Segmented networks that implement scanning

US 9,609,026 B2
Filed: 07/25/2016
Issued: 03/28/2017
Est. Priority Date: 03/13/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a memory for storing executable instructions;

one or more processors executing the instructions;

a plurality of segmented environments, each of the plurality of segmented environments comprising an enforcement point comprising an active probe device, and a plurality of workloads each implementing at least one service component, the plurality of segmented environments collectively providing a service, each of the plurality of segmented environments providing a portion of the service, the plurality of workloads controlled with a host server that coordinates the operations of distributed service components to provide the service; and

a data center server coupled with the plurality of segmented environments over a network, the data center server comprising;

a security controller providing, via the one or more processors, a security policy to each of the plurality of segmented environments, the security policy being configured using the service; and

an active probe controller requesting, via the one or more processors, each active probe device of the plurality of segmented environments to perform a respective scan of a plurality of scans, wherein the active probe controller causes the active probe device to execute the respective scan when a triggering event is detected by the security controller, the respective scan is a vulnerability scan and the active probe controller implements a remediation scheme in addition to the respective scan by the active probe device, the plurality of scans including packet insertion and/or modification, the plurality of scans performed on the plurality of segmented environments collectively providing the service, the plurality of scans occurring in parallel on the plurality of workloads implementing the at least one service component.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.

122 Citations

17 Claims

1. A system comprising:
- a memory for storing executable instructions;
  
  one or more processors executing the instructions;
  
  a plurality of segmented environments, each of the plurality of segmented environments comprising an enforcement point comprising an active probe device, and a plurality of workloads each implementing at least one service component, the plurality of segmented environments collectively providing a service, each of the plurality of segmented environments providing a portion of the service, the plurality of workloads controlled with a host server that coordinates the operations of distributed service components to provide the service; and
  
  a data center server coupled with the plurality of segmented environments over a network, the data center server comprising;
  
  a security controller providing, via the one or more processors, a security policy to each of the plurality of segmented environments, the security policy being configured using the service; and
  
  an active probe controller requesting, via the one or more processors, each active probe device of the plurality of segmented environments to perform a respective scan of a plurality of scans, wherein the active probe controller causes the active probe device to execute the respective scan when a triggering event is detected by the security controller, the respective scan is a vulnerability scan and the active probe controller implements a remediation scheme in addition to the respective scan by the active probe device, the plurality of scans including packet insertion and/or modification, the plurality of scans performed on the plurality of segmented environments collectively providing the service, the plurality of scans occurring in parallel on the plurality of workloads implementing the at least one service component.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system according to claim 1, wherein the security policy comprises a firewall that implements a firewall policy and the respective scan occurs within each of the plurality of segmented environments without traversing the network or passing through the firewall.
  - 3. The system according to claim 1, wherein the active probe device is configured to execute the respective scan according to a predetermined schedule.
  - 4. The system according to claim 1, wherein the plurality of scans are at least one of a vulnerability scan, a file scan, and a service scan.
  - 5. The system according to claim 1, wherein the remediation scheme comprises isolating an affected segmented environment from communicating with other segmented environments or communicating over the network.
  - 6. The system according to claim 1, wherein the remediation scheme comprises the security controller implementing a heightened security policy for an affected segmented environment.
  - 7. The system according to claim 1, wherein the remediation scheme comprises identifying an affected segmented environment for further evaluation by a security administrator.

8. A method comprising:
- establishing a plurality of segmented environments within a data center, each of the plurality of segmented environments comprising an enforcement point comprising an active probe device, and a plurality of workloads each implementing at least one service component, the plurality of segmented environments collectively providing a service, each of the plurality of segmented environments providing a portion of the service, the plurality of workloads controlled with a host server that coordinates operations of distributed service components to provide the service;
  
  provisioning each of the plurality of segmented environments with a security policy, the security policy being configured using the service;
  
  performing a scan on each of the plurality of segmented environments using a respective active probe device, the scans performed when a triggering event is detected, the scans including packet insertion and/or modification, the scans performed on the plurality of segmented environments collectively providing the service, the scans occurring in parallel on the plurality of workloads implementing the at least one service component, the active probe device identifying an affected segmented environment; and
  
  executing a remediation scheme in addition to the scans when malicious behavior within one or more of the plurality of segmented environments is detected, wherein the scans are vulnerability scans.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The method according to claim 8, wherein the security policy comprises a firewall or virus scanning policy.
  - 10. The method according to claim 9, wherein the performance of the scans occur in its entirety without crossing the firewall.
  - 11. The method according to claim 8 further comprising transmitting to the active probe device instructions to execute the scan.
  - 12. The method according to claim 8, wherein the active probe device is pre-provisioned to execute the scan according to a predetermined schedule.
  - 13. The method according to claim 8, wherein the plurality of segmented environments execute the scans synchronously without affecting performance of a network established between the data center and the plurality of segmented environments.
  - 14. The method according to claim 8, wherein the scans are at least one of a vulnerability scan, a file scan, and a service scan.
  - 15. The method according to claim 8, wherein the remediation scheme comprises isolating the affected segmented environment from communicating with other segmented environments or communicating over a network.
  - 16. The method according to claim 8, wherein the remediation scheme comprises a security controller implementing a heightened security policy for the affected segmented environment.
  - 17. The method according to claim 8, wherein the remediation scheme comprises identifying the affected segmented environment for further evaluation by a security administrator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Ross, Colin, Shieh, Choung-Yaw, Lian, Jia-Jyi, Xu, Meng, Sun, Yi
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US15/219,273
Publication Number

US 20170063791A1
Time in Patent Office

246 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0254   Stateful filtering

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/51   Discovery or management the...

Segmented networks that implement scanning

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Segmented networks that implement scanning

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links