Granular segmentation using events
Abstract
Methods and systems for granular segmentation of data networks are provided herein. Exemplary methods include: receiving from a metadata source event metadata associated with a workload; identifying a workload type using the event metadata; determining a high-level declarative security policy using the workload type; launching a compiler to generate a low-level firewall rule set using the high-level declarative policy and the event metadata; and configuring by a plurality of enforcement points a respective network switch of a plurality of network switches to process packets in accordance with the low-level firewall ruleset, the network switches being collectively communicatively coupled to a plurality of workloads, such that network communications between a first group of workloads of the plurality of workloads and the workload are not permitted, and between a second group of workloads of the plurality of workloads and the workload are permitted.
20 Claims
1. A method implemented by at least one hardware processor for granular segmentation of data networks, the method comprising:
receiving from a metadata source event metadata associated with a workload;
identifying a workload type using the event metadata;
determining a high-level declarative security policy using the workload type;
launching a compiler to generate a low-level firewall rule set using the high-level declarative security policy and the event metadata; and
configuring by a plurality of enforcement points a respective network switch of a plurality of network switches to process packets in accordance with the low-level firewall rule set, the plurality of network switches being collectively communicatively coupled to a plurality of workloads, such that network communications between a first group of workloads of the plurality of workloads and the workload are not permitted, and between a second group of workloads of the plurality of workloads and the workload are permitted.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system for granular segmentation of data networks, the system comprising:
at least one hardware processor; and
a memory coupled to the at least one hardware processor, the memory storing instructions executable by the at least one hardware processor to perform a method comprising:
receiving from a metadata source event metadata associated with a workload;
identifying a workload type using the event metadata;
determining a high-level declarative security policy using the workload type;
launching a compiler to generate a low-level firewall rule set using the high-level declarative security policy and the event metadata; and
configuring by a plurality of enforcement points a respective network switch of a plurality of network switches to process packets in accordance with the low-level firewall rule set, the plurality of network switches being collectively communicatively coupled to a plurality of workloads, such that network communications between a first group of workloads of the plurality of workloads and the workload are not permitted, and between a second group of workloads of the plurality of workloads and the workload are permitted.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
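The abstract and claims 1 and 11 describe the same five-step pipeline: event metadata identifies a workload type, the type selects a declarative policy, a compiler expands that policy into a concrete firewall rule set, and enforcement points program the switches so that one group of workloads can reach the new workload and another cannot. The following is an added worked example of that pipeline written for this page; it is not code from the patent or its assignee. The event schema, label vocabulary, policy format, rule format, switch names and IP addresses are all assumptions chosen for the illustration, and the inventory and event are constructed sample data.

```python
"""Added illustration of the claimed pipeline (event metadata -> workload type ->
declarative policy -> compiled rule set -> per-switch enforcement). Not code from the
patent; every schema, name and address below is an assumption made for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source IP, or "any"
    dst: str              # destination IP, or "any"
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port; None matches any port


# Constructed orchestrator event for a newly launched workload (assumed schema).
SAMPLE_EVENT = {"event": "workload.created", "id": "w-1001", "ip": "10.0.2.15",
                "switch": "sw-2", "labels": {"app": "billing", "tier": "web"}}

# Constructed inventory of workloads already running, keyed by id (assumed schema).
INVENTORY = {
    "w-0001": {"ip": "10.0.1.2", "switch": "sw-1", "labels": {"role": "loadbalancer"}},
    "w-2001": {"ip": "10.0.3.7", "switch": "sw-3", "labels": {"app": "billing", "tier": "db"}},
    "w-2002": {"ip": "10.0.3.8", "switch": "sw-3", "labels": {"app": "billing", "tier": "db"}},
    "w-3001": {"ip": "10.0.4.9", "switch": "sw-4", "labels": {"app": "analytics", "tier": "db"}},
}

# High-level declarative policy per workload type (assumed vocabulary). Only permitted
# flows are listed; the compiler adds the default deny. "${app}" is the new workload's app.
POLICIES = {
    "web": {"inbound":  [{"from": {"role": "loadbalancer"}, "proto": "tcp", "port": 443}],
            "outbound": [{"to": {"app": "${app}", "tier": "db"}, "proto": "tcp", "port": 5432}]},
    "db":  {"inbound":  [{"from": {"app": "${app}", "tier": "web"}, "proto": "tcp", "port": 5432}],
            "outbound": []},
}


def identify_workload_type(event: dict) -> str:
    """Step 2: classify the workload from its event metadata (labels, in this example)."""
    labels = event["labels"]
    if "tier" in labels:
        return labels["tier"]
    if labels.get("role") == "loadbalancer":
        return "loadbalancer"
    raise ValueError("unclassifiable workload %s" % event["id"])


def select_policy(workload_type: str) -> dict:
    """Step 3: pick the declarative policy; an unknown type gets an empty policy,
    which compiles to deny-all rather than to an open network."""
    return POLICIES.get(workload_type, {"inbound": [], "outbound": []})


def _matches(selector: dict, labels: dict, own: dict) -> bool:
    """Every selector key must be present with the given value on the peer's labels."""
    return all(labels.get(k) == (own.get("app") if v == "${app}" else v)
               for k, v in selector.items())


def compile_rules(event: dict, policy: dict, inventory: dict) -> Dict[str, List[Rule]]:
    """Step 4: expand declarative clauses into concrete per-switch 5-tuple rules.
    Allow rules go to both ends of each flow; the default deny for the new workload
    is appended last so that first-match evaluation sees the allows first."""
    ip, sw, own = event["ip"], event["switch"], event["labels"]
    per_switch: Dict[str, List[Rule]] = {sw: []}

    def emit(peer_switch: str, rule: Rule) -> None:
        per_switch[sw].append(rule)
        if peer_switch != sw:
            per_switch.setdefault(peer_switch, []).append(rule)

    for c in policy["inbound"]:
        for peer in inventory.values():
            if _matches(c["from"], peer["labels"], own):
                emit(peer["switch"], Rule("allow", peer["ip"], ip, c["proto"], c["port"]))
    for c in policy["outbound"]:
        for peer in inventory.values():
            if _matches(c["to"], peer["labels"], own):
                emit(peer["switch"], Rule("allow", ip, peer["ip"], c["proto"], c["port"]))
    per_switch[sw].append(Rule("deny", "any", ip, "any", None))
    per_switch[sw].append(Rule("deny", ip, "any", "any", None))
    return per_switch


def forward(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """Step 5: an enforcement point's decision for one packet: first matching rule wins.
    A packet that matches nothing is outside this workload's segment ("unmatched")."""
    for r in rules:
        if (r.src in ("any", src) and r.dst in ("any", dst)
                and r.proto in ("any", proto) and r.port in (None, port)):
            return r.action
    return "unmatched"


def segment(event: dict, inventory: dict = INVENTORY) -> Dict[str, List[Rule]]:
    """The whole pipeline for one event: returns the rule set per switch."""
    return compile_rules(event, select_policy(identify_workload_type(event)), inventory)
```

Two points a practitioner should take from the example. First, the default deny is scoped to the new workload's own switch: the peer switches (sw-3 here) receive only allow rules, so blocking unexpected traffic at the peer end relies on the deny that was compiled when that peer's own event was processed. Second, an unclassifiable workload type compiles to a deny-only rule set, which is the safe failure mode; the pipeline never leaves a workload with no rules at all.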