Providing application visibility for micro-segmentation of a network deployment

US 10,567,440 B2
Filed: 12/16/2016
Issued: 02/18/2020
Est. Priority Date: 12/16/2016
Status: Active Grant

First Claim

Patent Images

1. A method of creating micro-segmentation policies for traffic flowing between compute nodes that execute distributed applications in a network, the method comprising:

through a user interface, receiving a selection of a subset of the compute nodes as seed nodes, wherein each seed node is a node for a different distributed application;

monitoring network packet traffic flows for the set of selected seed nodes bar performing deep packet inspection (DPI) to collect network traffic flow information;

analyzing the collected network flow information to identify, for each respective seed node of the selected seed nodes, a set of one or more nodes related to the respective seed node; and

for each respective selected seed node and the set of nodes related to the respective seed node, generating micro-segmentation policies for managing network packet traffic flows for the application executed by the respective seed node and the set of nodes related to the respective seed node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of creating micro-segmentation policies for a network is provided. The method identifies a set of network nodes as seed nodes. The method monitors network packet traffic flows for the seed nodes to collect traffic flow information. The method identifies a set of related nodes for the set of seed nodes based on the collected network flow information. The method analyzes the collected network flow information to identify micro-segmentation policies for the network.

68 Citations

View as Search Results

18 Claims

1. A method of creating micro-segmentation policies for traffic flowing between compute nodes that execute distributed applications in a network, the method comprising:
- through a user interface, receiving a selection of a subset of the compute nodes as seed nodes, wherein each seed node is a node for a different distributed application;
  
  monitoring network packet traffic flows for the set of selected seed nodes bar performing deep packet inspection (DPI) to collect network traffic flow information;
  
  analyzing the collected network flow information to identify, for each respective seed node of the selected seed nodes, a set of one or more nodes related to the respective seed node; and
  
  for each respective selected seed node and the set of nodes related to the respective seed node, generating micro-segmentation policies for managing network packet traffic flows for the application executed by the respective seed node and the set of nodes related to the respective seed node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein identifying the set of one or more related nodes for a particular seed node comprises:
    - identifying a set of source nodes and a set of destination nodes for network packet traffic flows of the particular seed node; and
      
      identifying the set of related nodes for the particular seed node from the set of source nodes and the set of destination nodes.
  - 3. The method of claim 1, wherein analyzing the collected network flow information comprises identifying a direction for packets of the monitored network packet traffic flows relative to a particular selected seed node, wherein the direction comprises at least one of incoming traffic and exiting traffic.
  - 4. The method of claim 1, wherein generating micro-segmentation policies comprises generating a set of firewall rules based on the analyzed network flow information.
  - 5. The method of claim 1, wherein analyzing the collected network flow information comprises identifying a set of security groups for the set of selected seed nodes, wherein the micro-segmentation policies are defined based on the security groups.
  - 6. The method of claim 1 further comprising:
    - providing the identified micro-segmentation policies in the user interface for review;
      
      receiving an approval for the generated micro-segmentation policies through the user interface; and
      
      publishing the approved micro-segmentation polices into a rule table for enforcement at a set of network enforcement points.
  - 7. The method of claim 1, wherein analyzing the collected network flow information to identify the set of one or more related nodes for each seed node of the set of selected seed nodes comprises generating a connectivity graph depicting traffic entering and exiting the set of seed nodes, wherein the connectivity graph is displayed in the user interface to indicate how the seed nodes and the sets of related nodes communicate with each other.
  - 8. The method of claim 1, wherein analyzing the collected network traffic flow information comprises:
    - performing reverse translation on the collected network traffic flow information; and
      
      providing the reverse translated network traffic flow information to a user via the user interface.

9. A non-transitory machine readable medium storing a program which when executed by at least one processing unit creates micro-segmentation policies for traffic flowing between compute nodes that execute distributed applications in a network, the program comprising sets of instructions for:
- through a user interface, receiving a selection of a subset of the compute nodes as seed nodes, wherein each seed node is a node for a different distributed application;
  
  monitoring network packet traffic flows for the set of selected seed nodes by performing deep packet inspection (DPI) to collect network traffic flow information;
  
  analyzing the collected network flow information to identify, for each respective seed node of the selected seed nodes, a set of one or more nodes related to the respective seed node; and
  
  for each respective selected seed node and the set of nodes related to the respective seed node, generating micro-segmentation policies for managing network packet traffic flows for the application executed by the respective seed node and the set of nodes related to the respective seed node.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The non-transitory computer readable medium of claim 9, wherein the set of instructions for receiving the selection of the seed nodes comprises sets of instructions for:
    - providing a plurality of compute nodes available for selection as seed nodes in the user interface; and
      
      receiving the selection as a selection of a subset of the plurality of available compute nodes.
  - 11. The non-transitory computer readable medium of claim 9, wherein the set of instructions for identifying the set of one or more related nodes for a particular seed node comprises sets of instructions for:
    - identifying a set of source nodes and a set of destination nodes for network packet traffic flows of the particular seed node; and
      
      identifying the set of related nodes for the particular seed node from the set of source nodes and the set of destination nodes.
  - 12. The non-transitory computer readable medium of claim 9, wherein the program further comprises a set of instructions for monitoring network packet traffic flows for the set of seed nodes and the sets of related nodes for each seed node of the set of seed nodes to collect additional network flow information.
  - 13. The non-transitory computer readable medium of claim 9, wherein the set of instructions for analyzing the collected network flow information comprises a set of instructions for identifying a direction for packets of the monitored network packet traffic flows relative to a particular seed node, wherein the direction comprises at least one of incoming traffic and exiting traffic.
  - 14. The non-transitory computer readable medium of claim 9, wherein the set of instructions for generating micro-segmentation policies comprises a set of instructions for generating a set of firewall rules based on the analyzed network flow information.
  - 15. The non-transitory computer readable medium of claim 9, wherein the set of instructions for analyzing the collected network flow information comprises a set of instructions for identifying a set of security groups for the set of selected seed nodes, wherein the micro-segmentation policies are defined based on the security groups.
  - 16. The non-transitory computer readable medium of claim 9, the program further comprising sets of instructions for:
    - providing the identified micro-segmentation policies in the user interface for review;
      
      receiving an approval for the generated micro-segmentation policies through the user interface; and
      
      publishing the approved micro-segmentation polices into a rule table for enforcement at a set of network enforcement points.
  - 17. The non-transitory machine readable medium of claim 9, wherein the set of instructions for analyzing the collected network flow information to identify the set of one or more related nodes for each seed node of the set of selected seed nodes comprises a set of instructions for generating a connectivity graph depicting traffic entering and exiting the set of seed nodes, wherein the connectivity graph is displayed in the user interface to indicate how the seed nodes and the sets of related nodes communicate with each other.
  - 18. The non-transitory machine readable medium of claim 9, wherein the set of instructions for analyzing the collected network traffic flow information comprises sets of instructions for:
    - performing reverse translation on the collected network traffic flow information; and
      
      providing the reverse translated network traffic flow information to a user via the user interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Bansal, Kaushal, Sengupta, Anirban, Manuguri, Subrahmanyam, Krishna, Sunitha, Pereira, Jerry
Primary Examiner(s)
Do, Khang

Application Number

US15/381,123
Publication Number

US 20180176261A1
Time in Patent Office

1,159 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 63/0209   Architectural arrangements,...

H04L 63/0263   Rule management

H04L 63/205   involving negotiation or de...

H04L 67/131   Protocols for games, networ...

Providing application visibility for micro-segmentation of a network deployment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Providing application visibility for micro-segmentation of a network deployment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links