System and method for network virtualization and security using computer systems and software
Abstract
Methods and systems are provided for network security. In one embodiment, the method involves receiving a data packet (e.g., from a firewall). The method also involves running an inspection of the received data packet within a virtual network, the virtual network duplicating at least a portion (e.g., server(s) and/or application(s)) of a protected network. The method further involves sending the inspected data packet, or a portion and/or modified version thereof, to the protected network, in response to the data packet passing the inspection within the virtual network. The method also involves blocking passage of the data packet to the protected network, in response to the data packet failing the inspection.
34 Claims
1. A system for network security, comprising:
- a protected network comprising at least one protected server, wherein the protected server is configured to provide at least one protected service; and
- a virtual network residing on an operating system within a singular machine, physical or otherwise, and configured to emulate a physical security zone network, the virtual network comprising one or more virtual servers;
- wherein each of the one or more virtual servers is configured to provide an isolated ghost service, the ghost service being separated from other isolated ghost services located in other virtual servers such that the ghost service does not directly share any resources with the other ghost services, wherein the ghost service is a partial copy of the at least one protected service, and wherein each of the one or more virtual servers is configured to provide the ghost service by:
  - receiving a service request;
  - running an inspection of the received service request;
  - determining whether additional information from one or more of the other isolated ghost services or one or more of the at least one protected service is needed for execution of the service request;
  - requesting additional information from one or more of the other isolated ghost services for the execution of the service request in response to determining that the additional information from the one or more of the other isolated ghost services is needed for execution of the service request;
  - requesting additional information from one or more of the at least one protected service for the execution of the service request in response to determining that the additional information from the one or more of the at least one protected service is needed for execution of the service request;
  - in response to the service request passing inspection, completing the execution of the service request based on the received service request, wherein the execution of the service request is further based on: (i) the additional information from the one or more of the other isolated ghost services in response to requesting the additional information from the one or more of the other isolated ghost services, and (ii) the additional information from the one or more of the at least one protected service in response to requesting the additional information from the one or more of the at least one protected service; and
  - in response to detecting an error in the inspected service request, transmitting a response to the service request, the response being indicative of the detected error.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13

14. A method operable by a virtual entity in a network system, comprising:
- receiving a service request;
- running an inspection of the received service request within a virtual network, the virtual network residing on an operating system within a singular machine, physical or otherwise, and configured to emulate a physical security zone network, the virtual network comprising one or more virtual servers, each of the one or more virtual servers being configured to provide an isolated ghost service, the ghost service being separated from other ghost services located in other virtual servers such that the ghost service does not directly share any resources with the other ghost services, wherein the ghost service is a partial copy of at least one protected service provided by at least one protected server;
- determining whether additional information from one or more of the other isolated ghost services or one or more of the at least one protected service is needed for execution of the service request;
- requesting additional information from one or more of the other isolated ghost services for the execution of the service request in response to determining that the additional information from the one or more of the other isolated ghost services is needed for execution of the service request;
- requesting additional information from one or more of the at least one protected service for the execution of the service request in response to determining that the additional information from the one or more of the at least one protected service is needed for execution of the service request;
- in response to the service request passing the inspection, completing, via the virtual network, the execution of the service request based on the received service request, wherein the execution of the service request is further based on: (i) the additional information from the one or more of the other isolated ghost services in response to requesting the additional information from the one or more of the other isolated ghost services, and (ii) the additional information from the one or more of the at least one protected service in response to requesting the additional information from the one or more of the at least one protected service; and
- in response to detecting an error in the inspected service request, transmitting a response to the service request, the response being indicative of the detected error.

Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24

25. A non-transitory computer-readable medium comprising code for causing a computer to:
- receive a service request;
- run an inspection of the received service request within a virtual network, the virtual network residing on an operating system within a singular machine, physical or otherwise, and configured to emulate a physical security zone network, the virtual network comprising one or more virtual servers, each of the virtual servers being configured to provide an isolated ghost service, the ghost service being separated from other ghost services located in other virtual servers such that the ghost service does not directly share any resources with the other ghost services, wherein the ghost service is a partial copy of at least one protected service provided by at least one protected server;
- determine whether additional information from one or more of the other isolated ghost services or one or more of the at least one protected service is needed for execution of the service request;
- request additional information from one or more of the other isolated ghost services for the execution of the service request in response to determining that the additional information from the one or more of the other isolated ghost services is needed for execution of the service request;
- request additional information from one or more of the at least one protected service for the execution of the service request in response to determining that the additional information from the one or more of the at least one protected service is needed for execution of the service request;
- in response to the service request passing the inspection, complete, via the virtual network, the execution of the service request based on the received service request, wherein the execution of the service request is further based on: (i) the additional information from the one or more of the other isolated ghost services in response to requesting the additional information from the one or more of the other isolated ghost services, and the additional information from the one or more of the at least one protected service in response to requesting the additional information from the one or more of the at least one protected service; and
- in response to detecting an error in the inspected service request, transmit a response to the service request, the response being indicative of the detected error.

Dependent claims: 26, 27, 28, 29, 30, 31, 32, 33, 34
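As an added illustration (not code from the patent or its assignee), the following Python model walks through the flow the claims describe: each ghost service is a partial copy of one protected service with its own state, obtains data from peer ghosts only by request rather than shared resources, falls back to the protected service for data its copy lacks, and hands a request to the protected network only after it passes inspection; a failing request gets an error response and nothing is forwarded. The service names, record contents and the inspection rule are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    service: str           # addressed service, e.g. "web"
    payload: str
    needs: tuple = ()      # (service, key) pairs the execution depends on

@dataclass
class ProtectedService:
    name: str
    records: dict          # the full data; only the protected network holds it
    delivered: list = field(default_factory=list)  # requests that reached the protected network
    def execute(self, req):
        self.delivered.append(req.payload)
        return f"{self.name}: executed {req.payload!r}"

@dataclass
class GhostService:
    name: str
    partial_records: dict  # the ghost's partial copy; never shared with peers directly
    protected: dict        # name -> ProtectedService (the protected network)
    peers: dict = field(default_factory=dict)  # name -> GhostService, reached only by request
    def inspect(self, req):
        # Constructed inspection rule (assumption): reject oversized or control-character payloads.
        if len(req.payload) > 64 or any(ord(c) < 32 for c in req.payload):
            return "malformed payload"
        return None
    def handle(self, req):
        error = self.inspect(req)
        if error:              # failed inspection: answer with the error, forward nothing
            return {"status": "error", "detail": error}
        extra = {}
        for svc, key in req.needs:
            ghost = self if svc == self.name else self.peers.get(svc)
            value = ghost.partial_records.get(key) if ghost else None
            if value is None:  # the ghost copy lacks it: request it from the protected service
                value = self.protected[svc].records.get(key)
            extra[(svc, key)] = value
        result = self.protected[req.service].execute(req)  # reached only after passing inspection
        return {"status": "ok", "result": result, "extra": extra}

def build_demo():
    """Constructed two-service network: ghosts hold partial copies, protected services the full data."""
    prot = {"web": ProtectedService("web", {"banner": "v1"}),
            "auth": ProtectedService("auth", {"policy": "strict", "secret_salt": "s3"})}
    web = GhostService("web", {"banner": "v1"}, prot)
    auth = GhostService("auth", {"policy": "strict"}, prot)  # salt deliberately absent from the copy
    web.peers["auth"], auth.peers["web"] = auth, web
    return web, prot
```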