Cloud over IP session layer network
Abstract
Cloud endpoints are secured using agents and a controller connected to the agents. A whitelist identifies components and processes of an authorized multi-tiered application for the cloud. An application profile for the application specifies valid computing flows between components of a tier and components of another tier, where components of the tier are executed at an endpoint and the other components of the other tier are executed at another endpoint. Endpoints are provisioned with static routing tables identifying at least one subnet destination. A request is received at a first endpoint to connect to a second endpoint. If the second endpoint falls within the at least one subnet destination, the controller performs one or more further security checks including checking the application profile flow, whitelist, and endpoint quarantine list. A network kernel table at an endpoint that includes the static routing table may be periodically checked to detect tampering.
277 Citations

15 Claims

1. A method for securing, through a virtual network, a public cloud provided by a cloud services provider for an enterprise comprising:

- providing a plurality of agents for a plurality of endpoints, the plurality of endpoints to be hosted by a plurality of server machines in the public cloud provided by the cloud services provider for the enterprise;
- providing a controller that connects to the plurality of agents;
- storing, at the controller, a whitelist identifying components of a multi-tiered application authorized by the enterprise to use the virtual network;
- defining an application profile for the multi-tiered application, the application profile specifying valid computing flows between components of a tier of the multi-tiered application and components of another tier of the multi-tiered application, the components of the tier to be executed at an endpoint, and the other components of the other tier to be executed at another different endpoint;
- provisioning the plurality of endpoints according to the application profile, the provisioning comprising generating a plurality of static routing tables for the plurality of endpoints, a static routing table for an endpoint comprising at least one Internet Protocol (IP) subnet;
- distributing a first static routing table, and a first agent to a first endpoint, wherein when a request is received at the first endpoint to connect to a second endpoint, the first agent determines whether an IP address of the second endpoint falls within the at least one IP subnet;
- when the IP address of the second endpoint falls within the at least one IP subnet, receiving, at the controller from the first agent, a request to perform a security check;
- in response to the security check request, checking the whitelist to determine whether a requestor of the request to connect to the second endpoint is listed as a component of the multi-tiered application authorized to use the virtual network; and
- when the requestor of the request to connect to the second endpoint is not listed in the whitelist as a component of the multi-tiered application authorized to use the virtual network, denying the connection to the second endpoint.

2. The method of claim 1 comprising:

- determining that the requestor of the request to connect to the second endpoint is not listed in the whitelist as a component of the multi-tiered application authorized to use the virtual network; and
- upon the determination, not allowing the connection to the second endpoint.

3. The method of claim 1 comprising:

- programming the first static routing table into a network kernel table of an operating system (OS) executing at the first endpoint, the network kernel table comprising other routing information that is separate from the first static routing table;
- generating a copy of the network kernel table, the copy of the network kernel table thereby comprising the first static routing table distributed by the controller, and the other routing information that is separate from the first static routing table;
- maintaining, at the first endpoint, the copy of the network kernel table;
- sending another copy of the network kernel table to the controller for storage at the controller;
- periodically comparing the network kernel table in the OS against the copy of the network kernel table maintained at the first endpoint to detect tampering of the network kernel table in the OS; and
- upon detecting tampering, reinforcing the tampered network kernel table in the OS with the copy of the network kernel table maintained at the first endpoint, and issuing an alert to the controller.

4. The method of claim 1 comprising:

- maintaining continuous connections between the controller and the plurality of agents;
- detecting that a first continuous connection between the controller and the first agent at the first endpoint has been interrupted; and
- based on the interruption, placing the first endpoint into quarantine.

5. The method of claim 1 comprising:

- placing, by the controller, a third endpoint into quarantine;
- after the placing the third endpoint into quarantine, receiving, at the controller from the first agent at the first endpoint, a request to connect to the third endpoint, the request to connect to the third endpoint being received at the controller because the first agent has determined that an IP address of the third endpoint falls within the at least one IP subnet; and
- denying the request to connect to the third endpoint because the third endpoint is in quarantine.

6. The method of claim 1 wherein the components of the multi-tiered application identified in the whitelist are arranged as a tree, the tree comprises authorized parent and child processes associated with the component of the multi-tiered application authorized to use the virtual network, and signatures corresponding to the authorized processes, wherein the request to perform the security check comprises signatures of processes spawned from the requestor, and wherein the checking the whitelist comprises comparing a signature of a process spawned from the requestor with a signature of an authorized process listed in the whitelist.

7. The method of claim 1 comprising:

- in response to the security check request, checking the application profile to determine whether a computing flow from the first endpoint to the second endpoint is a valid computing flow according to the application profile.

8. The method of claim 1 comprising:

- in response to the security check request, checking a listing of endpoints that have been quarantined to determine whether an IP address of the second endpoint is in the listing.

9. The method of claim 1 wherein an endpoint comprises a container.

10. The method of claim 1 wherein an endpoint comprises a virtual machine.

11. A method for pre-defining a secure virtual network to connect endpoints in a public cloud provided by a cloud services provider for an enterprise and, after the pre-defining, enforcing security to allow only connections that were pre-defined, the pre-defining comprising:

- storing, at a controller, a whitelist comprising a plurality of authorized signatures corresponding to applications and processes authorized by the enterprise to use the secure virtual network;
- defining application profiles for the applications, the application profiles specifying valid subnetworks and computing flows between groups of endpoints for the applications;
- generating static routing tables based on the valid subnetworks for endpoints that are to be provisioned;
- provisioning the plurality of endpoints into the valid subnetworks according to the application profiles, the provisioning comprising distributing the static routing tables to the endpoints;

and the enforcing security comprising:

- receiving, at a first endpoint, a request to connect to a second endpoint;
- determining, at the first endpoint, whether an IP address of the second endpoint is within a valid subnetwork specified by a static routing table at the first endpoint;
- after determining that the IP address of the second endpoint is within the valid subnetwork, issuing, from the first endpoint to the controller, a request to perform a security check;
- receiving, at the controller, the request to perform the security check; and
- allowing, in response to the security check, the first endpoint to connect to the second endpoint when a plurality of conditions are satisfied, wherein a first condition is satisfied when an IP address of the first endpoint is in a first group of endpoints, the IP address of the second endpoint is in a second group of endpoints, and a computing flow according to an application profile indicates the first group is allowed to connect to the second group, a second condition is satisfied when a signature of a requestor of the request to connect, and a signature of a process triggered by the requestor matches authorized signatures specified in the whitelist, and a third condition is satisfied when the IP address of the second endpoint is not found in a list of quarantined endpoints.

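The connection check in claims 1 and 11 has two stages: the endpoint agent consults its static routing table and only forwards a security-check request to the controller when the destination falls inside a provisioned subnet, and the controller then applies the three conditions (application-profile flow, whitelisted signatures of the requestor and the processes it triggered, destination not quarantined). The following Python is an added illustration of that decision logic and is not code from the patent or its assignee; the tier subnets, signature strings, class names and the choice to refuse locally any destination outside the static routing table (the claims do not state what happens in that case) are all constructed for the example.

```python
# Added example (not from the patent): toy model of the agent/controller
# connection check in claims 1 and 11. Subnets, signatures and class names
# are constructed; a real agent would hook the OS network stack instead.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

Verdict = Tuple[bool, str]  # (allowed, reason)


@dataclass
class ApplicationProfile:
    """Endpoint groups (one subnet per tier) and the flows allowed between them."""
    groups: Dict[str, ipaddress.IPv4Network]
    flows: Set[Tuple[str, str]]  # (source group, destination group)

    def group_of(self, ip: str):
        addr = ipaddress.ip_address(ip)
        return next((name for name, net in self.groups.items() if addr in net), None)


@dataclass
class Controller:
    """Holds the whitelist, the application profile and the quarantine list."""
    whitelist: Set[str]  # authorized process signatures
    profile: ApplicationProfile
    quarantined: Set[str] = field(default_factory=set)

    def security_check(self, src_ip: str, dst_ip: str, signatures: Iterable[str]) -> Verdict:
        # First condition: the source group -> destination group flow is in the profile.
        src_group = self.profile.group_of(src_ip)
        dst_group = self.profile.group_of(dst_ip)
        if src_group is None or dst_group is None or (src_group, dst_group) not in self.profile.flows:
            return False, "flow not permitted by application profile"
        # Second condition: the requestor and every process it triggered are whitelisted.
        sigs = set(signatures)
        if not sigs or not sigs <= self.whitelist:
            return False, "requestor or spawned process not in whitelist"
        # Third condition: the destination endpoint is not quarantined.
        if dst_ip in self.quarantined:
            return False, "destination endpoint is quarantined"
        return True, "allowed"


class Agent:
    """Endpoint-side agent holding the static routing table the controller distributed."""

    def __init__(self, endpoint_ip: str, static_routes: Iterable[str], controller: Controller):
        self.ip = endpoint_ip
        self.routes = [ipaddress.ip_network(r) for r in static_routes]
        self.controller = controller

    def connect(self, dst_ip: str, signatures: Iterable[str]) -> Verdict:
        # Local check from claim 1: only destinations inside a provisioned subnet reach
        # the controller. Refusing anything else locally is an assumption of this example.
        addr = ipaddress.ip_address(dst_ip)
        if not any(addr in net for net in self.routes):
            return False, "destination outside static routing table"
        return self.controller.security_check(self.ip, dst_ip, signatures)


def build_demo() -> Tuple[Agent, Controller]:
    """Constructed three-tier profile: web -> app -> db, each tier on its own /24."""
    profile = ApplicationProfile(
        groups={
            "web": ipaddress.ip_network("10.0.1.0/24"),
            "app": ipaddress.ip_network("10.0.2.0/24"),
            "db": ipaddress.ip_network("10.0.3.0/24"),
        },
        flows={("web", "app"), ("app", "db")},
    )
    controller = Controller(
        whitelist={"sig:web-frontend", "sig:web-worker", "sig:app-server"},
        profile=profile,
    )
    # The web endpoint's static routing table covers only the app tier it may reach.
    agent = Agent("10.0.1.10", ["10.0.2.0/24"], controller)
    return agent, controller


if __name__ == "__main__":
    agent, controller = build_demo()
    ok = ["sig:web-frontend", "sig:web-worker"]
    print(agent.connect("10.0.2.10", ok))                    # allowed
    print(agent.connect("10.0.2.10", ok + ["sig:unknown"]))  # whitelist failure
    print(agent.connect("192.168.1.1", ok))                  # never reaches the controller
    controller.quarantined.add("10.0.2.10")
    print(agent.connect("10.0.2.10", ok))                    # quarantined destination
```

The order of the three checks is not fixed by the claims; the example evaluates the cheapest structural check (group membership and flow) first so that signature comparison only runs for flows the profile could ever allow.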
12. The method of claim 11 comprising:

- programming the static routing table into a network kernel table of an operating system (OS) at the first endpoint, the network kernel table comprising other routing information in addition to routing information from the static routing table;
- making a copy of the network kernel table, the copy of the network kernel table thereby comprising the routing information from the static routing table, and the other routing information;
- storing, at the first endpoint, the copy of the network kernel table;
- periodically comparing the network kernel table in the OS against the copy of the network kernel table stored at the first endpoint to detect tampering of the network kernel table in the OS; and
- upon detection of tampering, reinforcing the tampered network kernel table in the OS with the copy of the network kernel table stored at the first endpoint.

13. The method of claim 12 wherein the reinforcing the tampered network kernel table comprises replacing the tampered network kernel table with the copy of the network kernel table.

14. The method of claim 12 comprising:

- upon the detection of tampering, issuing an alert to the controller, wherein the controller, in response to the alert, adds an IP address of the first endpoint to a list of quarantined endpoints.

15. The method of claim 12 comprising:

- upon the detection of tampering, issuing an alert to the controller, wherein the controller, in response to the alert, instructs the first endpoint to empty a network kernel table in an operating system (OS) at the first endpoint, wherein the network kernel table comprises the static routing table distributed to the first endpoint, and other routing information in addition to the static routing table.

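Claims 3 and 12 to 15 describe a routing-table integrity loop: the agent programs the distributed static routes into the OS kernel table, snapshots the whole table (including routes the controller never installed), sends a second copy to the controller, periodically compares the live table against the snapshot, and on a mismatch restores the snapshot and alerts the controller, which either quarantines the endpoint (claim 14) or tells it to empty its kernel table (claim 15). The Python below is an added model of that loop and is not code from the patent; the in-memory dictionary standing in for the kernel table, the route values and the class names are constructed for the example.

```python
# Added example (not from the patent): toy model of the network kernel table
# tamper check in claims 3 and 12-15. The "kernel table" is an in-memory dict
# standing in for the OS routing table; every route value is constructed.
from typing import Dict, List, Optional, Tuple

Routes = Dict[str, str]  # destination prefix -> next hop


class KernelRouteTable:
    """Stand-in for the OS routing table, which also holds routes the controller did not install."""

    def __init__(self, existing: Optional[Routes] = None):
        self.routes: Routes = dict(existing or {})

    def snapshot(self) -> Routes:
        return dict(self.routes)

    def replace(self, routes: Routes) -> None:
        self.routes = dict(routes)


class RouteController:
    """Keeps a second copy of each endpoint's kernel table and reacts to tamper alerts."""

    def __init__(self, response: str = "quarantine"):
        self.copies: Dict[str, Routes] = {}
        self.quarantined: set = set()
        self.alerts: List[Tuple[str, List[str]]] = []
        self.response = response  # "quarantine" (claim 14) or "empty" (claim 15)

    def store_copy(self, endpoint_ip: str, copy: Routes) -> None:
        self.copies[endpoint_ip] = dict(copy)

    def alert(self, agent: "RouteAgent", changed: List[str]) -> None:
        self.alerts.append((agent.ip, changed))
        if self.response == "quarantine":
            self.quarantined.add(agent.ip)           # claim 14: quarantine the endpoint
        else:
            agent.kernel.replace({})                 # claim 15: instruct the endpoint to empty the table


class RouteAgent:
    def __init__(self, ip: str, kernel: KernelRouteTable, controller: RouteController):
        self.ip, self.kernel, self.controller = ip, kernel, controller
        self.copy: Routes = {}

    def provision(self, static_routes: Routes) -> None:
        """Program the distributed static routes, then snapshot the whole kernel table."""
        for dest, via in static_routes.items():
            self.kernel.routes[dest] = via
        self.copy = self.kernel.snapshot()            # copy also carries the pre-existing OS routes
        self.controller.store_copy(self.ip, self.copy)

    def check(self) -> List[str]:
        """Periodic comparison; returns the destinations that differ (empty when clean)."""
        live = self.kernel.snapshot()
        changed = sorted(d for d in set(live) | set(self.copy) if live.get(d) != self.copy.get(d))
        if changed:
            self.kernel.replace(self.copy)            # reinforce by restoring the local copy (claim 13)
            self.controller.alert(self, changed)      # then raise the alert (claims 14, 15)
        return changed


def run_scenario(response: str = "quarantine") -> Tuple[List[str], Routes, RouteController]:
    """Constructed scenario: provision, modify two kernel entries, run one check."""
    controller = RouteController(response)
    kernel = KernelRouteTable({"0.0.0.0/0": "10.0.1.1"})    # route the OS already had
    agent = RouteAgent("10.0.1.10", kernel, controller)
    agent.provision({"10.0.2.0/24": "10.0.1.1"})
    # Simulated tampering: redirect the app-tier route and add an unprovisioned one.
    kernel.routes["10.0.2.0/24"] = "10.0.1.99"
    kernel.routes["10.0.3.0/24"] = "10.0.1.99"
    changed = agent.check()
    return changed, kernel.snapshot(), controller


if __name__ == "__main__":
    for mode in ("quarantine", "empty"):
        changed, routes, ctl = run_scenario(mode)
        print(mode, "changed:", changed, "table after:", routes, "quarantined:", ctl.quarantined)
```

Because the snapshot covers the entire kernel table rather than only the distributed static routes, the comparison also catches additions such as the extra `10.0.3.0/24` entry above, which a check limited to the provisioned prefixes would miss.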
Specification