-
Publication (Announcement) No.: US11652637B2
Publication (Announcement) Date: 2023-05-16
Application No.: US17398814
Filing Date: 2021-08-10
Applicant: Illumio, Inc.
Inventor: Paul J. Kirner, Matthew K. Glenn, Mukesh Gupta, Anish Vinodkumar Desai
CPC classification number: H04L9/3226, H04L9/3242, H04L9/3247, H04L9/3268, H04L63/02, H04L63/06, H04L63/0823, H04L63/0869, H04L63/20
Abstract: A segmentation server defines a segmentation policy and distributes the segmentation policy to be enforced by a plurality of operating system (OS) instances. The segmentation policy includes rules controlling which workloads executing on the OS instances can communicate with other workloads and controlling how the workloads may communicate. When a connection between two OS instances is requested, each OS instance provides an identity and a cryptographic proof of the identity. The OS instances each authenticate the identity received from the other OS instance and, once authenticated, determine based on the authenticated identities whether the rules permit the communication. If the rules permit the communication, the OS instances obtain session parameters that enable the OS instances to validate the integrity of the messages communicated between the workloads and optionally encrypt the messages.
-
Publication (Announcement) No.: US20230353540A1
Publication (Announcement) Date: 2023-11-02
Application No.: US18218899
Filing Date: 2023-07-06
Applicant: Illumio, Inc.
IPC: H04L9/40, G06F9/38, H04L41/0803, H04L43/04, G06F9/448, H04L41/0894
CPC classification number: H04L63/0263, H04L63/0254, H04L63/0236, G06F9/3826, H04L41/0803, H04L43/04, G06F9/4486, H04L63/20, H04L41/0894, H04L63/0227, H04L41/0895
Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
-
Publication (Announcement) No.: US20220103361A1
Publication (Announcement) Date: 2022-03-31
Application No.: US17398814
Filing Date: 2021-08-10
Applicant: Illumio, Inc.
Inventor: Paul J. Kirner, Matthew K. Glenn, Mukesh Gupta, Anish Vinodkumar Desai
Abstract: A segmentation server defines a segmentation policy and distributes the segmentation policy to be enforced by a plurality of operating system (OS) instances. The segmentation policy includes rules controlling which workloads executing on the OS instances can communicate with other workloads and controlling how the workloads may communicate. When a connection between two OS instances is requested, each OS instance provides an identity and a cryptographic proof of the identity. The OS instances each authenticate the identity received from the other OS instance and, once authenticated, determine based on the authenticated identities whether the rules permit the communication. If the rules permit the communication, the OS instances obtain session parameters that enable the OS instances to validate the integrity of the messages communicated between the workloads and optionally encrypt the messages.
-
Publication (Announcement) No.: US11736443B2
Publication (Announcement) Date: 2023-08-22
Application No.: US17730062
Filing Date: 2022-04-26
Applicant: Illumio, Inc.
IPC: H04L9/40, G06F9/38, H04L41/0803, H04L43/04, G06F9/448, H04L41/0894, H04L41/0895
CPC classification number: H04L63/0263, G06F9/3826, G06F9/4486, H04L41/0803, H04L41/0894, H04L43/04, H04L63/0227, H04L63/0236, H04L63/0254, H04L63/20, H04L41/0895
Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
-
Publication (Announcement) No.: US11121875B2
Publication (Announcement) Date: 2021-09-14
Application No.: US15789921
Filing Date: 2017-10-20
Applicant: Illumio, Inc.
Inventor: Paul J. Kirner, Matthew K. Glenn, Mukesh Gupta, Anish Vinodkumar Desai
Abstract: A segmentation server defines a segmentation policy and distributes the segmentation policy to be enforced by a plurality of operating system (OS) instances. The segmentation policy includes rules controlling which workloads executing on the OS instances can communicate with other workloads and controlling how the workloads may communicate. When a connection between two OS instances is requested, each OS instance provides an identity and a cryptographic proof of the identity. The OS instances each authenticate the identity received from the other OS instance and, once authenticated, determine based on the authenticated identities whether the rules permit the communication. If the rules permit the communication, the OS instances obtain session parameters that enable the OS instances to validate the integrity of the messages communicated between the workloads and optionally encrypt the messages.
-
Publication (Announcement) No.: US12010098B2
Publication (Announcement) Date: 2024-06-11
Application No.: US18218899
Filing Date: 2023-07-06
Applicant: Illumio, Inc.
IPC: H04L9/40, G06F9/38, G06F9/448, H04L41/0803, H04L41/0894, H04L43/04, H04L41/0895, H04L41/40
CPC classification number: H04L63/0263, G06F9/3826, G06F9/4486, H04L41/0803, H04L41/0894, H04L43/04, H04L63/0227, H04L63/0236, H04L63/0254, H04L63/20, H04L41/0895, H04L41/40
Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
-
Publication (Announcement) No.: US11451514B2
Publication (Announcement) Date: 2022-09-20
Application No.: US16239492
Filing Date: 2019-01-03
Applicant: Illumio, Inc.
Inventor: Daniel Richard Cook, Anish Vinodkumar Desai
IPC: H04L9/40, G06F9/50, H04L41/0823
Abstract: An enforcement module receives management instructions from a segmentation server for enforcing a segmentation policy. The management instructions include one or more rules specifying one or more groups of workloads that a workload executing on the operating system instance is permitted to communicate with according to certain communication constraints, and membership information specifying workload identifiers for workloads in each of the groups. An optimization module processes the management instructions to reduce the number of rules and the number of workload groups to which the rules apply, thereby simplifying the firewall configuration. The enforcement module then configures a firewall according to the optimized rules to enforce the segmentation policy. The optimization process beneficially improves performance of the firewall and thereby enables more efficient enforcement of the segmentation policy utilizing fewer computing resources.
-
Publication (Announcement) No.: US20190123905A1
Publication (Announcement) Date: 2019-04-25
Application No.: US15789921
Filing Date: 2017-10-20
Applicant: Illumio, Inc.
Inventor: Paul J. Kirner, Matthew K. Glenn, Mukesh Gupta, Anish Vinodkumar Desai
Abstract: A segmentation server defines a segmentation policy and distributes the segmentation policy to be enforced by a plurality of operating system (OS) instances. The segmentation policy includes rules controlling which workloads executing on the OS instances can communicate with other workloads and controlling how the workloads may communicate. When a connection between two OS instances is requested, each OS instance provides an identity and a cryptographic proof of the identity. The OS instances each authenticate the identity received from the other OS instance and, once authenticated, determine based on the authenticated identities whether the rules permit the communication. If the rules permit the communication, the OS instances obtain session parameters that enable the OS instances to validate the integrity of the messages communicated between the workloads and optionally encrypt the messages.
-
Publication (Announcement) No.: US20240291802A1
Publication (Announcement) Date: 2024-08-29
Application No.: US18652559
Filing Date: 2024-05-01
Applicant: Illumio, Inc.
IPC: H04L9/40, G06F9/38, G06F9/448, H04L41/0803, H04L41/0894, H04L41/0895, H04L41/40, H04L43/04
CPC classification number: H04L63/0263, G06F9/3826, G06F9/4486, H04L41/0803, H04L41/0894, H04L43/04, H04L63/0227, H04L63/0236, H04L63/0254, H04L63/20, H04L41/0895, H04L41/40
Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
-
Publication (Announcement) No.: US20220255899A1
Publication (Announcement) Date: 2022-08-11
Application No.: US17730062
Filing Date: 2022-04-26
Applicant: Illumio, Inc.
IPC: H04L9/40, G06F9/38, H04L41/0803, H04L43/04, G06F9/448
Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.