Granular segmentation using events

US 9,787,639 B1
Filed: 12/21/2016
Issued: 10/10/2017
Est. Priority Date: 06/24/2016
Status: Active Grant

First Claim

Patent Images

1. A method implemented by at least one hardware processor for granular segmentation of data networks, the method comprising:

receiving from a metadata source event metadata associated with a workload;

identifying a workload type using the event metadata;

determining a high-level declarative security policy using the workload type;

launching a compiler to generate a low-level firewall rule set using the high-level declarative security policy and the event metadata; and

configuring by a plurality of enforcement points a respective network switch of a plurality of network switches to process packets in accordance with the low-level firewall rule set, the plurality of network switches being collectively communicatively coupled to a plurality of workloads, such that network communications between a first group of workloads of the plurality of workloads and the workload are not permitted, and between a second group of workloads of the plurality of workloads and the workload are permitted.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for granular segmentation of data networks are provided herein. Exemplary methods include: receiving from a metadata source event metadata associated with a workload; identifying a workload type using the event metadata; determining a high-level declarative security policy using the workload type; launching a compiler to generate a low-level firewall rule set using the high-level declarative policy and the event metadata; and configuring by a plurality of enforcement points a respective network switch of a plurality of network switches to process packets in accordance with the low-level firewall ruleset, the network switches being collectively communicatively coupled to a plurality of workloads, such that network communications between a first group of workloads of the plurality of workloads and the workload are not permitted, and between a second group of workloads of the plurality of workloads and the workload are permitted.

Citations

20 Claims

1. A method implemented by at least one hardware processor for granular segmentation of data networks, the method comprising:
- receiving from a metadata source event metadata associated with a workload;
  
  identifying a workload type using the event metadata;
  
  determining a high-level declarative security policy using the workload type;
  
  launching a compiler to generate a low-level firewall rule set using the high-level declarative security policy and the event metadata; and
  
  configuring by a plurality of enforcement points a respective network switch of a plurality of network switches to process packets in accordance with the low-level firewall rule set, the plurality of network switches being collectively communicatively coupled to a plurality of workloads, such that network communications between a first group of workloads of the plurality of workloads and the workload are not permitted, and between a second group of workloads of the plurality of workloads and the workload are permitted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the metadata source is at least one of a hypervisor and an orchestration layer.
  - 3. The method of claim 1, wherein the event metadata is received in response to an event.
  - 4. The method of claim 3, wherein the event is at least one of:
    - the workload being instantiated, the workload being removed, the workload being migrated, and workload metadata being changed.
  - 5. The method of claim 4, further comprising:
    - disseminating, to a destination enforcement point of a migrated workload, a state of a communications session of the migrated workload.
  - 6. The method of claim 1, wherein the workload is at least one of a:
    - bare-metal server, virtual machine (VM), container, and microservice.
  - 7. The method of claim 1, wherein the event metadata includes at least one of:
    - an event, an application name, a service name, a user-defined tag/label, an IP address, a port number, an operating system name, a software version, and a location.
  - 8. The method of claim 1, wherein:
    - the event metadata includes at least one of;
      
      a date and a time; and
      
      the high-level declarative security policy includes a time-based provision.
  - 9. The method of claim 1, wherein the high-level declarative security policy comprises an intent-driven model, the intent-driven model specifying groups of workloads and describing permitted connectivity, security, and network services between the groups.
  - 10. The method of claim 1, wherein the low-level firewall rule set comprises individual workload addresses to and/or from which network communications are at least one of forwarded, blocked, redirected, and logged.

11. A system for granular segmentation of data networks, the system comprising:
- at least one hardware processor; and
  
  a memory coupled to the at least one hardware processor, the memory storing instructions executable by the at least one hardware processor to perform a method comprising;
  
  receiving from a metadata source event metadata associated with a workload;
  
  identifying a workload type using the event metadata;
  
  determining a high-level declarative security policy using the workload type;
  
  launching a compiler to generate a low-level firewall rule set using the high-level declarative security policy and the event metadata; and
  
  configuring by a plurality of enforcement points a respective network switch of a plurality of network switches to process packets in accordance with the low-level firewall rule set, the plurality of network switches being collectively communicatively coupled to a plurality of workloads, such that network communications between a first group of workloads of the plurality of workloads and the workload are not permitted, and between a second group of workloads of the plurality of workloads and the workload are permitted.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the metadata source is at least one of a hypervisor and an orchestration layer.
  - 13. The system of claim 11, wherein the metadata source sends the event metadata in response to an event.
  - 14. The system of claim 13, wherein the event is at least one of:
    - the workload being instantiated, the workload being removed, the workload being migrated, and workload metadata being changed.
  - 15. The system of claim 14, wherein the method further comprises:
    - disseminating, to a destination enforcement point of a migrated workload, a state of a communications session of the migrated workload.
  - 16. The system of claim 11, wherein the workload is at least one of a:
    - bare-metal server, virtual machine, container, and microservice.
  - 17. The system of claim 11, wherein the event metadata includes at least one of:
    - an event, an application name, a service name, a user-defined tag/label, an IP address, a port number, an operating system name, a software version, and a location.
  - 18. The system of claim 11, wherein:
    - the event metadata includes at least one of a date and a time; and
      
      the high-level declarative security policy includes a time-based provision.
  - 19. The system of claim 11, wherein the high-level declarative policy comprises an intent-driven model, the intent-driven model specifying groups of workloads and describing permitted connectivity, security, and network services between the groups.
  - 20. The system of claim 11, wherein the low-level firewall rule set comprises individual workload addresses to and/or from which network communications are at least one of forwarded, blocked, redirected, and logged.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Sun, Yi, Zarny, Myo, Woolward, Marc
Primary Examiner(s)
McNally, Michael S

Application Number

US15/387,584
Time in Patent Office

293 Days
Field of Search

726 13
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

Granular segmentation using events

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Granular segmentation using events

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links