that enables communication with said target networked entity;
  
  said switch verifying said response and forwarding said verified response to said querying networked entity.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein said broadcast or multicast query conforms to a protocol comprising Internet Protocol v.4 Address Resolution Protocol or Internet Protocol v.6 Neighbor Discovery Protocol.
  - 3. The method of claim 1, wherein a media-access control address of said querying networked entity changes at regular or irregular intervals.
  - 4. The method of claim 1, wherein said media-access control address that enables communication with said target networked entity is the media-access control address of a smart filtering entity, wherein said smart filtering entity intercepts and performs operations upon communications intended to be exchanged between said querying networked entity and said target networked entity, and wherein said filtering entity comprises a third virtual machine running on said first processor, a third processor of a third computer system, a third virtual machine running on a third processor of a third computer system, or a networked device.
  - 5. The method of claim 4, wherein said operation is a function of one or more rules of a plurality of rules, wherein said plurality of rules comprise:
    - dropping a broadcast packet;
      
      dropping a multicast packet;
      
      dropping a packet that identifies a media-access control address that falls outside a specified range of addresses;
      
      dropping a packet that does not identify said querying networked entity;
      
      forwarding a packet that conforms to a protocol that comprises Internet Protocol v.4 Address Resolution Protocol or Internet Protocol v.6 Neighbor Discovery Protocol;
      
      logging information about said response; and
      
      determining whether to drop a data packet by evaluating other implementation-dependent criteria.
  - 6. The method of claim 5, wherein said plurality of rules is defined by said querying networked entity.

7. A computer program product, comprising a computer-readable hardware storage device having a computer-readable program code stored therein, said program code configured to be executed by a first processor of a first computer system to implement a method for enhanced isolation and security hardening between workloads in a multi-tenant networked environment, said method comprising:
- a querying networked entity generating and transmitting a broadcast or multicast query, wherein said broadcast or multicast query requests a media-access control address of a target networked entity, wherein said querying networked entity comprises said first processor of said first computer system or a first virtual machine running on said first processor of said first computer system, and wherein said target networked entity comprises a second virtual machine running on said first processor, a second processor of a second computer system, a second virtual machine running on a second processor of a second computer system, or a networked device;
  
  a virtual-machine agent running on said first processor receiving said broadcast or multicast query, translating said broadcast or multicast query into a unicast query, and sending said unicast query to a switch running on said first processor, wherein said switch is comprises a virtual switch or a software firewall;
  
  said switch receiving and dropping said broadcast or multicast query, receiving and verifying said unicast query, and directly or indirectly forwarding said verified unicast query to a redirection device;
  
  said switch directly or indirectly receiving a response from said redirection device, wherein said response identifies a media-access control address that enables communication with said target networked entity;
  
  said switch verifying said response and forwarding said verified response to said querying networked entity.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product of claim 7, wherein said broadcast or multicast query conforms to a protocol comprises Internet Protocol v.4 Address Resolution Protocol or Internet Protocol v.6 Neighbor Discovery Protocol.
  - 9. The computer program product of claim 7, wherein a media-access control address of said querying networked entity changes at regular or irregular intervals.
  - 10. The computer program product of claim 7, wherein said media-access control address that enables communication with said target networked entity is the media-access control address of a smart filtering entity, wherein said smart filtering entity intercepts and performs operations upon communications intended to be exchanged between said querying networked entity and said target networked entity, and wherein said filtering entity comprises a third virtual machine running on said first processor, a third processor of a third computer system, a third virtual machine running on a third processor of a third computer system, or a networked device.
  - 11. The computer program product of claim 10, wherein said operation is a function of one or more rules of a plurality of rules, wherein said plurality of rules comprisedropping a broadcast packet;
    - dropping a multicast packet;
      
      dropping a packet that identifies a media-access control address that falls outside a specified range of addresses;
      
      dropping a packet that does not identify said querying networked entity;
      
      forwarding a packet that conforms to a protocol that comprises Internet Protocol v.4 Address Resolution Protocol or Internet Protocol v.6 Neighbor Discovery Protocol;
      
      logging information about said response; and
      
      determining whether to drop a data packet by evaluating other implementation-dependent criteria.
  - 12. The computer program product of claim 11, wherein said plurality of rules is defined by said querying networked entity.

13. A first computer system comprising a first processor, a memory coupled to said first processor, and a computer-readable hardware storage device coupled to said first processor, said storage device containing program code configured to be run by said first processor via the memory to implement a method for enhanced isolation and security hardening between workloads in a multi-tenant networked environment, said method comprising:
- a querying networked entity generating and transmitting a broadcast or multicast query, wherein said broadcast or multicast query requests a media-access control address of a target networked entity, wherein said querying networked entity comprises a first processor of a first computer system or a first virtual machine running on a first processor of a first computer system, and wherein said target networked entity comprises a second virtual machine running on said first processor, a second processor of a second computer system, a second virtual machine running on a second processor of a second computer system, or a networked device;
  
  a virtual-machine agent running on said first processor receiving said broadcast or multicast query, translating said broadcast or multicast query into a unicast query, and sending said unicast query to a switch running on said first processor, wherein said switch comprises a virtual switch or a software firewall;
  
  said switch receiving and dropping said broadcast or multicast query, receiving and verifying said unicast query, and directly or indirectly forwarding said verified unicast query to a redirection device;
  
  said switch directly or indirectly receiving a response from said redirection device, wherein said response identifies a media-access control address that enables communication with said target networked entity;
  
  said switch verifying said response and forwarding said verified response to said querying networked entity.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein said broadcast or multicast query conforms to a protocol that comprises Internet Protocol v.4 Address Resolution Protocol or Internet Protocol v.6 Neighbor Discovery Protocol.
  - 15. The system of claim 13, wherein a media-access control address of said querying networked entity changes at regular or irregular intervals.
  - 16. The system of claim 13, wherein said media-access control address that enables communication with said target networked entity is the media-access control address of a smart filtering entity, wherein said smart filtering entity intercepts and performs operations upon communications intended to be exchanged between said querying networked entity and said target networked entity, and wherein said filtering entity comprises a third virtual machine running on said first processor, a third processor of a third computer system, a third virtual machine running on a third processor of a third computer system, or a networked device.
  - 17. The system of claim 16, wherein said operation is a function of one or more rules of a plurality of rules, wherein said plurality of rules comprise:
    - dropping a broadcast packet;
      
      dropping a multicast packet;
      
      dropping a packet that identifies a media-access control address that falls outside a specified range of addresses;
      
      dropping a packet that does not identify said querying networked entity;
      
      forwarding a packet that conforms to a protocol that comprises Internet Protocol v.4 Address Resolution Protocol or Internet Protocol v.6 Neighbor Discovery Protocol;
      
      logging information about said response; and
      
      determining whether to drop a data packet by evaluating other implementation-dependent criteria.
  - 18. The system of claim 17, wherein said plurality of rules is defined by said querying networked entity.

19. A process for supporting computer infrastructure, said process comprising providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable program code in a first computer system, wherein the program code in combination with said first computer system is configured to implement a method for enhanced isolation and security hardening between workloads in a multi-tenant networked environment, said method comprising:
- a querying networked entity generating and transmitting a broadcast or multicast query, wherein said broadcast or multicast query requests a media-access control address of a target networked entity, wherein said querying networked entity comprises said first computer system or a first virtual machine running on a first processor of said first computer system, and wherein said target networked entity comprises a second virtual machine running on said first processor, a second processor of a second computer system, a second virtual machine running on a second processor of a second computer system, or a networked device;
  
  a virtual-machine agent running on said first processor receiving said broadcast or multicast query, translating said broadcast or multicast query into a unicast query, and sending said unicast query to a switch running on said first processor, wherein said switch comprises a virtual switch or a software firewall;
  
  said switch receiving and dropping said broadcast or multicast query, receiving and verifying said unicast query, and directly or indirectly forwarding said verified unicast query to a redirection device;
  
  said switch directly or indirectly receiving a response from said redirection device, wherein said response identifies a media-access control address that enables communication with said target networked entity;
  
  said switch verifying said response and forwarding said verified response to said querying networked entity.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The method of claim 19, wherein said broadcast or multicast query conforms to a protocol comprising Internet Protocol v.4 Address Resolution Protocol or Internet Protocol v.6 Neighbor Discovery Protocol.
  - 21. The method of claim 19, wherein a media-access control address of said querying networked entity changes at regular or irregular intervals.
  - 22. The method of claim 19, wherein said media-access control address that enables communication with said target networked entity is the media-access control address of a smart filtering entity, wherein said smart filtering entity intercepts and performs operations upon communications intended to be exchanged between said querying networked entity and said target networked entity, and wherein said filtering entity comprises a third virtual machine running on said first processor, a third processor of a third computer system, a third virtual machine running on a third processor of a third computer system, or a networked device.
  - 23. The method of claim 22, wherein said operation is a function of one or more rules of a plurality of rules, wherein said plurality of rules comprise:
    - dropping a broadcast packet;
      
      dropping a multicast packet;
      
      dropping a packet that identifies a media-access control address that falls outside a specified range of addresses;
      
      dropping a packet that does not identify said querying networked entity;
      
      forwarding a packet that conforms to a protocol comprising Internet Protocol v.4 Address Resolution Protocol or Internet Protocol v.6 Neighbor Discovery Protocol;
      
      logging information about said response; and
      
      determining whether to drop a data packet by evaluating other implementation-dependent criteria.
  - 24. The method of claim 23, wherein said plurality of rules is defined by said querying networked entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Barjatiya, Saurabh, Saripalli, Kanaka P.

Granted Patent

US 8,832,820 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 9/45558   Hypervisor-specific managem...

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 43/08   Monitoring or testing based...

H04L 61/103   across network layers, e.g....

H04L 63/0209   Architectural arrangements,...

H04L 63/0236   Filtering by address, proto...

H04L 63/0428   wherein the data content is...

H04L 63/065   for group communications cr...

H04L 63/08   for authentication of entit...

H04L 63/1408   by monitoring network traff...

H04L 67/025   for remote control or remot...

H04L 9/40   Network security protocols

ISOLATION AND SECURITY HARDENING AMONG WORKLOADS IN A MULTI-TENANT NETWORKED ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

ISOLATION AND SECURITY HARDENING AMONG WORKLOADS IN A MULTI-TENANT NETWORKED ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links