Security enforcement in virtualized systems

US 8,959,569 B2
Filed: 03/18/2011
Issued: 02/17/2015
Est. Priority Date: 03/18/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

receiving, by a computer device, an instance request from a client device;

executing, by the computer device and based on the instance request, a first guest operating system (OS) of a virtual machine (VM);

probing, by an agent of the computer device, the first guest OS for first information and one or more other guest operating systems of the VM for other information,the first information comprising information identifying a user associated with the first guest OS, andthe user using the client device to interact with the first guest OS;

determining, by the computer device, whether particular criteria are met based on the information identifying the user;

receiving, by the computer device, traffic from the first guest OS after executing the first guest OS; and

allowing, by the computer device and when the particular criteria are met, the first guest OS to access a particular resource of a destination server by transmitting the traffic to the particular resource of the destination server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes a virtual machine (VM) server and a policy engine server. The VM server includes two or more guest operating systems and an agent. The agent is configured to collect information from the two or more guest operating systems. The policy engine server is configured to: receive the information from the agent; generate access control information for a first guest OS, of the two or more guest operating systems, based on the information; and configure an enforcer based on the access control information.

15 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, by a computer device, an instance request from a client device;
  
  executing, by the computer device and based on the instance request, a first guest operating system (OS) of a virtual machine (VM);
  
  probing, by an agent of the computer device, the first guest OS for first information and one or more other guest operating systems of the VM for other information,the first information comprising information identifying a user associated with the first guest OS, andthe user using the client device to interact with the first guest OS;
  
  determining, by the computer device, whether particular criteria are met based on the information identifying the user;
  
  receiving, by the computer device, traffic from the first guest OS after executing the first guest OS; and
  
  allowing, by the computer device and when the particular criteria are met, the first guest OS to access a particular resource of a destination server by transmitting the traffic to the particular resource of the destination server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, where the first information further comprises at least one of health information of the first guest OS or current activity information of the first guest OS.
  - 3. The method of claim 1, where probing the first guest OS of the VM for the first information comprises at least one of:
    - scanning storage associated with the first guest OS,conducting a virus scan on the first guest OS, ortesting a firewall of the first guest OS.
  - 4. The method of claim 1,where the one or more other guest operating systems comprise a second guest OS,where the other information comprises second information for the second guest OS, andwhere the method further comprises:
    - determining whether particular criteria are met by the second guest OS based on the second information, andallowing the second guest OS to access the particular resource of the destination server when the particular criteria are met by the second guest OS.
  - 5. The method of claim 1, where the particular resource of the destination server is an access point to a private network.
  - 6. The method of claim 1,where determining whether particular criteria are met based on the first information comprises:
    - transmitting the first information to a policy engine; and
      
      receiving access control information from the policy engine, andwhere the access control information indicates whether the first guest OS is permitted to access the particular resource of the destination server.
  - 7. The method of claim 1, further comprising:
    - receiving application information about an application running on the destination server,determining whether the particular criteria are met being further based on the application information.
  - 8. The method of claim 1, where the method further comprises:
    - receiving, by the agent, notification of a particular change in the first guest OS;
      
      probing, based on the notification, the first guest OS for updated first information; and
      
      determining whether the particular criteria are met based on the updated first information.

9. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by at least one processor of a policy engine server, cause the at least one processor to;
  
  receive, from a first agent of a first VM server, guest information for a guest operating system (OS) of the first VM server,the first agent collecting the guest information from the guest OS and other guest information from one or more other guest operating systems of the first VM server, andthe guest information comprising information identifying a user associated with the guest OS of the first VM server;
  
  receive, from a second agent of a second VM server, application information for an instance of a second VM server;
  
  determine a type of access to allow the guest OS, to access the instance of the second VM server, based on the guest information and the application information;
  
  generate access control information based on the type of access; and
  
  provide the access control information to an enforcer without waiting to receive a request for the access control information from the enforcer,the enforcer allowing or denying transmission of traffic from the guest OS of the first VM server to the instance of the second VM server based on the access control information, andfunctionality of the enforcer being separate from the first VM server that includes the guest OS and separate from the policy engine server.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The non-transitory computer-readable medium of claim 9, where the second agent collects the application information from the instance of the second VM server and other application information from one or more other instances of the second VM server.
  - 11. The non-transitory computer-readable medium of claim 9, where the instructions further comprise:
    - one or more instructions that, when executed by the at least one processor, cause the at least one processor to;
      
      store the guest information or the access control information in association with an identifier of the guest OS; and
      
      identify, before providing the access control information, the access control information for the guest OS based on the identifier.
  - 12. The non-transitory computer-readable medium of claim 9, where the guest information comprises at least one of:
    - identity information of a client associated with the guest OS,anti-virus information about anti-virus software installed on the guest OS,security settings of the guest OS, ora patch level of the guest OS.
  - 13. The non-transitory computer-readable medium of claim 9, where the guest information further comprises:
    - information that indicates that the user is in a particular department of an organization.

14. A system comprising:
- a virtual machine (VM) server comprising;
  
  a first guest operating system,a second guest operating system, andan agent to collect particular information from the first guest operating system and the second guest operating system,the particular information including information identifying a user associated with the first guest operating system; and
  
  a policy engine server,the policy engine server including a processor coupled to a memory, andthe policy engine server being to;
  
  receive the particular information from the agent,generate, based on the particular information and after the first guest operating system is executed, access control information that indicates whether to allow the first guest operating system to access a particular destination, andconfigure an enforcer based on the access control information without waiting to receive a request for the access control information from the enforcer,the enforcer allowing or denying the first guest operating system access to the particular destination, andfunctionality of the enforcer being separate from the VM server and the policy engine server.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, where the VM server further comprises:
    - a hypervisor to;
      
      receive an instance request from a client device,execute, based on the instance request, the first guest operating system, andmanage the first guest operating system, the second guest operating system, and the agent.
  - 16. The system of claim 14,where the policy engine server is further to store one or more policies, andwhere the one or more policies specify requirements for accessing the particular destination.
  - 17. The system of claim 14,where the particular information comprises health information of the first guest operating system, andwhere, when generating the access control information, the policy engine server is to:
    - determine whether the health information meets requirements for accessing the particular destination, andprovide, in the access control information and when the health information meets the requirements, an indication to allow the first guest OS to access the particular destination.
  - 18. The system of claim 14,where the particular destination comprises a second VM server, andwhere the second VM server comprises:
    - one or more instances to provide access to an application or a web service to the first guest operating system and the second guest operating system, anda second agent to collect application information from the one or more instances.
  - 19. The system of claim 18,where the policy engine server is further to receive the application information from the second agent, andwhere, when generating the access control information, the policy engine server is to:
    - generate the access control information based on the particular information and the application information.
  - 20. The system of claim 14, where the particular information further includes information regarding a type of access that should be provided to the user associated with the first guest operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Narayanaswamy, Krishna, Chickering, Roger A., Malmskog, Steve
Primary Examiner(s)
LE, CHAU D

Application Number

US13/051,471
Publication Number

US 20120240182A1
Time in Patent Office

1,432 Days
Field of Search

726 1- 3, 726/11, 726/24, 726/29, 726/30
US Class Current

726/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/604   Tools and structures for ma...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5077   Logical partitioning of res...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Security enforcement in virtualized systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Security enforcement in virtualized systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links