Virtual gateways for isolating virtual machines

US 9,819,658 B2
Filed: 07/12/2012
Issued: 11/14/2017
Est. Priority Date: 07/12/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a virtual gateway separating a plurality of virtual machines into an enclave separate from a plurality of other enclaves, a message destined for a target virtual machine of the plurality of virtual machines in the enclave;

identifying, by the virtual gateway, a community-of-interest corresponding to the target virtual machine;

encrypting, by the virtual gateway, the message with a key assigned to the identified community-of-interest;

transmitting the encrypted message to the target virtual machine;

receiving, at the virtual gateway, a request for a dynamic license from the virtual machine; and

transmitting, by the virtual gateway, the request for a dynamic license to a license server.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Virtual machines in a network may be isolated by encrypting transmissions between the virtual machines with keys possessed only by an intended recipient. Within a network, the virtual machines may be logically organized into a number of community-of-interest (COI) groups. Each COI may use an encryption key to secure communications within the COI, such that only other virtual machines in the COI may decrypt the message. Virtual machines may further be isolated through a virtual gateway assigned to handle all communications between a virtual machine and a device outside of the virtual machine'"'"'s COI. The virtual gateway may be a separate virtual machine for handling decrypting and encrypting messages for transmission between virtual machines and other devices.

15 Citations

23 Claims

1. A method, comprising:
- receiving, by a virtual gateway separating a plurality of virtual machines into an enclave separate from a plurality of other enclaves, a message destined for a target virtual machine of the plurality of virtual machines in the enclave;
  
  identifying, by the virtual gateway, a community-of-interest corresponding to the target virtual machine;
  
  encrypting, by the virtual gateway, the message with a key assigned to the identified community-of-interest;
  
  transmitting the encrypted message to the target virtual machine;
  
  receiving, at the virtual gateway, a request for a dynamic license from the virtual machine; and
  
  transmitting, by the virtual gateway, the request for a dynamic license to a license server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, in which the community-of-interest (COI) is at least one of a web tier COI, an application COI, a database COI, and an administrative COI.
  - 3. The method of claim 1, in which the message is received from an unencrypted network.
  - 4. The method of claim 1, further comprising, when the identified community-of-interest is not common with a community-of-interest assigned to the virtual gateway, dropping the message.
  - 5. The method of claim 1, further comprising, when the message has a characteristic matching a defined rule of the virtual gateway, dropping the message.
  - 6. The method of claim 5, in which the characteristic comprises at least one of a source address, a destination address, a source port, and a destination port.
  - 7. The method of claim 1, in which the message is only transmitted to the targeted virtual machine within the enclave if the targeted virtual machine has a community-of-interest in common with the virtual gateway.
  - 8. The method of claim 1, in which only an outside virtual machine having a common community-of-interest with the virtual gateway communicates with the plurality of virtual machines within the enclave.

9. A computer program product, comprising:
- a non-transitory computer readable medium comprising;
  
  code to receive, by a virtual gateway separating a plurality of virtual machines into an enclave separate from a plurality of other enclaves, a message destined for a target virtual machine of the plurality of virtual machines in the enclave;
  
  code to identify, by the virtual gateway, a community-of-interest corresponding to the target virtual machine;
  
  code to encrypt, by the virtual gateway, the message with a key assigned to the identified community-of-interest;
  
  code to transmit the encrypted message to the target virtual machine;
  
  code to receive, at the virtual gateway, a request for a dynamic license from the virtual machine; and
  
  code to transmit, by the virtual gateway, the request for a dynamic license to a license server.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer program product of claim 9, in which the community-of-interest (COI) is at least one of a web tier COI, an application COI a database COI, and an administrative COI.
  - 11. The computer program product of claim 9, in which the message is received from an unencrypted network.
  - 12. The computer program product of claim 9, in which the medium further comprises code to, when the identified community-of-interest is not common with a community-of-interest assigned to the virtual gateway, drop the message.
  - 13. The computer program product of claim 9, in which the medium further comprises code to, when the message has a characteristic matching a defined rule of the virtual gateway, drop the message.
  - 14. The computer program product of claim 13, in which the characteristic comprises at least one of a source address, a destination address, a source port, and a destination port.
  - 15. The computer program product of claim 9, in which the message is only transmitted to the targeted virtual machine within the enclave if the targeted virtual machine has a community-of-interest in common with the virtual gateway.
  - 16. The computer program product of claim 9, in which only an outside virtual machine having a common community-of-interest with the virtual gateway communicates with the plurality of virtual machines within the enclave.

17. An apparatus, comprising:
- a memory;
  
  a network interface; and
  
  a processor coupled to the memory and to the network interface, in which the processor is configured;
  
  to receive, by a virtual gateway separating a plurality of virtual machines into an enclave separate from a plurality of other enclaves, a message destined for a target virtual machine of the plurality of virtual machines in the enclave;
  
  to identify, by the virtual gateway, a community-of-interest corresponding to the target virtual machine;
  
  to encrypt, by the virtual gateway, the message with a key assigned to the identified community-of-interest;
  
  to transmit the encrypted message to the target virtual machine through the network interface;
  
  to receive a request, by the virtual gateway, for a dynamic license from the virtual machine; and
  
  to transmit, by the virtual gateway, the request for a dynamic license to a license server.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The apparatus of claim 17, in which the message is received, through the network interface, from an unencrypted network.
  - 19. The apparatus of claim 17, in which the processor is further configured to, when the identified community-of-interest is not common with a community-of-interest assigned to the virtual gateway, drop the message.
  - 20. The apparatus of claim 17, in which the processor is further configured to, when the message has a characteristic matching a defined rule of the virtual gateway, drop the message.
  - 21. The apparatus of claim 17, in which the characteristic comprises at least one of a source address, a destination address, a source port, and a destination port.
  - 22. The apparatus of claim 17, in which the message is only transmitted to the targeted virtual machine within the enclave if the targeted virtual machine has a community-of-interest in common with the virtual gateway.
  - 23. The apparatus of claim 17, in which only an outside virtual machine having a common community-of-interest with the virtual gateway communicates with the plurality of virtual machines within the enclave.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unisys Corporation
Original Assignee
Unisys Corporation
Inventors
Dodgson, David S., Farina, Ralph, Fontana, James A., Johnson, Robert A., Maw, David, Narisi, Anthony
Primary Examiner(s)
ABEDIN, SHANTO

Application Number

US13/547,143
Publication Number

US 20140019750A1
Time in Patent Office

1,951 Days
Field of Search

713150, 713153, 713175, 713191, 713193, 713166, 726 1, 726 21, 726 11- 14, 380 44, 380255, 380285, 718104, 718105, 709225-227, 709238
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0471   applying encryption by an i...

H04L 63/104   Grouping of entities

Virtual gateways for isolating virtual machines

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual gateways for isolating virtual machines

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links