Moving security for virtual machines
Abstract
A method of maintaining multiple firewalls on multiple host nodes. Each host node runs one or more virtual machines. For at least a first host node, the method maintains multiple sets of policies for multiple virtual machines that run on the first host node. The method, upon detecting that a particular virtual machine has been moved from the first host node to a second host node, removes a set of policies associated with the particular virtual machine from the first host node and supplies the set of policies to the second host node.
Claims (31 in total; the five independent claims are reproduced below, with their dependent claims listed by number)

1. A method of maintaining a plurality of firewalls on a plurality of host nodes, each host node for running at least one virtual machine, the method comprising:
   for at least a first host node,
   a) maintaining a plurality of sets of policies for a plurality of virtual machines running on the first host node, and
   b) upon detecting that a particular virtual machine has been moved from the first host node to a second host node:
      i) removing a set of policies associated with the particular virtual machine from a firewall of the first host node; and
      ii) supplying the set of policies to a firewall of the second host node.
   Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A firewall coordinator that coordinates security for a plurality of virtual machines on a plurality of host nodes, the firewall coordinator comprising a processor configured to execute:
   a) a virtual machine tracker that maintains records of the host node of each virtual machine of the plurality of virtual machines;
   b) a policy manager that receives and stores a set of policies for each virtual machine of the plurality of virtual machines; and
   c) a coordination manager that, when a particular virtual machine moves from a first host node to a second host node, sends an identification of the first host node to a firewall of the second host node to command the firewall of the second host node to retrieve a set of policies for the particular virtual machine from a firewall of the first host node.
   Dependent claims: 11, 12, 13, 14, 15, 16, 17.

18. A non-transitory computer readable storage medium storing a computer program which when executed on at least one processor implements a firewall coordinator for coordinating security for virtual machines on a plurality of host nodes, the computer program comprising:
   a) a set of instructions for receiving an identification of a particular virtual machine from a firewall of a first host node;
   b) a set of instructions for determining whether the particular virtual machine had been moved to the first host node from a second host node on which a set of policies for the virtual machine are stored;
   c) a set of instructions for, when the particular virtual machine had been moved from the second host node to the first host node, sending an identifier of the second host node to the firewall of the first host node to command the firewall of the first host node to retrieve the set of policies from a firewall of the second host node; and
   d) a set of instructions for, when the particular virtual machine had not been moved from any host node to the first host node, sending the set of policies for the particular virtual machine to the firewall of the first host node.
   Dependent claims: 19, 20, 21.

22. A firewall comprising a processor configured to execute:
   a) a virtual machine detector that determines that a received packet on a first host node is for a previously undetected virtual machine; and
   b) a migration coordinator that:
      i) requests an identity of a second host node on which the previously undetected virtual machine previously ran; and
      ii) retrieves policies for the previously undetected virtual machine from a second firewall of the second host node, wherein the policies are used to determine whether to allow or block the received packet.
   Dependent claims: 23, 24, 25, 26.

27. A non-transitory computer readable storage medium storing a computer program which when executed on at least one processor implements a firewall, the computer program comprising:
   a) a set of instructions for determining that a received packet on a first host node is for a previously undetected virtual machine;
   b) a set of instructions for requesting an identity of a second host node on which the previously undetected virtual machine previously ran; and
   c) a set of instructions for retrieving policies for the previously undetected virtual machine from a second firewall of the second host node, the policies for determining whether to allow or block the received packet.
   Dependent claims: 28, 29, 30, 31.
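The following simulation is an added illustration of the mechanism the independent claims describe and is not code from the patent or from any product; the class and method names, the per-port policy format and the default-deny behaviour for ports without a rule are assumptions made here. It models claim 10's coordinator (tracker, policy manager, coordination manager), claim 18's two cases (VM migrated vs. first appearance) and claim 22's firewall, which only learns a VM's policies when it sees a packet for a previously undetected VM.

```python
from dataclasses import dataclass, field


class FirewallCoordinator:
    """Claim 10: a VM tracker, a policy manager and a coordination manager."""

    def __init__(self, vm_policies):
        self.vm_host = {}                    # VM tracker: vm_id -> current host
        self.master_policies = vm_policies   # policy manager: vm_id -> {port: verdict}
        self.firewalls = {}                  # host name -> HostFirewall

    def attach(self, firewall):
        self.firewalls[firewall.host] = firewall

    def locate_policies(self, vm_id, reporting_host):
        """Claim 18: a firewall reports a previously undetected VM and is
        told where the VM's policy set comes from."""
        previous_host = self.vm_host.get(vm_id)
        self.vm_host[vm_id] = reporting_host   # update the VM tracker
        if previous_host is not None and previous_host != reporting_host:
            # Claim 18(c) / claim 1(b): the VM migrated, so the new host's
            # firewall pulls the set from the old host's firewall, which
            # removes it locally.
            return self.firewalls[previous_host].release(vm_id)
        # Claim 18(d): first appearance anywhere; send the stored policies.
        return dict(self.master_policies.get(vm_id, {}))


@dataclass
class HostFirewall:
    """Per-host firewall (claim 22) that learns a VM's policies lazily."""
    host: str
    coordinator: FirewallCoordinator
    policies: dict = field(default_factory=dict)  # vm_id -> {port: verdict}

    def __post_init__(self):
        self.coordinator.attach(self)

    def release(self, vm_id):
        """Hand the VM's policy set to its new host and forget it here."""
        return self.policies.pop(vm_id)

    def filter_packet(self, vm_id, dst_port):
        """Return "allow" or "block" for a packet addressed to vm_id."""
        if vm_id not in self.policies:  # claim 22(a): previously undetected VM
            self.policies[vm_id] = self.coordinator.locate_policies(vm_id, self.host)
        # Assumption: a port with no explicit rule is blocked (default deny).
        return self.policies[vm_id].get(dst_port, "block")
```

Creating a coordinator with a constructed policy set such as `{"web": {80: "allow", 22: "block"}}`, two `HostFirewall` instances, and then sending packets for "web" first to one host and then to the other reproduces the hand-off: the second host ends up holding the policy set and the first host no longer does.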