Systems and methods for providing network access control in virtual environments

US 8,938,782 B2
Filed: 03/15/2010
Issued: 01/20/2015
Est. Priority Date: 03/15/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing network access control in virtual environments, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

transferring control of a virtual machine that is running on a host machine to an agent-insertion module;

using the agent-insertion module to allocate a memory region of the virtual machine to a transient security agent;

injecting the transient security agent into the allocated memory region of the virtual machine;

receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies;

controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies;

remediating the virtual machine by allowing the virtual machine access to one or more network resources used to remediate the virtual machine and blocking access to one or more other network resources.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for providing network access control in virtual environments. The method may include: 1) injecting a transient security agent into a virtual machine that is running on a host machine; 2) receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies; and 3) controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies. Various other methods, systems, and computer-readable media are also disclosed herein.

Citations

20 Claims

1. A computer-implemented method for providing network access control in virtual environments, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- transferring control of a virtual machine that is running on a host machine to an agent-insertion module;
  
  using the agent-insertion module to allocate a memory region of the virtual machine to a transient security agent;
  
  injecting the transient security agent into the allocated memory region of the virtual machine;
  
  receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies;
  
  controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies;
  
  remediating the virtual machine by allowing the virtual machine access to one or more network resources used to remediate the virtual machine and blocking access to one or more other network resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein:
    - the indication of whether the virtual machine complies with the one or more network access policies is received using a virtual switch comprising a logical switching fabric.
  - 3. The method of claim 1, wherein transferring control of the virtual machine to the agent-insertion module comprises:
    - inserting, into an exception handler memory location of the virtual machine, one or more computer-executable instructions configured to facilitate transfer of control from the virtual machine to the agent-insertion module;
      
      triggering an exception during execution of the virtual machine to cause the one or more computer-executable instructions in the exception handler memory location to be executed;
      
      transferring control of the virtual machine to the agent-insertion module after the one or more computer-executable instructions execute.
  - 4. The method of claim 3, wherein:
    - the computer-executable instructions configured to facilitate transfer of control from the virtual machine comprise an instruction with an invalid opcode;
      
      triggering the exception during the execution of the virtual machine comprises triggering an invalid opcode exception.
  - 5. The method of claim 1, wherein:
    - the indication of whether the virtual machine complies with the one or more network access control policies is received at a network access control module on the host machine;
      
      the indication of whether the virtual machine complies with the one or more network access control policies is sent to the network access control module via an inter-process communication;
      
      the network access control module comprises a network communication filter that controls network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies.
  - 6. The method of claim 1, wherein:
    - the indication of whether the virtual machine complies with the one or more network access control policies is received at a network access control server that is remote from the host machine;
      
      the network access control server controls network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies.
  - 7. The method of claim 1, further comprising:
    - removing the transient security agent from the virtual machine.
  - 8. The method of claim 7, wherein:
    - the transient security agent is removed from the virtual machine after receiving the indication of whether the virtual machine complies with one or more network access control policies.
  - 9. The method of claim 7, wherein:
    - the transient security agent is removed from the virtual machine when the virtual machine no longer needs network access.
  - 10. The method of claim 1, tangibly embodied as computer-executable instructions on at least one non-transitory computer-readable-storage medium.

11. A computer-implemented method for providing network access control in virtual environments, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- providing a security agent in a user virtual machine that is running on a host machine;
  
  providing a network communication filter that resides on the host machine but is external to the user virtual machine;
  
  providing an access control module in a network access control virtual machine that is running on the host machine, wherein the access control module controls the network communication filter;
  
  receiving, at the access control module, using a memory page that is accessible by both the security agent and the access control module, an indication that the user virtual machine does not comply with one or more network access control policies;
  
  using the network communication filter to control network access of the user virtual machine based on the indication of non-compliance by blocking one or more network communications of the user virtual machine.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim11, wherein:
    - providing the security agent in the user virtual machine comprises prompting the user virtual machine to install the security agent.
  - 13. The method of claim 11, wherein:
    - providing the security agent in the user virtual machine comprises installing the security agent on the user virtual machine;
      
      the security agent is installed on the user virtual machine using an installation process of the user virtual machine.
  - 14. The method of claim 11, further comprising:
    - remediating the user virtual machine to bring the user virtual machine into compliance with the one or more network access control policies, wherein the network communication filter allows the user virtual machine access to one or more network resources used to remediate the user virtual machine.
  - 15. The method of claim 14, wherein:
    - the network communication filter allows the user virtual machine access to one or more network resources used to remediate the user virtual machine by allowing the user virtual machine to connect to a quarantine server that provides software and patches.
  - 16. The method of claim 11, wherein the network access control virtual machine includes both a user level and a kernel level.

17. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- provide a security agent in a user virtual machine that is running on a host machine;
  
  provide a network communication filter that resides on the host machine and is external to the user virtual machine;
  
  provide an access control module in a network access control virtual machine that is running on the host machine, wherein the access control module controls the network communication filter;
  
  receive, at the access control module, using a memory page that is accessible by both the security agent and the access control module, an indication that the user virtual machine does not comply with one or more network access control policies;
  
  use the network communication filter to control network access of the user virtual machine based on the indication of non-compliance by blocking one or more network communications of the user virtual machine.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable-storage medium of claim 17, wherein the one or more computer-executable instructions further cause the computing device to provide the security agent in the user virtual machine at least in part by prompting the user virtual machine to install the security agent.
  - 19. The non-transitory computer-readable-storage medium of claim 17, wherein:
    - the one or more computer-executable instructions further cause the computing device to provide the security agent in the user virtual machine at least in part by installing the security agent on the user virtual machine;
      
      the security agent is installed on the user virtual machine using an installation process of the user virtual machine.
  - 20. The non-transitory computer-readable-storage medium of claim 17, wherein the one or more computer-executable instructions further cause the computing device to remediate the user virtual machine to bring the user virtual machine into compliance with the one or more network access control policies, wherein the network communication filter allows the user virtual machine access to one or more network resources used to remediate the user virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sawhney, Sanjay, Conover, Matthew, Montague, Bruce
Primary Examiner(s)
Colin, Carl G.
Assistant Examiner(s)
ZAIDI, SYED A

Application Number

US12/724,414
Publication Number

US 20110225624A1
Time in Patent Office

1,772 Days
Field of Search
US Class Current

726/3
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 9/45558   Hypervisor-specific managem...

Systems and methods for providing network access control in virtual environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for providing network access control in virtual environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links