Combined firewalls

US 8,146,147 B2
Filed: 01/05/2009
Issued: 03/27/2012
Est. Priority Date: 03/27/2008
Status: Active Grant

First Claim

Patent Images

1. For a system that hosts a plurality of virtual machines on a plurality of host nodes, a method of providing a firewall to protect a set of virtual machines on a first host node, the method comprising:

a) storing a connection table of records of allowed connections for each virtual machine of said set of virtual machines, wherein each record in the connection table comprises;

a first IP address of a source of a connection, a second IP address of a destination of the connection, a source port address;

a destination port address, and a protocol of the connection; and

b) upon a particular virtual machine moving from the first host node to a second host node;

i) deleting records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines; and

ii) editing records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the set of virtual machines on the first host node, to remove an identifier of the particular virtual machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of providing a firewall to protect a set of virtual machines on a host node that is one of multiple host nodes that host virtual machines. The method stores a table of allowed connections for each virtual machine on the host node. Upon a particular virtual machine moving from the host node to another host node, the method deletes records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines. Also upon the virtual machine moving, the method edits records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the set of virtual machines on the first host node, to remove an identifier of the particular virtual machine.

Citations

21 Claims

1. For a system that hosts a plurality of virtual machines on a plurality of host nodes, a method of providing a firewall to protect a set of virtual machines on a first host node, the method comprising:
- a) storing a connection table of records of allowed connections for each virtual machine of said set of virtual machines, wherein each record in the connection table comprises;
  
  a first IP address of a source of a connection, a second IP address of a destination of the connection, a source port address;
  
  a destination port address, and a protocol of the connection; and
  
  b) upon a particular virtual machine moving from the first host node to a second host node;
  
  i) deleting records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines; and
  
  ii) editing records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the set of virtual machines on the first host node, to remove an identifier of the particular virtual machine.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 further comprising:
    - a) sending a copy of the records of the first set of allowed connections to a firewall of the second host node; and
      
      b) sending a copy of the records of the second set of allowed connections to the firewall of the second host node.
  - 3. The method of claim 2 further comprising editing the copy of the records of the second set of allowed connections, to remove identifiers of other virtual machines on the first host node, before sending said copy of the records of the second set of allowed connections to the firewall of the second host node.
  - 4. The method of claim 1, wherein when the source or destination of a particular connection is a virtual machine on the host node, the record of the particular connection further comprises an identifier of the virtual machine on the host node.

5. A method of providing a firewall to protect a set of virtual machines on a first host node of a system that hosts a plurality of virtual machines, the method comprising:
- a) storing a connection table of records of allowed connections for each virtual machine of said set of virtual machines on the first host node, wherein each record in the connection table comprises;
  
  a first IP address of a source of a connection, a second IP address of a destination of the connection, a source port address, a destination port address, and a protocol of the connection;
  
  b) upon a particular virtual machine moving to the first host node from a second host node, retrieving from a firewall of the second host node a set of records of allowed connections that each identify the particular virtual machine;
  
  c) for each record of said set of records that identifies a connection that is also identified in a record in the connection table, adding an identifier of the particular virtual machine to the record in the connection table that identifies the same connection; and
  
  d) for each record of said set of records that does not identify a connection to any virtual machine on the first host node, adding the record to the connection table.
- View Dependent Claims (6)
- - 6. The method of claim 5, wherein each record of said set of records that identifies a connection that is also identified in a record in the connection table comprises:
    - a same source IP address as the IP address of the source of the connection in the record in the connection table;
      
      a same destination IP address as the IP address of the destination of the connection in the record in the connection table;
      
      a same source port address as the port address of the source of the connection in the record in the connection table;
      
      a same destination port address as the port address of the destination of the connection in the record in the connection table; and
      
      a same protocol as the protocol of the connection in the record in the connection table.

7. A method of providing firewall protection for a plurality of virtual machines on a first host node, the method comprising:
- providing a firewall on a host node of the host system;
  
  when a packet addressed from a first virtual machine on the host node is sent to a second virtual machine on the host node, determining with the firewall whether a first set of policies that apply to the first virtual machine allows the first virtual machine to send the packet to the second virtual machine and whether a second set of policies that apply to the second virtual machine allow the second virtual machine to receive the packet from the first virtual machine; and
  
  blocking the packet with the firewall when at least one of the first and second sets of policies does not allow the packet to go from the first virtual machine to the second virtual machine, wherein blocking the packet comprises sending a reset packet to a virtual switch over which the packet passes.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method of claim 7, wherein when both the first set of policies and the second set of policies allow the packet to go from the first virtual machine to the second, the firewall stores a record that the packet was allowed to go from the first virtual machine to the second virtual machine, the record comprising an identifier of the first virtual machine as the sender of the packet and an identifier of the second virtual machine as the receiver of the packet.
  - 9. The method of claim 8, wherein when the first virtual machine is removed from the host node, the identifier of the first virtual machine as the sender of the packet is removed from the record on the host node.
  - 10. The method of claim 8, wherein when the first virtual machine is moved to a second host node, the firewall sends an edited copy of the record to the second host node, wherein the edited copy of the record does not comprise an identifier of the second virtual machine.
  - 11. The method of claim 8, wherein when the first and second virtual machines are removed from the host node the record is deleted from the firewall.
  - 12. The method of claim 7, wherein when a first packet addressed to a first virtual machine on the host node is received from outside the host node, the firewall determines whether to allow said first packet to reach the first virtual machine and when a second packet addressed from the first virtual machine on the host node is sent to a destination outside the host node, the firewall determines whether to allow said second packet to leave the host node.
  - 13. The method of claim 7, wherein when the first virtual machine is moved to a second host node, the firewall sends the first set of policies to a firewall of the second host node.

14. A non-transitory computer readable storage medium storing a computer program which when executed on a first host node on at least one processor implements a firewall on the first host node for securing a plurality of virtual machines on the first host node, the computer program comprising:
- a) a set of instructions for saving, in a connection table, a set of records of allowed connections for each of the plurality of virtual machines on the first host node, wherein each record in the connection table comprises a first type of record comprising a first IP address of a source of a connection, a second IP address of a destination of the connection, a source port address;
  
  a destination port address, and a protocol of the connection;
  
  b) a set of instructions for removing references to a particular virtual machine from the firewall upon the particular virtual machine moving from the first host node to a second host node by;
  
  i) deleting records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines; and
  
  ii) editing records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the plurality of virtual machines on the first host node, to remove an identifier of the particular virtual machine; and
  
  c) a set of instructions for sending a copy of the removed references to a firewall on the second host node upon the particular virtual machine moving from the first host node to the second host node.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory computer readable storage medium of claim 14, wherein the set of instructions for saving a set of records of allowed connections comprise:
    - a) a set of instructions for saving a first type of record of allowed connections between the particular virtual machine and the other virtual machines on the host node, each record of said first type of record comprising a source address of the connection, a destination address of the connection, an identifier of the particular virtual machine, and an identifier of another virtual machine in the connection; and
      
      b) a set of instructions for saving a second type of record of allowed connections between the particular virtual machine and a contact outside the host node, each record of said second type of record comprising a source address of the connection, a destination address of the connection, and an identifier of the particular virtual machine.
  - 16. The non-transitory computer readable storage medium of claim 15, wherein the set of instructions for removing references comprises:
    - a) a set of instructions for removing all records of the second type from the connection table; and
      
      b) a set of instructions for removing the identifier of the particular virtual machine from all records of the first type of record in the connection table.
  - 17. The non-transitory computer readable storage medium of claim 14, wherein the computer program further comprises a set of instructions for, upon a new virtual machine entering the first host node from the second host node, retrieving a set of records of allowed connections for the new virtual machine from a firewall of the second host node.
  - 18. The non-transitory computer readable storage medium of claim 17, wherein the computer program further comprises a set of instructions for merging the retrieved set of records of allowed connections for the new virtual machine with the connection table of the first host node.
  - 19. The non-transitory computer readable storage medium of claim 18, wherein said set of instructions for merging comprises:
    - a) a set of instructions for adding the records of connections between the new virtual machine and contacts outside the host node in the retrieved set of records to the connection table; and
      
      b) a set of instructions for adding an identifier of the new virtual machine to each corresponding record, in the connection table, of a connection between the other virtual machines on the node and the new virtual machine.

20. A system comprising:
- a computing system having a plurality of host nodes that host a plurality of virtual machines;
  
  a connection table stored on the computing system, the connection table storing records of allowed connections for each virtual machine of said set of virtual machines, wherein each record in the connection table comprises;
  
  a first IP address of a source of a connection, a second IP address of a destination of the connection, a source port address;
  
  a destination port address, and a protocol of the connection; and
  
  a firewall coordinator that, upon a particular virtual machine moving from the first host node to a second host node, deletes records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines and edits records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the set of virtual machines on the first host node, to remove an identifier of the particular virtual machine.
- View Dependent Claims (21)
- - 21. The system of claim 20, wherein the firewall coordinator sends a copy of the records of the first set of allowed connections to a firewall of the second host node, and sends a copy of the records of the second set of allowed connections to the firewall of the second host node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Litvin, Moshe, Benjamini, Gilad
Primary Examiner(s)
Smithers, Matthew

Application Number

US12/348,894
Publication Number

US 20090249470A1
Time in Patent Office

1,177 Days
Field of Search

726/11
US Class Current

726/11
CPC Class Codes

H04L 63/0263 Rule management

Combined firewalls

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Combined firewalls

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links