Firewall for controlling connections between a client machine and a network
First Claim
1. A firewall system for controlling connections between a client virtual machine and a network, the firewall system being adapted for location outside the client virtual machine but within the same physical machine, the firewall system comprising:
- at least one computer processor; and
- a hypervisor to partition the at least one computer processor into separate virtual machines, one of the virtual machines including a client virtual machine;
wherein the at least one computer processor is configured to:
- receive incoming and outgoing connections from the network and the client virtual machine respectively; and
- in response to a connection request, initiate a connection between respective endpoints in the network and client virtual machine, route the connection via the hypervisor to a firewall machine, perform a security assessment comprising obtaining from at least one of the network and client virtual machine information indicative of the security state of the endpoint therein, and allow or inhibit the connection in dependence on the result of the security assessment;
wherein, for at least some connection requests, the security assessment performed by the processor includes allowing the connection, monitoring traffic on the connection and allowing or inhibiting continuance of the connection in dependence on the result of said monitoring.
7 Assignments
0 Petitions
Abstract
A firewall system adapted for location outside the client machine, preferably in the same data processing device as the client machine but outside a virtual machine containing the client machine. Control logic of the firewall system receives incoming and outgoing connections from the network and client machine respectively. In response to a connection request initiating a connection between respective endpoints in the network and client machine, the control logic performs a security assessment comprising obtaining from at least one of the network and client machine information indicative of the security state of the endpoint therein, and allows or inhibits the connection in dependence on the result of the security assessment. The security assessment may be performed in accordance with a security policy of the system, and different security assessments may be performed for different connection requests in accordance with the security policy.
13 Citations
18 Claims
1. Independent claim; text as given under "First Claim" above. Dependent claims: 2 to 11.

12. A non-transitory computer-usable medium having embodied therein computer-readable program codes for causing a computer to implement a firewall system for controlling connections between a client virtual machine and a network, the firewall system being adapted for location outside the client virtual machine but within the same physical machine, the computer-readable program codes configured to:
- partition at least one processor by a hypervisor into separate virtual machines, one of the virtual machines including a client virtual machine;
- receive incoming and outgoing connections from the network and the client virtual machine respectively;
- in response to a connection request, initiate a connection between respective endpoints in the network and the client virtual machine, route the connection via the hypervisor to a firewall machine, perform a security assessment comprising obtaining from at least one of the network and client virtual machine information indicative of the security state of the endpoint therein, and allow or inhibit the connection in dependence on the result of the security assessment; and
- for at least some connection requests, performing the security assessment includes allowing the connection, monitoring traffic on the connection and allowing or inhibiting continuance of the connection in dependence on the result of said monitoring.
Dependent claim: 13.

14. A data processing system comprising a client virtual machine and a firewall system for controlling connections between the client virtual machine and a network, wherein the firewall system is located outside the client virtual machine but within the same physical machine and comprises control logic adapted for:
- partitioning at least one processor by a hypervisor into separate virtual machines, one of the virtual machines including a client virtual machine;
- receiving incoming and outgoing connections from the network and the client virtual machine respectively;
- in response to a connection request initiating a connection between respective endpoints in the network and the client virtual machine, routing the connection via the hypervisor to a firewall machine, performing a security assessment comprising obtaining from at least one of the network and client virtual machine information indicative of the security state of the endpoint therein, and allowing or inhibiting the connection in dependence on the result of the security assessment; and
- for at least some connection requests, performing the security assessment includes allowing the connection, monitoring traffic on the connection and allowing or inhibiting continuance of the connection in dependence on the result of said monitoring.
Dependent claims: 15 to 18.
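The abstract and independent claims 1, 12 and 14 describe the same control flow: the hypervisor routes every connection request to a firewall VM that sits beside the client VM, the firewall obtains security-state information from the endpoints, a policy decides whether to allow or inhibit, and for some connections the decision is "allow, then monitor and cut off if the traffic misbehaves". The model below is an added example written for this page; it is not the patent's own code nor any implementation by its assignee. Everything in it is an assumption chosen to make the flow concrete: the health fields reported by an endpoint (patched, anti-virus running, reputation), the rule format, the use of a byte budget as the monitoring criterion, and the hosts, reputations and traffic, which are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional

Direction = Enum("Direction", "INBOUND OUTBOUND")   # INBOUND: network -> client VM
Verdict = Enum("Verdict", "ALLOW INHIBIT ALLOW_AND_MONITOR")

@dataclass(frozen=True)
class EndpointState:
    """Information indicative of an endpoint's security state (hypothetical fields)."""
    patched: bool = True
    av_running: bool = True
    reputation: str = "good"   # "good" | "unknown" | "bad"

    def healthy(self) -> bool:
        return self.patched and self.av_running and self.reputation != "bad"

@dataclass(frozen=True)
class ConnectionRequest:
    direction: Direction
    remote: str   # endpoint on the network side
    port: int

@dataclass(frozen=True)
class Rule:
    direction: Direction
    port: Optional[int]               # None matches any port
    verdict: Verdict
    max_bytes: Optional[int] = None   # byte budget for monitored connections (assumed criterion)

@dataclass
class Connection:
    request: ConnectionRequest
    rule: Rule
    bytes_seen: int = 0
    open: bool = True

class FirewallVM:
    """Control logic of the firewall VM; the hypervisor routes every connection
    request here before any traffic flows between the endpoints."""

    def __init__(self, policy: List[Rule], client_state: Callable[[], EndpointState],
                 network_state: Callable[[str], EndpointState]) -> None:
        self.policy = policy
        self.client_state = client_state      # query into the client VM
        self.network_state = network_state    # lookup of the remote endpoint
        self.log: List[str] = []

    def _match(self, req: ConnectionRequest) -> Optional[Rule]:
        # First matching rule wins; no match means the policy inhibits.
        return next((r for r in self.policy
                     if r.direction is req.direction and r.port in (None, req.port)), None)

    def assess(self, req: ConnectionRequest) -> Optional[Connection]:
        """Security assessment at setup: an open Connection if allowed, else None."""
        tag = f"{req.direction.name.lower()} {req.remote}:{req.port}"
        rule = self._match(req)
        if rule is None or rule.verdict is Verdict.INHIBIT:
            reason = "policy"
        elif not self.client_state().healthy():              # information from the client VM
            reason = "client VM unhealthy"
        elif not self.network_state(req.remote).healthy():   # information from the network side
            reason = "remote endpoint unhealthy"
        else:
            self.log.append(f"{rule.verdict.name.lower()} {tag}")
            return Connection(req, rule)
        self.log.append(f"inhibit {tag}: {reason}")
        return None

    def observe(self, conn: Connection, chunk: bytes) -> bool:
        """Monitor traffic on an allowed connection; False once continuance is inhibited."""
        if conn.open and conn.rule.verdict is Verdict.ALLOW_AND_MONITOR:
            conn.bytes_seen += len(chunk)
            budget = conn.rule.max_bytes
            if budget is not None and conn.bytes_seen > budget:
                conn.open = False   # inhibit continuance of the connection
                self.log.append(f"close {conn.request.remote}:{conn.request.port}: "
                                f"{conn.bytes_seen} bytes over budget {budget}")
        return conn.open

def demo() -> Dict[str, object]:
    """Exercise the model on a constructed policy, endpoint states and traffic."""
    policy = [
        Rule(Direction.INBOUND, 22, Verdict.INHIBIT),
        Rule(Direction.INBOUND, None, Verdict.ALLOW_AND_MONITOR, max_bytes=1024),
        Rule(Direction.OUTBOUND, 443, Verdict.ALLOW),
        Rule(Direction.OUTBOUND, None, Verdict.ALLOW_AND_MONITOR, max_bytes=4096),
    ]
    remotes = {"203.0.113.10": EndpointState(reputation="bad")}   # constructed reputation data
    fw = FirewallVM(policy, lambda: EndpointState(),
                    lambda host: remotes.get(host, EndpointState(reputation="unknown")))
    out: Dict[str, object] = {}
    out["ssh_in"] = fw.assess(ConnectionRequest(Direction.INBOUND, "198.51.100.5", 22)) is not None
    out["https_out"] = fw.assess(ConnectionRequest(Direction.OUTBOUND, "example.net", 443)) is not None
    out["bad_remote"] = fw.assess(ConnectionRequest(Direction.OUTBOUND, "203.0.113.10", 443)) is not None
    conn = fw.assess(ConnectionRequest(Direction.OUTBOUND, "example.org", 8080))
    out["monitor"] = [fw.observe(conn, b"x" * 3000), fw.observe(conn, b"x" * 3000)]
    # A client VM reporting anti-virus stopped is refused even under the plain-allow rule.
    sick = FirewallVM(policy, lambda: EndpointState(av_running=False), lambda host: EndpointState())
    out["sick_client"] = sick.assess(ConnectionRequest(Direction.OUTBOUND, "example.net", 443)) is not None
    out["log"] = fw.log + sick.log
    return out
```

Running `demo()` shows the three outcomes the claims distinguish: inbound port 22 is inhibited by policy alone, outbound 443 is allowed outright only while both endpoints report a healthy state, and the outbound connection on port 8080 is allowed but monitored, then closed once its traffic exceeds the budget. The point the model makes is architectural: because the client VM is only asked for its state and never holds the decision, a compromised guest cannot silence the firewall the way it could a host-based agent.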
Specification