Context aware microsegmentation

US 10,158,672 B2
Filed: 09/01/2016
Issued: 12/18/2018
Est. Priority Date: 03/13/2015
Status: Active Grant

First Claim

Patent Images

1. A context aware microsegmented network, comprising:

an enforcement point creating a logical security boundary around at least a first and a second virtual machine collectively providing a microservice, the microservice comprising a first microservice component and a second microservice component, the first microservice component being provided by the first virtual machine, the second microservice component being provided by the second virtual machine, the enforcement point configured to;

select at least a first and a second contextual security policy based upon attributes of the first and the second virtual machines respectively; and

apply at least one of the first and the second contextual security policies to control network traffic of the first and the second virtual machines within the logical security boundary based on the attributes of the first and the second virtual machines; and

a central enforcement controller that;

determines a packet forwarding path for the enforcement point;

selects a third contextual security policy based on at least one of a location of the enforcement point and security attributes of the enforcement point; and

applies the third contextual security policy to network traffic into and out of the logical security boundary received by at least one of the location of the enforcement point or the packet forwarding path.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of plurality of microservices is bounded by one of the plurality of logical security boundaries.

144 Citations

27 Claims

1. A context aware microsegmented network, comprising:
- an enforcement point creating a logical security boundary around at least a first and a second virtual machine collectively providing a microservice, the microservice comprising a first microservice component and a second microservice component, the first microservice component being provided by the first virtual machine, the second microservice component being provided by the second virtual machine, the enforcement point configured to;
  
  select at least a first and a second contextual security policy based upon attributes of the first and the second virtual machines respectively; and
  
  apply at least one of the first and the second contextual security policies to control network traffic of the first and the second virtual machines within the logical security boundary based on the attributes of the first and the second virtual machines; and
  
  a central enforcement controller that;
  
  determines a packet forwarding path for the enforcement point;
  
  selects a third contextual security policy based on at least one of a location of the enforcement point and security attributes of the enforcement point; and
  
  applies the third contextual security policy to network traffic into and out of the logical security boundary received by at least one of the location of the enforcement point or the packet forwarding path.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The context aware microsegmented network according to claim 1, wherein the attributes of the first and the second virtual machines comprise a location of a data center where the first and second virtual machines reside.
  - 3. The context aware microsegmented network according to claim 1, wherein the first and the second virtual machines are physically collocated in a data center.
  - 4. The context aware microsegmented network according to claim 1, wherein the enforcement point is a virtual machine.
  - 5. The context aware microsegmented network according to claim 1, wherein network traffic that violates at least of the first contextual security policy, the second contextual security policy, and the third contextual security policy is rejected.
  - 6. The context aware microsegmented network according to claim 1, wherein network traffic that violates at least one of the first contextual security policy, the second contextual security policy, and the third contextual security policy is subjected to intrusion prevention scanning.
  - 7. The context aware microsegmented network according to claim 1, wherein the first virtual machine within the logical security boundary is subject to different local security requirements, the different local security requirements manifesting in the first contextual security policy.
  - 8. The context aware microsegmented network according to claim 1, wherein the first virtual machine is located in a first country and the second virtual machine is located in a second country, wherein the first country is subject to a first set of security requirements manifesting in the first contextual security policy and the second country is subject to a second set of security requirements manifesting in the second contextual security policy.
  - 9. The context aware microsegmented network according to claim 1, wherein the central enforcement controller further inspects the network traffic into and out of the logical security boundary for malicious behavior by performing a stateful inspection of the network traffic.
  - 10. The context aware microsegmented network according to claim 1, wherein the enforcement point quarantines at least one of the first and the second virtual machines when network traffic associated with a respective one of the first and the second virtual machines violates one or more of the first, the second and the third contextual security policies.
  - 11. The context aware microsegmented network according to claim 1, wherein the enforcement point measures network traffic associated with one of the first and the second virtual machines and determines the measured network traffic is indicative of malicious behavior.
  - 12. The context aware microsegmented network according to claim 11, wherein the determining includes comparing the measured network traffic to traffic rules, the traffic rules being included in at least one of the first, the second, and the third contextual security policies.
  - 13. The context aware microsegmented network according to claim 11, wherein the enforcement point further provides a warning for the malicious behavior when the malicious behavior is determined.

14. A method for context aware security policy enforcement, the method comprising:
- selecting, by an enforcement point, at least a first and a second contextual security policy based upon attributes of at least a first and a second virtual machine respectively, the at least first and second virtual machines collectively providing a microservice, the microservice comprising a first microservice component and a second microservice component, the first microservice component being provided by the first virtual machine, the second microservice component being provided by the second virtual machine;
  
  applying, by the enforcement point, at least one of the first and the second contextual security policies to control network traffic of the first and the second virtual machines within a logical security boundary based on the attributes of the first and the second virtual machines;
  
  determining, by a central enforcement controller, a packet forwarding path for the enforcement point;
  
  selecting, by the central enforcement controller, a third contextual security policy based on at least one of a location of the enforcement point and security attributes of the enforcement point; and
  
  applying, by the central enforcement controller, the third contextual security policy to network traffic into and out of the logical security boundary received by at least one of the location of the enforcement point or the packet forwarding path.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The method according to claim 14, wherein the attributes of the first and the second virtual machines comprise a location of a data center where the first and the second virtual machines reside.
  - 16. The method according to claim 14, wherein the first and the second virtual machines are physically collocated in a data center.
  - 17. The method according to claim 14, wherein the enforcement point is a virtual machine.
  - 18. The method according to claim 14, further comprising rejecting network traffic that violates at least one of the first contextual security policy, the second contextual security policy, and the third contextual security policy.
  - 19. The method according to claim 14, further comprising subjecting network traffic that violates at least one of the first contextual security policy, the second contextual security policy, and the third contextual security policy to intrusion prevention scanning.
  - 20. The method according to claim 14, further comprising subjecting the first virtual machine within the logical security boundary to different local security requirements, the different local security requirements manifesting in the first contextual security policy.
  - 21. The method according to claim 14, wherein the first virtual machine is located in a first country and the second virtual machine is located in a second country, wherein the first country is subject to a first set of security requirements manifesting in the first contextual security policy and the second country is subject to a second set of security requirements manifesting in the second contextual security policy.
  - 22. The method according to claim 14, wherein the central enforcement controller further inspects the network traffic into and out of the logical security boundary for malicious behavior by performing a stateful inspection of the network traffic.
  - 23. The method according to claim 14, further comprising quarantining at least one of the first and the second virtual machines when network traffic associated with a respective one of the first and the second virtual machines violates one or more of the first, the second and the third contextual security policies.
  - 24. The method according to claim 14, further comprising:
    - measuring network traffic associated with one of the first and the second virtual machines; and
      
      determining the measured network traffic is indicative of malicious behavior.
  - 25. The method according to claim 24, wherein the determining includes comparing the measured network traffic to traffic rules, the traffic rules being included in at least one of the first, the second, and the third contextual security policies.
  - 26. The method according to claim 24, further comprising:
    - providing a warning for the malicious behavior when the malicious behavior is determined.

27. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method, the method comprising:
- selecting, by an enforcement point, at least a first and a second contextual security policy based upon attributes of at least a first and a second virtual machine respectively, the at least first and second virtual machines collectively providing a microservice, the microservice comprising a first microservice component and a second microservice component, the first microservice component being provided by the first virtual machine, the second microservice component being provided by the second virtual machine;
  
  applying, by the enforcement point, at least one of the first and the second contextual security policies to control network traffic of the first and the second virtual machines within a logical security boundary based on the attributes of the first and the second virtual machines;
  
  determining, by a central enforcement controller, a packet forwarding path for the enforcement point;
  
  selecting, by the central enforcement controller, a third contextual security policy based on at least one of a location of the enforcement point and security attributes of the enforcement point; and
  
  applying, by the central enforcement controller, the third contextual security policy to network traffic into and out of the logical security boundary received by at least one of the location of the enforcement point or the packet forwarding path.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Shieh, Choung-Yaw, Lian, Jia-Jyi, Sun, Yi, Xu, Meng
Primary Examiner(s)
Gee, Jason K

Application Number

US15/255,132
Publication Number

US 20170063933A1
Time in Patent Office

838 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 21/554   involving event detection a...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0254   Stateful filtering

H04L 63/107   wherein the security polici...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Context aware microsegmentation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

144 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Context aware microsegmentation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

144 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links