Policy-Based Virtualization Method Involving Adaptive Enforcement

US 20110072504A1
Filed: 09/23/2009
Published: 03/24/2011
Est. Priority Date: 09/23/2009
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a first telecommunications network node, wherein the first node is operable to execute a first system software instance and a policy enforcement point (PEP);

a second telecommunications network node operable to execute a policy decision point (PDP) wherein the policy decision point (PDP) is configured to make a decision as to whether a second system software instance should be allowed to execute concurrently with the first system software instance on the first node; and

wherein the policy enforcement point (PEP) is configured to prevent the execution of the second system software instance on the basis of a decision provided by the policy decision point (PDP).

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in which a permission for running a system software instance alongside another system software instance is issued on the basis of a first policy rule concerning the operation of a first software application and a second policy rule concerning the execution of second software application.

Citations

20 Claims

1. A system comprising:
- a first telecommunications network node, wherein the first node is operable to execute a first system software instance and a policy enforcement point (PEP);
  
  a second telecommunications network node operable to execute a policy decision point (PDP) wherein the policy decision point (PDP) is configured to make a decision as to whether a second system software instance should be allowed to execute concurrently with the first system software instance on the first node; and
  
  wherein the policy enforcement point (PEP) is configured to prevent the execution of the second system software instance on the basis of a decision provided by the policy decision point (PDP).
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the decision depends on a telecommunications network policy rule related to the operation of software executing inside the first system software instance.
  - 3. The method of claim 1 wherein the decision depends on a characteristic of software executing inside the first system software instance.
  - 4. The method of claim 1 wherein the decision depends on the amount of computing resources available to the first node.
  - 5. The method of claim 1 wherein:
    - the first computing environment contains a first server software, wherein the first server software is associated with a first telecommunications network perimeter,the second computing environment contains a second server software, wherein the second server software is associated with a second telecommunications network perimeter, andthe decision depends on a first network policy rule related to the first perimeter and a second network policy rule related to the security of the second perimeter.

6. A method comprising transmitting from a first node, a message indicating a permission to execute on a second node a first software concurrently with a second software, wherein:
- a. the first server is executing within a first system software instance, and the second software is within a second system software instance;
  
  b. the permission depends on a first telecommunications network policy rule and a second telecommunications network policy rule, wherein;
  
  i. the first rule relates to the operation of the first software, andii. the second rule relates to the operation of the second software.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. The method of claim 6 comprising:
    - transmitting from the first node to the second node a message identifying a telecommunications network policy rule that needs to be implemented by firewall software executing on the second node; and
      
      in response to receipt of the message, launching at the second node, an instance of firewall software that implements the rule.
  - 8. The method of claim 6 wherein the decision depends on the hardware resources of the second node.
  - 9. The method of claim 6 comprising:
    - evaluating the hardware resources of the second node; and
      
      transmitting from the first node message indicating a desirable hardware upgrade for the second node.
  - 10. The method of claim 6 wherein the permission is transmitted in response to detecting the instantiation of the second system software instance on the second node.
  - 11. The method of claim 6 wherein the permission is transmitted in response to detecting a request for system services by the second system software instance.
  - 12. The method of claim 6 comprising disabling the second system software instance in response to the receipt of the message containing the permission.
  - 13. The method of claim 6 wherein the permission depends on a telecommunications network policy rule concerning the concurrent execution of multiple system software instances on the same hardware device.

14. A method comprising:
- receiving a first telecommunications network policy rule, wherein the first rule relates to the operation of a first server in a telecommunications network;
  
  receiving a second telecommunications network policy rule, wherein the second rule relates to the operation of second server in the telecommunications network;
  
  transmitting a message containing a permission to migrate the second server to a first telecommunications network node, wherein;
  
  i. the first node is host to the first server,ii. the first server is executing within a first system software instance,iii. and the migration of the second server to the first node comprises the instantiation of a second system software instance at the first node and executing the second server within the second system software instance; and
  
  vi. the permission depends on the first policy rule and second policy rule.
- View Dependent Claims (15, 16, 18, 19)
- - 15. The method of claim 14 comprising transmitting a message indicating a suggestion for a hardware upgrade of the first node, wherein the suggestion depends on the expected utilization of computer hardware resources by the first virtual server.
  - 16. The method of claim 14 comprising transmitting an indication of a third telecommunications network policy rule, wherein:
    - i. the third rule is to be implemented by a firewall software, wherein the firewall software is executing on the first node,ii. the third rule depends on the first rule and second rule.
  - 18. The method of claim 16 comprising transmitting a message indicating a suggestion for a hardware upgrade of the first node, wherein the suggestion depends on the expected utilization of computer hardware resources by the first virtual server.
  - 19. The method of claim 16 comprising transmitting an indication of a third telecommunications network policy rule, wherein:
    - i. the third rule is to be implemented by a firewall software, wherein the firewall software is executing on the first node,ii. the third rule depends on the first rule and second rule.

17. A method comprising:
- receiving at a telecommunication network node request to migrate a first virtual server to the first node, wherein the first node is executing a second virtual server; and
  
  transmitting a message containing a permission to migrate the second server to a first telecommunications network node, wherein;
  
  i. the first node is host to the first server,ii. the first server is executing within a first system software instance,iii. and the migration of the second server to the first node comprises the instantiation of a second system software instance at the first node and executing the second server within the second system software instance; and
  
  vi. the permission depends on the first policy rule and second policy rule.

20. A system comprising:
- a first telecommunications network node, wherein the first node is operable to execute a first software and a first software module, wherein the first software is executing within a first system software instance;
  
  a second telecommunications network node operable to execute a second software module wherein the second software module decides whether a second software should be allowed to execute within a second system software instance concurrently with the first virtual server on the first node; and
  
  wherein the first software module prevents the operation of the second software on the basis of a decision provided by the second software module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Abderrazzaq, Saad, Srinivas, Tanjore K., Mani, Mahalingam

Granted Patent

US 8,272,031 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 67/30 Profiles

Policy-Based Virtualization Method Involving Adaptive Enforcement

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-Based Virtualization Method Involving Adaptive Enforcement

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links