METHOD AND SYSTEM FOR AUTOMATICALLY CURATING INTRUSION DETECTION SIGNATURES FOR WORKLOADS BASED ON CONTEXTUAL ATTRIBUTES IN AN SDDC

    Publication number: US20230018434A1

    Publication date: 2023-01-19

    Application number: US17374630

    Application date: 2021-07-13

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method receives multiple contextual attributes associated with a set of data messages processed by the multiple machines executing on the at least one host computer, the multiple contextual attributes including contextual attributes that are not L2-L4 attributes and that define a compute environment in which one or more workloads performed by the multiple machines executing on the at least one host computer operate. The method uses the received multiple contextual attributes to perform a filtering operation to identify, from multiple intrusion detection signatures, a set of intrusion detection signatures applicable to the one or more workloads. The method provides the identified set of intrusion detection signatures to an intrusion detection system operating on the at least one host computer for enforcement.

    METHOD AND SYSTEM FOR IMPLEMENTING AN INTENT-BASED INTRUSION DETECTION AND PREVENTION SYSTEM USING CONTEXTUAL ATTRIBUTES

    Publication number: US20230013808A1

    Publication date: 2023-01-19

    Application number: US17374608

    Application date: 2021-07-13

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method receives an intent-based application programming interface (API) command that defines intent for a set of one or more context-based intrusion detection rules for detecting and preventing intrusions on the at least one host computer. The method uses multiple contextual attributes to convert the defined intent into a set of one or more intrusion detection scripts for enforcement on the at least one host computer. The method provides the set of one or more intrusion detection scripts to an intrusion detection system operating on the at least one host computer for enforcement.

    Distributed deep packet inspection
    Status: Granted invention, in force

    Publication number: US09225647B2

    Publication date: 2015-12-29

    Application number: US13764341

    Application date: 2013-02-11

    Applicant: VMware, Inc.

    Abstract: Exemplary methods, apparatuses, and systems receive a copy of or make a copy of one or more packets of a flow of packets between a source and a destination. While or after the one or more packets are forwarded to the destination, the content of the one or more packets is compared to a policy to determine if the flow of packets triggers a policy response. A map of devices within a datacenter cluster of devices is maintained and used to select one or more available devices when packet inspection is distributed.


    Distributed Identity-Based Firewalls
    Status: Invention application, under examination (published)

    Publication number: US20150096007A1

    Publication date: 2015-04-02

    Application number: US14043714

    Application date: 2013-10-01

    Applicant: VMware, Inc.

    CPC classification number: H04L63/0218 G06F9/45558 G06F2009/45595 H04L67/327

    Abstract: Systems and techniques are described for monitoring network communications using a distributed firewall. One of the techniques includes receiving, at a driver executing in a guest operating system of a virtual machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising: obtaining identity information for the user; providing the identity information and data identifying the network connection to an identity module external to the driver; and receiving, by a distributed firewall, data associating the identity information with the data identifying the network connection from the identity module, wherein the distributed firewall performs operations comprising: receiving an outgoing packet from the virtual machine; determining that the identity information corresponds to the outgoing packet; and evaluating one or more routing rules based at least in part on the identity information.
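    To make the division of labour in the abstract concrete, here is an added Python example (not code from the patent or from VMware) in which a stand-in for the in-guest driver reports the user, the user's groups and the connection data to an identity module, and a per-host firewall instance maps each outgoing packet back to that identity before evaluating its rules. The rule format, the principal labels user:/group:/any, the sample users and connections, and the fail-closed default for a flow the driver never reported are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Conn:
    """The data identifying a connection: the outgoing 5-tuple as the firewall sees it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


class IdentityModule:
    """Lives outside the guest; keeps the identity the driver reported for each connection."""

    def __init__(self):
        self._by_conn = {}

    def associate(self, conn: Conn, user: str, groups) -> None:
        self._by_conn[conn] = (user, frozenset(groups))

    def identity_for(self, conn: Conn) -> Optional[tuple]:
        return self._by_conn.get(conn)


def guest_driver_on_connect(identity_module: IdentityModule, conn: Conn, process_owner: str, groups):
    """Stands in for the driver in the guest OS: a process asked to open `conn`,
    so resolve the owning user and hand identity plus connection data outward."""
    identity_module.associate(conn, process_owner, groups)


@dataclass(frozen=True)
class Rule:
    principal: str             # "user:<name>", "group:<name>" or "any" (assumed format)
    dst_port: Optional[int]    # None matches any destination port
    action: str                # "ALLOW" or "DROP"

    def matches(self, user: str, groups, conn: Conn) -> bool:
        kind, _, name = self.principal.partition(":")
        if kind == "user" and name != user:
            return False
        if kind == "group" and name not in groups:
            return False
        if self.dst_port is not None and conn.dst_port != self.dst_port:
            return False
        return True


class DistributedFirewall:
    """One instance per host: ties each outgoing packet to a user, then evaluates rules."""

    def __init__(self, identity_module: IdentityModule, rules, default: str = "DROP"):
        self.identity = identity_module
        self.rules = list(rules)
        self.default = default

    def evaluate(self, conn: Conn) -> str:
        ident = self.identity.identity_for(conn)
        if ident is None:
            return self.default        # no identity reported for this flow: fail closed
        user, groups = ident
        for rule in self.rules:        # first match wins
            if rule.matches(user, groups, conn):
                return rule.action
        return self.default


# Constructed rule set for the demonstration.
RULES = [
    Rule("user:alice", 22, "ALLOW"),
    Rule("group:finance", 443, "ALLOW"),
    Rule("any", 53, "ALLOW"),
    Rule("any", None, "DROP"),
]


def demo() -> dict:
    """Constructed connections: three reported by the driver, one never reported."""
    ids = IdentityModule()
    fw = DistributedFirewall(ids, RULES)
    alice_ssh = Conn("10.0.1.5", 40000, "10.0.2.9", 22, "tcp")
    bob_https = Conn("10.0.1.5", 40001, "203.0.113.7", 443, "tcp")
    bob_ssh = Conn("10.0.1.5", 40002, "10.0.2.9", 22, "tcp")
    unknown_dns = Conn("10.0.1.5", 40003, "10.0.2.9", 53, "udp")
    guest_driver_on_connect(ids, alice_ssh, "alice", {"engineering"})
    guest_driver_on_connect(ids, bob_https, "bob", {"finance"})
    guest_driver_on_connect(ids, bob_ssh, "bob", {"finance"})
    return {
        "alice_ssh": fw.evaluate(alice_ssh),      # ALLOW: user rule
        "bob_https": fw.evaluate(bob_https),      # ALLOW: group rule
        "bob_ssh": fw.evaluate(bob_ssh),          # DROP: no rule grants bob port 22
        "unknown_dns": fw.evaluate(unknown_dns),  # DROP: driver never reported it
    }
```

    The unreported flow is the case worth noticing: even though an "any" rule would allow port 53, a packet with no identity behind it falls to the default, which is the safer behaviour when the in-guest driver has been bypassed or has not yet reported.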


    COMMON CONNECTION TRACKER ACROSS MULTIPLE LOGICAL SWITCHES

    Publication number: US20230179475A1

    Publication date: 2023-06-08

    Application number: US18102686

    Application date: 2023-01-28

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). In some embodiments, each interface associated with a different bridge calls a service engine based on identifiers included in data messages received at the interface. Each data message flow is associated with a particular identifier that is associated with a particular service engine instance that provides the stateful service. In some embodiments, the interface that receives a data message identifies a service engine to provide the stateful service and provides the data message to the identified service engine. After processing the data message, the service engine provides the data message to the egress interface associated with the ingress interface.

    METHOD AND SYSTEM FOR IMPLEMENTING INTRUSION DETECTION SIGNATURES CURATED FOR WORKLOADS BASED ON CONTEXTUAL ATTRIBUTES IN AN SDDC

    Publication number: US20230021269A1

    Publication date: 2023-01-19

    Application number: US17374623

    Application date: 2021-07-13

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter, the datacenter including at least one host computer executing multiple machines. The method forwards multiple contextual attributes to a set of servers that distribute intrusion detection scripts. The method receives a filtered set of intrusion detection signatures for enforcement on the at least one host computer, the filtered set of intrusion detection signatures identified based on the multiple contextual attributes. The method uses the filtered set of intrusion detection signatures to detect at least one potential intrusion associated with a particular data message processed on the at least one host computer.
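    The three applications US20230018434A1, US20230013808A1 and this one describe one pipeline: contextual attributes that are not L2-L4 fields (such as the guest OS and the products running on the workload) select the applicable signatures from a larger set, and an operator intent narrows them further before the filtered set is handed to the host's intrusion detection engine. The following is an added Python example of that filtering step, not code from the patents or from VMware; the Suricata-like rule text, the metadata keys affected_product, os and severity, the sids, and the shapes of the context and intent dictionaries are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample signatures in a Suricata-like syntax. The sids, products and
# metadata keys are assumptions for this example, not rules from the patents.
SIGNATURES = [
    'alert http any any -> $HOME_NET any (msg:"Apache CGI path traversal"; '
    'content:"/cgi-bin/.%2e/"; metadata:affected_product Apache_HTTP_Server, '
    'os Linux, severity high; sid:9000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 445 (msg:"SMB exploit attempt"; '
    'content:"|ff|SMB"; metadata:affected_product Windows_SMB, os Windows, '
    'severity critical; sid:9000002; rev:1;)',
    'alert http any any -> $HOME_NET any (msg:"Generic SQLi probe"; '
    'content:"UNION SELECT"; nocase; metadata:severity medium; sid:9000003; rev:1;)',
    'alert tcp any any -> $HOME_NET 3306 (msg:"MySQL auth bypass"; '
    'content:"|0a|"; metadata:affected_product MySQL, os Linux, severity high; '
    'sid:9000004; rev:1;)',
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Signature:
    sid: int
    raw: str
    meta: dict


def parse_signature(rule: str) -> Signature:
    """Pull the sid and the metadata key/value pairs out of one rule line."""
    sid = int(re.search(r"\bsid:(\d+);", rule).group(1))
    meta = {}
    m = re.search(r"metadata:([^;]*);", rule)
    if m:
        for item in m.group(1).split(","):
            key, _, value = item.strip().partition(" ")
            meta[key] = value
    return Signature(sid, rule, meta)


def curate(rules, context, intent):
    """Return the sids applicable to one workload.

    `context` carries the contextual attributes (guest OS, installed products)
    and `intent` the operator's policy (minimum severity to enforce). A signature
    with no os/affected_product tag is treated as generic and kept."""
    keep = []
    min_rank = SEVERITY_RANK[intent["min_severity"]]
    for sig in map(parse_signature, rules):
        os_tag = sig.meta.get("os")
        if os_tag and os_tag != context["os"]:
            continue    # signature targets a different guest OS
        product = sig.meta.get("affected_product")
        if product and product not in context["products"]:
            continue    # the affected product does not run on this workload
        if SEVERITY_RANK.get(sig.meta.get("severity", "low"), 0) < min_rank:
            continue    # below the severity the intent asks for
        keep.append(sig.sid)
    return keep


# Constructed contexts: a Linux web workload with a local MySQL, and a Windows file server.
LINUX_WEB = {"os": "Linux", "products": {"Apache_HTTP_Server", "MySQL"}}
WINDOWS_FILE = {"os": "Windows", "products": {"Windows_SMB"}}

if __name__ == "__main__":
    print(curate(SIGNATURES, LINUX_WEB, {"min_severity": "high"}))       # [9000001, 9000004]
    print(curate(SIGNATURES, LINUX_WEB, {"min_severity": "medium"}))     # [9000001, 9000003, 9000004]
    print(curate(SIGNATURES, WINDOWS_FILE, {"min_severity": "medium"}))  # [9000002, 9000003]
```

    The point of the curation is visible in the output: the SMB signature never reaches the Linux web host and the Apache and MySQL signatures never reach the Windows host, so each engine evaluates only the rules whose preconditions its workload can actually satisfy, while a generic signature with no product tag reaches both.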

    Sharing of firewall rules among multiple workloads in a hypervisor

    Publication number: US11310202B2

    Publication date: 2022-04-19

    Application number: US16352577

    Application date: 2019-03-13

    Applicant: VMware, Inc.

    Abstract: In some embodiments, a method receives a packet at an instance of a distributed firewall associated with one of a plurality of workloads running on a hypervisor. Each of the plurality of workloads has an associated instance of the distributed firewall. An index table is accessed for the workload where the index table includes a set of references to a set of rules in a rules table. Each workload in the plurality of workloads is associated with an index table that references rules that are applicable to each respective workload. The method then accesses at least one rule in a set of rules associated with the set of references from the rules table and compares one or more attributes for the packet to information stored for the at least one rule in the set of rules to determine a rule in the set of rules to apply to the packet.
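    An added Python example (not code from the patent or from VMware) of the data layout the abstract describes: one rules table per hypervisor, one ordered index table of references per workload, and a lookup that walks the workload's references and returns the first rule that matches the packet's attributes. The rule fields, the CIDR matching, the sample rules and workloads, and the fail-closed default for an unknown workload are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    dport: Optional[int]     # None matches any destination port
    proto: str               # "tcp", "udp" or "any"
    action: str              # "ALLOW" or "DROP"

    def matches(self, pkt: dict) -> bool:
        def in_net(cidr: str, ip: str) -> bool:
            return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

        return (in_net(self.src, pkt["src"])
                and in_net(self.dst, pkt["dst"])
                and (self.dport is None or self.dport == pkt["dport"])
                and (self.proto == "any" or self.proto == pkt["proto"]))


# The hypervisor's single rules table (constructed rules): every Rule object exists once.
RULES_TABLE = {
    1: Rule("10.0.0.0/8", "any", 22, "tcp", "ALLOW"),             # admin SSH from inside the DC
    2: Rule("any", "10.1.0.0/16", 80, "tcp", "ALLOW"),            # HTTP to the web tier
    3: Rule("any", "10.1.0.0/16", 443, "tcp", "ALLOW"),           # HTTPS to the web tier
    4: Rule("10.1.0.0/16", "10.2.0.0/16", 5432, "tcp", "ALLOW"),  # web tier to the DB tier
    5: Rule("any", "any", 53, "udp", "ALLOW"),                    # DNS
    6: Rule("any", "any", None, "any", "DROP"),                   # default deny
}

# Per-workload index tables: ordered references into RULES_TABLE, no rule is copied.
INDEX_TABLES = {
    "web-01": [2, 3, 1, 5, 6],
    "web-02": [2, 3, 1, 5, 6],
    "db-01": [4, 1, 5, 6],
}


def lookup(workload: str, pkt: dict, default: str = "DROP"):
    """Return (rule_id, action) for the first matching rule in this workload's
    index table, or (None, default) when the workload is unknown or nothing matches."""
    refs = INDEX_TABLES.get(workload)
    if refs is None:
        return None, default         # unknown workload: fail closed
    for ref in refs:
        rule = RULES_TABLE[ref]
        if rule.matches(pkt):
            return ref, rule.action
    return None, default


def sharing_stats():
    """References held by all index tables versus rule objects actually stored."""
    return sum(len(refs) for refs in INDEX_TABLES.values()), len(RULES_TABLE)


if __name__ == "__main__":
    https_in = {"src": "203.0.113.4", "dst": "10.1.3.7", "dport": 443, "proto": "tcp"}
    db_from_web = {"src": "10.1.3.7", "dst": "10.2.0.5", "dport": 5432, "proto": "tcp"}
    print(lookup("web-01", https_in))      # (3, 'ALLOW')
    print(lookup("db-01", db_from_web))    # (4, 'ALLOW')
    print(lookup("web-01", db_from_web))   # (6, 'DROP'): web-01's index never references rule 4
    print(sharing_stats())                 # (14, 6)
```

    Because the index tables hold only references, the two web workloads share the same five rule objects, and a change to rule 3 in the rules table is seen by every workload whose index references it without touching the index tables. Rule order still matters per workload, which is why the index is an ordered list rather than a set.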

    COMMON CONNECTION TRACKER ACROSS MULTIPLE LOGICAL SWITCHES

    Publication number: US20210218623A1

    Publication date: 2021-07-15

    Application number: US16742663

    Application date: 2020-01-14

    Applicant: VMware, Inc.

    Abstract: Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). In some embodiments, each interface associated with a different bridge calls a service engine based on identifiers included in data messages received at the interface. Each data message flow is associated with a particular identifier that is associated with a particular service engine instance that provides the stateful service. In some embodiments, the interface that receives a data message identifies a service engine to provide the stateful service and provides the data message to the identified service engine. After processing the data message, the service engine provides the data message to the egress interface associated with the ingress interface.

    Runtime information transfer between kernel modules

    Publication number: US11036405B2

    Publication date: 2021-06-15

    Application number: US16124208

    Application date: 2018-09-07

    Applicant: VMware, Inc.

    Abstract: Example methods and systems are provided for a computer system to transfer runtime information between a first kernel module and a second kernel module. In one example, the method may comprise assigning ownership of a memory pool to the first kernel module; and the first kernel module accessing the memory pool to store runtime information associated with one or more operations performed by the first kernel module. The method may also comprise releasing ownership of the memory pool from the first kernel module while maintaining the runtime information in the memory pool; and assigning ownership of the memory pool to the second kernel module. The second kernel module may then access the memory pool to obtain the runtime information stored by the first kernel module.

    Distributed deep packet inspection
    Status: Granted invention

    Publication number: US10277482B2

    Publication date: 2019-04-30

    Application number: US14945334

    Application date: 2015-11-18

    Applicant: VMware, Inc.

    Abstract: Exemplary methods, apparatuses, and systems receive a copy of or make a copy of one or more packets of a flow of packets between a source and a destination. While or after the one or more packets are forwarded to the destination, the content of the packets is compared to a policy to determine if the flow of packets triggers a policy response. A map of devices within a datacenter cluster of devices is maintained and used to select one or more available devices when packet inspection is distributed.
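    This entry and the earlier US09225647B2 share one abstract, and the added Python example below (not code from the patents or from VMware) covers both: a maintained map of inspection devices with their availability, a selection step that pins each flow to one available device, and an inspection step that compares a copy of the packet content to a policy while the original is forwarded unchanged. The use of rendezvous (highest-random-weight) hashing so that a device failure moves only the flows that were pinned to it, the regex-based policy and the sample flows are assumptions of the example, not details from the patents.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    def key(self) -> str:
        return f"{self.proto}:{self.src}:{self.sport}->{self.dst}:{self.dport}"


# Constructed policy: a content pattern and the policy response it triggers.
POLICY = [
    (re.compile(rb"UNION\s+SELECT", re.IGNORECASE), "alert:sqli"),
    (re.compile(rb"\.\./\.\./"), "block:traversal"),
]


class ClusterMap:
    """The maintained map of inspection devices in the cluster and their availability."""

    def __init__(self, devices):
        self._available = {device: True for device in devices}

    def mark(self, device: str, available: bool) -> None:
        self._available[device] = available

    def available(self):
        return sorted(d for d, ok in self._available.items() if ok)


def select_device(cluster: ClusterMap, flow: Flow) -> str:
    """Pin a flow to one available device with rendezvous hashing: every packet of
    the flow reaches the same inspector, and when a device is removed only the
    flows that were pinned to it are re-assigned."""
    devices = cluster.available()
    if not devices:
        raise RuntimeError("no inspection device available")
    return max(devices, key=lambda d: hashlib.sha256(f"{d}|{flow.key()}".encode()).digest())


def inspect_copy(payload: bytes):
    """Runs on the selected device: compare the copied content to the policy."""
    for pattern, response in POLICY:
        if pattern.search(payload):
            return response
    return None


def forward_and_inspect(cluster: ClusterMap, flow: Flow, payload: bytes):
    """`payload` itself is what the destination receives; a copy goes to the
    device chosen for the flow. Returns (device, policy response or None)."""
    device = select_device(cluster, flow)
    verdict = inspect_copy(bytes(payload))    # inspection works on the copy only
    return device, verdict


def failover_demo():
    """Constructed flows: take one device out of the map and report which flows moved."""
    cluster = ClusterMap(["dpi-a", "dpi-b", "dpi-c"])
    flows = [Flow("10.0.0.1", p, "10.0.9.9", 80, "tcp") for p in range(40000, 40060)]
    before = {f.key(): select_device(cluster, f) for f in flows}
    cluster.mark("dpi-b", False)
    after = {f.key(): select_device(cluster, f) for f in flows}
    moved = [k for k in before if before[k] != after[k]]
    return before, after, moved


if __name__ == "__main__":
    before, after, moved = failover_demo()
    print(len(moved), "flows moved, all previously on dpi-b:",
          all(before[k] == "dpi-b" for k in moved))
    one = ClusterMap(["dpi-a"])
    f = Flow("10.0.0.1", 1234, "10.0.9.9", 80, "tcp")
    print(forward_and_inspect(one, f, b"GET /?id=1 UNION  SELECT 1,2 HTTP/1.1"))  # ('dpi-a', 'alert:sqli')
    print(forward_and_inspect(one, f, b"GET /index.html HTTP/1.1"))                # ('dpi-a', None)
```

    Keeping every packet of a flow on one device matters for stateful content matching (a pattern split across two packets), and the rendezvous choice matters operationally: a plain modulo over the available list would reshuffle most flows when one device left the map, so stream-reassembly state on the surviving devices would be lost for flows that never touched the failed one.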
