Systems involving firewall of virtual machine traffic and methods of processing information associated with same

US 9,264,402 B2
Filed: 02/20/2013
Issued: 02/16/2016
Est. Priority Date: 02/20/2012
Status: Active Grant

First Claim

Patent Images

1. A method for handling traffic over a network regarding communications between one or more virtual machines and the network, the method comprising:

enabling, via a compute node, a firewall between the one or more virtual machine and at least a portion of a network, the firewall configured to detect undesired traffic based on a list of rules associated with communication between the one or more virtual machines and the network; and

controlling a virtual machine in response to the firewall detecting undesired traffic via monitoring and filtering traffic at layer 2 (link layer) during forwarding but prior to routing, including;

detecting a spoof attack of an IP address of another compute node and blocking traffic having data frames or cells that include a MAC address not associated with the virtual machine based on information included in the list of rules;

detecting a spoof attack of an IP address of another compute node and blocking traffic having data frames or cells that include an IP address not associated with the virtual machine based on information included in the list of rules;

detecting a rogue dynamic host communication protocol (DHCP) attack and blocking traffic having data frames or cells that include a DHCP offer based on information included in the list of rules; and

stopping the virtual machine and/or blocking all traffic from the virtual machine in response to the detecting of at least one attack;

performing processing regarding rebooting the virtual machine after detection of the undesired traffic, the processing including;

processing an instruction to the firewall to restart the virtual machine;

processing instructions regarding transmission, by the virtual machine, of a request for a network address to the network;

processing information regarding receipt, by the virtual machine, of a valid response in reply to the request; and

processing information regarding transmission, by an agent component, of an instruction to the firewall to lock the IP address with the virtual machine;

wherein the undesired traffic is discarded at the virtual hardware level prior to the undesired traffic reaching a switch or another virtual machine within the compute node;

wherein the list of rules includes forwarding data associated with communication between the compute node and the virtual machine as well as data associated with other compute node and other virtual machines associate with the other compute nodes;

wherein the firewall is configured to;

allow DHCP requests and virtual machine responses;

drop and or otherwise block DHCP requests from the virtual machine;

inspect DHCP packet headers to determine whether the address of the DHCP packet is valid;

lock the list of rules to only deliver packets to and from IP address associated with a valid DHCP address; and

lock the list of rules to only forward ARP packets from an associated IP address.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods involve compute nodes configured to define and/or otherwise process information associated with one or more virtual machines. In one exemplary implementation, a compute node may be configured to enable a firewall between the virtual machine and at least a portion of a network. Moreover, the firewall may be configured to detect undesired traffic based on a list of rules or an Ethernet bridge table associated with communication between the virtual machine and the network. Various features may also relate to the compute node being configured to lock the virtual machine in response to the firewall detecting undesired traffic associated with the virtual machine.

Citations

26 Claims

1. A method for handling traffic over a network regarding communications between one or more virtual machines and the network, the method comprising:
- enabling, via a compute node, a firewall between the one or more virtual machine and at least a portion of a network, the firewall configured to detect undesired traffic based on a list of rules associated with communication between the one or more virtual machines and the network; and
  
  controlling a virtual machine in response to the firewall detecting undesired traffic via monitoring and filtering traffic at layer 2 (link layer) during forwarding but prior to routing, including;
  
  detecting a spoof attack of an IP address of another compute node and blocking traffic having data frames or cells that include a MAC address not associated with the virtual machine based on information included in the list of rules;
  
  detecting a spoof attack of an IP address of another compute node and blocking traffic having data frames or cells that include an IP address not associated with the virtual machine based on information included in the list of rules;
  
  detecting a rogue dynamic host communication protocol (DHCP) attack and blocking traffic having data frames or cells that include a DHCP offer based on information included in the list of rules; and
  
  stopping the virtual machine and/or blocking all traffic from the virtual machine in response to the detecting of at least one attack;
  
  performing processing regarding rebooting the virtual machine after detection of the undesired traffic, the processing including;
  
  processing an instruction to the firewall to restart the virtual machine;
  
  processing instructions regarding transmission, by the virtual machine, of a request for a network address to the network;
  
  processing information regarding receipt, by the virtual machine, of a valid response in reply to the request; and
  
  processing information regarding transmission, by an agent component, of an instruction to the firewall to lock the IP address with the virtual machine;
  
  wherein the undesired traffic is discarded at the virtual hardware level prior to the undesired traffic reaching a switch or another virtual machine within the compute node;
  
  wherein the list of rules includes forwarding data associated with communication between the compute node and the virtual machine as well as data associated with other compute node and other virtual machines associate with the other compute nodes;
  
  wherein the firewall is configured to;
  
  allow DHCP requests and virtual machine responses;
  
  drop and or otherwise block DHCP requests from the virtual machine;
  
  inspect DHCP packet headers to determine whether the address of the DHCP packet is valid;
  
  lock the list of rules to only deliver packets to and from IP address associated with a valid DHCP address; and
  
  lock the list of rules to only forward ARP packets from an associated IP address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 further comprising enabling or defining a virtual machine.
  - 3. The method of claim 1 wherein the controlling of the virtual machine includes one or both of:
    - locking or blocking network traffic to and/or from the virtual machine at a host layer by shutting down a virtual Ethernet connection; and
      
      stopping traffic, via the firewall, associated with the undesired traffic, wherein the stopping traffic includes stopping data frames or cells that include a DHCP offer and/or a MAC address not associated with the virtual machine.
  - 4. The method of claim 1 further comprising performing processing regarding the rebooting the virtual machine after detection of the undesired traffic, the processing further including:
    - processing instruction(s) from a manager component to reboot the virtual machine; and
      
      rebooting the virtual machine.
  - 5. The method of claim 1 further comprising performing processing to handle a rogue DHCP attack, the processing including:
    - detecting, via an agent component, an attempt by the virtual machine to send a DHCP request to the network infrastructure via the firewall, wherein the virtual machine acts like a DHCP server; and
      
      processing instructions for the firewall to stop or block all traffic from the virtual machine.
  - 6. The method of claim 1 further comprising defining, via a manager component and an agent component, a manager-agent relationship.
  - 7. The method of claim 6 wherein the manager component includes and/or is configured to operate with a program that enables a customer, a network administrator, and/or a management component to request and/or provision virtual machines within the network.
  - 8. The method of claim 6 wherein the agent component that provides instructions to the firewall, the agent component being configured to send an instruction to the firewall to lock the virtual machine such that all traffic from the virtual machine is blocked.
  - 9. The method of claim 1 wherein the firewall is configured to monitor and filter traffic at the link layer, prior to routing, via a packet capture mechanism that captures network packets as the network packets travel over the network.
  - 10. The method of claim 9 wherein the packet capture mechanism includes a Linux Kernel pcap.
  - 11. The method of claim 10 wherein the list of rules is defined and/or populated by snooping on flood traffic within network.
  - 12. The method of claim 11 wherein the compute node include a software-based bridge and/or switch that may be configured to include or access the list of rules, wherein the bridge and/or switch is configured to forward, but not route, packets.
  - 13. The method of claim 12 wherein the firewall is configured to monitor traffic through an associated switch, detect undesired traffic, and/or block traffic from a source and/or to a destination in accordance with the list of rules.
  - 14. The method of claim 13 further comprising performing a process of defining the firewall including defining the list of rules such that, in addition to broadcast packets, only packets sent from the media access control (MAC) address of the virtual machine are allowed.

15. A method for handling traffic over a network regarding communications between one or more virtual machines and the network, the method comprising:
- processing information related to enabling or defining, via a compute node, a firewall between the one or more virtual machine and at least a portion of a network;
  
  processing information related to detecting, via the firewall, undesired traffic based on an Ethernet bridge table associated with communication between the one or more virtual machines and the network; and
  
  processing information related to controlling a virtual machine in response to the detection of undesired traffic via monitoring and filtering traffic at layer 2 (link layer) during forwarding but prior to routing, including;
  
  detecting a spoof attack of an IP address of another compute node and blocking traffic having data frames or cells that include a MAC address not associated with the virtual machine based on information included in the Ethernet bridge table;
  
  detecting a spoof attack of an IP address of another compute node and blocking traffic having data frames or cells that include an IP address not associated with the virtual machine based on information included in the Ethernet bridge table;
  
  detecting a rogue dynamic host communication protocol (DHCP) attack and blocking traffic having data frames or cells that include a DHCP offer based on information included in the Ethernet bridge table; and
  
  stopping the virtual machine and/or blocking all traffic from the virtual machine;
  
  performing processing regarding rebooting the virtual machine after detection of the undesired traffic, the processing including;
  
  processing an instruction to the firewall to restart the virtual machine;
  
  processing instructions regarding transmission, by the virtual machine, of a request for a network address to the network;
  
  processing information regarding receipt, by the virtual machine, of a valid response in reply to the request;
  
  or processing information regarding transmission, by an agent component, of an instruction to the firewall to lock the IP address with the virtual machine;
  
  or any combination thereof;
  
  wherein the undesired traffic is discarded at the virtual hardware level prior to the undesired traffic reaching a switch or another virtual machine within the compute node;
  
  wherein the Ethernet bridge table includes forwarding data associated with communication between the compute node and the virtual machine as well as data associated with other compute node and other virtual machines associate with the other compute nodes;
  
  wherein the firewall is configured to;
  
  allow DHCP requests and virtual machine responses;
  
  drop and/or otherwise block DHCP requests from the virtual machine;
  
  inspect DHCP packet headers to determine whether the address of the DHCP packet is valid;
  
  lock the Ethernet bridge table to only deliver packets to and from IP address associated with a valid DHCP address; and
  
  lock the Ethernet bridge table to only forward ARP packets from an associated IP address.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The method of claim 15 wherein the compute node comprises a manager component and an agent component configured to define a manager-agent relationship.
  - 17. The method of claim 16 wherein the agent component includes and/or is configured to operate with a program that enables a compute node to define virtual machines, firewalls and/or tables.
  - 18. The method of claim 15 wherein the Ethernet bridge table is defined and/or populated by snooping on flood traffic within network.
  - 19. The method of claim 15 wherein the compute node include a software-based bridge and/or switch that may be configured to include or access the Ethernet bridge table, wherein the bridge and/or switch is configured to forward, but not route, packets.
  - 20. The method of claim 15 wherein the firewall is configured to monitor traffic through an associated switch, detect undesired traffic, and/or block traffic from a source and/or to a destination in accordance with the Ethernet bridge table.
  - 21. The method of claim 15 further comprising performing a process of defining the firewall including defining the Ethernet bridge table such that, in addition to broadcast packets, only packets sent from the media access control (MAC) address of the virtual machine are allowed.

22. A system comprising:
- a compute node comprising a memory and/or a processing component, the computer node also comprising or having access to a list of rules, the compute node configured to;
  
  define one or more virtual machines;
  
  enable a firewall between at least one virtual machine and at least a portion of a network, the firewall being configured to detect undesired traffic based on the list of rules associated with communication between the at least one virtual machine and the at least a portion of the network;
  
  control the virtual machine in response to the detection of the undesired traffic via monitoring and filtering traffic at layer 2 (link layer) during forwarding but prior to routing, including;
  
  detecting a spoof attack of an IP address of another compute node and blocking traffic having data frames or cells that include a MAC address not associated with the virtual machine based on information included in the list of rules;
  
  detecting a spoof attack of an IP address of another compute node and blocking traffic having data frames or cells that include an IP address not associated with the virtual machine based on information included in the list of rules;
  
  detecting a rogue dynamic host communication protocol (DHCP) attack and blocking traffic having data frames or cells that include a DHCP offer based on information included in the list of rules; and
  
  locking, stopping or blocking network traffic to and/or from the virtual machine in response to the firewall detecting the undesired traffic; and
  
  perform processing regarding rebooting the virtual machine after detection of the undesired traffic, the processing including;
  
  processing an instruction to the firewall to restart the virtual machine;
  
  processing instructions regarding transmission, by the virtual machine, of a request for a network address to the network;
  
  processing information regarding receipt, by the virtual machine, of a valid response in reply to the request;
  
  or processing information regarding transmission, by an agent component, of an instruction to the firewall to lock the IP address with the virtual machine;
  
  or any combination thereof;
  
  wherein the undesired traffic is discarded at the virtual hardware hardware/machine level prior to the undesired traffic reaching a switch or another virtual machine within the compute node;
  
  wherein the list of rules includes forwarding data associated with communication between the compute node and the virtual machine as well as data associated with other compute node and other virtual machines associate with the other compute nodes;
  
  wherein the firewall is configured to;
  
  allow DHCP requests and virtual machine responses;
  
  drop and or otherwise block DHCP requests from the virtual machine;
  
  inspect DHCP packet headers to determine whether the address of the DHCP packet is valid;
  
  lock the list of rules to only deliver packets to and from IP address associated with a valid DHCP address; and
  
  lock the list of rules to only forward ARP packets from an associated IP address.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The system of claim 22 wherein stopping traffic includes stopping data frames or cells that include a MAC address not associated with the virtual machine.
  - 24. The apparatus of claim 22 wherein the compute node or firewall detects the undesired traffic and blocks the traffic associated with the undesired traffic based on information included in the list of rules.
  - 25. The apparatus of claim 22 wherein the compute node comprises an agent component that provides instructions to the firewall, the agent component being configured to send an instruction to lock the virtual machine such that all traffic from the virtual machine is blocked.
  - 26. The apparatus of claim 22 wherein the compute node is further configured to:
    - enable and/or define the firewall on the compute node or on a switch; and
      
      /orinstruct an associated switch to enable and/or otherwise define the firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VIRTUSTREAM IP HOLDING COMPANY LLC (Dell Technologies Inc.)
Original Assignee
Virtustream Canada Holdings, Inc (Dell Technologies Inc.)
Inventors
Anderson, Derek
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
MALINOWSKI, WALTER J

Application Number

US13/772,090
Publication Number

US 20130227674A1
Time in Patent Office

1,091 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Systems involving firewall of virtual machine traffic and methods of processing information associated with same

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Systems involving firewall of virtual machine traffic and methods of processing information associated with same

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links