Systems and methods for providing network access control in virtual environments
First Claim
1. A computer-implemented method for providing network access control in virtual environments, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
transferring control of a virtual machine that is running on a host machine to an agent-insertion module;
using the agent-insertion module to allocate a memory region of the virtual machine to a transient security agent;
injecting the transient security agent into the allocated memory region of the virtual machine;
receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies;
controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies;
remediating the virtual machine by allowing the virtual machine access to one or more network resources used to remediate the virtual machine and blocking access to one or more other network resources.
Abstract
A computer-implemented method for providing network access control in virtual environments. The method may include: 1) injecting a transient security agent into a virtual machine that is running on a host machine; 2) receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies; and 3) controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies. Various other methods, systems, and computer-readable media are also disclosed herein.
20 Claims
1. A computer-implemented method for providing network access control in virtual environments, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
transferring control of a virtual machine that is running on a host machine to an agent-insertion module;
using the agent-insertion module to allocate a memory region of the virtual machine to a transient security agent;
injecting the transient security agent into the allocated memory region of the virtual machine;
receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies;
controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies;
remediating the virtual machine by allowing the virtual machine access to one or more network resources used to remediate the virtual machine and blocking access to one or more other network resources.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A computer-implemented method for providing network access control in virtual environments, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
providing a security agent in a user virtual machine that is running on a host machine;
providing a network communication filter that resides on the host machine but is external to the user virtual machine;
providing an access control module in a network access control virtual machine that is running on the host machine, wherein the access control module controls the network communication filter;
receiving, at the access control module, using a memory page that is accessible by both the security agent and the access control module, an indication that the user virtual machine does not comply with one or more network access control policies;
using the network communication filter to control network access of the user virtual machine based on the indication of non-compliance by blocking one or more network communications of the user virtual machine.
Dependent claims: 12, 13, 14, 15, 16.
17. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
provide a security agent in a user virtual machine that is running on a host machine;
provide a network communication filter that resides on the host machine and is external to the user virtual machine;
provide an access control module in a network access control virtual machine that is running on the host machine, wherein the access control module controls the network communication filter;
receive, at the access control module, using a memory page that is accessible by both the security agent and the access control module, an indication that the user virtual machine does not comply with one or more network access control policies;
use the network communication filter to control network access of the user virtual machine based on the indication of non-compliance by blocking one or more network communications of the user virtual machine.
Dependent claims: 18, 19, 20.
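As an added illustration of the enforcement path in claims 1, 11 and 17 (example code, not from the patent or any product): the in-VM agent writes a compliance indication to a memory page shared with the access control module, which turns it into rules for the host-side network communication filter; a non-compliant VM keeps access only to the remediation resources. The JSON encoding of the page, the remediation host names and the zero-padded page layout are assumptions of this example.

```python
"""Model of the access control module: read the agent's indication from
the shared memory page, derive a filter policy, and decide per destination.
Constructed example; the page format below is an assumption."""
import json
from dataclasses import dataclass, field

# Hypothetical remediation resources that stay reachable during remediation.
REMEDIATION_RESOURCES = {"patch.example.internal", "av-update.example.internal"}


@dataclass
class FilterPolicy:
    mode: str                       # "allow_all" or "remediation"
    allowed: frozenset = field(default_factory=frozenset)

    def allows(self, destination: str) -> bool:
        """Decision the host-side network communication filter makes."""
        if self.mode == "allow_all":
            return True
        return destination in self.allowed


def read_indication(shared_page: bytes) -> dict:
    """Parse the agent's NUL-terminated JSON record from the shared page.

    A page the agent never filled in, or one that does not parse, is treated
    as non-compliant: the filter must fail closed, not grant access by default."""
    raw = shared_page.split(b"\x00", 1)[0]
    if not raw:
        return {"compliant": False, "reason": "no indication from agent"}
    try:
        rec = json.loads(raw)
    except ValueError:
        return {"compliant": False, "reason": "malformed indication"}
    if not isinstance(rec, dict):
        return {"compliant": False, "reason": "unexpected indication shape"}
    return {"compliant": bool(rec.get("compliant", False)),
            "reason": str(rec.get("reason", ""))}


def build_policy(indication: dict) -> FilterPolicy:
    """Compliant VM: unrestricted. Otherwise only remediation resources."""
    if indication["compliant"]:
        return FilterPolicy("allow_all")
    return FilterPolicy("remediation", frozenset(REMEDIATION_RESOURCES))


def decide(shared_page: bytes, destination: str) -> bool:
    """Full path: shared page -> indication -> policy -> filter decision."""
    return build_policy(read_indication(shared_page)).allows(destination)


# Constructed sample page (4 KiB, zero padded): agent reports non-compliance.
SAMPLE_PAGE = b'{"compliant": false, "reason": "missing patch"}'.ljust(4096, b"\x00")
```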
Specification