Firewall rule creation in a virtualized computing environment

US 10,320,749 B2
Filed: 11/07/2016
Issued: 06/11/2019
Est. Priority Date: 11/07/2016
Status: Active Grant

First Claim

Patent Images

1. A method for a network management entity to perform firewall rule creation in a virtualized computing environment that includes the network management entity, a first endpoint and a second endpoint, wherein the method comprises:

obtaining flow data associated with an application-layer protocol session between the first endpoint and second endpoint;

identifying, from the flow data, an association between a control flow and at least one data flow of the application-layer protocol session;

based on the association, creating a firewall rule that is applicable to both the control flow and at least one data flow; and

instructing a first firewall engine associated with the first endpoint, or a second firewall engine associated with the second endpoint, or both, to apply the firewall rule during the application-layer protocol session, wherein the first firewall engine, or the second firewall engine, or both processes packets in response to the instructing to apply the firewall rule.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example methods are provided for a network management entity to perform firewall rule creation in a virtualized computing environment. The method may comprise obtaining flow data associated with an application-layer protocol session between a first endpoint and a second endpoint in the virtualized computing environment; and identifying, from the flow data, an association between a control flow and at least one data flow of the application-layer protocol session. The method may also comprise: based on the association, creating a firewall rule that is applicable to both the control flow and at least one data flow; and instructing a first firewall engine associated with the first endpoint, or a second firewall engine associated with the second endpoint, or both, to apply the firewall rule during the application-layer protocol session.

39 Citations

View as Search Results

21 Claims

1. A method for a network management entity to perform firewall rule creation in a virtualized computing environment that includes the network management entity, a first endpoint and a second endpoint, wherein the method comprises:
- obtaining flow data associated with an application-layer protocol session between the first endpoint and second endpoint;
  
  identifying, from the flow data, an association between a control flow and at least one data flow of the application-layer protocol session;
  
  based on the association, creating a firewall rule that is applicable to both the control flow and at least one data flow; and
  
  instructing a first firewall engine associated with the first endpoint, or a second firewall engine associated with the second endpoint, or both, to apply the firewall rule during the application-layer protocol session, wherein the first firewall engine, or the second firewall engine, or both processes packets in response to the instructing to apply the firewall rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein creating the firewall rule comprises:
    - creating the firewall rule based on the control flow, while ignoring the at least one data flow during firewall rule creation.
  - 3. The method of claim 2, wherein creating the firewall rule comprises:
    - creating the firewall rule to allow communication via a control port number associated with the control flow, wherein at least one ephemeral data port number is dynamically negotiated for the respective at least one data flow through the control flow.
  - 4. The method of claim 3, wherein creating the firewall rule comprises:
    - creating the firewall rule to specify an application-layer protocol for which application-layer gateway (ALG) processing is supported by the first firewall engine, the second firewall engine, or both, wherein the ALG processing is to allow communication via the at least one ephemeral data port number based on the firewall rule.
  - 5. The method of claim 1, wherein identifying the association comprises:
    - traversing a tree structure in the flow data to identify the association based on a parent node and at least one child node linked to the parent node, wherein the parent node represents the control flow and the at least one child node represents respective at least one data flow.
  - 6. The method of claim 1, wherein obtaining the flow data comprises:
    - obtaining the tree structure from the first firewall engine, the second firewall engine, or both.
  - 7. The method of claim 1, wherein obtaining the flow data comprises:
    - obtaining the flow data associated with the application-layer protocol session that utilizes one of the following application-layer protocols;
      
      File Transfer Protocol (FTP), Remote Procedure Call (RPC), Common Internet File System (CIFS), Transparent Network Substrate (TNS) and Trivial File Transfer Protocol (TFTP).

8. A non-transitory computer-readable storage medium that includes a set of instructions which, in response to execution by a processor of a network management entity, cause the processor to perform a method of firewall rule creation in a virtualized computing environment that includes the network management entity, a first endpoint and a second endpoint, wherein the method comprises:
- obtaining flow data associated with an application-layer protocol session between the first endpoint and second endpoint;
  
  identifying, from the flow data, an association between a control flow and at least one data flow of the application-layer protocol session;
  
  based on the association, creating a firewall rule that is applicable to both the control flow and at least one data flow; and
  
  instructing a first firewall engine associated with the first endpoint, or a second firewall engine associated with the second endpoint, or both, to apply the firewall rule during the application-layer protocol session, wherein the first firewall engine, or the second firewall engine, or both processes packets in response to the instructing to apply the firewall rule.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8, wherein creating the firewall rule comprises:
    - creating the firewall rule based on the control flow, while ignoring the at least one data flow during firewall rule creation.
  - 10. The non-transitory computer-readable storage medium of claim 9, wherein creating the firewall rule comprises:
    - creating the firewall rule to allow communication via a control port number associated with the control flow, wherein at least one ephemeral data port number is dynamically negotiated for the respective at least one data flow through the control flow.
  - 11. The non-transitory computer-readable storage medium of claim 10, wherein creating the firewall rule comprises:
    - creating the firewall rule to specify an application-layer protocol for which application-layer gateway (ALG) processing is supported by the first firewall engine, the second firewall engine, or both, wherein the ALG processing is to allow communication via the at least one ephemeral data port number based on the firewall rule.
  - 12. The non-transitory computer-readable storage medium of claim 8, wherein identifying the association comprises:
    - traversing a tree structure in the flow data to identify the association based on a parent node and at least one child node linked to the parent node, wherein the parent node represents the control flow and the at least one child node represents respective at least one data flow.
  - 13. The non-transitory computer-readable storage medium of claim 8, wherein obtaining the flow data comprises:
    - obtaining the tree structure from the first firewall engine, the second firewall engine, or both.
  - 14. The non-transitory computer-readable storage medium of claim 8, wherein obtaining the flow data comprises:
    - obtaining the flow data associated with the application-layer protocol session that utilizes one of the following application-layer protocols;
      
      File Transfer Protocol (FTP), Remote Procedure Call (RPC), Common Internet File System (CIFS), Transparent Network Substrate (TNS) and Trivial File Transfer Protocol (TFTP).

15. A computer system configured to perform firewall rule creation in a virtualized computing environment, the computer system comprising:
- a processor; and
  
  a non-transitory computer-readable medium having stored thereon instructions that, when executed by the processor, cause the processor to;
  
  obtain flow data associated with an application-layer protocol session between a first endpoint and a second endpoint in the virtualized computing environment;
  
  identify, from the flow data, an association between a control flow and at least one data flow of the application-layer protocol session;
  
  based on the association, create a firewall rule that is applicable to both the control flow and at least one data flow; and
  
  instruct a first firewall engine associated with the first endpoint, or a second firewall engine associated with the second endpoint, or both, to apply the firewall rule during the application-layer protocol session, wherein the first firewall engine, or the second firewall engine, or both processes packets in response to the processor instructing to apply the firewall rule.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer system of claim 15, wherein instructions for creating the firewall rule cause the processor to:
    - create the firewall rule based on the control flow, while ignoring the at least one data flow during firewall rule creation.
  - 17. The computer system of claim 16, wherein instructions for creating the firewall rule cause the processor to:
    - create the firewall rule to allow communication via a control port number associated with the control flow, wherein at least one ephemeral data port number is dynamically negotiated for the respective at least one data flow through the control flow.
  - 18. The computer system of claim 17, wherein instructions for creating the firewall rule cause the processor to:
    - create the firewall rule to specify an application-layer protocol for which application-layer gateway (ALG) processing is supported by the first firewall engine, the second firewall engine, or both, wherein the ALG processing is to allow communication via the at least one ephemeral data port number based on the firewall rule.
  - 19. The computer system of claim 15, wherein instructions for identifying the association cause the processor to:
    - traverse a tree structure in the flow data to identify the association based on a parent node and at least one child node linked to the parent node, wherein the parent node represents the control flow and the at least one child node represents respective at least one data flow.
  - 20. The computer system of claim 15, wherein instructions for obtaining the flow data cause the processor to:
    - obtain the tree structure from the first firewall engine, the second firewall engine, or both.
  - 21. The computer system of claim 15, wherein instructions for obtaining the flow data cause the processor to:
    - obtain the flow data associated with the application-layer protocol session that utilizes one of the following application-layer protocols;
      
      File Transfer Protocol (FTP), Remote Procedure Call (RPC), Common Internet File System (CIFS), Transparent Network Substrate (TNS) and Trivial File Transfer Protocol (TFTP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Sengupta, Anirban, Krishna, Sunitha, Manuguri, Subrahmanyam
Primary Examiner(s)
Cribbs, Malcolm

Application Number

US15/344,591
Publication Number

US 20180131675A1
Time in Patent Office

946 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

Firewall rule creation in a virtualized computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall rule creation in a virtualized computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links