Providing a virtual security appliance architecture to a virtual cloud infrastructure

US 9,571,507 B2
Filed: 10/21/2012
Issued: 02/14/2017
Est. Priority Date: 10/21/2012
Status: Active Grant

First Claim

Patent Images

1. A method for providing a virtual security appliance (VSA) architecture in a virtual network infrastructure, the method comprising:

detecting a change for a guest virtual machine (VM) in the virtual network infrastructure, wherein the change comprises moving the guest VM from a first virtual server to a second virtual server of the virtual network infrastructure;

determining a policy of one or more security policies requires a security control for the guest VM;

determining whether there is an already present VSA configured as a VM capable of applying the required security control to the guest VM running in the second virtual server, wherein the applying comprises performing security inspections on network packets of a packet stream associated with the guest VM;

upon determining there is not the already present VSA running in the second virtual server, performing a process comprising;

initiating the guest VM in the second virtual server and sending a request to create a new VSA capable of applying the required security control in the second virtual server, wherein the initiating comprises running the quest VM in the second virtual server and routing the packet stream associated with the quest VM through an existing VSA capable of applying the required security control running on another virtual server of the virtual network infrastructure;

creating the new VSA on the second virtual server and running the new VSA, wherein the creating is based at least in part on the request and is performed at least partially concurrently with the running of the quest VM; and

routing, when the new VSA is running on the second server, the packet stream through the new VSA instead of the existing VSA; and

upon determining there is the already present VSA running in the second virtual server, running the guest VM in the second virtual server and routing the packet stream associated with the guest VM through the already present VSA.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in an embodiment includes detecting a change for a virtual machine in a virtual server of a virtual network infrastructure, determining whether a virtual security appliance is configured in the virtual server, and sending a request to create the virtual security appliance in the virtual server. The method further includes allowing the virtual machine to initiate when the virtual security appliance is created in the virtual machine. The virtual security appliance performs security inspections on network packets sent from the virtual machine. In more specific embodiments, the method further includes creating an intercept mechanism in the virtual server to intercept the network packets from the virtual machine. In further embodiments, one or more security policies identify one or more virtual security appliances to process the network packets from the virtual machine.

Citations

23 Claims

1. A method for providing a virtual security appliance (VSA) architecture in a virtual network infrastructure, the method comprising:
- detecting a change for a guest virtual machine (VM) in the virtual network infrastructure, wherein the change comprises moving the guest VM from a first virtual server to a second virtual server of the virtual network infrastructure;
  
  determining a policy of one or more security policies requires a security control for the guest VM;
  
  determining whether there is an already present VSA configured as a VM capable of applying the required security control to the guest VM running in the second virtual server, wherein the applying comprises performing security inspections on network packets of a packet stream associated with the guest VM;
  
  upon determining there is not the already present VSA running in the second virtual server, performing a process comprising;
  
  initiating the guest VM in the second virtual server and sending a request to create a new VSA capable of applying the required security control in the second virtual server, wherein the initiating comprises running the quest VM in the second virtual server and routing the packet stream associated with the quest VM through an existing VSA capable of applying the required security control running on another virtual server of the virtual network infrastructure;
  
  creating the new VSA on the second virtual server and running the new VSA, wherein the creating is based at least in part on the request and is performed at least partially concurrently with the running of the quest VM; and
  
  routing, when the new VSA is running on the second server, the packet stream through the new VSA instead of the existing VSA; and
  
  upon determining there is the already present VSA running in the second virtual server, running the guest VM in the second virtual server and routing the packet stream associated with the guest VM through the already present VSA.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the routing of the packet stream is performed, at least in part, via an intercept mechanism created in the second virtual server to intercept the network packets from the guest VM.
  - 3. The method of claim 2, wherein the creating the intercept mechanism includes:
    - reconfiguring logic of a virtual switch connected to the guest VM to force the network packets from the guest VM to a physical network interface card; and
      
      reconfiguring logic of a virtual network interface card (vNIC) to prevent the network packets from passing through the vNIC.
  - 4. The method of claim 1, wherein the one or more security policies further identify one or more additional VSAs to process the network packets from the guest VM.
  - 5. The method of claim 4, wherein the one or more security policies identify an order for the one or more additional VSAs to process the network packets from the guest VM.

6. An apparatus for providing a virtual security appliance (VSA) architecture in a virtual network infrastructure, the apparatus comprising:
- at least one processor; and
  
  at least one computer-readable storage medium comprising instructions stored thereon, the instructions when executed by the at least one processor, cause the apparatus to;
  
  detect a change for a guest virtual machine (VM) in the virtual network infrastructure, wherein the change comprises moving the guest VM from a first virtual server to a second virtual server of the virtual network infrastructure;
  
  determine a policy of one or more security policies requires a security control for the guest VM;
  
  determine whether there is an already present VSA configured as a VM capable of applying the required security control to the guest VM running in the second virtual server, wherein the applying comprises performing security inspections on network packets of a packet stream associated with the guest VM;
  
  upon determining there is not the already present VSA running in the second virtual server, further causing the apparatus to;
  
  initiate the guest VM in the second virtual server and send a request to create a new VSA capable of applying the required security control in the second virtual server, wherein the initiating comprises running the quest VM in the second virtual server and routing the packet stream associated with the quest VM through an existing VSA capable of applying the required security control running on another virtual server of the virtual network infrastructure;
  
  create the new VSA on the second virtual server and run the new VSA, wherein the creating is based at least in part on the request and is performed at least partially concurrently with the running of the quest VM; and
  
  route, when the new VSA is running on the second server, the packet stream through the new VSA instead of the existing VSA; and
  
  upon determining there is the already present VSA running in the second virtual server, run the guest VM in the second virtual server and route the packet stream associated with the guest VM through the already present VSA.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus of claim 6, wherein the routing of the packet stream is performed, at least in part, via an intercept mechanism created in the second virtual server to intercept the network packets from the guest VM.
  - 8. The apparatus of claim 7, wherein the creating the intercept mechanism includes:
    - reconfiguring logic of a virtual switch connected to the guest VM to force the network packets from the guest VM to a physical network interface card; and
      
      reconfiguring logic of a virtual network interface card (vNIC) to prevent the network packets from passing through the vNIC.
  - 9. The apparatus of claim 6, wherein the one or more security policies further identify one or more additional VSAs to process the network packets from the guest VM.
  - 10. The apparatus of claim 9, wherein the one or more security policies identify an order for the one or more additional VSAs to process the network packets from the guest VM.

11. At least one non-transitory machine readable storage medium comprising instructions stored thereon for providing a virtual security appliance (VSA) architecture in a virtual network infrastructure, the instructions when executed on a machine, cause the machine to:
- detect a change for a guest virtual machine (VM) in the virtual network infrastructure, wherein the change comprises moving the quest VM from a first virtual server to a second virtual server of the virtual network infrastructure;
  
  determine a policy of one or more security policies requires a security control for the guest VM;
  
  determine whether there is an already present VSA configured as a VM capable of applying the required security control to the guest VM running in the second virtual server, wherein the applying comprises performing security inspections on network packets of a packet stream associated with the quest VM;
  
  upon determining there is not the already present VSA running in the second virtual server, further causing the machine to;
  
  initiate the quest VM in the second virtual server and send a request to create a new VSA capable of applying the required security control in the second virtual server, wherein the initiating comprises running the quest VM in the second virtual server and routing the packet stream associated with the quest VM through an existing VSA capable of applying the required security control running on another virtual server of the virtual network infrastructure;
  
  create the new VSA on the second virtual server and run the new VSA, wherein the creating is based at least in part on the request and is performed at least partially concurrently with the running of the quest VM; and
  
  route, when the new VSA is running on the second server, the packet stream through the new VSA instead of the existing VSA; and
  
  upon determining there is the already present VSA running in the second virtual server, run the quest VM in the second virtual server and route the packet stream associated with the quest VM through the already present VSA.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 12. The at least one non-transitory machine readable storage medium of claim 11, wherein the instructions, when executed on the machine, further cause the machine to:
    - delete the existing VSA from the first virtual server based, at least in part, on the existing VSA running in the first virtual server and the packet stream being routed through the new VSA instead of the existing VSA; and
      
      reconfigure logic of a virtual switch in the first virtual server to communicate via a virtual network interface card, wherein the existing VSA applied the required security control to the quest VM at the first virtual server prior to moving the quest VM to the second virtual server.
  - 13. The at least one non-transitory machine readable storage medium of claim 11, wherein the one or more security policies further identify one or more additional VSAs to process the network packets from the guest VM.
  - 14. The at least one non-transitory machine readable storage medium of claim 13, wherein the one or more security policies identify an order for the one or more additional VSAs to process the network packets from the guest VM.
  - 15. The at least one non-transitory machine readable storage medium of claim 11, wherein the routing of the packet stream is performed, at least in part, via an intercept mechanism created in the second virtual server to intercept the network packets from the guest VM.
  - 16. The at least one non-transitory machine readable storage medium of claim 15, wherein the creating the intercept mechanism includes executing instructions which cause the machine to:
    - reconfigure logic of a virtual switch connected to the guest VM to force the network packets from the guest VM to a physical network interface card; and
      
      reconfigure logic of a virtual network interface card (vNIC) to prevent the network packets from passing through the vNIC.
  - 17. The at least one non-transitory machine readable storage medium of claim 15, wherein the intercept mechanism is based on Single Root Input/Output Virtualization (SR-IOV) specification.
  - 18. The at least one non-transitory machine readable storage medium of claim 11, wherein the instructions, when executed on the machine, further cause the machine to:
    - query the new VSA running on the second virtual server to determine a utilization rate of the new VSA; and
      
      receive a response to the query.
  - 19. The at least one non-transitory machine readable storage medium of claim 18, wherein the instructions, when executed on the machine, further cause the machine to:
    - send a request to create a second VSA in the second virtual server if the response indicates that the new VSA is over-utilized.
  - 20. The at least one non-transitory machine readable storage medium of claim 18, wherein the instructions, when executed on the machine, further cause the machine to:
    - prevent any further network packets from being sent to the new VSA and delete the new VSA if the response indicates that the new VSA is under-utilized and there is at least one additional VSA on the second virtual server that is a duplicate of the new VSA.
  - 21. The at least one non-transitory machine readable storage medium of claim 18, wherein the instructions, when executed on the machine, further cause the machine to:
    - send a request to allocate more resources to the new VSA if the response indicates the new VSA is over-utilized, wherein the resources comprise one or more of processor and memory resources.
  - 22. The at least one non-transitory machine readable storage medium of claim 11, wherein the change is detected through an application programming interface (API) of a cloud manager.
  - 23. The at least one non-transitory machine readable storage medium of claim 11, wherein a first outgoing network packet of a packet flow from the guest VM is intercepted by an OpenFlow switch in the second virtual server after the guest VM is initiated in the second virtual server, wherein the instructions, when executed on the machine, further cause the machine to:
    - generate a flow route for the outgoing network packet based on one of the security policies, wherein the OpenFlow switch routes the outgoing network packet according to the flow route.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Cooper, Geoffrey Howard, Nedbal, Manuel, Nadkarni, Hemang Satish
Primary Examiner(s)
Puente, Emerson
Assistant Examiner(s)
MILLS, PAUL V

Application Number

US13/656,730
Publication Number

US 20140115578A1
Time in Patent Office

1,577 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 21/50   Monitoring users, programs ...

G06F 21/606   by securing the transmissio...

H04L 63/105   Multiple levels of security

H04L 63/1416   Event detection, e.g. attac...

H04L 63/205   involving negotiation or de...

Providing a virtual security appliance architecture to a virtual cloud infrastructure

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Providing a virtual security appliance architecture to a virtual cloud infrastructure

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links