Security enforcement in virtualized systems
First Claim
1. A method comprising:
- receiving, by a computer device, an instance request from a client device;
executing, by the computer device and based on the instance request, a first guest operating system (OS) of a virtual machine (VM);
probing, by an agent of the computer device, the first guest OS for first information and one or more other guest operating systems of the VM for other information, the first information comprising information identifying a user associated with the first guest OS, and the user using the client device to interact with the first guest OS;
determining, by the computer device, whether particular criteria are met based on the information identifying the user;
receiving, by the computer device, traffic from the first guest OS after executing the first guest OS; and
allowing, by the computer device and when the particular criteria are met, the first guest OS to access a particular resource of a destination server by transmitting the traffic to the particular resource of the destination server.
Abstract
A system includes a virtual machine (VM) server and a policy engine server. The VM server includes two or more guest operating systems and an agent. The agent is configured to collect information from the two or more guest operating systems. The policy engine server is configured to: receive the information from the agent; generate access control information for a first guest OS, of the two or more guest operating systems, based on the information; and configure an enforcer based on the access control information.
20 Claims
1. (Independent claim 1 is reproduced in full above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by at least one processor of a policy engine server, cause the at least one processor to:
receive, from a first agent of a first VM server, guest information for a guest operating system (OS) of the first VM server, the first agent collecting the guest information from the guest OS and other guest information from one or more other guest operating systems of the first VM server, and the guest information comprising information identifying a user associated with the guest OS of the first VM server;
receive, from a second agent of a second VM server, application information for an instance of a second VM server;
determine a type of access to allow the guest OS, to access the instance of the second VM server, based on the guest information and the application information;
generate access control information based on the type of access; and
provide the access control information to an enforcer without waiting to receive a request for the access control information from the enforcer, the enforcer allowing or denying transmission of traffic from the guest OS of the first VM server to the instance of the second VM server based on the access control information, and functionality of the enforcer being separate from the first VM server that includes the guest OS and separate from the policy engine server.
Dependent claims: 10, 11, 12, 13.
14. A system comprising:
a virtual machine (VM) server comprising: a first guest operating system, a second guest operating system, and an agent to collect particular information from the first guest operating system and the second guest operating system, the particular information including information identifying a user associated with the first guest operating system; and
a policy engine server, the policy engine server including a processor coupled to a memory, and the policy engine server being to:
receive the particular information from the agent,
generate, based on the particular information and after the first guest operating system is executed, access control information that indicates whether to allow the first guest operating system to access a particular destination, and
configure an enforcer based on the access control information without waiting to receive a request for the access control information from the enforcer, the enforcer allowing or denying the first guest operating system access to the particular destination, and functionality of the enforcer being separate from the VM server and the policy engine server.
Dependent claims: 15, 16, 17, 18, 19, 20.
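The abstract and claims 1, 9 and 14 all describe the same three-part split: an agent on each VM server collects guest and application information, a policy engine turns that information into access control information, and a separate enforcer applies it to traffic. The following Python model is an added illustration of that flow and is not code from the patent or its assignee; the guest records, user roles, application tags, the policy table and the port mapping are all constructed sample data, and the class and function names are assumptions. It shows the behaviour a practitioner would want to check: the policy engine pushes entries to the enforcer as reports arrive (it does not wait for the enforcer to ask), and the enforcer defaults to deny for any guest or destination it has no entry for.

```python
"""Toy model of the agent / policy engine / enforcer split.
Added illustration, not the patent's own code. All identities,
roles, applications and policy entries below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class GuestInfo:
    """What the agent on a VM server reports for one guest OS."""
    vm_server: str
    guest_id: str
    user: str        # identity of the user interacting with the guest OS
    user_role: str   # attribute the policy engine decides on (constructed)


@dataclass(frozen=True)
class AppInfo:
    """What the agent on the destination VM server reports for one instance."""
    vm_server: str
    instance_id: str
    application: str  # e.g. "hr-db" (constructed label)
    port: int         # port the application listens on


class Enforcer:
    """Sits between VM servers; passes only traffic matching an entry it was given."""

    def __init__(self) -> None:
        # (source guest, destination instance) -> ports allowed
        self.table: Dict[Tuple[str, str], Set[int]] = {}

    def configure(self, src_guest: str, dst_instance: str, ports: Set[int]) -> None:
        self.table[(src_guest, dst_instance)] = set(ports)

    def allow(self, src_guest: str, dst_instance: str, port: int) -> bool:
        # Default deny: no entry means the traffic is dropped.
        return port in self.table.get((src_guest, dst_instance), set())


class PolicyEngine:
    """Receives agent reports, derives an access type, configures the enforcer proactively."""

    # Constructed policy: (user role, application) -> access type.
    POLICY: Dict[Tuple[str, str], str] = {
        ("hr-analyst", "hr-db"): "read",
        ("developer", "build-server"): "full",
    }

    def __init__(self, enforcer: Enforcer) -> None:
        self.enforcer = enforcer
        self.guests: Dict[str, GuestInfo] = {}
        self.apps: Dict[str, AppInfo] = {}

    def receive_guest_info(self, reports: List[GuestInfo]) -> None:
        for info in reports:
            self.guests[info.guest_id] = info
        self._reconcile()

    def receive_app_info(self, reports: List[AppInfo]) -> None:
        for info in reports:
            self.apps[info.instance_id] = info
        self._reconcile()

    def access_type(self, guest: GuestInfo, app: AppInfo) -> str:
        return self.POLICY.get((guest.user_role, app.application), "none")

    def _ports_for(self, access: str, app: AppInfo) -> Set[int]:
        # Constructed mapping: "read" opens the app port, "full" also opens SSH.
        if access == "read":
            return {app.port}
        if access == "full":
            return {app.port, 22}
        return set()

    def _reconcile(self) -> None:
        # Generate access control info for every known (guest, instance) pair
        # and push it to the enforcer without waiting for a request.
        for guest in self.guests.values():
            for app in self.apps.values():
                ports = self._ports_for(self.access_type(guest, app), app)
                self.enforcer.configure(guest.guest_id, app.instance_id, ports)


def run_scenario() -> Dict[str, bool]:
    """Constructed scenario: two guests on VM server A, two instances on VM server B."""
    enforcer = Enforcer()
    engine = PolicyEngine(enforcer)
    # Agent on VM server A probes both guests and reports who is using them.
    engine.receive_guest_info([
        GuestInfo("vm-a", "g1", "alice", "hr-analyst"),
        GuestInfo("vm-a", "g2", "bob", "contractor"),
    ])
    # Agent on VM server B reports the application instances it hosts.
    engine.receive_app_info([
        AppInfo("vm-b", "i1", "hr-db", 5432),
        AppInfo("vm-b", "i2", "build-server", 8080),
    ])
    return {
        "g1->i1:5432": enforcer.allow("g1", "i1", 5432),  # hr-analyst may read hr-db
        "g1->i1:22": enforcer.allow("g1", "i1", 22),      # read access does not open SSH
        "g2->i1:5432": enforcer.allow("g2", "i1", 5432),  # contractor has no policy entry
        "g1->i2:8080": enforcer.allow("g1", "i2", 8080),  # hr-analyst not allowed build-server
        "g9->i1:5432": enforcer.allow("g9", "i1", 5432),  # unknown guest: default deny
    }


if __name__ == "__main__":
    for flow, decision in run_scenario().items():
        print(f"{flow}: {'allow' if decision else 'deny'}")
```

The design point worth noting is that the enforcer holds no policy of its own and never queries the engine; every decision it makes is a table lookup over entries the engine pushed, so a guest that was never reported, or a user whose role matches no policy entry, is denied by construction rather than by an explicit rule.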