Combined firewalls
First Claim
1. For a system that hosts a plurality of virtual machines on a plurality of host nodes, a method of providing a firewall to protect a set of virtual machines on a first host node, the method comprising:
- a) storing a connection table of records of allowed connections for each virtual machine of said set of virtual machines, wherein each record in the connection table comprises: a first IP address of a source of a connection, a second IP address of a destination of the connection, a source port address, a destination port address, and a protocol of the connection; and
- b) upon a particular virtual machine moving from the first host node to a second host node:
  - i) deleting records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines; and
  - ii) editing records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the set of virtual machines on the first host node, to remove an identifier of the particular virtual machine.
Abstract
A method of providing a firewall to protect a set of virtual machines on a host node that is one of multiple host nodes that host virtual machines. The method stores a table of allowed connections for each virtual machine on the host node. Upon a particular virtual machine moving from the host node to another host node, the method deletes records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines. Also upon the virtual machine moving, the method edits records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the set of virtual machines on the first host node, to remove an identifier of the particular virtual machine.
21 Claims
1. For a system that hosts a plurality of virtual machines on a plurality of host nodes, a method of providing a firewall to protect a set of virtual machines on a first host node, the method comprising:
- a) storing a connection table of records of allowed connections for each virtual machine of said set of virtual machines, wherein each record in the connection table comprises: a first IP address of a source of a connection, a second IP address of a destination of the connection, a source port address, a destination port address, and a protocol of the connection; and
- b) upon a particular virtual machine moving from the first host node to a second host node:
  - i) deleting records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines; and
  - ii) editing records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the set of virtual machines on the first host node, to remove an identifier of the particular virtual machine.

(Dependent claims: 2, 3, 4)
5. A method of providing a firewall to protect a set of virtual machines on a first host node of a system that hosts a plurality of virtual machines, the method comprising:
- a) storing a connection table of records of allowed connections for each virtual machine of said set of virtual machines on the first host node, wherein each record in the connection table comprises: a first IP address of a source of a connection, a second IP address of a destination of the connection, a source port address, a destination port address, and a protocol of the connection;
- b) upon a particular virtual machine moving to the first host node from a second host node, retrieving from a firewall of the second host node a set of records of allowed connections that each identify the particular virtual machine;
- c) for each record of said set of records that identifies a connection that is also identified in a record in the connection table, adding an identifier of the particular virtual machine to the record in the connection table that identifies the same connection; and
- d) for each record of said set of records that does not identify a connection to any virtual machine on the first host node, adding the record to the connection table.

(Dependent claims: 6)
7. A method of providing firewall protection for a plurality of virtual machines on a first host node, the method comprising:
- providing a firewall on a host node of the host system;
- when a packet addressed from a first virtual machine on the host node is sent to a second virtual machine on the host node, determining with the firewall whether a first set of policies that apply to the first virtual machine allows the first virtual machine to send the packet to the second virtual machine and whether a second set of policies that apply to the second virtual machine allow the second virtual machine to receive the packet from the first virtual machine; and
- blocking the packet with the firewall when at least one of the first and second sets of policies does not allow the packet to go from the first virtual machine to the second virtual machine, wherein blocking the packet comprises sending a reset packet to a virtual switch over which the packet passes.

(Dependent claims: 8, 9, 10, 11, 12, 13)
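The two-sided check of claim 7, as an added example that is not part of the patent text: a packet between two VMs on the same host is forwarded only when the sender's egress policy and the receiver's ingress policy both permit it; otherwise it is blocked and a reset is handed to the virtual switch. The VM names, policy layout and the `"*"` wildcard are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_vm: str
    dst_vm: str
    dst_port: int
    proto: str


# Constructed per-VM policies. "egress" lists (peer, port, proto) tuples the VM
# may send to; "ingress" lists tuples it may receive from; "*" matches anything.
POLICIES = {
    "web": {"egress": {("db", 5432, "tcp"), ("*", 514, "udp")}, "ingress": set()},
    "db":  {"egress": set(), "ingress": {("web", 5432, "tcp")}},
    "log": {"egress": set(), "ingress": {("web", 514, "udp")}},
    "bat": {"egress": {("db", 5432, "tcp")}, "ingress": set()},
}


def _matches(rule, peer, port, proto):
    return all(r == "*" or r == v for r, v in zip(rule, (peer, port, proto)))


def sender_allows(policies, pkt):
    """First set of policies: does the sending VM's egress policy permit it?"""
    rules = policies.get(pkt.src_vm, {}).get("egress", ())
    return any(_matches(r, pkt.dst_vm, pkt.dst_port, pkt.proto) for r in rules)


def receiver_allows(policies, pkt):
    """Second set of policies: does the receiving VM's ingress policy permit it?"""
    rules = policies.get(pkt.dst_vm, {}).get("ingress", ())
    return any(_matches(r, pkt.src_vm, pkt.dst_port, pkt.proto) for r in rules)


def filter_packet(policies, pkt, vswitch_log):
    """Forward only when both checks pass; otherwise block and record the reset
    that the firewall sends to the virtual switch (modelled here as a log entry)."""
    if sender_allows(policies, pkt) and receiver_allows(policies, pkt):
        return "forward"
    vswitch_log.append(("reset", pkt.src_vm, pkt.dst_vm, pkt.dst_port, pkt.proto))
    return "blocked"
```

Note that `bat` may send to `db` under its own policy, yet the packet is still blocked because `db` only accepts that flow from `web`; one side's allow is never sufficient.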
14. A non-transitory computer readable storage medium storing a computer program which when executed on a first host node on at least one processor implements a firewall on the first host node for securing a plurality of virtual machines on the first host node, the computer program comprising:
- a) a set of instructions for saving, in a connection table, a set of records of allowed connections for each of the plurality of virtual machines on the first host node, wherein each record in the connection table comprises a first type of record comprising a first IP address of a source of a connection, a second IP address of a destination of the connection, a source port address, a destination port address, and a protocol of the connection;
- b) a set of instructions for removing references to a particular virtual machine from the firewall upon the particular virtual machine moving from the first host node to a second host node by:
  - i) deleting records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines; and
  - ii) editing records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the plurality of virtual machines on the first host node, to remove an identifier of the particular virtual machine; and
- c) a set of instructions for sending a copy of the removed references to a firewall on the second host node upon the particular virtual machine moving from the first host node to the second host node.

(Dependent claims: 15, 16, 17, 18, 19)
20. A system comprising:
- a computing system having a plurality of host nodes that host a plurality of virtual machines;
- a connection table stored on the computing system, the connection table storing records of allowed connections for each virtual machine of said set of virtual machines, wherein each record in the connection table comprises: a first IP address of a source of a connection, a second IP address of a destination of the connection, a source port address, a destination port address, and a protocol of the connection; and
- a firewall coordinator that, upon a particular virtual machine moving from the first host node to a second host node, deletes records of a first set of allowed connections that each identify the particular virtual machine and do not identify any other virtual machine in the set of virtual machines and edits records of a second set of allowed connections, each identifying the particular machine and one other virtual machine in the set of virtual machines on the first host node, to remove an identifier of the particular virtual machine.

(Dependent claims: 21)
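The migration bookkeeping recited in claims 1, 5, 14 and 20, as an added example that is not part of the patent text: each allowed 5-tuple maps to the local VM identifiers it applies to; moving a VM out deletes records that name only that VM and strips its identifier from records shared with another local VM (claim 1(b)), the removed references are returned for the destination firewall (claim 14(c)), and moving a VM in merges them by adding the identifier to an already-known connection or adding a new record (claim 5(c)-(d)). The class, VM names and addresses are constructed for this example.

```python
class ConnectionTable:
    """Per-host firewall connection table (constructed example). Each allowed
    5-tuple maps to the identifiers of the local VMs the record applies to."""

    def __init__(self):
        self.records = {}  # (src_ip, dst_ip, src_port, dst_port, proto) -> {vm ids}

    def allow(self, conn, *vms):
        self.records.setdefault(conn, set()).update(vms)

    def migrate_out(self, vm):
        """Claim 1(b): for a VM leaving this host, (i) delete records naming only
        that VM and (ii) strip its identifier from records shared with another
        local VM. Returns the removed references, which claim 14(c) sends on to
        the destination host's firewall."""
        moved = {}
        for conn, vms in list(self.records.items()):
            if vm not in vms:
                continue
            moved[conn] = {vm}
            if vms == {vm}:
                del self.records[conn]   # (i) only this VM -> record deleted
            else:
                vms.discard(vm)          # (ii) shared -> identifier removed
        return moved

    def migrate_in(self, vm, retrieved):
        """Claim 5(b)-(d): merge the records retrieved from the source host."""
        for conn, vms in retrieved.items():
            if conn in self.records:
                self.records[conn].add(vm)      # (c) connection already known here
            else:
                self.records[conn] = set(vms)   # (d) connection new to this host


def demo():
    """Constructed scenario: VM A moves from host 1 to host 2, where VM C already
    has an allowed connection with A. Returns both tables after the move."""
    host1, host2 = ConnectionTable(), ConnectionTable()
    a_to_b = ("10.0.0.1", "10.0.0.2", 40000, 443, "tcp")
    a_to_ext = ("10.0.0.1", "198.51.100.7", 40001, 22, "tcp")
    a_to_c = ("10.0.0.1", "10.0.0.3", 40002, 8080, "tcp")
    host1.allow(a_to_b, "A", "B")    # both endpoints local to host 1
    host1.allow(a_to_ext, "A")       # A to an external server
    host1.allow(a_to_c, "A")         # C lives on host 2
    host2.allow(a_to_c, "C")         # host 2 tracks the same connection for C
    moved = host1.migrate_out("A")
    host2.migrate_in("A", moved)
    return host1.records, host2.records
```

After the move host 1 keeps only the A-to-B record, now naming B alone, while host 2 holds all three of A's connections, the A-to-C record now naming both C and A.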