公开(公告)号：US20210036990A1

公开(公告)日：2021-02-04

申请号：US17063415

申请日：2020-10-05

Applicant: Nicira, Inc.

Inventor： Anirban Sengupta ,  Subrahmanyam Manuguri ,  Mitchell T. Christensen ,  Azeem Feroz ,  Todd Sabin

IPC: H04L29/06 ,  H04L29/08 ,  G06F9/455

Abstract: Systems and techniques are described for monitoring network communications using a distributed firewall. One of the techniques includes receiving, at a driver executing in a guest operating system of a virtual machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising: obtaining identity information for the user; providing the identity information and data identifying the network connection to an identity module external to the driver; and receiving, by a distributed firewall, data associating the identity information with the data identifying the network connection from the identity module, wherein the distributed firewall performs operations comprising: receiving an outgoing packet from the virtual machine; determining that the identity information corresponds to the outgoing packet; and evaluating one or more routing rules based at least in part on the identity information.

公开(公告)号：US10735376B2

公开(公告)日：2020-08-04

申请号：US15899329

申请日：2018-02-19

Applicant: Nicira, Inc.

Inventor： Chidambareswaran Raman ,  Subrahmanyam Manuguri ,  Todd Sabin

IPC: H04L29/06 ,  G06F9/455

Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel virtualization architecture for utilizing a firewall service virtual machine (SVM) on the host to check the packets sent by and/or received for the GVMs. In some embodiments, the GVMs connect to a software forwarding element (e.g., a software switch) that executes on the host to connect to each other and to other devices operating outside of the host. Instead of connecting the firewall SVM to the host's software forwarding element that connects its GVMs, the virtualization architecture of some embodiments provides an SVM interface (SVMI) through which the firewall SVM can be accessed to check the packets sent by and/or received for the GVMs.

公开(公告)号：US10567440B2

公开(公告)日：2020-02-18

申请号：US15381123

申请日：2016-12-16

Applicant: Nicira, Inc.

Inventor： Kaushal Bansal ,  Anirban Sengupta ,  Subrahmanyam Manuguri ,  Sunitha Krishna ,  Jerry Pereira

IPC: H04L12/24 ,  H04L29/06

Abstract: A method of creating micro-segmentation policies for a network is provided. The method identifies a set of network nodes as seed nodes. The method monitors network packet traffic flows for the seed nodes to collect traffic flow information. The method identifies a set of related nodes for the set of seed nodes based on the collected network flow information. The method analyzes the collected network flow information to identify micro-segmentation policies for the network.

公开(公告)号：US10536383B2

公开(公告)日：2020-01-14

申请号：US15708352

申请日：2017-09-19

Applicant: Nicira, Inc.

Inventor： Kaushal Bansal ,  Sunitha Krishna ,  Jerry Pereira ,  Shadab Shah ,  Subrahmanyam Manuguri ,  Jayant Jain

IPC: H04L12/815 ,  H04L12/801

Abstract: The technology disclosed herein enables the enhancement of attributes used to identify network packet traffic exchanged with micro segmented guests. In a particular embodiment, a method provides receiving a plurality of attributes from a user. The plurality of attributes describes first network packet traffic that should be handled in a first manner. The method further provides processing network packet traffic to identify the first network packet traffic using the plurality of attributes. While processing the network packet traffic, the method provides identifying one or more additional attributes shared among the first network packet traffic and adding at least a portion of the one or more additional attributes to the plurality of attributes.

公开(公告)号：US10320749B2

公开(公告)日：2019-06-11

申请号：US15344591

申请日：2016-11-07

Applicant: Nicira, Inc.

Inventor： Anirban Sengupta ,  Sunitha Krishna ,  Subrahmanyam Manuguri

IPC: H04L29/06

Abstract: Example methods are provided for a network management entity to perform firewall rule creation in a virtualized computing environment. The method may comprise obtaining flow data associated with an application-layer protocol session between a first endpoint and a second endpoint in the virtualized computing environment; and identifying, from the flow data, an association between a control flow and at least one data flow of the application-layer protocol session. The method may also comprise: based on the association, creating a firewall rule that is applicable to both the control flow and at least one data flow; and instructing a first firewall engine associated with the first endpoint, or a second firewall engine associated with the second endpoint, or both, to apply the firewall rule during the application-layer protocol session.

公开(公告)号：US10148696B2

公开(公告)日：2018-12-04

申请号：US14975583

申请日：2015-12-18

Applicant: Nicira, Inc.

Inventor： Srinivas Nimmagadda ,  Jayant Jain ,  Anirban Sengupta ,  Subrahmanyam Manuguri ,  Alok S. Tiagi

IPC: H04L29/06

Abstract: Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.

公开(公告)号：US09906494B2

公开(公告)日：2018-02-27

申请号：US14231646

申请日：2014-03-31

Applicant: Nicira, Inc.

Inventor： Chidambareswaran Raman ,  Subrahmanyam Manuguri ,  Todd Sabin

IPC: H04L29/06 ,  G06F9/455

CPC classification number: H04L63/0227 ,  G06F9/45558 ,  G06F2009/45595 ,  H04L63/0236 ,  H04L63/0263

Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel virtualization architecture for utilizing a firewall service virtual machine (SVM) on the host to check the packets sent by and/or received for the GVMs. In some embodiments, the GVMs connect to a software forwarding element (e.g., a software switch) that executes on the host to connect to each other and to other devices operating outside of the host. Instead of connecting the firewall SVM to the host's software forwarding element that connects its GVMs, the virtualization architecture of some embodiments provides an SVM interface (SVMI) through which the firewall SVM can be accessed to check the packets sent by and/or received for the GVMs.

公开(公告)号：US20170180321A1

公开(公告)日：2017-06-22

申请号：US14975609

申请日：2015-12-18

Applicant: Nicira, Inc.

Inventor： Srinivas Nimmagadda ,  Jayant Jain ,  Anirban Sengupta ,  Subrahmanyam Manuguri ,  Alok S. Tiagi

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/0263 ,  H04L63/20

Abstract: Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.

公开(公告)号：US20150281180A1

公开(公告)日：2015-10-01

申请号：US14231640

申请日：2014-03-31

Applicant: Nicira, Inc.

Inventor： Chids Raman ,  Subrahmanyam Manuguri ,  Todd Sabin

IPC: H04L29/06 ,  G06F9/455

CPC classification number: H04L63/0272 ,  G06F9/455 ,  G06F9/45533 ,  G06F9/45558 ,  G06F2009/45595 ,  H04L63/0236 ,  H04L63/0254

Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel virtualization architecture for utilizing a firewall service virtual machine (SVM) on the host to check the packets sent by and/or received for the GVMs. In some embodiments, the GVMs connect to a software forwarding element (e.g., a software switch) that executes on the host to connect to each other and to other devices operating outside of the host. Instead of connecting the firewall SVM to the host's software forwarding element that connects its GVMs, the virtualization architecture of some embodiments provides an SVM interface (SVMI) through which the firewall SVM can be accessed to check the packets sent by and/or received for the GVMs.

Abstract translation: 对于执行一个或多个来宾虚拟机（GVM）的主机，一些实施例提供了一种新颖的虚拟化架构，用于在主机上利用防火墙服务虚拟机（SVM）来检查由GVM发送和/或接收的数据包。 在一些实施例中，GVM连接到在主机上执行的软件转发元件（例如，软件交换机），以连接到彼此以及在主机之外运行的其他设备。 除了将防火墙SVM连接到连接其GVM的主机的软件转发元件之外，一些实施例的虚拟化架构提供了SVM接口（SVMI），通过该SVM接口可以访问防火墙SVM以检查由/ GVMs。

公开(公告)号：US20150281178A1

公开(公告)日：2015-10-01

申请号：US14231646

申请日：2014-03-31

Applicant: Nicira, Inc.

Inventor： Chids Raman ,  Subrahmanyam Manuguri ,  Todd Sabin

IPC: H04L29/06

CPC classification number: H04L63/0227 ,  G06F9/45558 ,  G06F2009/45595 ,  H04L63/0236 ,  H04L63/0263

Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel virtualization architecture for utilizing a firewall service virtual machine (SVM) on the host to check the packets sent by and/or received for the GVMs. In some embodiments, the GVMs connect to a software forwarding element (e.g., a software switch) that executes on the host to connect to each other and to other devices operating outside of the host. Instead of connecting the firewall SVM to the host's software forwarding element that connects its GVMs, the virtualization architecture of some embodiments provides an SVM interface (SVMI) through which the firewall SVM can be accessed to check the packets sent by and/or received for the GVMs.

Abstract translation: 对于执行一个或多个来宾虚拟机（GVM）的主机，一些实施例提供了一种新颖的虚拟化架构，用于在主机上利用防火墙服务虚拟机（SVM）来检查由GVM发送和/或接收的数据包。 在一些实施例中，GVM连接到在主机上执行的软件转发元件（例如，软件交换机），以连接到彼此以及在主机之外运行的其他设备。 除了将防火墙SVM连接到连接其GVM的主机的软件转发元件之外，一些实施例的虚拟化架构提供了SVM接口（SVMI），通过该SVM接口可以访问防火墙SVM以检查由/ GVMs。