Providing a virtual security appliance architecture to a virtual cloud infrastructure
Abstract
A method in an embodiment includes detecting a change for a virtual machine in a virtual server of a virtual network infrastructure, determining whether a virtual security appliance is configured in the virtual server, and sending a request to create the virtual security appliance in the virtual server. The method further includes allowing the virtual machine to initiate when the virtual security appliance is created in the virtual machine. The virtual security appliance performs security inspections on network packets sent from the virtual machine. In more specific embodiments, the method further includes creating an intercept mechanism in the virtual server to intercept the network packets from the virtual machine. In further embodiments, one or more security policies identify one or more virtual security appliances to process the network packets from the virtual machine.
23 Claims
1. A method for providing a virtual security appliance (VSA) architecture in a virtual network infrastructure, the method comprising:
- detecting a change for a guest virtual machine (VM) in the virtual network infrastructure, wherein the change comprises moving the guest VM from a first virtual server to a second virtual server of the virtual network infrastructure;
- determining a policy of one or more security policies requires a security control for the guest VM;
- determining whether there is an already present VSA configured as a VM capable of applying the required security control to the guest VM running in the second virtual server, wherein the applying comprises performing security inspections on network packets of a packet stream associated with the guest VM;
- upon determining there is not the already present VSA running in the second virtual server, performing a process comprising:
  - initiating the guest VM in the second virtual server and sending a request to create a new VSA capable of applying the required security control in the second virtual server, wherein the initiating comprises running the guest VM in the second virtual server and routing the packet stream associated with the guest VM through an existing VSA capable of applying the required security control running on another virtual server of the virtual network infrastructure;
  - creating the new VSA on the second virtual server and running the new VSA, wherein the creating is based at least in part on the request and is performed at least partially concurrently with the running of the guest VM; and
  - routing, when the new VSA is running on the second server, the packet stream through the new VSA instead of the existing VSA; and
- upon determining there is the already present VSA running in the second virtual server, running the guest VM in the second virtual server and routing the packet stream associated with the guest VM through the already present VSA.

Dependent claims: 2, 3, 4, 5.
6. An apparatus for providing a virtual security appliance (VSA) architecture in a virtual network infrastructure, the apparatus comprising:
- at least one processor; and
- at least one computer-readable storage medium comprising instructions stored thereon, the instructions when executed by the at least one processor cause the apparatus to:
  - detect a change for a guest virtual machine (VM) in the virtual network infrastructure, wherein the change comprises moving the guest VM from a first virtual server to a second virtual server of the virtual network infrastructure;
  - determine a policy of one or more security policies requires a security control for the guest VM;
  - determine whether there is an already present VSA configured as a VM capable of applying the required security control to the guest VM running in the second virtual server, wherein the applying comprises performing security inspections on network packets of a packet stream associated with the guest VM;
  - upon determining there is not the already present VSA running in the second virtual server, further cause the apparatus to:
    - initiate the guest VM in the second virtual server and send a request to create a new VSA capable of applying the required security control in the second virtual server, wherein the initiating comprises running the guest VM in the second virtual server and routing the packet stream associated with the guest VM through an existing VSA capable of applying the required security control running on another virtual server of the virtual network infrastructure;
    - create the new VSA on the second virtual server and run the new VSA, wherein the creating is based at least in part on the request and is performed at least partially concurrently with the running of the guest VM; and
    - route, when the new VSA is running on the second server, the packet stream through the new VSA instead of the existing VSA; and
  - upon determining there is the already present VSA running in the second virtual server, run the guest VM in the second virtual server and route the packet stream associated with the guest VM through the already present VSA.

Dependent claims: 7, 8, 9, 10.
11. At least one non-transitory machine-readable storage medium comprising instructions stored thereon for providing a virtual security appliance (VSA) architecture in a virtual network infrastructure, the instructions when executed on a machine cause the machine to:
- detect a change for a guest virtual machine (VM) in the virtual network infrastructure, wherein the change comprises moving the guest VM from a first virtual server to a second virtual server of the virtual network infrastructure;
- determine a policy of one or more security policies requires a security control for the guest VM;
- determine whether there is an already present VSA configured as a VM capable of applying the required security control to the guest VM running in the second virtual server, wherein the applying comprises performing security inspections on network packets of a packet stream associated with the guest VM;
- upon determining there is not the already present VSA running in the second virtual server, further cause the machine to:
  - initiate the guest VM in the second virtual server and send a request to create a new VSA capable of applying the required security control in the second virtual server, wherein the initiating comprises running the guest VM in the second virtual server and routing the packet stream associated with the guest VM through an existing VSA capable of applying the required security control running on another virtual server of the virtual network infrastructure;
  - create the new VSA on the second virtual server and run the new VSA, wherein the creating is based at least in part on the request and is performed at least partially concurrently with the running of the guest VM; and
  - route, when the new VSA is running on the second server, the packet stream through the new VSA instead of the existing VSA; and
- upon determining there is the already present VSA running in the second virtual server, run the guest VM in the second virtual server and route the packet stream associated with the guest VM through the already present VSA.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23.
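The three independent claims describe one control flow: a guest VM migrates, the policy engine decides which security control it needs, the destination server is checked for a capable VSA, and, if none is there, the guest starts anyway with its packet stream hairpinned through a capable VSA on another server until a newly requested local VSA comes up and the route is switched. The following Python model is an added illustration of that placement and re-routing logic, not code from the patent or its assignee. The server names, VSA names, control names ("ids", "dlp") and the `Infrastructure` class are all constructed for the example; the "held" behaviour, where no capable VSA exists anywhere and the guest is not started until the new VSA is ready, is an assumption taken from the abstract rather than something the claims spell out.

```python
"""Model of VSA placement on guest-VM migration (added example, not the patent's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VSA:
    name: str
    server: str
    controls: frozenset  # security controls this appliance can apply, e.g. {"ids"}


@dataclass
class Infrastructure:
    servers: Dict[str, List[VSA]]            # virtual server -> VSAs running on it
    policies: Dict[str, Optional[str]]       # guest VM -> required control (None = no control)
    running: Dict[str, str] = field(default_factory=dict)            # guest -> server it runs on
    routes: Dict[str, Optional[str]] = field(default_factory=dict)   # guest -> VSA carrying its packets
    pending: List[Tuple[str, str, str]] = field(default_factory=list)  # (guest, server, control)
    log: List[str] = field(default_factory=list)

    def find_vsa(self, server: str, control: str) -> Optional[VSA]:
        """Is there an already present VSA on `server` that can apply `control`?"""
        for vsa in self.servers.get(server, []):
            if control in vsa.controls:
                return vsa
        return None

    def find_vsa_elsewhere(self, control: str, exclude: str) -> Optional[VSA]:
        """An existing capable VSA on any other server, used as the interim path."""
        for server in self.servers:
            if server != exclude:
                vsa = self.find_vsa(server, control)
                if vsa is not None:
                    return vsa
        return None

    def on_guest_moved(self, guest: str, src: str, dst: str) -> str:
        """The 'change' of the claims: guest VM migrates from src to dst."""
        self.log.append(f"change: {guest} moved {src} -> {dst}")
        control = self.policies.get(guest)
        if control is None:                      # no policy requires a control
            self.running[guest] = dst
            self.routes[guest] = None
            return "no-control"
        local = self.find_vsa(dst, control)
        if local is not None:                    # already present VSA on the destination
            self.running[guest] = dst
            self.routes[guest] = local.name
            return "local"
        # No capable VSA on dst: request one, and it will be created concurrently.
        self.pending.append((guest, dst, control))
        self.log.append(f"request: create VSA with {control} on {dst}")
        remote = self.find_vsa_elsewhere(control, exclude=dst)
        if remote is not None:                   # interim: hairpin through the remote VSA
            self.running[guest] = dst
            self.routes[guest] = remote.name
            return "remote-interim"
        # Assumption (from the abstract): nothing can apply the control yet, so the
        # guest is held and only starts once the requested VSA exists.
        return "held"

    def on_vsa_created(self, name: str, server: str, controls) -> List[str]:
        """Creation request completed: register the VSA and switch waiting guests to it."""
        vsa = VSA(name, server, frozenset(controls))
        self.servers.setdefault(server, []).append(vsa)
        switched, still_pending = [], []
        for guest, dst, control in self.pending:
            if dst == server and control in vsa.controls:
                self.running[guest] = dst        # starts held guests, no-op for interim ones
                self.routes[guest] = vsa.name    # route through the new local VSA instead
                switched.append(guest)
            else:
                still_pending.append((guest, dst, control))
        self.pending = still_pending
        self.log.append(f"created: {name} on {server}, switched {switched}")
        return switched


def build_demo() -> Infrastructure:
    """Constructed topology: server-a has an IDS appliance, server-b has none."""
    return Infrastructure(
        servers={"server-a": [VSA("vsa-a", "server-a", frozenset({"ids"}))], "server-b": []},
        policies={"web01": "ids", "db01": "ids", "batch01": None, "mail01": "dlp"},
    )


if __name__ == "__main__":
    infra = build_demo()
    print(infra.on_guest_moved("web01", "server-a", "server-b"), infra.routes["web01"])
    print(infra.on_vsa_created("vsa-b", "server-b", {"ids"}), infra.routes["web01"])
    print("\n".join(infra.log))
```

The design point worth noticing is the ordering inside `on_guest_moved`: the creation request is recorded before the interim route is chosen, so the guest is never running on the destination without its stream passing through some VSA that can apply the required control, and `on_vsa_created` is the only place the route flips to the local appliance. A real implementation would have to verify the new VSA is actually inspecting traffic before the switch, not merely that its VM booted.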