Hierarchical firewalls
First Claim

1. A method of implementing a virtual machine firewall on a host node to protect at least one virtual machine on the host node, the method comprising:
- receiving, with the firewall, a layer of firewall policies from each of a plurality of entities with different levels of authority over the at least one virtual machine on the host node;
- maintaining, with the firewall, a first layer of policies received from a first entity with a first level of authority and a second layer of policies received from a second entity with a second level of authority for the virtual machine, wherein the first level of authority is higher than the second level of authority;
- evaluating, with the firewall, a packet received by the host node for the virtual machine based on the first layer of policies with the first level of authority prior to evaluating the packet based on the second level of authority associated with the second layer of policies; and
- in response to the evaluation of the packet based on the first layer of policies for the virtual machine, determining to one of allow the received packet through the firewall to the virtual machine, block the received packet from the virtual machine, or delegate a decision of whether to allow or block the received packet to the second layer of policies for the virtual machine.
2 Assignments
0 Petitions
Abstract
A method of implementing a firewall that receives a layer of policies from each of multiple entities with different levels of authority. The method evaluates received packets based on the received layers of policies. A layer of policies of a higher level of authority can accept a received packet, block the received packet, or delegate a decision of whether to accept or block the received packet to a layer of policies of a lower level of authority.
47 Citations
20 Claims
1. Independent claim; text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method of controlling passage of data packets to and from a plurality of virtual machines on a plurality of host nodes, the method comprising:
- coordinating firewall policies, with a firewall coordinator, for each of the plurality of virtual machines running on the plurality of host nodes, wherein coordinating the firewall policies comprises accepting policies for a particular virtual machine from a plurality of users with different authority levels over the virtual machine, and maintaining a first policy of a first user with a first authority level and a second policy of a second user with a second authority level, wherein the first authority level is higher than the second authority level; and
- implementing, with a plurality of firewalls implemented on the plurality of host nodes, the firewall policies of the users, wherein implementing the policies for the particular virtual machine comprises implementing the first policy of the first user with the higher authority level to control passage of a packet sent to the particular virtual machine, wherein the first policy contradicts the second policy of the second user with the lower authority level.
9. A security system for controlling passage of data packets to and from a plurality of virtual machines on a plurality of host nodes, the security system comprising one or more microprocessors configured to operate as:
- a firewall coordinator to coordinate firewall policies for each of the plurality of virtual machines running on the plurality of host nodes, wherein the firewall coordinator comprises a policy manager for accepting policies for a particular virtual machine from a plurality of users with different authority levels over the virtual machine, and maintaining a first policy of a first user with a first authority level and a second policy of a second user with a second authority level, wherein the first authority level is higher than the second authority level; and
- a plurality of firewalls implemented on the plurality of host nodes, wherein the firewalls implement the firewall policies of the users, wherein, for the particular virtual machine, the firewalls implement the first policy of the first user with the higher authority level to control passage of a packet sent to the particular virtual machine, wherein the first policy contradicts the second policy of the second user with the lower authority level.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A non-transitory computer readable storage medium storing a computer program which when executed by at least one processor implements a virtual machine firewall on a host node to protect at least one virtual machine on the host node, the computer program comprising a set of instructions that cause the processor to:
- receive a layer of firewall policies from each of a plurality of entities with different levels of authority over the at least one virtual machine on the host node;
- maintain a first layer of policies received from a first entity with a first level of authority and a second layer of policies received from a second entity with a second level of authority for the virtual machine, wherein the first level of authority is higher than the second level of authority;
- evaluate a packet received by the host node for the virtual machine based on the first layer of policies with the first level of authority prior to evaluating the packet based on the second level of authority associated with the second layer of policies; and
- based on the evaluation based on the first layer of policies for the virtual machine, determine to one of allow the received packet through the firewall to the virtual machine, block the received packet from the virtual machine, or delegate a decision of whether to allow or block the received packet to the second layer of policies for the virtual machine.
Dependent claims: 18, 19.
20. A method of applying a set of firewall policies with a virtual machine firewall on a host node to protect at least one virtual machine on the host node, the method comprising:
- receiving, with the firewall, a first packet and determining based on a first level of authority associated with the set of firewall policies to allow the first packet to pass the firewall to the virtual machine;
- receiving, with the firewall, a second packet and determining based on the first level of authority associated with the set of firewall policies to block the second packet from the virtual machine;
- receiving, with the firewall, a third packet, and determining based on the first level of authority associated with the set of firewall policies to delegate the determination of whether to allow the third packet to pass the firewall to a second level of authority associated with the set of firewall policies, wherein the first level of authority is higher than the second level of authority; and
- determining, with the firewall, based on the second level of authority associated with the set of firewall policies whether to allow the third packet to pass the firewall to the virtual machine.
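The following Python model is an added illustration of the claimed evaluation order, not code from the patent or its assignee. It implements the allow/block/delegate decision of claims 1 and 20 and the "higher authority wins when policies contradict" behaviour of claims 8 and 9: each entity contributes a layer tagged with an authority level, layers are evaluated highest-first, and a layer either settles the packet or delegates it downward. The entity names ("provider", "tenant"), VM names, addresses, ports, the fail-closed default when every layer delegates, and the rule that an unmatched layer delegates are all assumptions of this example; the claims do not specify them.

```python
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    DELEGATE = "delegate"  # defer the decision to the next-lower authority layer


@dataclass(frozen=True)
class Packet:
    src: str           # source IP address
    dst: str           # destination IP address (the protected VM)
    dport: int         # destination port
    proto: str = "tcp"


@dataclass
class Rule:
    """One policy rule: a predicate over packets and the verdict it yields on match."""
    name: str
    match: Callable[[Packet], bool]
    verdict: Verdict


@dataclass
class Layer:
    """Policies contributed by one entity at one authority level (larger = higher)."""
    entity: str
    authority: int
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> Verdict:
        # First matching rule wins inside a layer. A layer with no matching
        # rule delegates to the layer below it (assumption of this example).
        for rule in self.rules:
            if rule.match(pkt):
                return rule.verdict
        return Verdict.DELEGATE


class HierarchicalFirewall:
    """Per-VM firewall: one layer per entity, evaluated from highest authority
    to lowest, stopping at the first layer that returns ALLOW or BLOCK."""

    def __init__(self, default: Verdict = Verdict.BLOCK):
        self._layers: Dict[str, List[Layer]] = {}
        self._default = default  # assumed fail-closed default if every layer delegates

    def add_layer(self, vm: str, layer: Layer) -> None:
        layers = self._layers.setdefault(vm, [])
        layers.append(layer)
        # Keep layers ordered by authority regardless of insertion order.
        layers.sort(key=lambda l: l.authority, reverse=True)

    def decide(self, vm: str, pkt: Packet) -> Tuple[Verdict, str]:
        """Return the verdict and the name of the entity whose layer produced it."""
        for layer in self._layers.get(vm, []):
            verdict = layer.evaluate(pkt)
            if verdict is not Verdict.DELEGATE:
                return verdict, layer.entity
        return self._default, "default"


# Small predicate builders used to express rules.
def port(p: int, proto: str = "tcp") -> Callable[[Packet], bool]:
    return lambda pkt: pkt.proto == proto and pkt.dport == p


def src_outside(cidr: str) -> Callable[[Packet], bool]:
    net = ip_network(cidr)
    return lambda pkt: ip_address(pkt.src) not in net


def all_packets(pkt: Packet) -> bool:
    return True


def build_example_firewall() -> HierarchicalFirewall:
    """Constructed sample: a provider (authority 2) and a tenant (authority 1)
    both submit policies for VM "vm-1". Names, addresses and ports are made up."""
    fw = HierarchicalFirewall()
    # Tenant added first to show that evaluation order follows authority, not insertion.
    fw.add_layer("vm-1", Layer("tenant", 1, [
        Rule("tenant-ssh-from-office",
             lambda p: port(22)(p) and p.src.startswith("203.0.113."), Verdict.ALLOW),
        Rule("tenant-app", port(8080), Verdict.ALLOW),
        Rule("tenant-default-deny", all_packets, Verdict.BLOCK),
    ]))
    fw.add_layer("vm-1", Layer("provider", 2, [
        Rule("provider-https", port(443), Verdict.ALLOW),
        Rule("provider-no-external-ssh",
             lambda p: port(22)(p) and src_outside("10.0.0.0/8")(p), Verdict.BLOCK),
        Rule("provider-delegate", all_packets, Verdict.DELEGATE),  # everything else: tenant decides
    ]))
    return fw


if __name__ == "__main__":
    fw = build_example_firewall()
    for pkt in (Packet("198.51.100.7", "10.1.2.3", 443),   # allowed by provider layer
                Packet("203.0.113.5", "10.1.2.3", 22),     # blocked by provider, despite tenant allow
                Packet("198.51.100.7", "10.1.2.3", 8080),  # delegated, then allowed by tenant
                Packet("198.51.100.7", "10.1.2.3", 9999)): # delegated, then blocked by tenant
        print(pkt, "->", fw.decide("vm-1", pkt))
```

The three packets of claim 20 map onto the first three sample packets: the provider layer settles the first two itself and delegates the third, which the tenant layer then decides. The second packet is the contradiction case of claims 8 and 9: the tenant's rule would allow external SSH, but the provider's higher-authority block is evaluated first and is final.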
Specification