
Systems involving firewall of virtual machine traffic and methods of processing information associated with same

  • US 9,264,402 B2
  • Filed: 02/20/2013
  • Issued: 02/16/2016
  • Est. Priority Date: 02/20/2012
  • Status: Active Grant
First Claim

1. A method for handling traffic over a network regarding communications between one or more virtual machines and the network, the method comprising:

  • enabling, via a compute node, a firewall between the one or more virtual machines and at least a portion of a network, the firewall configured to detect undesired traffic based on a list of rules associated with communication between the one or more virtual machines and the network; and

    controlling a virtual machine in response to the firewall detecting undesired traffic via monitoring and filtering traffic at layer 2 (link layer) during forwarding but prior to routing, including:

    detecting a spoof attack of an IP address of another compute node and blocking traffic having data frames or cells that include a MAC address not associated with the virtual machine based on information included in the list of rules;

    detecting a spoof attack of an IP address of another compute node and blocking traffic having data frames or cells that include an IP address not associated with the virtual machine based on information included in the list of rules;

    detecting a rogue dynamic host communication protocol (DHCP) attack and blocking traffic having data frames or cells that include a DHCP offer based on information included in the list of rules; and

    stopping the virtual machine and/or blocking all traffic from the virtual machine in response to the detecting of at least one attack;

    performing processing regarding rebooting the virtual machine after detection of the undesired traffic, the processing including:

    processing an instruction to the firewall to restart the virtual machine;

    processing instructions regarding transmission, by the virtual machine, of a request for a network address to the network;

    processing information regarding receipt, by the virtual machine, of a valid response in reply to the request; and

    processing information regarding transmission, by an agent component, of an instruction to the firewall to lock the IP address with the virtual machine;

    wherein the undesired traffic is discarded at the virtual hardware level prior to the undesired traffic reaching a switch or another virtual machine within the compute node;

    wherein the list of rules includes forwarding data associated with communication between the compute node and the virtual machine as well as data associated with other compute nodes and other virtual machines associated with the other compute nodes;

    wherein the firewall is configured to:

    allow DHCP requests and virtual machine responses;

    drop and/or otherwise block DHCP requests from the virtual machine;

    inspect DHCP packet headers to determine whether the address of the DHCP packet is valid;

    lock the list of rules to only deliver packets to and from IP address associated with a valid DHCP address; and

    lock the list of rules to only forward ARP packets from an associated IP address.
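
The per-VM rule checks the claim describes (MAC spoof, IP spoof, rogue DHCP offer, the post-lease IP lock, and the restart path that forces a fresh DHCP exchange), as an added illustrative model that is not code from the patent or its assignee. The `Frame` and `VmRule` structures, the verdict strings and the `VmFirewall` class are all assumptions made for the example; a real implementation would parse actual layer-2 frames at the virtual NIC.

```python
from dataclasses import dataclass
from typing import Dict, Optional
ATTACKS = {"mac_spoof", "ip_spoof", "rogue_dhcp"}  # verdicts that stop the VM

@dataclass
class Frame:  # constructed frame model: only the fields the rule checks use
    src_mac: str
    src_ip: str            # "0.0.0.0" on DHCP discover/request before a lease
    proto: str = "ip"      # "ip", "arp" or "dhcp"
    dhcp_type: str = ""    # client: "discover"/"request"; server: "offer"/"ack"

@dataclass
class VmRule:
    mac: str                          # MAC the compute node assigned to the VM
    locked_ip: Optional[str] = None   # set by the agent after a valid DHCP reply
    blocked: bool = False             # "stop the VM / block all its traffic" state

class VmFirewall:  # per-VM filter applied at forwarding, before switch/routing
    def __init__(self) -> None:
        self.rules: Dict[str, VmRule] = {}

    def add_vm(self, vm_id: str, mac: str) -> None:
        self.rules[vm_id] = VmRule(mac=mac)

    def lock_ip(self, vm_id: str, ip: str) -> None:
        self.rules[vm_id].locked_ip = ip   # agent step after a valid DHCP reply

    def restart_vm(self, vm_id: str) -> None:
        # Reboot path: drop the block and the old lease so the VM must re-DHCP.
        self.rules[vm_id] = VmRule(mac=self.rules[vm_id].mac)

    def inspect(self, vm_id: str, f: Frame) -> str:
        r = self.rules[vm_id]
        if r.blocked:
            return "blocked"
        verdict = self._check(r, f)
        if verdict in ATTACKS:
            r.blocked = True     # stop the VM and/or block all its traffic
        return verdict

    @staticmethod
    def _check(r: VmRule, f: Frame) -> str:
        if f.src_mac != r.mac:
            return "mac_spoof"   # frame carries a MAC not owned by this VM
        if f.proto == "dhcp":    # client messages pass; server replies are rogue
            return "rogue_dhcp" if f.dhcp_type in ("offer", "ack") else "forward"
        if r.locked_ip is None:  # no valid lease yet: only DHCP may leave
            return "drop_no_lease"
        if f.src_ip != r.locked_ip:
            return "ip_spoof"    # IP (or ARP sender IP) is not the locked one
        return "forward"
```

The frame is discarded at the virtual NIC before it reaches the compute node's switch, which is why a single spoofed frame is enough to take the VM offline until the restart path re-establishes a valid lease.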
