Virtual firewall load balancer

US 9,497,165 B2
Filed: 03/26/2015
Issued: 11/15/2016
Est. Priority Date: 03/26/2015
Status: Active Grant

First Claim

Patent Images

1. A computer system for load balancing between a virtual component within a virtual environment and a Host Intrusion Prevention System (HIPS), comprising:

one or more processors, one or more computer-readable memories, one or more computer-readable tangible storage medium, and program instructions stored on at least one of the one or more tangible storage medium for execution by at least one of the one or more processors via at least one of the one or more memories, wherein the computer system is capable of performing a method comprising;

receiving a trusted connection table from the HIPS, wherein the trusted connection table contains a plurality of trusted connection information;

receiving a network packet from a virtual switch, wherein the network packet has a plurality of connection information;

determining if the plurality of connection information matches the plurality of trusted connection information;

sending the network packet to a destination based on determining that the plurality of connection information matches the plurality of trusted connection information; and

sending the network packet to the HIPS based on determining that the plurality of connection information does not match the plurality of trusted connection information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one exemplary embodiment, a method for load balancing between a virtual component within a virtual environment and a Host Intrusion Prevention System (HIPS) is provided. The method may include receiving a trusted connection table from the HIPS, wherein the trusted connection table contains a plurality of trusted connection information. The method may also include receiving a network packet from a virtual switch, wherein the network packet has a plurality of connection information. The method may then include determining if the plurality of connection information matches the plurality of trusted connection information. The method may further include sending the network packet to a destination based on determining that the plurality of connection information matches the plurality of trusted connection information. The method may include sending the network packet to the HIPS based on determining that the plurality of connection information does not match the plurality of trusted connection information.

27 Citations

View as Search Results

11 Claims

1. A computer system for load balancing between a virtual component within a virtual environment and a Host Intrusion Prevention System (HIPS), comprising:
- one or more processors, one or more computer-readable memories, one or more computer-readable tangible storage medium, and program instructions stored on at least one of the one or more tangible storage medium for execution by at least one of the one or more processors via at least one of the one or more memories, wherein the computer system is capable of performing a method comprising;
  
  receiving a trusted connection table from the HIPS, wherein the trusted connection table contains a plurality of trusted connection information;
  
  receiving a network packet from a virtual switch, wherein the network packet has a plurality of connection information;
  
  determining if the plurality of connection information matches the plurality of trusted connection information;
  
  sending the network packet to a destination based on determining that the plurality of connection information matches the plurality of trusted connection information; and
  
  sending the network packet to the HIPS based on determining that the plurality of connection information does not match the plurality of trusted connection information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer system of claim 1, wherein the virtual environment comprises a virtual input output server (VIOS), a hypervisor and a plurality of virtual Ethernet adapters.
  - 3. The computer system of claim 2, wherein the virtual component is a trusted firewall running within the VIOS or the trusted firewall running within the hypervisor.
  - 4. The computer system of claim 1, wherein receiving the trusted connection table from the HIPS comprises the virtual component within the virtual environment receiving a trusted message containing the trusted connection table from the HIPS.
  - 5. The computer system of claim 4, wherein the trusted message comprises sending a plurality of data according to at least one of a Simple Network Management Protocol version 3 (SNMPv3) and a Network Configuration Protocol (NETCONF).
  - 6. The computer system of claim 1, wherein the HIPS comprises a physical firewall connected to the virtual environment by a communication network.
  - 7. The computer system of claim 1, wherein the plurality of connection information comprises a source Internet Protocol (IP) address, a destination IP address, a source port, a destination port, and a protocol.
  - 8. The computer system of claim 7, wherein the plurality of trusted connection information comprises a trusted source IP address, a trusted destination IP address, a trusted source port, a trusted destination port, and a trusted protocol.
  - 9. The computer system of claim 8, wherein determining if the plurality of connection information matches the plurality of trusted connection information comprises matching the source IP with the trusted source IP address, matching the destination IP address to the trusted destination IP address, matching the source port to the trusted destination port, matching the destination port to the trusted destination port, and matching the protocol with the trusted protocol.

10. A computer program product for load balancing between a virtual component within a virtual environment and a Host Intrusion Prevention System (HIPS), comprising:
- one or more non-transitory computer-readable storage medium and program instructions stored on at least one of the one or more non-transitory computer-readable storage medium, the program instructions executable by a processor, the program instructions comprising;
  
  program instructions to receive a trusted connection table from the HIPS, wherein the trusted connection table contains a plurality of trusted connection information;
  
  program instructions to receive a network packet from a virtual switch, wherein the network packet has a plurality of connection information;
  
  program instructions to determine if the plurality of connection information matches the plurality of trusted connection information;
  
  program instructions to send the network packet to a destination based on determining that the plurality of connection information matches the plurality of trusted connection information; and
  
  program instructions to send the network packet to the HIPS based on determining that the plurality of connection information does not match the plurality of trusted connection information.
- View Dependent Claims (11)
- - 11. The computer program product of claim 10, wherein the virtual environment comprises a virtual input output server (VIOS), a hypervisor and a plurality of virtual Ethernet adapters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Keohane, Susann M., McBrearty, Gerald F., Mullen, Shawn P., Murillo, Jessica C., Shieh, Johnny M.
Primary Examiner(s)
Shepperd, Eric W

Application Number

US14/669,277
Publication Number

US 20160285828A1
Time in Patent Office

600 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45579   I/O management, e.g. provid...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 49/70   Virtual switches

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 63/1425   Traffic logging, e.g. anoma...

Virtual firewall load balancer

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

11 Claims

Specification

Use Cases

Quick Links

Others

Virtual firewall load balancer

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

11 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others