ENFORCING MICRO-SEGMENTATION POLICIES FOR PHYSICAL AND VIRTUAL APPLICATION COMPONENTS IN DATA CENTERS

US 20200137123A1
Filed: 12/31/2019
Published: 04/30/2020
Est. Priority Date: 06/30/2017
Status: Active Grant

First Claim

Patent Images

1-20. -20. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may receive policy information associated with a first application group and a second application group. The device may receive network topology information associated with a network. The device may generate a first policy based on the policy information and the network topology information, and generate a second policy based on the policy information and the network topology information. The device may provide, to the virtual network device, information associated with the first policy to permit the virtual network device to implement the first policy in association with network traffic transferred between the first application group and the second application group. The device may provide, to the physical network device, information associated with the second policy to permit the physical network device to implement the second policy in association with network traffic transferred between the first application group and the second application group.

Citations

40 Claims

1-20. -20. (canceled)

21. A device, comprising:
- a communication interface; and
  
  one or more processors to;
  
  receive network topology information associated with a network;
  
  identify a first application component as a physical application component of the network based on the network topology information;
  
  identify a second application component as a virtual application component of the network based on the network topology information;
  
  provide, to a virtual network device of the network, a first policy to permit the virtual network device to implement the first policy in association with network traffic transferred using the virtual application component,the first policy being provided to the virtual network device based on the virtual network device being a virtual device type and being connected to the virtual application component; and
  
  provide, to a physical network device of the network, a second policy to permit the physical network device to implement the second policy in association with network traffic transferred using the physical application component,the second policy being provided to the physical network device based on the physical network device being a physical device type and being connected to the physical application component.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The device of claim 21, where the one or more processors are further to:
    - determine, using the network topology information, that the virtual application component is connected to the virtual network device; and
      
      where the one or more processors, when providing the first policy, are to;
      
      provide the first policy based on determining that the virtual application component is connected to the virtual network device.
  - 23. The device of claim 21, where the one or more processors are further to:
    - determine, using the network topology information, that the physical application component is connected to the physical network device; and
      
      where the one or more processors, when providing the second policy, are to;
      
      provide the information associated with the second policy based on determining that the physical application component is connected to the physical network device.
  - 24. The device of claim 21, where the one or more processors are further to:
    - determine, using the network topology information, that the virtual application component is a virtual device; and
      
      where the one or more processors, when generating the first policy, are to;
      
      generate the first policy based on determining that the virtual application component is the virtual device.
  - 25. The device of claim 21, where the physical network device is associated with a data center;
    - andwhere the network topology information includes information that identifies one or more of;
      
      the physical network device,connections between the physical network device and one or more other physical network devices in the data center,locations of the physical network device and one or more other physical network devices in the data center, ornetwork addresses of the physical network device and one or more other physical network devices in the data center.
  - 26. The device of claim 21, where the network topology information includes information that identifies one or more of:
    - a set of data associated with the virtual network device,a set of files associated with the virtual network device, ora set of messages associated with the virtual network device.
  - 27. The device of claim 21, where the one or more processors are further to:
    - generate a logical group of virtual application components of the network,the first policy being provided to the virtual network device based on the logical group of virtual application components; and
      
      generate a logical group of physical application components of the network,the second policy being provided to the physical network device based on the logical group of physical application components.

28. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to;
  
  receive network topology information associated with a network;
  
  identify a first application component as a physical application component of the network based on the network topology information;
  
  identify a second application component as a virtual application component of the network based on the network topology information;
  
  provide, to a virtual network device of the network, a first policy to permit the virtual network device to implement the first policy in association with network traffic transferred using the virtual application component,the first policy being provided to the virtual network device based on the virtual network device being a virtual device type and being connected to the virtual application component; and
  
  provide, to a physical network device of the network, a second policy to permit the physical network device to implement the second policy in association with network traffic transferred using the physical application component,the second policy being provided to the physical network device based on the physical network device being a physical device type and being connected to the physical application component.
- View Dependent Claims (29, 30, 31, 32, 33, 34)
- - 29. The non-transitory computer-readable medium of claim 28, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - determine, using the network topology information, that the virtual application component is connected to the virtual network device; and
      
      where the one or more instructions, that cause the one or more processors to provide the first policy, cause the one or more processors to;
      
      provide the first policy based on determining that the virtual application component is connected to the virtual network device.
  - 30. The non-transitory computer-readable medium of claim 28, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - determine, using the network topology information, that the physical application component is connected to the physical network device; and
      
      where the one or more instructions, that cause the one or more processors to provide the second policy, cause the one or more processors to;
      
      provide the information associated with the second policy based on determining that the physical application component is connected to the physical network device.
  - 31. The non-transitory computer-readable medium of claim 28, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - determine, using the network topology information, that the virtual application component is a virtual device; and
      
      where the one or more instructions, that cause the one or more processors to generate the first policy, cause the one or more processors to;
      
      generate the first policy based on determining that the virtual application component is the virtual device.
  - 32. The non-transitory computer-readable medium of claim 28, where the physical network device is associated with a data center;
    - andwhere the network topology information includes information that identifies one or more of;
      
      the physical network device,connections between the physical network device and one or more other physical network devices in the data center,locations of the physical network device and one or more other physical network devices in the data center, ornetwork addresses of the physical network device and one or more other physical network devices in the data center.
  - 33. The non-transitory computer-readable medium of claim 28, where the network topology information includes information that identifies one or more of:
    - a set of data associated with the virtual network device,a set of files associated with the virtual network device, ora set of messages associated with the virtual network device.
  - 34. The non-transitory computer-readable medium of claim 28, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - generate a logical group of virtual application components of the network,the first policy being provided to the virtual network device based on the logical group of virtual application components; and
      
      generate a logical group of physical application components of the network,the second policy being provided to the physical network device based on the logical group of physical application components.

35. A method, comprising:
- receiving, by a device, network topology information associated with a network;
  
  identifying, by the device, a first application component as a physical application component of the network based on the network topology information;
  
  identifying, by the device, a second application component as a virtual application component of the network based on the network topology information;
  
  providing, by the device and to a virtual network device of the network, a first policy to permit the virtual network device to implement the first policy in association with network traffic transferred using the virtual application component,the first policy being provided to the virtual network device based on the virtual network device being a virtual device type and being connected to the virtual application component; and
  
  providing, by the device and to a physical network device of the network, a second policy to permit the physical network device to implement the second policy in association with network traffic transferred using the physical application component,the second policy being provided to the physical network device based on the physical network device being a physical device type and being connected to the physical application component.
- View Dependent Claims (36, 37, 38, 39, 40)
- - 36. The method of claim 35, further comprising:
    - determining, using the network topology information, that the virtual application component is connected to the virtual network device; and
      
      where providing the first policy includes;
      
      providing the first policy based on determining that the virtual application component is connected to the virtual network device.
  - 37. The method of claim 35, further comprisingdetermining, using the network topology information, that the physical application component is connected to the physical network device;
    - andwhere providing the second policy includes;
      
      providing the information associated with the second policy based on determining that the physical application component is connected to the physical network device.
  - 38. The method of claim 35, further comprising:
    - determining, using the network topology information, that the virtual application component is a virtual device; and
      
      where generating the first policy includes;
      
      generating the first policy based on determining that the virtual application component is the virtual device.
  - 39. The method of claim 35, where the physical network device is associated with a data center;
    - andwhere the network topology information includes information that identifies one or more of;
      
      the physical network device,connections between the physical network device and one or more other physical network devices in the data center,locations of the physical network device and one or more other physical network devices in the data center, ornetwork addresses of the physical network device and one or more other physical network devices in the data center.
  - 40. The method of claim 35, where the network topology information includes information that identifies one or more of:
    - a set of data associated with the virtual network device,a set of files associated with the virtual network device, ora set of messages associated with the virtual network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Nimmagadda, Srinivas, Kumar, Rakesh, Seshadri, Prakash T., Subramanian, Sriram

Granted Patent

US 11,457,043 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

ENFORCING MICRO-SEGMENTATION POLICIES FOR PHYSICAL AND VIRTUAL APPLICATION COMPONENTS IN DATA CENTERS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

ENFORCING MICRO-SEGMENTATION POLICIES FOR PHYSICAL AND VIRTUAL APPLICATION COMPONENTS IN DATA CENTERS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links