Data network microsegmentation

US 10,009,383 B2
Filed: 12/16/2016
Issued: 06/26/2018
Est. Priority Date: 06/24/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for microsegmentation of data networks comprising:

receiving a high-level declarative policy, the high-level declarative policy based on metadata associated with a plurality of containers from an orchestration layer;

determining a low-level firewall rule set using the high-level declarative policy; and

configuring, by a plurality of enforcement points, a respective virtual switch of a plurality of virtual switches to process packets in accordance with the low-level firewall ruleset, the virtual switches being collectively communicatively coupled to the plurality of containers, such that network communications between a first group of containers and a second group of containers of the plurality of containers are restricted by a first set of characteristics, and communications between containers of the first group of containers are at least one of permitted and restricted by a second set of characteristics; and

wherein the metadata includes at least one of an image name, an image type, service name, ports, tags and labels associated with the plurality of containers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for microsegmentation of data networks are provided herein. Exemplary methods include: receiving a high-level declarative policy; getting metadata associated with a plurality of containers from an orchestration layer; determining a low-level firewall rule set using the high-level declarative policy and the metadata; and configuring by a plurality of enforcement points a respective virtual switch of a plurality of virtual switches to process packets in accordance with the low-level firewall ruleset, the virtual switches being collectively communicatively coupled to the plurality of containers, such that network communications between a first group of containers and a second group of containers of the plurality of containers are not permitted, and communications between containers of the first group of containers are permitted.

131 Citations

17 Claims

1. A computer-implemented method for microsegmentation of data networks comprising:
- receiving a high-level declarative policy, the high-level declarative policy based on metadata associated with a plurality of containers from an orchestration layer;
  
  determining a low-level firewall rule set using the high-level declarative policy; and
  
  configuring, by a plurality of enforcement points, a respective virtual switch of a plurality of virtual switches to process packets in accordance with the low-level firewall ruleset, the virtual switches being collectively communicatively coupled to the plurality of containers, such that network communications between a first group of containers and a second group of containers of the plurality of containers are restricted by a first set of characteristics, and communications between containers of the first group of containers are at least one of permitted and restricted by a second set of characteristics; and
  
  wherein the metadata includes at least one of an image name, an image type, service name, ports, tags and labels associated with the plurality of containers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein the high-level declarative policy is further based on at least one model associated with the metadata.
  - 3. The computer-implemented method of claim 2, wherein the plurality of enforcement points matches the metadata with the at least one model to determine a list of at least one of allowed protocols, ports and relationships for the plurality of containers.
  - 4. The computer-implemented method of claim 1, wherein an enforcement point of the plurality of enforcement points runs on a container close in physical proximity to at least one container of the plurality of containers, communications of the at least one container of the plurality of containers being controlled by the enforcement point.
  - 5. The computer-implemented method of claim 1, further comprising:
    - dynamically commissioning a new enforcement point in response to a new container being added to the plurality of containers.
  - 6. The computer-implemented method of claim 1, further comprising:
    - provisioning a new enforcement point, the new enforcement point being communicatively coupled with a virtual switch of the plurality of virtual switches, the virtual switch being communicatively coupled to at least one container of the plurality of containers; and
      
      programming the virtual switch of the plurality of virtual switches to forward received network packets to the new enforcement point, the virtual switch being communicatively coupled to the at least one container.
  - 7. The computer-implemented method of claim 1, further comprising:
    - receiving, by an enforcement point of the plurality of enforcement points, network traffic from a virtual switch;
      
      detecting the network traffic violates the high-level declarative policy; and
      
      at least one of issuing an alert, dropping the network traffic, and forwarding the network traffic.
  - 8. The computer-implemented method of claim 1, wherein the high-level declarative policy specifies groups of containers and describes permitted connectivity, security and network services between the groups of containers.
  - 9. The computer-implemented method of claim 1, wherein at least one container in the first group of containers is running on a different physical server than at least one other container in the first group of containers.

10. A system for microsegmentation of data networks comprising:
- a processor; and
  
  a memory coupled to the processor, the memory storing instructions which are executable by the processor to perform a method comprising;
  
  receiving a high-level declarative policy, the high-level declarative policy based on metadata associated with a plurality of containers from an orchestration layer;
  
  determining a low-level firewall rule set using the high-level declarative policy; and
  
  configuring, by a plurality of enforcement points, a respective virtual switch of a plurality of virtual switches to process packets in accordance with the low-level firewall ruleset, the virtual switches being collectively communicatively coupled to the plurality of containers, such that network communications between a first group of containers and a second group of containers of the plurality of containers are restricted by a first set of characteristics, and communications between containers of the first group of containers are at least one of permitted and restricted by a second set of characteristics; and
  
  wherein the metadata includes at least one of an image name, an image type, service name, ports, tags and labels associated with the plurality of containers.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, wherein the high-level declarative policy is further based on at least one model associated with the metadata.
  - 12. The system of claim 11, wherein the plurality of enforcement points matches the metadata with the at least one model to determine a list of at least one of allowed protocols, ports and relationships for the plurality of containers.
  - 13. The system of claim 10, wherein an enforcement point of the plurality of enforcement points runs on a container close in physical proximity to at least one container of the plurality of containers, communications of the at least one container of the plurality of containers being controlled by the enforcement point.
  - 14. The system of claim 10, further comprising:
    - dynamically commissioning a new enforcement point in response to a new container being added to the plurality of containers.
  - 15. The system of claim 10, further comprising:
    - provisioning a new enforcement point, the new enforcement point being communicatively coupled with a virtual switch of the plurality of virtual switches, the virtual switch being communicatively coupled to at least one container of the plurality of containers; and
      
      programming the virtual switch of the plurality of virtual switches to forward received network packets to the new enforcement point, the virtual switch being communicatively coupled to the at least one container.
  - 16. The system of claim 10, further comprising:
    - receiving, by an enforcement point of the plurality of enforcement points, network traffic from a virtual switch;
      
      detecting the network traffic violates the high-level declarative policy; and
      
      at least one of issuing an alert, dropping the network traffic, and forwarding the network traffic.
  - 17. The system of claim 10, wherein the high-level declarative policy specifies groups of containers and describes permitted connectivity, security, and network services between the groups of containers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Woolward, Marc
Primary Examiner(s)
McNally, Michael S

Application Number

US15/382,443
Publication Number

US 20170374102A1
Time in Patent Office

557 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Data network microsegmentation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

131 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Data network microsegmentation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links