INFRASTRUCTURE LEVEL LAN SECURITY
First Claim
1. A computer-implemented method of providing group key-based encryption, comprising:
receiving a selection of a Layer 2 (L2) domain on which a secure wire is to be enabled;
generating an encryption key for the secure wire;
receiving a selection of one or more virtual network interface cards (vNICs) to add to the secure wire; and
encrypting communications between the one or more vNICs using the encryption key generated for the secure wire.
Abstract
Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
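The abstract describes four moving parts: a secure wire (an L2 domain with a shared group key), a key management module that knows which vNIC is on which wire, an encryption module that intercepts frames at egress and ingress, and a policy that decides which frames are encrypted. The Go program below is an added illustration of that flow and is not code from the patent or its assignee; it models one host with a handful of vNICs, uses AES-256-GCM as the group-key cipher, keeps the L2 header in the clear (bound as associated data) so a virtual switch could still forward the frame, and shows that a vNIC on no wire, or on a different tenant's wire, cannot recover the payload. The `Frame`, `SecureWire`, `KeyManager`, `Policy`, `Egress` and `Ingress` names, the MAC addresses and the "hello" payload are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Frame is a simplified L2 frame (constructed here): header fields, payload, sealed marker.
type Frame struct {
	SrcMAC, DstMAC string
	EtherType      uint16
	Payload        []byte
	Encrypted      bool
}

// SecureWire is an L2 domain with encryption enabled; every vNIC attached to
// it shares one group key, held here as an AES-256-GCM instance.
type SecureWire struct{ aead cipher.AEAD }

// NewSecureWire generates a fresh random group key for a new wire.
func NewSecureWire() (*SecureWire, error) {
	key := make([]byte, 32) // a 32-byte key selects AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SecureWire{aead: aead}, nil
}

// Policy decides per frame whether a secure-wire vNIC encrypts it;
// EncryptAll is the "all frames" mode described in the abstract.
type Policy func(Frame) bool
func EncryptAll(Frame) bool { return true }

// KeyManager stands in for the key management module: it records which secure
// wire (if any) each vNIC is on and seals/opens frames with that wire's key.
type KeyManager struct{ vnicWire map[string]*SecureWire }
func NewKeyManager() *KeyManager { return &KeyManager{vnicWire: map[string]*SecureWire{}} }
func (km *KeyManager) AddVNIC(vnic string, w *SecureWire) { km.vnicWire[vnic] = w }

// header stays in the clear so the virtual switch can still forward the frame;
// binding it as associated data makes any modification of it detectable.
func header(f Frame) []byte {
	return []byte(fmt.Sprintf("%s|%s|%04x", f.SrcMAC, f.DstMAC, f.EtherType))
}

// Egress is the encryption module's action on a frame leaving a vNIC.
func (km *KeyManager) Egress(vnic string, f Frame, pol Policy) (Frame, error) {
	w := km.vnicWire[vnic]
	if w == nil || !pol(f) {
		return f, nil // not on a secure wire, or policy leaves it in the clear
	}
	nonce := make([]byte, w.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Frame{}, err
	}
	f.Payload = w.aead.Seal(nonce, nonce, f.Payload, header(f)) // nonce||ct||tag
	f.Encrypted = true
	return f, nil
}

// Ingress recovers the payload only if the receiving vNIC holds the same group
// key, i.e. is on the sender's secure wire; any other receiver gets an error.
func (km *KeyManager) Ingress(vnic string, f Frame) (Frame, error) {
	if !f.Encrypted {
		return f, nil
	}
	w := km.vnicWire[vnic]
	if w == nil {
		return Frame{}, fmt.Errorf("%s: no group key (not on a secure wire)", vnic)
	}
	if n := w.aead.NonceSize(); len(f.Payload) >= n {
		if pt, err := w.aead.Open(nil, f.Payload[:n], f.Payload[n:], header(f)); err == nil {
			f.Payload, f.Encrypted = pt, false
			return f, nil
		}
	}
	return Frame{}, fmt.Errorf("%s: cannot decipher frame (wrong key or tampered)", vnic)
}

func main() {
	km := NewKeyManager()
	a, _ := NewSecureWire() // tenant A's secure wire
	b, _ := NewSecureWire() // tenant B's wire: a different group key
	km.AddVNIC("vm1", a)
	km.AddVNIC("vm2", a)
	km.AddVNIC("vm4", b) // vm3 is on no wire at all
	f := Frame{SrcMAC: "02:00:00:00:00:01", DstMAC: "02:00:00:00:00:02", EtherType: 0x0800, Payload: []byte("hello")}
	sealed, _ := km.Egress("vm1", f, EncryptAll)
	for _, rx := range []string{"vm2", "vm3", "vm4"} { // same wire, no wire, other wire
		out, err := km.Ingress(rx, sealed)
		fmt.Printf("%s: payload=%q err=%v\n", rx, out.Payload, err)
	}
}
```

Running it prints "hello" for vm2 and an error for vm3 and vm4: the frame is readable only where the wire's group key is present, which is the property the abstract claims. Two design points worth noting for anyone building something similar: the per-frame nonce must never repeat under one group key (a counter tied to the sending vNIC is the usual production choice rather than random bytes), and because every member of a wire holds the same key, the group key authenticates membership of the wire, not the individual sender, so key rotation when a vNIC is removed is part of the design rather than an afterthought.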
20 Claims
1. Independent method claim, reproduced in full under First Claim above. Dependent claims 2 to 10 are not reproduced on this page.
11. A non-transitory computer-readable storage medium embodying computer program instructions for providing group key-based encryption, the computer program instructions implementing operations comprising:
receiving a selection of a Layer 2 (L2) domain on which a secure wire is to be enabled;
generating an encryption key for the secure wire;
receiving a selection of one or more virtual network interface cards (vNICs) to add to the secure wire; and
encrypting communications between the one or more vNICs using the encryption key generated for the secure wire.
Dependent claims 12 to 19 are not reproduced on this page.
20. A system, comprising:
a processor; and
a memory, wherein the memory includes a program for providing group key-based encryption, the program being configured to perform operations comprising:
receiving a selection of a Layer 2 (L2) domain on which a secure wire is to be enabled,
generating an encryption key for the secure wire,
receiving a selection of one or more virtual network interface cards (vNICs) to add to the secure wire, and
encrypting communications between the one or more vNICs using the encryption key generated for the secure wire.