Secured logical component for security in a virtual environment

US 9,584,544 B2
Filed: 03/12/2013
Issued: 02/28/2017
Est. Priority Date: 03/12/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A system for providing security in a virtualization environment, the system comprising:

a link module that links a first secured logical component to a first logical entity including a first set of virtual machines, wherein the first secured logical component includes a network interface, and the link module links a logical network associated with the first logical entity to the network interface, links the first secured logical component to a second logical entity including a second set of virtual machines, and links the logical network associated with the second logical entity to the network interface, wherein the second logical entity is associated with a first set of host machines running the second set of virtual machines, wherein the first set of host machines includes a first set of physical network interfaces, and each virtual machine of the second set of virtual machines includes one or more first virtual network interfaces associated with the first set of physical network interfaces, and wherein the link module links the one or more first virtual network interfaces of the second set of virtual machines to the logical network, wherein the first logical entity is associated with a second set of host machines running the first set of virtual machines, wherein the second set of host machines includes a second set of physical network interfaces, and each virtual machine of the first set of virtual machines includes one or more second virtual network interfaces associated with the second set of physical network interfaces, wherein the link module links the one or more second virtual network interfaces of the first set of virtual machines to the logical network;

a security module that identifies a set of security policies for one or more communications to the first logical entity or one or more communications from the first logical entity and that identifies a set of security policies for one or more communications between the first logical entity and the second logical entity; and

a control module that controls, based on the set of security policies, the one or more communications to the first logical entity or the one or more communications from the first logical entity and that controls, based on the set of security the one or more communications between the first logical entity and the second logical entity, wherein the first secured logical component includes the link module, security module, and control module, wherein the first secured logical component runs on a virtual machine running on a host machine of the first set of host machines and receives communications via a physical network interface of the first set of physical network interfaces, wherein the virtual machine is migrated to a host machine of the second set of host machines, and after migration, the virtual machine receives communications via a physical network interface of the second set of physical network interfaces.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing security in a virtual environment are provided. An example system includes a link module that links a secured logical component to a logical entity including a set of virtual machines. The example system also includes a security module that identifies a set of security policies for one or more communications to the logical entity or one or more communications from the logical entity. The example system further includes a control module that controls, based on the set of security policies, the one or more communications to the logical entity or the one or more communications from the logical entity.

Citations

17 Claims

1. A system for providing security in a virtualization environment, the system comprising:
- a link module that links a first secured logical component to a first logical entity including a first set of virtual machines, wherein the first secured logical component includes a network interface, and the link module links a logical network associated with the first logical entity to the network interface, links the first secured logical component to a second logical entity including a second set of virtual machines, and links the logical network associated with the second logical entity to the network interface, wherein the second logical entity is associated with a first set of host machines running the second set of virtual machines, wherein the first set of host machines includes a first set of physical network interfaces, and each virtual machine of the second set of virtual machines includes one or more first virtual network interfaces associated with the first set of physical network interfaces, and wherein the link module links the one or more first virtual network interfaces of the second set of virtual machines to the logical network, wherein the first logical entity is associated with a second set of host machines running the first set of virtual machines, wherein the second set of host machines includes a second set of physical network interfaces, and each virtual machine of the first set of virtual machines includes one or more second virtual network interfaces associated with the second set of physical network interfaces, wherein the link module links the one or more second virtual network interfaces of the first set of virtual machines to the logical network;
  
  a security module that identifies a set of security policies for one or more communications to the first logical entity or one or more communications from the first logical entity and that identifies a set of security policies for one or more communications between the first logical entity and the second logical entity; and
  
  a control module that controls, based on the set of security policies, the one or more communications to the first logical entity or the one or more communications from the first logical entity and that controls, based on the set of security the one or more communications between the first logical entity and the second logical entity, wherein the first secured logical component includes the link module, security module, and control module, wherein the first secured logical component runs on a virtual machine running on a host machine of the first set of host machines and receives communications via a physical network interface of the first set of physical network interfaces, wherein the virtual machine is migrated to a host machine of the second set of host machines, and after migration, the virtual machine receives communications via a physical network interface of the second set of physical network interfaces.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the first secured logical component runs on a preconfigured virtual machine running on a host machine.
  - 3. The system of claim 2, wherein the preconfigured virtual machine is preconfigured to run an operating system without user selection of the operating system.
  - 4. The system of claim 1, wherein the link module unlinks the first secured logical component from the second logical entity and links the first secured logical component to a third logical entity including a third set of virtual machines, wherein the security module identifies a second set of security policies for one or more communications between the first logical entity and the third logical entity, and wherein the control module controls, based on the second set of security policies, one or more communications between the first logical entity and the third logical entity.
  - 5. The system of claim 4, wherein the link module links the logical network associated with the third logical entity to the network interface, wherein the third logical entity is associated with a third set of host machines running the third set of virtual machines, wherein the third set of host machines includes a third set of physical network interfaces, and each virtual machine of the third set of virtual machines includes a third virtual network interface associated with the third set of physical network interfaces, and wherein the link module links the one or more third virtual network interfaces of the third set of virtual machines to the logical network.
  - 6. The system of claim 1, wherein the link module links the first secured logical component to a network, the security module identifies the set of security policies for one or more communications received via the network to the first logical entity or one or more communications sent via the network from the first logical entity, and the control module controls based on the set of security policies the one or more communications received via the network to the first logical entity or the one or more communications sent via the network from the first logical entity.
  - 7. The system of claim 1, wherein the first logical entity is a first datacenter, the first secured logical component includes the link module, security module, and control module, and the link module links the first secured logical component to the second logical entity that is a second datacenter including the second set of virtual machines, wherein a second secured logical component is linked to the second datacenter, and the first and second secured logical components establish a secure connection and encrypt one or more communications between the first and second logical entities.
  - 8. The system of claim 1, wherein the first logical entity is at least one of a datacenter, cluster, and virtual machine.

9. A method of providing security in a virtualization environment, the method comprising:
- linking, at a virtual machine running on a host machine, a first secured logical component to a first logical entity including a first set of virtual machines;
  
  identifying a network interface of the first secured logical component;
  
  linking a logical network associated with the first logical entity to the network interface;
  
  linking the first secured logical component to a second logical entity including a second set of virtual machines;
  
  linking the logical network associated with the second logical entity to the network interface;
  
  identifying, at the virtual machine, a set of security policies for one or more communications between the first logical entity and the second logical entity;
  
  identifying a first set of host machines associated with the second logical entity, the first set of host machines running the second set of virtual machines and including a first set of physical network interfaces;
  
  identifying one or more virtual network interfaces associated with the second set of virtual machines and the first set of physical network interfaces;
  
  linking the one or more virtual network interfaces of the second set of virtual machines to the logical network;
  
  identifying a second set of host machines associated with the first logical entity, the second set of host machines running the first set of virtual machines and including a second set of physical network interfaces;
  
  identifying one or more virtual network interfaces associated with the first set of virtual machines and the second set of physical network interfaces; and
  
  linking the one or more virtual network interfaces of the first set of virtual machines to the logical network; and
  
  controlling, based on the set of security policies, the one or more communications between the first logical entity and the second logical entity,wherein the first secured logical component runs on a virtual machine running on a host machine of the first set of host machines and receives communications via a physical network interface of the first set of physical network interfaces, wherein the virtual machine is migrated to a host machine of the second set of host machines, and after migration, the virtual machine receives communications via a physical network interface of the second set of physical network interfaces.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, further comprising:
    - unlinking the first secured logical component from the second logical entity;
      
      linking the first secured logical component to a third logical entity including a third set of virtual machines;
      
      identifying a second set of security policies for one or more communications between the first logical entity and the third logical entity;
      
      controlling, based on the second set of security policies, one or more communications between the first logical entity and the third logical entity;
      
      linking the logical network associated with the third logical entity to the network interface;
      
      identifying a third set of host machines associated with the third logical entity, the third set of host machines running the third set of virtual machines and including a third set of physical network interfaces;
      
      identifying one or more virtual network interfaces associated with the third set of virtual machines and the third set of physical network interfaces; and
      
      linking the one or more virtual network interfaces of the third set of virtual machines to the logical network.
  - 11. The method of claim 9, further comprising:
    - linking the first secured logical component to a network, wherein the identifying a set of security policies includes identifying the set of security policies for one or more communications received via the network to the first logical entity or one or more communications sent via the network from the first logical entity, and the controlling includes controlling, based on the set of security policies, the one or more communications received via the network to the first logical entity or the one or more communications sent via the network from the first logical entity.
  - 12. The method of claim 9, wherein the first logical entity is a first datacenter, the method further comprising:
    - linking the first secured logical component to the second logical entity, the second logical entity being a second datacenter including the second set of virtual machines and being linked to a second secured logical component;
      
      establishing a secure connection with the second secured logical component;
      
      encrypting one or more communications between the first and second logical entities; and
      
      sending the encrypted one or more communications.

13. A non-transitory machine-readable medium comprising a plurality of machine-readable instructions that when executed by one or more processors is adapted to cause the one or more processors to perform a method comprising:
- linking a secured logical component to a logical entity including a first set of virtual machines, the secured logical component running on a virtual machine running on a first host machine;
  
  identifying a set of security policies for one or more communications to the logical entity or one or more communications from the logical entity;
  
  controlling, based on the set of security policies, the one or more communications to the logical entity or the one or more communications from the logical entity linking, at a virtual machine running on a host machine, a first secured logical component to a first logical entity including a first set of virtual machines;
  
  identifying a network interface of the first secured logical component;
  
  linking a logical network associated with the first logical entity to the network interface;
  
  linking the first secured logical component to a second logical entity including a second set of virtual machines;
  
  linking the logical network associated with the second logical entity to the network interface;
  
  identifying, at the virtual machine, a set of security policies for one or more communications between the first logical entity and the second logical entity;
  
  identifying a first set of host machines associated with the second logical entity, the first set of host machines running the second set of virtual machines and including a first set of physical network interfaces;
  
  identifying one or more virtual network interfaces associated with the second set of virtual machines and the first set of physical network interfaces;
  
  linking the one or more virtual network interfaces of the second set of virtual machines to the logical network;
  
  identifying a second set of host machines associated with the first logical entity, the second set of host machines running the first set of virtual machines and including a second set of physical network interfaces;
  
  identifying one or more virtual network interfaces associated with the first set of virtual machines and the second set of physical network interfaces; and
  
  linking the one or more virtual network interfaces of the first set of virtual machines to the logical network; and
  
  controlling, based on the set of security policies, the one or more communications between the first logical entity and the second logical entity,wherein the secured logical component runs on a virtual machine running on a host machine of the first set of host machines and receives communications via a physical network interface of the first set of physical network interfaces, wherein the virtual machine is migrated to a host machine of the second set of host machines, and after migration, the virtual machine receives communications via a physical network interface of the second set of physical network interfaces.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory machine-readable medium of claim 13, the method further comprising:
    - unlinking the first secured logical component from the second logical entity;
      
      linking the first secured logical component to a third logical entity including a third set of virtual machines;
      
      identifying a second set of security policies for one or more communications between the first logical entity and the third logical entity;
      
      controlling, based on the second set of security policies, one or more communications between the first logical entity and the third logical entity;
      
      linking the logical network associated with the third logical entity to the network interface;
      
      identifying a third set of host machines associated with the third logical entity, the third set of host machines running the third set of virtual machines and including a third set of physical network interfaces;
      
      identifying one or more virtual network interfaces associated with the third set of virtual machines and the third set of physical network interfaces; and
      
      linking the one or more virtual network interfaces of the third set of virtual machines to the logical network.
  - 15. The non-transitory machine-readable medium of claim 13, the method further comprising:
    - linking the first secured logical component to a network, wherein the identifying a set of security policies includes identifying the set of security policies for one or more communications received via the network to the first logical entity or one or more communications sent via the network from the first logical entity, and the controlling includes controlling, based on the set of security policies, the one or more communications received via the network to the first logical entity or the one or more communications sent via the network from the first logical entity.
  - 16. The non-transitory machine-readable medium of claim 13, wherein the first logical entity is a first datacenter.
  - 17. The non-transitory machine-readable medium of claim 16, the method further comprising:
    - linking the first secured logical component to the second logical entity, the second logical entity being a second datacenter including the second set of virtual machines and being linked to a second secured logical component;
      
      establishing a secure connection with the second secured logical component;
      
      encrypting one or more communications between the first and second logical entities; and
      
      sending the encrypted one or more communications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat Israel Ltd. (International Business Machines Corporation)
Original Assignee
Red Hat Israel Ltd. (International Business Machines Corporation)
Inventors
Botzer, David
Primary Examiner(s)
Rahman, Mahfuzur
Assistant Examiner(s)
AMORIN, CARLOS E

Application Number

US13/795,275
Publication Number

US 20140282813A1
Time in Patent Office

1,449 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/20 for managing network securi...

Secured logical component for security in a virtual environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Secured logical component for security in a virtual environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links