Method and Apparatus for Dynamically Creating Encryption Rules
First Claim
1. A method of providing encryption services on a computer that executes a plurality of virtual machines (VMs), the method comprising:
- detecting an event on a particular VM;
generating an encryption rule for encrypting data messages that are sent from the particular VM; and
using the encryption rule to encrypt messages sent by the particular VM.
1 Assignment
0 Petitions
Accused Products
Abstract
For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host. When two different GVMs are part of two different logical overlay networks that are implemented on common network fabric, the method in some embodiments encrypts the data messages exchanged between the GVMs of one logical network differently than the data messages exchanged between the GVMs of another logical network. In some embodiments, the method can also encrypt different types of data messages from the same GVM differently. Also, in some embodiments, the method can dynamically enforce encryption rules in response to dynamically detected events, such as malware infections.
40 Citations
18 Claims
-
1. A method of providing encryption services on a computer that executes a plurality of virtual machines (VMs), the method comprising:
-
detecting an event on a particular VM; generating an encryption rule for encrypting data messages that are sent from the particular VM; and using the encryption rule to encrypt messages sent by the particular VM. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A non-transitory machine readable medium storing a program for providing encryption services on a computer that executes a plurality of virtual machines (VMs), the program comprising sets of instructions for:
-
detecting an event on a particular VM; examining a plurality of encryption policies to determine whether an encryption rule needs to be specified for the detected event; and specifying the encryption rule based on the examination of the encryption policies, said encryption rule for encrypting messages sent by the particular VM. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
-
Specification
-
- Resources
-
Current AssigneeNicira Incorporated (Broadcom, Inc.)
-
Original AssigneeNicira Incorporated (Broadcom, Inc.)
-
InventorsThota, Kiran Kumar, Feroz, Azeem, Wiese, James C.
-
Application NumberUS14/320,581Publication NumberTime in Patent OfficeDaysField of SearchUS Class Current1/1CPC Class CodesG06F 2009/45587 Isolation or security of vi...G06F 21/56 Computer malware detection ...G06F 21/568 eliminating virus, restorin...G06F 21/602 Providing cryptographic fac...G06F 21/6236 between heterogeneous systemsG06F 2221/034 Test or assess a computer o...G06F 9/45558 Hypervisor-specific managem...G06F 9/542 Event management; Broadcast...G09C 1/00 Apparatus or methods whereb...H04L 2209/24 Key scheduling, i.e. genera...H04L 63/0428 wherein the data content is...H04L 63/123 received data contents, e.g...H04L 63/1408 by monitoring network traff...H04L 63/1441 Countermeasures against mal...H04L 9/14 using a plurality of keys o...
