ENFORCING LABEL-BASED RULES ON A PER-USER BASIS IN A DISTRIBUTED NETWORK MANAGEMENT SYSTEM

US 20170237745A1
Filed: 02/15/2017
Published: 08/17/2017
Est. Priority Date: 02/16/2016
Status: Abandoned Application

First Claim

Patent Images

1. A method of managing security of services executing on servers in a network domain, the method comprising:

receiving information describing one or more user groups, each user group containing one or more users associated with the network domain;

receiving an association between the user group and a set of labeled entities, wherein a labeled entity is a service or a server, the association indicating that users of the user group are permitted to access the labeled entities of the set;

determining an administrative domain wide policy based on the received association, the administrative domain wide policy specifying a relationship between the user group and the set of labeled entities, the relationship allowing users of the user group to access a service or a server represented by a labeled entity of the set;

generating management instructions regulating communications between servers of the network domain based on the administrative domain wide policy; and

sending, to one or more servers, the management instructions to configure each of the one or more servers to implement the administrative domain wide policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

State information is received from a server indicating an identity of a user logged into the server. An administrative domain wide policy is determined that specifies a relationship between user a group and services or servers accessible to users belonging to the user group. Relevant servers are sent updated management instructions corresponding to rules of the administrative domain wide policy. Such rules provide access to a service or server to users belonging to user groups related to the service. As a result, the servers allow communications that provide access to users based on the specified relationships.

Citations

20 Claims

1. A method of managing security of services executing on servers in a network domain, the method comprising:
- receiving information describing one or more user groups, each user group containing one or more users associated with the network domain;
  
  receiving an association between the user group and a set of labeled entities, wherein a labeled entity is a service or a server, the association indicating that users of the user group are permitted to access the labeled entities of the set;
  
  determining an administrative domain wide policy based on the received association, the administrative domain wide policy specifying a relationship between the user group and the set of labeled entities, the relationship allowing users of the user group to access a service or a server represented by a labeled entity of the set;
  
  generating management instructions regulating communications between servers of the network domain based on the administrative domain wide policy; and
  
  sending, to one or more servers, the management instructions to configure each of the one or more servers to implement the administrative domain wide policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - receiving an indication of a user logging in to the server;
      
      identifying one or more user groups containing the user; and
      
      wherein the management instructions generated for the server provide the user, access to services and servers related to the one or more user groups by the administrative domain wide policy.
  - 3. The method of claim 2, further comprising:
    - storing, by the server, the management instructions in memory;
      
      receiving an indication of the user logging out of the server; and
      
      responsive to receiving the indication of the user logging out of the server, disabling the management instructions stored in the memory.
  - 4. The method of claim 3, wherein the user logging in represents a first user login:
    - receiving an indication of a second user login, the second user login is performed after the user logging out of the server; and
      
      responsive to determining that the user is logged in again, enabling the management instructions stored in memory.
  - 5. The method of claim 1, further comprising:
    - receiving, from a server, information identifying a plurality of users logged into the server; and
      
      for each user from the plurality of users;
      
      identifying one or more user groups associated with the user; and
      
      providing the user, access to services and servers related to the one or more user groups by the administrative domain wide policy.
  - 6. The method of claim 1, further comprising:
    - receiving, from a server, information indicating that a first user logged into the server;
      
      generating a first set of management instructions regulating communications between the first user and labeled entities related to user groups containing the first user;
      
      sending the first set of management instructions to the server;
      
      receiving, from the server, information indicating that a second user logged into the server;
      
      generating a second set of management instructions regulating communications between the second user and labeled entities related to user groups containing the second user; and
      
      sending the second set of management instructions to the server.
  - 7. The method of claim 1, wherein the set of labeled entities includes a service associated with a provider server and a consumer server,wherein generating management instructions comprises generating a first set of instructions for the consumer server, the first set of instructions configured to regulate communications between a user logged into the consumer server and one or more labeled entities, andwherein sending the management instructions comprises sending the first set of management instructions to the consumer server.
  - 8. The method of claim 7,wherein generating management instructions comprises generating a second set of management instructions for the provider server, the second set of instructions configured to regulate communications between the provider server and one or more other servers, wherein each of the one or more other servers has at least a user logged in, wherein the user logged in belongs to a user group allowed to access the service provided by the provider server, andwherein sending the management instructions comprises sending the second set of instructions to the provider server.
  - 9. The method of claim 8, further comprising:
    - receiving, from the server, an indication of the user logging out of the server;
      
      sending a request to the consumer server to disable the first set of management instructions; and
      
      sending a request to the provider server to disable the second set of management instructions.
  - 10. The method of claim 1, wherein the administrative domain wide policy comprises a rule associated with a service, the rule having a provided by portion and a used by portion, wherein the provided by portion specifies a label set matching servers that provide the service and the used by portion specifies a label set comprising one or more labels identifying one or more user groups.
  - 11. The method of claim 1, wherein the management instructions configure a server to block a communication responsive to receiving a request for a communication to another server providing a service that is not associated with the user group of the user currently logged in to the server.
  - 12. The method of claim 11, further comprising:
    - receiving an alert responsive to the server blocking the communication, the alert indicating a request for an unauthorized access.
  - 13. The method of claim 1, wherein the management instructions are sent to a particular server that allows users to connect and interact with one or more services provided by servers of the administrative domain.
  - 14. The method of claim 1, wherein the information describing one or more user groups is received from a directory and identity service.
  - 15. The method of claim 14, further comprising:
    - periodically synchronizing with the directory and identity service to receive updated information describing the one or more user groups.

16. A non-transitory computer readable storage medium storing executable instructions for:
- receiving information describing one or more user groups, each user group containing one or more users associated with the network domain;
  
  receiving an association between the user group and a set of labeled entities, wherein a labeled entity is a service or a server, the association indicating that users of the user group are permitted to access the labeled entities of the set;
  
  determining an administrative domain wide policy based on the received association, the administrative domain wide policy specifying a relationship between the user group and the set of labeled entities, the relationship allowing users of the user group to access a service or a server represented by a labeled entity of the set;
  
  generating management instructions regulating communications between servers of the network domain based on the administrative domain wide policy; and
  
  sending, to one or more servers, the management instructions to configure each of the one or more servers to implement the administrative domain wide policy.
- View Dependent Claims (17, 18, 19)
- - 17. The non-transitory computer readable storage medium of claim 16, wherein the stored instructions further comprise instructions for:
    - receiving, from a server, information identifying a plurality of users logged into the server; and
      
      for each user from the plurality of users;
      
      identifying one or more user groups associated with the user; and
      
      providing the user, access to services and servers related to the one or more user groups by the administrative domain wide policy.
  - 18. The non-transitory computer readable storage medium of claim 16, wherein the stored instructions further comprise instructions for:
    - receiving, from a server, information indicating that a first user logged into the server;
      
      generating a first set of management instructions regulating communications between the first user and labeled entities related to user groups containing the first user;
      
      sending the first set of management instructions to the server;
      
      receiving, from the server, information indicating that a second user logged into the server;
      
      generating a second set of management instructions regulating communications between the second user and labeled entities related to user groups containing the second user; and
      
      sending the second set of management instructions to the server.
  - 19. The non-transitory computer readable storage medium of claim 16, wherein the set of labeled entities includes a service associated with a provider server and a consumer server,wherein generating management instructions comprises generating a first set of instructions for the consumer server, the first set of instructions configured to regulate communications between a user logged into the consumer server and one or more labeled entities, andwherein generating management instructions comprises generating a second set of management instructions for the provider server, the second set of instructions configured to regulate communications between the provider server and one or more other servers, wherein each of the one or more other servers has at least a user logged in, wherein the user logged in belongs to a user group allowed to access the service provided by the provider server.

20. A computer system comprising:
- one or more processors;
  
  a computer readable non-transitory storage medium storing executable instructions for execution by the one or more processors, wherein the stored instructions comprise instructions for;
  
  receiving information describing one or more user groups, each user group containing one or more users associated with the network domain;
  
  receiving an association between the user group and a set of labeled entities, wherein a labeled entity is a service or a server, the association indicating that users of the user group are permitted to access the labeled entities of the set;
  
  determining an administrative domain wide policy based on the received association, the administrative domain wide policy specifying a relationship between the user group and the set of labeled entities, the relationship allowing users of the user group to access a service or a server represented by a labeled entity of the set;
  
  generating management instructions regulating communications between servers of the network domain based on the administrative domain wide policy; and
  
  sending, to one or more servers, the management instructions to configure each of the one or more servers to implement the administrative domain wide policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Illumio, Inc.
Original Assignee
Illumio, Inc.
Inventors
Desai, Anish V., Glenn, Matthew, Gupta, Mukesh, Kirner, Paul J., Fandli, Juraj G.

Application Number

US15/433,949
Publication Number

US 20170237745A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/62   Protecting access to data v...

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/205   involving negotiation or de...

H04L 67/51   Discovery or management the...

H04L 67/53   using third party service p...

ENFORCING LABEL-BASED RULES ON A PER-USER BASIS IN A DISTRIBUTED NETWORK MANAGEMENT SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ENFORCING LABEL-BASED RULES ON A PER-USER BASIS IN A DISTRIBUTED NETWORK MANAGEMENT SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links