SYSTEM AND METHOD FOR ISOLATED VIRTUAL IMAGE AND APPLIANCE COMMUNICATION WITHIN A CLOUD ENVIRONMENT

US 20130227550A1
Filed: 02/27/2012
Published: 08/29/2013
Est. Priority Date: 02/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method for providing isolated virtual image communication in a virtual computing environment, the method executed by one or more processors configured to perform a plurality of operations comprising:

activating a guest virtual machine provided in a virtual computing environment;

isolating the guest virtual machine within a virtual network in the virtual computing environment such that the guest virtual machine is unreachable from outside the virtual network;

formulating, on the guest virtual machine, a service request addressed to a predetermined address;

attempting to send the service request to the predetermined address, whereupon the service request is transmitted to a resource shared with a security appliance machine in the virtual computing environment, wherein the resource is not located at the predetermined address;

forwarding the service request from the resource to the security appliance machine;

formulating a reply to the service request at the security appliance machine;

transmitting the reply from the security appliance machine to the resource; and

transmitting the reply from the network filter to the guest virtual machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided herein are systems and methods for providing isolated virtual image communication in a virtual computing environment. Initially, a guest virtual machine that is activated in a virtual computing environment may be isolated into a private network. A service request may then be formulated at the guest virtual machine and addressed to a predetermined non-existent address. The request is then ostensibly sent to the predetermined address, whereupon the service request is actually transmitted to a shared resource with a security appliance machine in the virtual computing environment. The request is then forwarded to the security appliance machine and a reply formulated. The reply is sent back to the guest virtual machine via the shared resource.

Citations

33 Claims

1. A method for providing isolated virtual image communication in a virtual computing environment, the method executed by one or more processors configured to perform a plurality of operations comprising:
- activating a guest virtual machine provided in a virtual computing environment;
  
  isolating the guest virtual machine within a virtual network in the virtual computing environment such that the guest virtual machine is unreachable from outside the virtual network;
  
  formulating, on the guest virtual machine, a service request addressed to a predetermined address;
  
  attempting to send the service request to the predetermined address, whereupon the service request is transmitted to a resource shared with a security appliance machine in the virtual computing environment, wherein the resource is not located at the predetermined address;
  
  forwarding the service request from the resource to the security appliance machine;
  
  formulating a reply to the service request at the security appliance machine;
  
  transmitting the reply from the security appliance machine to the resource; and
  
  transmitting the reply from the network filter to the guest virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the predetermined address is a non-existent address stored at the guest virtual machine.
  - 3. The method of claim 1, wherein the resource shared with the security appliance machine is a network filter.
  - 4. The method of claim 1, wherein the resource shared with the security appliance machine runs on a hypervisor that supports the guest virtual machine and the security appliance machine.
  - 5. The method of claim 1, wherein the service request is formulated using information from the security appliance machine.
  - 6. The method of claim 1, wherein the service request is formulated using information from a resource within the virtual computing environment.
  - 7. The method of claim 1, wherein the service request is formulated using information from a resource outside of the virtual computing environment.
  - 8. The method of claim 1, wherein formulating a reply to the service request further includes determining, at the security appliance machine, that the predetermined address indicates that the guest virtual machine is isolated within the virtual network.
  - 9. The method of claim 1, wherein formulating a reply to the service request further includes determining, at the security appliance machine, what resources are needed to service the request by inspecting an information content of the request.
  - 10. The method of claim 1, wherein formulating a service request is performed because the guest virtual machine has been moved from a first host to a second host, and wherein the service request relates to verification of the second host.
  - 11. The method of claim 1, wherein the service request relates to a software update.

12. A system for providing isolated virtual image communication in a virtual computing environment, comprising:
- one or more processors configured to;
  
  activate a guest virtual machine in a virtual computing environment,isolate the guest virtual machine within a virtual network in the virtual computing environment such that the guest virtual machine is unreachable from outside the virtual network,formulate, on the guest virtual machine, a service request addressed to a predetermined address,attempt to send the service request to the predetermined address, whereupon the service request is transmitted to a resource shared with a security appliance machine in the virtual computing environment, wherein the resource is not located at the predetermined address,forward the service request from the resource to the security appliance machine,formulate a reply to the service request at the security appliance machine,transmit the reply from the security appliance machine to the resource, andtransmit the reply from the network filter to the guest virtual machine.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the predetermined address is a non-existent address stored at the guest virtual machine.
  - 14. The system of claim 12, wherein the resource shared with the security appliance machine is a network filter.
  - 15. The system of claim 12, wherein the resource shared with the security appliance machine runs on a hypervisor that supports the guest virtual machine and the security appliance machine.
  - 16. The system of claim 12, wherein the service request is formulated using information from the security appliance machine.
  - 17. The system of claim 12, wherein the service request is formulated using information from a resource within the virtual computing environment.
  - 18. The system of claim 12, wherein the service request is formulated using information from a resource outside of the virtual computing environment.
  - 19. The system of claim 12, wherein the one or more processors configured to formulate a reply to the service request are further configured to determine, at the security appliance machine, that the predetermined address indicates that the guest virtual machine is isolated within the virtual network.
  - 20. The system of claim 12, wherein the one or more processors configured to formulate a reply to the service request are further configured to determine, at the security appliance machine, what resources are needed to service the request by inspection of an information content of the request.
  - 21. The system of claim 12, wherein formulation of a service request is performed because the guest virtual machine has been moved from a first host to a second host, and wherein the service request relates to verification of the second host.
  - 22. The system of claim 12, wherein the service request relates to a software update.

23. A computer-readable medium having computer-executable instructions thereon, for providing isolated virtual image communication in a virtual computing environment, the computer-executable instructions, when executed by one or more processors cause the one or more processors to perform a plurality of operations comprising:
- activate a guest virtual machine in a virtual computing environment;
  
  isolate the guest virtual machine within a virtual network in the virtual computing environment such that the guest virtual machine is unreachable from outside the virtual network;
  
  formulate, on the guest virtual machine, a service request addressed to a predetermined address;
  
  attempt to send the service request to the predetermined address, whereupon the service request is transmitted to a resource shared with a security appliance machine in the virtual computing environment, wherein the resource is not located at the predetermined address,forward the service request from the resource to the security appliance machine;
  
  formulate a reply to the service request at the security appliance machine;
  
  transmit the reply from the security appliance machine to the resource; and
  
  transmit the reply from the network filter to the guest virtual machine.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The computer-readable medium of claim 23, wherein the predetermined address is a non-existent address stored at the guest virtual machine.
  - 25. The computer-readable medium of claim 23, wherein the resource shared with the security appliance machine is a network filter.
  - 26. The computer-readable medium of claim 23, wherein the resource shared with the security appliance machine runs on a hypervisor that supports the guest virtual machine and the security appliance machine.
  - 27. The computer-readable medium of claim 23, wherein the service request is formulated using information from the security appliance machine.
  - 28. The computer-readable medium of claim 23, wherein the service request is formulated using information from a resource within the virtual computing environment.
  - 29. The computer-readable medium of claim 23, wherein the service request is formulated using information from a resource outside of the virtual computing environment.
  - 30. The computer-readable medium of claim 23, wherein the computer-executable instructions that cause the one or more processors to formulate a reply to the service request further cause the one or more processors to determine, at the security appliance machine, that the predetermined address indicates that the guest virtual machine is isolated within the virtual network.
  - 31. The computer-readable medium of claim 23, wherein the computer-executable instructions that cause the one or more processors to formulate a reply to the service request further cause the one or more processors to determine, at the security appliance machine, what resources are needed to service the request by inspection of an information content of the request.
  - 32. The computer-readable medium of claim 23, wherein formulation of a service request is performed because the guest virtual machine has been moved from a first host to a second host, and wherein the service request relates to verification of the second host.
  - 33. The computer-readable medium of claim 23, wherein the service request relates to a software update.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Barak, Nir, Weinstein, Igal

Granted Patent

US 8,954,964 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

SYSTEM AND METHOD FOR ISOLATED VIRTUAL IMAGE AND APPLIANCE COMMUNICATION WITHIN A CLOUD ENVIRONMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR ISOLATED VIRTUAL IMAGE AND APPLIANCE COMMUNICATION WITHIN A CLOUD ENVIRONMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links