Firewalls in logical networks

US 9,015,823 B2
Filed: 11/15/2012
Issued: 04/21/2015
Est. Priority Date: 11/15/2011
Status: Active Grant

First Claim

Patent Images

1. A machine readable medium storing a distributed firewall application for execution by at least one processing unit of a particular node in a hosting system, the firewall application comprising sets of instructions for:

receiving a first firewall configuration for a first logical network along with a first identifier, the first logical network connecting a first plurality of machines at least one of which resides on the particular node of the hosting system;

receiving a second firewall configuration for a second logical network along with a second identifier, the second logical network connecting a second plurality of machines at least one of which resides on the particular node of the hosting system; and

processing packets, received from a managed switching element located at the node and tagged with the first identifier using the first firewall configuration while processing packets received from the managed switching element and tagged with the second identifier using the second firewall configuration, wherein the managed switching element and the distributed firewall application receive the first and second identifiers from a same network controller.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall the packet back to the managed switching element through the software port.

213 Citations

22 Claims

1. A machine readable medium storing a distributed firewall application for execution by at least one processing unit of a particular node in a hosting system, the firewall application comprising sets of instructions for:
- receiving a first firewall configuration for a first logical network along with a first identifier, the first logical network connecting a first plurality of machines at least one of which resides on the particular node of the hosting system;
  
  receiving a second firewall configuration for a second logical network along with a second identifier, the second logical network connecting a second plurality of machines at least one of which resides on the particular node of the hosting system; and
  
  processing packets, received from a managed switching element located at the node and tagged with the first identifier using the first firewall configuration while processing packets received from the managed switching element and tagged with the second identifier using the second firewall configuration, wherein the managed switching element and the distributed firewall application receive the first and second identifiers from a same network controller.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The machine readable medium of claim 1, wherein the particular node is a first node, wherein the first logical network is a distributed, virtualized network that logically connects the first plurality of machines at least a second one of which resides on a second, different node of the hosting system.
  - 3. The machine readable medium of claim 2, wherein the second logical network is a distributed, virtualized network that logically connects the second plurality of machines at least a second one of which resides on a third node of the hosting system.
  - 4. The machine readable medium of claim 1, wherein the network controller assigns the first and second identifiers.
  - 5. The machine readable medium of claim 1, wherein the managed switching element adds one of the first and second identifiers to each packet before sending the packet to the distributed firewall application.
  - 6. The machine readable medium of claim 1, wherein the first logical network connects the first plurality of machines through a set of logical forwarding elements that logically forward packets between the first plurality of machines in the first logical network.
  - 7. The machine readable medium of claim 6, wherein a logical firewall defined by the first firewall configuration connects to at least one of the logical forwarding elements in the set of logical forwarding elements.
  - 8. The machine readable medium of claim 7, wherein the logical forwarding element to which the logical firewall connects is a logical router.
  - 9. The machine readable medium of claim 8, wherein the logical router comprises a set of routing policies that specifies rules for sending packets to the firewall application.
  - 10. The machine readable medium of claim 1, wherein each machine in the first and second plurality of machines is a virtual machine.
  - 11. The machine readable medium of claim 1, wherein the controller is a physical controller that manages the particular node of the hosting system.

12. A method for configuring a distributed firewall application implemented on a particular node in a hosting system, the method comprising:
- receiving a first firewall configuration for a first logical network along with a first identifier, the first logical network connecting a first plurality of machines at least one of which resides on the particular node of the hosting system;
  
  receiving a second firewall configuration for a second logical network along with a second identifier, the second logical network connecting a second plurality of machines at least one of which resides on the particular node of the hosting system; and
  
  processing packets, received from a managed switching element located at the node and tagged with the first identifier using the first firewall configuration while processing packets received from the managed switching element and tagged with the second identifier using the second firewall configuration, wherein the managed switching element and the distributed firewall application receive the first and second identifiers from a same network controller.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein the particular node is a first node, wherein the first logical network is a distributed, virtualized network that logically connects the first plurality of machines at least a second one of which resides on a second, different node of the hosting system.
  - 14. The method of claim 13, wherein the second logical network is a distributed, virtualized network that logically connects the second plurality of machines at least a second one of which resides on a third node of the hosting system.
  - 15. The method of claim 12, wherein the network controller assigns the first and second identifiers.
  - 16. The method of claim 12, wherein the managed switching element adds one of the first and second identifiers to each packet before sending the packet to the distributed firewall application.
  - 17. The method of claim 12, wherein the first logical network connects the first plurality of machines through a set of logical forwarding elements that logically forward packets between the first plurality of machines in the first logical network.
  - 18. The method of claim 17, wherein a logical firewall defined by the first firewall configuration connects to at least one of the logical forwarding elements in the set of logical forwarding elements.
  - 19. The method of claim 18, wherein the logical forwarding element to which the logical firewall connects is a logical router.
  - 20. The method of claim 19, wherein the logical router comprises a set of routing policies that specifies rules for sending packets to the firewall application.
  - 21. The method of claim 12, wherein each machine in the first and second plurality of machines is a virtual machine.
  - 22. The method of claim 12, wherein the controller is a physical controller that manages the particular node of the hosting system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Koponen, Teemu, Zhang, Ronghua, Thakkar, Pankaj, Casado, Martin
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
BELL, KALISH K

Application Number

US13/678,504
Publication Number

US 20130125230A1
Time in Patent Office

887 Days
Field of Search

726 1- 3, 726 11- 16, 726/27
US Class Current

726/13
CPC Class Codes

G06F 15/177   Initialisation or configura...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45595   Network integration; Enabli...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 41/08   Configuration management of...

H04L 41/0803   Configuration setting

H04L 41/0806   for initial configuration o...

H04L 41/0813   characterised by the condit...

H04L 41/0823   characterised by the purpos...

H04L 41/0889   Techniques to speed-up the ...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/12   Discovery or management of ...

H04L 45/02   Topology update or discovery

H04L 45/64   using an overlay routing layer

H04L 45/74   Address processing for routing

H04L 49/15   Interconnection of switchin...

H04L 49/70 : Virtual switches

H04L 61/2503 : Translation of Internet pro...

H04L 61/2517 : using port numbers

H04L 61/2521 : Translation architectures o...

H04L 61/256 : NAT traversal

H04L 63/0218 : Distributed architectures, ...

H04L 67/1008 : based on parameters of serv...

View All

Firewalls in logical networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

213 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Firewalls in logical networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

213 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links