Applying firewalls to virtualized environments
Abstract
Each virtualized environment on a computer has its own set of firewall rules. The virtualized environments share a single instance of the operating system image, a filter engine and a single network stack. A virtualized environment may be a compartment or a server silo. A virtualized environment is a network isolation mechanism and may be used to prevent use of a computer to traverse network boundaries by creating a separate virtualized environment for each network, enabling a separate set of rules to be applied to each virtualized environment and the network interfaces within it. Virtualized environments may also be used to assign different trust levels to the same physical network. Firewall rules are applied by virtualized environment identifier (ID), enabling separate filters to be applied to each virtualized environment on a computer. A virtualized environment may include or be associated with one or more network interfaces.
19 Claims
1. A system for applying separate firewall rules to one or more networks connected to a computer, comprising:
- a computing device comprising a processor; and
- a memory coupled to said processor, said memory having stored thereon computer executable instructions that upon execution by the processor cause:
- instantiating on the computer an operating system shared by a first virtualized environment and a second virtualized environment that execute on the computer;
- instantiating on the computer a network stack comprising a filter engine, the filter engine storing a set of firewall rules, the filter engine being shared by the first and second virtualized environments;
- receiving, by a network interface card (NIC) associated with the network stack, a first data from one of the one or more networks;
- based on determining that the first data is directed to the first virtualized environment, modifying, by the NIC, the first data to identify the first virtualized environment;
- sending the modified first data from the NIC to the operating system;
- determining, by the operating system, based on the modified first data having been modified to identify the first virtualized environment, a first subset of the firewall rules;
- applying, by the filter engine, the first subset of the firewall rules to the first data to produce a filtered first data;
- sending the filtered first data to the first virtualized environment;
- receiving, by the NIC, a second data from one of the one or more networks;
- based on determining that the second data is directed to the second virtualized environment, modifying, by the NIC, the first data to identify the second virtualized environment;
- sending the modified second data from the NIC to the operating system;
- determining, by the operating system, based on the modified second data having been modified to identify the second virtualized environment, a second subset of the firewall rules;
- applying, by the filter engine, the second subset of the firewall rules to the second data to produce a filtered second data; and
- sending the filtered second data to the second virtualized environment.

Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method for assigning a filter to incoming and outgoing traffic on a network comprising:
- receiving a first rule to be applied to incoming or outgoing traffic over a network;
- determining that an administrator entering the first rule is an administrator of a first virtualized environment but not a second virtualized environment and has not specified a virtualized environment within the first virtualized environment for the first rule, and in response thereto scoping the rule to the first virtualized environment but not the second virtualized environment;
- receiving a second rule to be applied to incoming or outgoing traffic over the network;
- determining that an administrator entering the second rule is an administrator of the first virtualized environment but not the second virtualized environment and has specified a third virtualized environment but not a fourth virtualized environment, the third and fourth virtualized environments executing within the first virtualized environment, and in response thereto scoping the second rule to the third virtualized environment but not the fourth virtualized environment;
- receiving a third rule to be applied to incoming or outgoing traffic over the network;
- determining that an administrator entering the third rule is a system administrator, and has not specified a virtualized environment for the third rule, and in response thereto scoping the third rule to an outermost virtualized environment in which the first and third virtualized environments, the outermost virtualized environment not executing within another virtualized environment;
- receiving a fourth rule to be applied to incoming or outgoing traffic over the network;
- determining that an administrator entering the fourth rule is a system administrator, and has specified the first virtualized environment but not the second virtualized environment for the fourth rule, and in response thereto scoping the fourth rule to the first virtualized environment but not the second virtualized environment; and
- applying the first, second, third and fourth rules to the incoming traffic by matching a unique identifier of the first, second, third, or fourth virtualized environments with an attribute present on the first, second, third, or fourth rules when the rule has an attribute matching the unique identifier.

Dependent claims: 9, 10, 11, 12, 13, 19.
14. A computer-readable storage medium having program code stored thereon that, when executed by a computing environment, causes the computing environment to:
- receive incoming traffic on a first network interface card (NIC);
- determine, based on the incoming traffic being received on the first NIC, that the incoming traffic is associated with a first user session running in a first virtualized environment on a computer, the computer comprising an operating system in which the first virtualized environment and a second virtualized environment execute, wherein a second user session is running in the second virtualized environment, the second user session being isolated from the first user session, the plurality of virtualized environments on the computer sharing a single operating system image, a single filter engine and a single network stack;
- based on determining that the network traffic is associated with the first user session running in the first virtualized environment, modify, by the first NIC, the incoming traffic to identify the first user session and the first virtualized environment;
- send the modified incoming traffic from the first NIC to the operating system;
- determine, by the operating system, a first set of rules of a plurality of sets of rules with which to process the modified incoming traffic based on the modified incoming traffic being directed to the first user session;
- apply, by the OS, the first set of firewall rules to the modified incoming traffic by matching a unique identifier of the virtualized environment with an attribute present on the first set of firewall rules, wherein only those rules having an attribute matching the unique identifier are applied.

Dependent claims: 15, 16, 17, 18.
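The mechanism the claims describe, as an added illustration that is not part of the patent: a NIC tags each packet with the identifier of the virtualized environment (VE) it is directed to, a shared filter engine applies only the rules whose VE attribute matches that tag (claims 1 and 14), and rules are scoped at entry according to who enters them and which VE they name (claim 8). The VE tree, rule fields and packet fields are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed VE nesting: "root" is the outermost VE (the system administrator's scope);
# ve1 and ve2 execute in it, and ve3 and ve4 execute inside ve1, as in claim 8.
VE_PARENT = {"root": None, "ve1": "root", "ve2": "root", "ve3": "ve1", "ve4": "ve1"}

@dataclass(frozen=True)
class Rule:
    ve_id: str                      # attribute matched against the VE ID tagged by the NIC
    action: str                     # "allow" or "block"
    dst_port: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Packet:
    dst_port: int
    ve_id: Optional[str] = None     # filled in by the NIC tagging step

def is_within(ve: str, ancestor: str) -> bool:
    """True when `ve` is `ancestor` or executes (transitively) inside it."""
    while ve is not None:
        if ve == ancestor:
            return True
        ve = VE_PARENT[ve]
    return False

def scope_rule(admin_ve: str, specified_ve: Optional[str], action: str,
               dst_port: Optional[int] = None) -> Rule:
    """Claim 8 scoping: with no VE named, the rule is scoped to the entering
    administrator's own VE (the outermost VE for a system administrator); a named
    VE is accepted only if it lies within the administrator's VE."""
    target = specified_ve or admin_ve
    if not is_within(target, admin_ve):
        raise PermissionError(f"administrator of {admin_ve} cannot scope a rule to {target}")
    return Rule(ve_id=target, action=action, dst_port=dst_port)

def nic_tag(packet: Packet, ve_id: str) -> Packet:
    """NIC step: modify the data so it identifies the VE it is directed to."""
    return Packet(dst_port=packet.dst_port, ve_id=ve_id)

def filter_engine(rules: List[Rule], packet: Packet, default: str = "block") -> str:
    """Shared filter engine: select the subset of rules whose ve_id attribute matches the
    packet's tag, then apply the first matching rule; unmatched traffic gets the default."""
    subset = [r for r in rules if r.ve_id == packet.ve_id]
    for r in subset:
        if r.dst_port is None or r.dst_port == packet.dst_port:
            return r.action
    return default
```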