-
Publication No.: US11522835B2
Publication Date: 2022-12-06
Application No.: US16027086
Filing Date: 2018-07-03
Applicant: VMware, Inc.
Inventors: Arijit Chanda, Sirisha Myneni, Arnold Poon, Kausum Kumar, Dhivya Srinivasan
IPC Classification: H04L29/06, H04L9/40, H04L41/5041, H04L65/1033, G06F9/455
Abstract: A system and method for performing firewall operations on an edge service gateway virtual machine that monitors traffic for a network. The method includes detecting, from a directory service executing on a computing device, a login event on the computing device; obtaining, from the detected login event, login event information comprising an identifier that identifies a user associated with the login event; storing the login event information as one or more context attributes in an attribute table; and applying a firewall rule to a data message that corresponds to the one or more context attributes.
-
Publication No.: US20220109684A1
Publication Date: 2022-04-07
Application No.: US17062600
Filing Date: 2020-10-04
Applicant: VMware, Inc.
Inventors: Jayant Jain, Anirban Sengupta, Rick Lund, Kausum Kumar
Abstract: The current document is directed to methods and systems that generate microsegmentation quotients for computational entities and components of a distributed computer system. In the described implementation, microsegmentation quotients are generated for each component, subsystem, or computational entity, collectively referred to as "system entities," of a set of specified system-entity types within the distributed computer system. Microsegmentation quotients are generated for system entities at any of the various hierarchical levels within a distributed computer system, including for the entire distributed computer system. Microsegmentation quotients are generated by an iterative process that refines initial estimates of the microsegmentation quotients for system entities within the distributed computer system. Microsegmentation quotients are displayed, through system-management interfaces, to administration and management personnel and provided to automated administration-and-management-system tools and facilities in order to facilitate analysis and monitoring of distributed-computer-system security as well as to facilitate rapid and accurate detection and amelioration of security-related deficiencies and problems.
-
Publication No.: US11233770B2
Publication Date: 2022-01-25
Application No.: US16460823
Filing Date: 2019-07-02
Applicant: VMware, Inc.
Inventors: Sirisha Myneni, Rajiv Mordani, Kausum Kumar
IPC Classification: H04L29/06
Abstract: Behavior-based security in a datacenter includes monitoring user actions made by users in the datacenter. Behavior-based risk scores are computed for users based on their monitored actions. One or more firewall rules are generated for users based on their behavior-based risk scores. The firewall rules regulate the actions of the users.
-
Publication No.: US11086700B2
Publication Date: 2021-08-10
Application No.: US16112408
Filing Date: 2018-08-24
Applicant: VMware, Inc.
Inventors: Sirisha Myneni, Arijit Chanda, Laxmikant Vithal Gunda, Arnold Poon, Farzad Ghannadian, Kausum Kumar
Abstract: A simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and the communication profiles between these segments. These manifests are application specific. Also, in some cases, deployment managers in a software-defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests enables administrators to manage fine-grained micro-segmentation rules based on endpoint and network attributes.
-
Publication No.: US20200065166A1
Publication Date: 2020-02-27
Application No.: US16112408
Filing Date: 2018-08-24
Applicant: VMware, Inc.
Inventors: Sirisha Myneni, Arijit Chanda, Laxmikant Vithal Gunda, Arnold Poon, Farzad Ghannadian, Kausum Kumar
Abstract: Some embodiments provide a simplified mechanism to deploy and control a multi-segmented application by using application-based manifests that express how application segments of the multi-segment application are to be defined or modified, and the communication profiles between these segments. In some embodiments, these manifests are application specific. Also, in some embodiments, deployment managers in a software-defined datacenter (SDDC) provide these manifests as templates to administrators, who can use these templates to express their intent when they are deploying multi-segment applications in the datacenter. Application-based manifests can also be used to control previously deployed multi-segmented applications in the SDDC. Using such manifests enables administrators to manage fine-grained micro-segmentation rules based on endpoint and network attributes.
-
Publication No.: US20200014662A1
Publication Date: 2020-01-09
Application No.: US16027086
Filing Date: 2018-07-03
Applicant: VMware, Inc.
Inventors: Arijit Chanda, Sirisha Myneni, Arnold Poon, Kausum Kumar, Dhivya Srinivasan
Abstract: A system and method for performing firewall operations on an edge service gateway virtual machine that monitors traffic for a network. The method includes detecting, from a directory service executing on a computing device, a login event on the computing device; obtaining, from the detected login event, login event information comprising an identifier that identifies a user associated with the login event; storing the login event information as one or more context attributes in an attribute table; and applying a firewall rule to a data message that corresponds to the one or more context attributes.
-
17.
Publication No.: US20240004689A1
Publication Date: 2024-01-04
Application No.: US18211402
Filing Date: 2023-06-19
Applicant: VMware, Inc.
Inventors: Sunitha Krishna, Kausum Kumar, Rajiv Mordani, Ashish Shendure, Ashish Patel, Farzad Ghannadian
IPC Classification: G06F9/455, H04L43/026, H04L9/40
CPC Classification: G06F9/45558, H04L43/026, H04L63/0263, G06F2009/4557, G06F2009/45595, G06F2009/45591
Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance and providing visual representations of the data to a user. Some embodiments provide a visual representation of the collected data that allows a user to select a set of machines and flows and initiate recommendation generation based on the selected machines and flows. The recommendation generation, in some embodiments, includes identifying flows for which rules have not been defined and filtering the identified flows to remove flows for which rules should not be defined. Some embodiments use the identified rules to identify services and groups associated with the rules and generate recommendations for rules, groups and services based on the identified flows, groups and services. The recommendations, in some embodiments, are implemented as a single PATCH API call.
-
18.
Publication No.: US11693688B2
Publication Date: 2023-07-04
Application No.: US17751140
Filing Date: 2022-05-23
Applicant: VMware, Inc.
Inventors: Sunitha Krishna, Kausum Kumar, Rajiv Mordani, Ashish Shendure, Ashish Patel, Farzad Ghannadian
IPC Classification: G06F9/455, H04L43/026, H04L9/40
CPC Classification: G06F9/45558, H04L43/026, H04L63/0263, G06F2009/4557, G06F2009/45591, G06F2009/45595
Abstract: Some embodiments provide a novel method for collecting and reporting attributes of data flows associated with machines executing on a plurality of host computers to an analysis appliance and providing visual representations of the data to a user. Some embodiments provide a visual representation of the collected data that allows a user to select a set of machines and flows and initiate recommendation generation based on the selected machines and flows. The recommendation generation, in some embodiments, includes identifying flows for which rules have not been defined and filtering the identified flows to remove flows for which rules should not be defined. Some embodiments use the identified rules to identify services and groups associated with the rules and generate recommendations for rules, groups and services based on the identified flows, groups and services. The recommendations, in some embodiments, are implemented as a single PATCH API call.
-
Publication No.: US11641305B2
Publication Date: 2023-05-02
Application No.: US16714805
Filing Date: 2019-12-16
Applicant: VMware, Inc.
IPC Classification: H04L41/0631, H04L41/0654, H04L41/0604, H04L12/46, H04L45/02, H04L69/22, H04L45/64
Abstract: Example methods and systems are provided for network diagnosis. One example method may comprise: detecting an egress packet and determining whether each of multiple network issues is detected for the egress packet or for a datapath between a first virtualized computing instance and a second virtualized computing instance. The method may also comprise: generating network diagnosis code information specifying whether each of the multiple network issues is detected or not detected; generating an encapsulated packet by encapsulating the egress packet with an outer header that specifies the network diagnosis code information; and sending the encapsulated packet towards the second virtualized computing instance to cause a second computer system to perform one or more remediation actions based on the network diagnosis code information.
-
Publication No.: US11601474B2
Publication Date: 2023-03-07
Application No.: US17103700
Filing Date: 2020-11-24
Applicant: VMware, Inc.
Inventors: Sachin Mohan Vaidya, Kausum Kumar, Nikhil Bokare, Mayur Dhas, Shailesh Makhijani, Rushikesh Wagh, Shrinivas Sharad Parashar, Vaibhav Bhandari
IPC Classification: H04L29/06, H04L9/40, G06F9/455, H04L12/46, H04L41/0803, H04L41/0893, H04L45/586, H04L49/00, H04L67/10, H04L12/66, H04L45/42, H04L45/64
Abstract: Some embodiments provide a method for a network management and control system that manages one or more logical networks. From a first user, the method receives a definition of one or more security zones for a logical network. Each security zone definition includes a set of security rules for data compute nodes (DCNs) assigned to the security zone. From a second user, the method receives a definition of an application to be deployed in the logical network. The application definition specifies a set of requirements. Based on the specified set of requirements, the method assigns DCNs implementing the application to one or more of the security zones for the logical network.
-