Applying firewalls to virtualized environments

US 8,151,337 B2
Filed: 06/30/2006
Issued: 04/03/2012
Est. Priority Date: 06/30/2006
Status: Active Grant

First Claim

Patent Images

1. A system for applying separate firewall rules to one or more networks connected to a computer, comprising:

a computing device comprising a processor; and

a memory coupled to said processor, said memory having stored thereon computer executable instructions that upon execution by the processor cause;

instantiating on the computer an operating system shared by a first virtualized environment and a second virtualized environment that execute on the computer;

instantiating on the computer a network stack comprising a filter engine, the filter engine storing a set of firewall rules, the filter engine being shared by the first and second virtualized environments;

receiving, by a network interface card (NIC) associated with the network stack, a first data from one of the one or more networks;

based on determining that the first data is directed to the first virtualized environment, modifying, by the NIC, the first data to identify the first virtualized environment;

sending the modified first data from the NIC to the operating system;

determining, by the operating system, based on the modified first data having been modified to identify the first virtualized environment, a first subset of the firewall rules;

applying, by the filter engine, the first subset of the firewall rules to the first data to produce a filtered first data;

sending the filtered first data to the first virtualized environment;

receiving, by the NIC, a second data from one of the one or more networks;

based on determining that the second data is directed to the second virtualized environment, modifying, by the NIC, the first data to identify the second virtualized environment;

sending the modified second data from the NIC to the operating system;

determining, by the operating system, based on the modified second data having been modified to identify the second virtualized environment, a second subset of the firewall rules;

applying, by the filter engine, the second subset of the firewall rules to the second data to produce a filtered second data; and

sending the filtered second data to the second virtualized environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Each virtualized environment on a computer has its own set of firewall rules. The virtualized environments share a single instance of the operating system image, a filter engine and a single network stack. A virtualized environment may be a compartment or a server silo. A virtualized environment is a network isolation mechanism and may be used to prevent use of a computer to traverse network boundaries by creating a separate virtualized environment for each network, enabling a separate set of rules to be applied to each virtualized environment and the network interfaces within it. Virtualized environments may also be used to assign different trust levels to the same physical network. Firewall rules are applied by virtualized environment identifier (ID), enabling separate filters to be applied to each virtualized environment on a computer. A virtualized environment may include or be associated with one or more network interfaces.

25 Citations

View as Search Results

19 Claims

1. A system for applying separate firewall rules to one or more networks connected to a computer, comprising:
- a computing device comprising a processor; and
  
  a memory coupled to said processor, said memory having stored thereon computer executable instructions that upon execution by the processor cause;
  
  instantiating on the computer an operating system shared by a first virtualized environment and a second virtualized environment that execute on the computer;
  
  instantiating on the computer a network stack comprising a filter engine, the filter engine storing a set of firewall rules, the filter engine being shared by the first and second virtualized environments;
  
  receiving, by a network interface card (NIC) associated with the network stack, a first data from one of the one or more networks;
  
  based on determining that the first data is directed to the first virtualized environment, modifying, by the NIC, the first data to identify the first virtualized environment;
  
  sending the modified first data from the NIC to the operating system;
  
  determining, by the operating system, based on the modified first data having been modified to identify the first virtualized environment, a first subset of the firewall rules;
  
  applying, by the filter engine, the first subset of the firewall rules to the first data to produce a filtered first data;
  
  sending the filtered first data to the first virtualized environment;
  
  receiving, by the NIC, a second data from one of the one or more networks;
  
  based on determining that the second data is directed to the second virtualized environment, modifying, by the NIC, the first data to identify the second virtualized environment;
  
  sending the modified second data from the NIC to the operating system;
  
  determining, by the operating system, based on the modified second data having been modified to identify the second virtualized environment, a second subset of the firewall rules;
  
  applying, by the filter engine, the second subset of the firewall rules to the second data to produce a filtered second data; and
  
  sending the filtered second data to the second virtualized environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the first virtualized environment comprises a first compartment associated with a first network of the one or more networks, the second virtualized environment comprises a second compartment associated with a second network of the one or more networks, the first virtualized environment is configured to communicate with the first network but not the second network, and the second virtualized environment is configured to communicate with the second network but not the first network.
  - 3. The system of claim 1, wherein the first virtualized environment is a server silo, wherein the server silo restricts resources available to a process running in the server silo.
  - 4. The system of claim 3, wherein the server silo comprises a first compartment associated with a first network of the one or more networks, and a second compartment associated with a second network of the one or more networks, the first virtualized environment is configured to communicate with the first network but not the second network, and the second virtualized environment is configured to communicate with the second network but not the first network.
  - 5. The system of claim 1, wherein the first virtualized environment is connected to a first network associated with a first trust level and the second virtualized environment is connected to a second network associated with a second trust level different than the first trust level.
  - 6. The system of claim 5, wherein the first network and the second network are different physical networks.
  - 7. The system of claim 5, wherein a first set of filters are applied to incoming and outgoing traffic on the first network and a second set of filters are applied to incoming and outgoing traffic on the second network, wherein the first set of filters is associated with the first virtualized environment and the second set of filters is associated with the second virtualized environment.

8. A method for assigning a filter to incoming and outgoing traffic on a network comprising:
- receiving a first rule to be applied to incoming or outgoing traffic over a network;
  
  determining that an administrator entering the first rule is an administrator of a first virtualized environment but not a second virtualized environment and has not specified a virtualized environment within the first virtualized environment for the first rule, and in response thereto scoping the rule to the first virtualized environment but not the second virtualized environment;
  
  receiving a second rule to be applied to incoming or outgoing traffic over the network;
  
  determining that an administrator entering the second rule is an administrator of the first virtualized environment but not the second virtualized environment and has specified a third virtualized environment but not a fourth virtualized environment, the third and fourth virtualized environments executing within the first virtualized environment, and in response thereto scoping the second rule to the third virtualized environment but not the fourth virtualized environment;
  
  receiving a third rule to be applied to incoming or outgoing traffic over the network;
  
  determining that an administer entering the third rule is a system administrator, and has not specified a virtualized environment for the third rule, and in response thereto scoping the third rule to an outermost virtualized environment in which the first and third virtualized environments, the outermost virtualized environment not executing within another virtualized environment;
  
  receiving a fourth rule to be applied to incoming or outgoing traffic over the network;
  
  determining that an administer entering the fourth rule is a system administrator, and has specified the first virtualized environment but not the second virtualized environment for the fourth rule, and in response thereto scoping the fourth rule to the first virtualized environment but not the second virtualized environment; and
  
  applying the first, second, third and fourth rules to the incoming traffic by matching a unique identifier of the first, second, third, or fourth virtualized environments with an attribute present on the first, second third, or fourth rules when the rule has an attribute matching the unique identifier.
- View Dependent Claims (9, 10, 11, 12, 13, 19)
- - 9. The method of claim 8, wherein the rule is scoped to the first virtualized environment by tagging a filter implementing the rule with a unique identifier associated with the first virtualized environment.
  - 10. The method of claim 9, further comprising:
    - applying the rule only to traffic sent to or received from a session executing in the first virtualized environment, and not to traffic sent to or received from a session executing in the second virtualized environment.
  - 11. The method of claim 9, wherein the first virtualized environment comprises a first compartment associated with a first network of the one or more networks, the second virtualized environment comprises a second compartment associated with a second network of the one or more networks, the first virtualized environment is configured to communicate with the first network but not the second network, and the second virtualized environment is configured to communicate with the second network but not the first network.
  - 12. The method of claim 8, wherein the network is a first network associated with a first trust level and a first set of rules is applied to the first network by tagging the first set of rules with a first virtualized environment identifier and a second set of rules is applied to a second network associated with a second trust level by tagging the second set of rules with a second virtualized environment identifier.
  - 13. The method of claim 12, wherein the first network and the second network are an identical physical network.
  - 19. The method of claim 8, wherein the rules are applied by a filter engine executing as a user-mode process, and further comprising:
    - receiving a fifth rule to be applied to incoming or outgoing traffic over the network;
      
      in response to determining that the fifth rule originated within the first virtualized environment and that the fifth rule indicates a virtualized environment that is neither the first virtualized environment or executes within the first virtualized environment, determining not to implement the fifth rule;
      
      receiving a sixth rule to be applied to incoming or outgoing traffic over the network;
      
      in response to determining that the sixth rule originated within the first virtualized environment and that the sixth rule indicates either the first virtualized environment or a virtualized environment that executes within the first virtualized environment, determining to implement the sixth rule;
      
      applying the sixth rule but not the fifth rule to the incoming traffic by matching a unique identifier of the first, third, or fourth virtualized environments with an attribute present on the sixth rule but not the fifth rule when the rule has an attribute matching the unique identifier.

14. A computer-readable storage medium having program code stored thereon that, when executed by a computing environment, causes the computing environment to:
- receive incoming traffic on a first network interface card (NIC);
  
  determine, based on the incoming traffic being received on the first NIC, that the incoming traffic is associated with a first user session running in a first virtualized environment on a computer, the computer comprising an operating system in which the first virtualized environment and a second virtualized environment execute, wherein a second user session is running in the second virtualized environment, the second user session being isolated from the first user session, the plurality of virtualized environments on the computer sharing a single operating system image, a single filter engine and a single network stack;
  
  based on determining that the network traffic is associated with the first user session running in the first virtualized environment, modify, by the first NIC, the incoming traffic to identify the first user session and the first virtualized environment;
  
  send the modified incoming traffic from the first NIC to the operating system;
  
  determine, by the operating system, a first set of rules of a plurality of sets of rules with which to process the modified incoming traffic based on the modified incoming traffic being directed to the first user session;
  
  apply, by the OS, the first set of firewall rules to the modified incoming traffic by matching a unique identifier of the virtualized environment with an attribute present on the first set of firewall rules, wherein only those rules having an attribute matching the unique identifier are applied.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The computer-readable medium of claim 14, having further program code stored thereon, that when executed by the computing environment, causes the computing environment to:
    - determine that a virtualized environment associated with a session originating outgoing traffic is the first virtualized environment and in response thereto, apply the first set of rules to the outgoing traffic.
  - 16. The computer-readable medium of claim 15, having further program code stored thereon, that when executed by the computing environment, causes the computing environment to:
    - determine an interface associated with the first virtualized environment, the interface connected to a first network.
  - 17. The computer-readable medium of claim 14, having further program code stored thereon, that when executed by the computing environment, causes the computing environment to:
    - associate a unique identifier with the first virtualization environment and tag the first set of rules with the unique identifier.
  - 18. The computer-readable medium of claim 17, having further program code stored thereon, that when executed by the computing environment, causes the computing environment to:
    - apply only the first set of rules to the incoming traffic based on matching the unique identifier with an identifier associated with the incoming traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Crowell, Zachary Thomas, Khalidi, Yousef A., Talluri, Madhusudhan
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Gregory, Shaun

Application Number

US11/479,458
Publication Number

US 20080022385A1
Time in Patent Office

2,104 Days
Field of Search

None
US Class Current

726/11
CPC Class Codes

H04L 63/0263 Rule management

Applying firewalls to virtualized environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Applying firewalls to virtualized environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links