-
Publication No.: US11695731B2
Publication Date: 2023-07-04
Application No.: US17063415
Filing Date: 2020-10-05
Applicant: Nicira, Inc.
CPC Classification: H04L63/0218, G06F9/45558, H04L67/63, G06F2009/45595
Abstract: Systems and techniques are described for monitoring network communications using a distributed firewall. One of the techniques includes receiving, at a driver executing in a guest operating system of a virtual machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising: obtaining identity information for the user; providing the identity information and data identifying the network connection to an identity module external to the driver; and receiving, by a distributed firewall, data associating the identity information with the data identifying the network connection from the identity module, wherein the distributed firewall performs operations comprising: receiving an outgoing packet from the virtual machine; determining that the identity information corresponds to the outgoing packet; and evaluating one or more routing rules based at least in part on the identity information.
-
Publication No.: US11388139B2
Publication Date: 2022-07-12
Application No.: US16945748
Filing Date: 2020-07-31
Applicant: Nicira, Inc.
Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel virtualization architecture for utilizing a firewall service virtual machine (SVM) on the host to check the packets sent by and/or received for the GVMs. In some embodiments, the GVMs connect to a software forwarding element (e.g., a software switch) that executes on the host to connect to each other and to other devices operating outside of the host. Instead of connecting the firewall SVM to the host's software forwarding element that connects its GVMs, the virtualization architecture of some embodiments provides an SVM interface (SVMI) through which the firewall SVM can be accessed to check the packets sent by and/or received for the GVMs.
-
Publication No.: US11210121B2
Publication Date: 2021-12-28
Application No.: US15178402
Filing Date: 2016-06-09
Applicant: Nicira, Inc.
IPC Classification: G06F9/455, H04L12/927
Abstract: Techniques for transferring connection data for a migrated virtual computing instance are described. The connection data transfer process includes the steps of, responsive to determining the virtual computing instance is to be migrated, transmitting the connection data, from a first memory buffer shared between a first instance of a service virtual computing instance and a first hardware abstraction layer executing in a source host, to a second memory buffer shared between a second instance of the service virtual computing instance and a second hardware abstraction layer executing in a destination host; responsive to determining the virtual computing instance is stopped in the source host, packing connection data changes, including changes made to the connection data at the source host during a time period beginning when the connection data is copied and ending when the virtual computing instance is stopped; and transmitting the connection data changes to the destination host.
-
Publication No.: US11018970B2
Publication Date: 2021-05-25
Application No.: US15366793
Filing Date: 2016-12-01
Applicant: Nicira, Inc.
IPC Classification: H04L12/24, H04L12/26, H04L12/911
Abstract: A method for monitoring several data compute nodes (DCNs) on a group of managed host machines is provided. The method receives service usage data from a group of managed hosts. The service usage data identifies service usage for each of a plurality of entities associated with each managed host. The method aggregates the received service usage data. The method displays the aggregated service usage data.
-
Publication No.: US10791092B2
Publication Date: 2020-09-29
Application No.: US15897129
Filing Date: 2018-02-14
Applicant: Nicira, Inc.
Abstract: Some embodiments provide a method that receives a packet, having a set of one or more layer 7 (L7) expressions, from a datapath. The method identifies a set of datapath firewall rules that match on expressions in the set of expressions. The method provides identifiers for the datapath firewall rules of the identified set to the datapath. The datapath uses the identifiers and additional packet header data to determine a matching firewall rule from the set of datapath firewall rules.
-
Publication No.: US20180183760A1
Publication Date: 2018-06-28
Application No.: US15388151
Filing Date: 2016-12-22
Applicant: Nicira, Inc.
Inventors: Sameer Kurkure, Subrahmanyam Manuguri, Anirban Sengupta, Aman Raj, Kaushal Bansal, Shadab Shah
IPC Classification: H04L29/06
CPC Classification: H04L63/0263, H04L63/0227, H04L63/0236, H04L63/20
Abstract: Network firewalls operate based on rules that define how a firewall should handle traffic passing through the firewall. At their most basic, firewall rules may indicate that certain network traffic should be denied from passing through a network firewall or indicate that certain network traffic should be allowed to pass through the network firewall. Ways of handling network traffic beyond simply allowing or denying it may also be defined by the rules. For instance, a rule may indicate that certain network traffic should be routed to a specific system. Thus, if an administrator of a network firewall determines that certain network traffic should be handled in a certain way by a network firewall, the administrator need only implement a firewall rule defining how that network traffic should be handled in the network firewall.
-
Publication No.: US10798058B2
Publication Date: 2020-10-06
Application No.: US16041698
Filing Date: 2018-07-20
Applicant: Nicira, Inc.
Abstract: Systems and techniques are described for monitoring network communications using a distributed firewall. One of the techniques includes receiving, at a driver executing in a guest operating system of a virtual machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising: obtaining identity information for the user; providing the identity information and data identifying the network connection to an identity module external to the driver; and receiving, by a distributed firewall, data associating the identity information with the data identifying the network connection from the identity module, wherein the distributed firewall performs operations comprising: receiving an outgoing packet from the virtual machine; determining that the identity information corresponds to the outgoing packet; and evaluating one or more routing rules based at least in part on the identity information.
-
Publication No.: US10756969B2
Publication Date: 2020-08-25
Application No.: US15677733
Filing Date: 2017-08-15
Applicant: Nicira, Inc.
IPC Classification: H04L12/24, H04L12/863, H04L12/801
Abstract: The technology disclosed herein enables a data plane of a packet handler in a host to be changed while minimizing disruption to the operation of guests that are associated therewith. In a particular embodiment, the method provides, in a control plane of the packet handler, extracting state information about states of the data plane and pausing network traffic to the data plane. After pausing the network traffic to the data plane, the method provides applying changes to components of the data plane. After applying changes to the components of the data plane, the method provides restoring the states to the data plane using the state information and resuming the network traffic to the data plane.
-
Publication No.: US10608887B2
Publication Date: 2020-03-31
Application No.: US15726789
Filing Date: 2017-10-06
Applicant: Nicira, Inc.
Inventors: Jayant Jain, Anirban Sengupta, Subrahmanyam Manuguri, Rick Lund, Alok Tiagi
IPC Classification: H04L12/24, H04L29/06, H04L12/26, H04L29/08, H04L12/931
Abstract: Some embodiments provide a method that performs a packet tracing operation for a particular data flow between endpoints of a logical network to generate a representation of logical network components along a path between the endpoints. In response to a selection of at least two of the logical network components, the method automatically generates separate packet capture operations for execution by physical components that implement each of the selected logical network components. The method uses packet header information to correlate packet data from the separate packet capture operations.
-
Publication No.: US10341297B2
Publication Date: 2019-07-02
Application No.: US14975570
Filing Date: 2015-12-18
Applicant: Nicira, Inc.
Abstract: Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules, as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.