Using packet filters and network virtualization to restrict network communications
First Claim
1. A computing device comprising:
- a set of filters;
- a mapping of virtual addresses to network addresses; and
- a controller, coupled to the set of filters and the mapping, to:
  - access, upon receipt of a data packet requested to be sent from the computing device to a target device via a network, the set of filters and determine whether the data packet can be sent to the target device based on whether the computing device is allowed to communicate with the target device;
  - replace, based on the mapping, the target address in the data packet with a corresponding target network address;
  - forward the data packet to the target device at the target network address if it is determined the data packet can be sent to the target device;
  - prevent the computing device from modifying any of the filters in the set of filters, but allow the set of filters to be modified by a plurality of remote devices operating at a plurality of different managerial levels, a first of the plurality of remote devices being a cluster operations management console for managing hardware operations of the computing device, a second of the plurality of remote devices being an application operations management console for managing software operations of the computing device; and
  - prevent the application operations management console from adding any filters to the set of filters that are less restrictive than filters added by the cluster operations management console.
Abstract
A network mediator corresponding to a computing device uses packet filters to restrict network communications. The network mediator includes a set of one or more filters, each filter having parameters that are compared to corresponding parameters of a data packet to be passed through the network mediator. The network mediator determines whether to allow the data packet through based on whether the data packet parameters match any filter parameters. The set of filters can be modified by a remote device, but cannot be modified by the computing device whose communications are being restricted. When a data packet is sent from the computing device, the data packet will include the virtual address which is changed to the network address by the network mediator prior to forwarding the packet on the network, and vice versa. By virtualizing the addresses, the computing device is restricted in accessing other devices over the network.
254 Citations
41 Claims
1. A computing device comprising:
- a set of filters;
- a mapping of virtual addresses to network addresses; and
- a controller, coupled to the set of filters and the mapping, to:
  - access, upon receipt of a data packet requested to be sent from the computing device to a target device via a network, the set of filters and determine whether the data packet can be sent to the target device based on whether the computing device is allowed to communicate with the target device;
  - replace, based on the mapping, the target address in the data packet with a corresponding target network address;
  - forward the data packet to the target device at the target network address if it is determined the data packet can be sent to the target device;
  - prevent the computing device from modifying any of the filters in the set of filters, but allow the set of filters to be modified by a plurality of remote devices operating at a plurality of different managerial levels, a first of the plurality of remote devices being a cluster operations management console for managing hardware operations of the computing device, a second of the plurality of remote devices being an application operations management console for managing software operations of the computing device; and
  - prevent the application operations management console from adding any filters to the set of filters that are less restrictive than filters added by the cluster operations management console.

Dependent claims: 2, 4.
3. A computing device as recited in 1, further comprising allowing the set of filters to be modified by a lower managerial level remote device only if the modifications are not less restrictive than modifications imposed by a higher managerial level remote device.
5. A method comprising:
- maintaining, at a computing device, a set of filters that restrict the ability of the computing device to communicate with other computing devices;
- allowing the set of filters to be modified by a plurality of remote devices operating at a plurality of different managerial levels, the plurality of remote devices including a cluster operations management device for managing hardware operations of the computing device, and an application operations management device for managing software operations of the computing device;
- preventing the application operations management device from adding any filters to the set of filters that are less restrictive than filters added by the cluster operations management device; and
- preventing the computing device from modifying the set of filters.

Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14, 15.
16. A network mediator comprising:
- a set of filters; and
- a controller, coupled to the set of filters, to:
  - access, upon receipt of a data packet requested to be sent from a computing device to a target device via a network, the set of filters and determine whether the data packet can be sent to the target device based on whether the computing device is allowed to communicate with the target device;
  - prevent the computing device from modifying any of the filters in the set of filters but allow the set of filters to be modified by a remote cluster operations management console for managing hardware operations of the computing device and by a remote application operations management console for managing software operations of the computing device; and
  - prevent the remote application operations management console from modifying the set of filters to be less restrictive than filters added by the remote cluster operations management console.

Dependent claims: 17, 18, 19, 20, 21, 22, 23.
24. A method comprising:
- maintaining a set of filters that restrict the ability of a computing device to communicate with other computing devices;
- allowing multiple remote computing devices, each corresponding to a different managerial level, to modify the set of filters, the multiple remote computing devices including a cluster operations management device for managing hardware operations of the computing device, and an application operations management device for managing software operations of the computing device; and
- preventing the application operations management device from modifying the set of filters in a manner that would result in a violation of a filter added by the cluster operations management device.

Dependent claims: 25, 27, 28, 29, 30.
26. A method as recited in 25, wherein the request to modify comprises one or more of:
- adding a filter to the set of filters,
- modifying a filter in the set of filters, and
- deleting a filter from the set of filters.
31. One or more computer-readable media having stored thereon a computer program to implement a multiple-level filter administration scheme and including a plurality of instructions that, when executed by one or more processors, cause the one or more processors to perform acts including:
- allowing a cluster operations management device for managing hardware operations of a filtered device to modify a set of filters corresponding to the filtered device, the cluster operations management device operating at a first of the multiple levels; and
- allowing an application operations management device for managing software operations of the filtered device to modify the set of filters only if the modification is at least as restrictive as the filters imposed by the first computing device, the application operations management device operating at a second of the multiple levels.

Dependent claims: 32, 33, 34.
35. A method comprising:
- maintaining an association of virtual addresses and corresponding network addresses;
- making a computing device aware of the virtual addresses;
- hiding the network addresses from the computing device;
- receiving, from the computing device, a data packet intended for a target computing device corresponding to a target virtual address;
- replacing, based on the target virtual address, the target virtual address with the corresponding target network address;
- forwarding the data packet to the target computing device at the target network address;
- maintaining, at the computing device, a set of filters that further restrict the ability of the computing device to communicate with other computing devices;
- allowing the set of filters to be modified from a plurality of remote devices, the plurality of remote devices including a cluster operations management device for managing hardware operations of the computing device and an application operations management device for managing software operations of the computing device;
- preventing the application operations management device from modifying the set of filters in a manner that would result in a violation of a filter added by the cluster operations management device; and
- preventing the computing device from modifying the set of filters.

Dependent claims: 36, 37, 38.
39. A network mediator comprising:
- a mapping of virtual addresses to network addresses;
- a set of filters that restrict the ability of the computing device to communicate with other computing devices; and
- a controller, coupled to the mapping, to:
  - make a corresponding computing device aware of the virtual addresses;
  - hide the network addresses from the computing device;
  - receive, from the computing device, a data packet intended for a target computing device corresponding to a target virtual address;
  - replace, based on the target virtual address, the target virtual address with the corresponding target network address;
  - forward the data packet to the target computing device at the target network address;
  - allow the set of filters to be modified from a plurality of remote devices, the plurality of remote devices including a cluster operations management device for managing hardware operations of the computing device and an application operations management device for managing software operations of the computing device;
  - prevent the application operations management device from modifying the set of filters in a manner that would result in a violation of a filter added by the cluster operations management device; and
  - prevent the computing device from modifying the set of filters.

Dependent claims: 40, 41.
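To make the mechanism described in the abstract and the claims above concrete, here is an added Python model of the network mediator. It is an example written for this page, not code from the patent, its assignee, or any product. It assumes a specific reading of the claims: filters are allow rules tagged with the managerial level that installed them; the effective policy is the intersection of each level's allow set, so an application-level rule is accepted only if some cluster-level rule already covers it (claims 3 and 31); a lower level may not delete a higher level's rule (claim 26); the mediator denies by default when no rules exist; and filters match on the virtual destination address the device sees, with the rewrite to the network address happening after the filter check (claim 1). The addresses, levels, rule set and packets are constructed sample values.

```python
# Added example (not the patent's own code): a toy network mediator with
# per-level allow filters and virtual-to-network address rewriting.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

CLUSTER_OPS = 0       # higher managerial level (hardware operations console)
APP_OPS = 1           # lower managerial level (software operations console)
FILTERED_DEVICE = 99  # the mediated device itself; it may never edit its filters

@dataclass(frozen=True)
class Filter:
    """Allow rule (assumption): virtual destination CIDR, protocol, port, installing level."""
    dst: str
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port
    level: int

    def matches(self, dst: str, proto: str, port: int) -> bool:
        return (ip_address(dst) in ip_network(self.dst, strict=False)
                and self.proto in ("any", proto) and self.port in (None, port))

    def covered_by(self, other: "Filter") -> bool:
        """True if everything this rule allows, `other` allows too (this is at least as restrictive)."""
        return (ip_network(self.dst, strict=False).subnet_of(ip_network(other.dst, strict=False))
                and other.proto in ("any", self.proto) and other.port in (None, self.port))

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    port: int

class NetworkMediator:
    def __init__(self, virtual_to_network: Dict[str, str]):
        self.vmap = dict(virtual_to_network)              # virtual -> network address
        self.rmap = {n: v for v, n in self.vmap.items()}  # network -> virtual address
        self.filters: List[Filter] = []

    def add_filter(self, requester: int, f: Filter) -> None:
        if requester == FILTERED_DEVICE:
            raise PermissionError("the filtered device may not modify its own filters")
        if f.level != requester:
            raise PermissionError("a console may only install filters at its own level")
        if requester == APP_OPS:  # the lower level may only narrow what cluster ops permit
            if not any(f.covered_by(c) for c in self.filters if c.level == CLUSTER_OPS):
                raise PermissionError("application-level filter is less restrictive than cluster policy")
        self.filters.append(f)

    def remove_filter(self, requester: int, f: Filter) -> None:
        if requester == FILTERED_DEVICE or f.level < requester:  # deleting a higher-level rule loosens policy
            raise PermissionError("not permitted to delete this filter")
        self.filters.remove(f)

    def allowed(self, pkt: Packet) -> bool:
        """Effective policy = intersection of each level's allow set; default deny with no rules (assumption)."""
        by_level: Dict[int, List[Filter]] = {}
        for f in self.filters:
            by_level.setdefault(f.level, []).append(f)
        return bool(by_level) and all(
            any(f.matches(pkt.dst, pkt.proto, pkt.port) for f in rules) for rules in by_level.values())

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Device -> network: check filters on the virtual target, then rewrite it to the network address."""
        if pkt.dst not in self.vmap or not self.allowed(pkt):
            return None  # unknown virtual target or filtered: drop
        return Packet(pkt.src, self.vmap[pkt.dst], pkt.proto, pkt.port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Network -> device: rewrite the real source back to its virtual address; unmapped sources are dropped."""
        if pkt.src not in self.rmap:
            return None
        return Packet(self.rmap[pkt.src], pkt.dst, pkt.proto, pkt.port)

def _rejected(action: Callable[[], None]) -> bool:
    try:
        action()
        return False
    except PermissionError:
        return True

def demo() -> Dict[str, object]:
    """Exercise the claimed behaviours with constructed sample addresses."""
    med = NetworkMediator({"10.0.0.5": "192.168.40.17", "10.0.0.6": "192.168.40.18"})
    cluster_rule = Filter("10.0.0.0/24", "tcp", None, CLUSTER_OPS)
    med.add_filter(CLUSTER_OPS, cluster_rule)                            # TCP to the whole virtual /24
    med.add_filter(APP_OPS, Filter("10.0.0.5/32", "tcp", 443, APP_OPS))  # app ops narrows to one host:443
    r: Dict[str, object] = {}
    r["loosen_rejected"] = _rejected(lambda: med.add_filter(APP_OPS, Filter("10.0.0.0/16", "any", None, APP_OPS)))
    r["device_rejected"] = _rejected(lambda: med.add_filter(FILTERED_DEVICE, Filter("0.0.0.0/0", "any", None, FILTERED_DEVICE)))
    r["delete_rejected"] = _rejected(lambda: med.remove_filter(APP_OPS, cluster_rule))
    out = med.outbound(Packet("10.0.0.1", "10.0.0.5", "tcp", 443))
    r["rewritten_dst"] = out.dst if out else None                        # -> "192.168.40.17"
    r["port80_dropped"] = med.outbound(Packet("10.0.0.1", "10.0.0.5", "tcp", 80)) is None
    r["unmapped_dropped"] = med.outbound(Packet("10.0.0.1", "10.0.0.99", "tcp", 443)) is None
    back = med.inbound(Packet("192.168.40.17", "10.0.0.1", "tcp", 443))
    r["inbound_src"] = back.src if back else None                        # -> "10.0.0.5"
    return r
```

Running `demo()` shows the three enforcement points the claims care about: the device's own attempt to install a permit-all filter is refused, the application console's attempt to widen the cluster rule to a /16 for any protocol is refused because no cluster rule covers it, and the application console cannot delete the cluster rule out from under its own narrower rule. The address rewriting shows the other half of the abstract: the device only ever names `10.0.0.5`, the mediator emits `192.168.40.17` on the wire, and replies from that network address come back carrying the virtual address. Because the mapping is the only way to reach a network address, a destination outside the mapping is simply unreachable, which is what makes the virtualization itself a restriction rather than just a convenience.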
Specification