Segmented networks that implement scanning
First Claim
1. A system comprising:
a memory for storing executable instructions;
one or more processors executing the instructions;
a plurality of segmented environments, each of the plurality of segmented environments comprising an enforcement point comprising an active probe device, and a plurality of workloads each implementing at least one service component, the plurality of segmented environments collectively providing a service, each of the plurality of segmented environments providing a portion of the service, the plurality of workloads controlled with a host server that coordinates the operations of distributed service components to provide the service; and
a data center server coupled with the plurality of segmented environments over a network, the data center server comprising:
a security controller providing, via the one or more processors, a security policy to each of the plurality of segmented environments, the security policy being configured using the service; and
an active probe controller requesting, via the one or more processors, each active probe device of the plurality of segmented environments to perform a respective scan of a plurality of scans, wherein the active probe controller causes the active probe device to execute the respective scan when a triggering event is detected by the security controller, the respective scan is a vulnerability scan and the active probe controller implements a remediation scheme in addition to the respective scan by the active probe device, the plurality of scans including packet insertion and/or modification, the plurality of scans performed on the plurality of segmented environments collectively providing the service, the plurality of scans occurring in parallel on the plurality of workloads implementing the at least one service component.
Dependent claims: 2-7.
Abstract
Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.
122 Citations
17 Claims
8. A method comprising:
establishing a plurality of segmented environments within a data center, each of the plurality of segmented environments comprising an enforcement point comprising an active probe device, and a plurality of workloads each implementing at least one service component, the plurality of segmented environments collectively providing a service, each of the plurality of segmented environments providing a portion of the service, the plurality of workloads controlled with a host server that coordinates operations of distributed service components to provide the service;
provisioning each of the plurality of segmented environments with a security policy, the security policy being configured using the service;
performing a scan on each of the plurality of segmented environments using a respective active probe device, the scans performed when a triggering event is detected, the scans including packet insertion and/or modification, the scans performed on the plurality of segmented environments collectively providing the service, the scans occurring in parallel on the plurality of workloads implementing the at least one service component, the active probe device identifying an affected segmented environment; and
executing a remediation scheme in addition to the scans when malicious behavior within one or more of the plurality of segmented environments is detected, wherein the scans are vulnerability scans.
Dependent claims: 9-17.
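To make the arrangement recited in the abstract and in claims 1 and 8 concrete, the following is an added example and not the patent's own code (the applicant's implementation is not on this page). It models a data center server whose security controller provisions every segmented environment with a service-derived policy, and whose active probe controller, on a triggering event, has each segment's enforcement-point probe scan its workloads in parallel, identify the affected segments, and apply a remediation scheme. The class and function names (Segment, DataCenterServer, probe_scan, on_triggering_event), the simulated packet insertion, the PROBE_PORTS list, the vulnerable-version table and the three constructed segments are all assumptions for illustration.

```python
"""Toy model of the claimed architecture (added example, not the patent's code).
Every name, port and version here is a constructed assumption."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical table of (component, version) pairs with a known weakness.
VULNERABLE_VERSIONS = {("web", "1.2.0"), ("db", "5.0.1")}
# Ports the active probe inserts a synthetic packet on for each workload.
PROBE_PORTS = (22, 80, 443, 5432, 8080)


@dataclass
class Workload:
    name: str
    component: str          # service component this workload implements
    version: str
    listening: Set[int]     # ports the workload actually answers on


@dataclass
class Policy:
    # component -> ports the service definition says it may expose
    allowed_ports: Dict[str, Set[int]] = field(default_factory=dict)


@dataclass
class Finding:
    segment: str
    workload: str
    issue: str


@dataclass
class Segment:
    """A segmented environment; its enforcement point hosts the active probe."""
    name: str
    workloads: List[Workload]
    policy: Optional[Policy] = None
    quarantined: Set[str] = field(default_factory=set)

    def insert_probe_packet(self, w: Workload, port: int) -> Optional[str]:
        # Simulated packet insertion: an open port replies with a banner,
        # a closed port replies with nothing.
        return f"{w.component}/{w.version}" if port in w.listening else None

    def probe_scan(self) -> List[Finding]:
        """Vulnerability scan of this segment's workloads against its policy."""
        findings: List[Finding] = []
        for w in self.workloads:
            allowed = self.policy.allowed_ports.get(w.component, set())
            banner = None
            for port in PROBE_PORTS:
                reply = self.insert_probe_packet(w, port)
                if reply is None:
                    continue
                banner = reply
                if port not in allowed:
                    findings.append(Finding(self.name, w.name,
                                            f"port {port} open but not permitted by policy"))
            if banner is not None:
                component, version = banner.split("/", 1)
                if (component, version) in VULNERABLE_VERSIONS:
                    findings.append(Finding(self.name, w.name,
                                            f"{component} {version} has a known vulnerability"))
        return findings


class DataCenterServer:
    def __init__(self, segments: List[Segment]):
        self.segments = segments
        self.log: List[str] = []

    # Security controller: one policy, configured from the service, for all segments.
    def provision(self, policy: Policy) -> None:
        for seg in self.segments:
            seg.policy = policy

    # Active probe controller: on a triggering event, every probe scans in parallel.
    def on_triggering_event(self, event: str) -> Tuple[List[Finding], List[str]]:
        self.log.append(f"trigger: {event}")
        with ThreadPoolExecutor(max_workers=len(self.segments)) as pool:
            per_segment = list(pool.map(Segment.probe_scan, self.segments))
        findings = [f for results in per_segment for f in results]
        affected = sorted({f.segment for f in findings})   # affected segments
        for f in findings:
            self.remediate(f)
        return findings, affected

    # Remediation scheme: the enforcement point quarantines the flagged workload.
    def remediate(self, f: Finding) -> None:
        seg = next(s for s in self.segments if s.name == f.segment)
        seg.quarantined.add(f.workload)
        self.log.append(f"quarantined {f.workload} in {f.segment}: {f.issue}")


def build_demo() -> DataCenterServer:
    """Three segments that together provide one service (constructed data)."""
    segments = [
        Segment("seg-a", [Workload("web-1", "web", "1.2.0", {22, 80})]),
        Segment("seg-b", [Workload("api-1", "api", "2.3.1", {8080})]),
        Segment("seg-c", [Workload("db-1", "db", "5.1.0", {5432, 8080})]),
    ]
    server = DataCenterServer(segments)
    server.provision(Policy({"web": {80, 443}, "api": {8080}, "db": {5432}}))
    return server


if __name__ == "__main__":
    srv = build_demo()
    found, hit = srv.on_triggering_event("IDS alert: unexpected egress from seg-a")
    for f in found:
        print(f"{f.segment}/{f.workload}: {f.issue}")
    print("affected segments:", hit)
```

Run as a script, the constructed data yields three findings (an unexpected SSH port and a vulnerable version on web-1 in seg-a, a stray port on db-1 in seg-c), leaves seg-b untouched, and quarantines only the two flagged workloads. The scan fans out per segment rather than per workload so that each enforcement point only ever probes the environment it already fronts, which is the property the claims rely on.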
Specification