-
Publication No.: US10567440B2
Publication Date: 2020-02-18
Application No.: US15381123
Application Date: 2016-12-16
Applicant: Nicira, Inc.
Inventor: Kaushal Bansal, Anirban Sengupta, Subrahmanyam Manuguri, Sunitha Krishna, Jerry Pereira
Abstract: A method of creating micro-segmentation policies for a network is provided. The method identifies a set of network nodes as seed nodes. The method monitors network packet traffic flows for the seed nodes to collect traffic flow information. The method identifies a set of related nodes for the set of seed nodes based on the collected network flow information. The method analyzes the collected network flow information to identify micro-segmentation policies for the network.
-
Publication No.: US10536383B2
Publication Date: 2020-01-14
Application No.: US15708352
Application Date: 2017-09-19
Applicant: Nicira, Inc.
Inventor: Kaushal Bansal, Sunitha Krishna, Jerry Pereira, Shadab Shah, Subrahmanyam Manuguri, Jayant Jain
IPC: H04L12/815, H04L12/801
Abstract: The technology disclosed herein enables the enhancement of attributes used to identify network packet traffic exchanged with micro segmented guests. In a particular embodiment, a method provides receiving a plurality of attributes from a user. The plurality of attributes describes first network packet traffic that should be handled in a first manner. The method further provides processing network packet traffic to identify the first network packet traffic using the plurality of attributes. While processing the network packet traffic, the method provides identifying one or more additional attributes shared among the first network packet traffic and adding at least a portion of the one or more additional attributes to the plurality of attributes.
-
Publication No.: US10320749B2
Publication Date: 2019-06-11
Application No.: US15344591
Application Date: 2016-11-07
Applicant: Nicira, Inc.
Inventor: Anirban Sengupta, Sunitha Krishna, Subrahmanyam Manuguri
IPC: H04L29/06
Abstract: Example methods are provided for a network management entity to perform firewall rule creation in a virtualized computing environment. The method may comprise obtaining flow data associated with an application-layer protocol session between a first endpoint and a second endpoint in the virtualized computing environment; and identifying, from the flow data, an association between a control flow and at least one data flow of the application-layer protocol session. The method may also comprise: based on the association, creating a firewall rule that is applicable to both the control flow and at least one data flow; and instructing a first firewall engine associated with the first endpoint, or a second firewall engine associated with the second endpoint, or both, to apply the firewall rule during the application-layer protocol session.
-
Publication No.: US10938726B2
Publication Date: 2021-03-02
Application No.: US15697409
Application Date: 2017-09-06
Applicant: Nicira, Inc.
Inventor: Russell Lu, Xin Qi, Shadab Shah, Sunitha Krishna, Yangyang Zhu, Subrahmanyam Manuguri, Raju Koganty
IPC: H04L12/851, H04L29/06, H04L12/26
Abstract: For a network including multiple host machines that together implement at least one logical network including a firewall, some embodiments provide a method for collecting traffic flow data that includes identifiers for firewall rules applied to the traffic flow and a logical entity identifier. In some embodiments, the host machines receive traffic monitoring configuration data for a logical network. The traffic monitoring configuration data in some embodiments indicates a set of logical entities of the logical network for which to collect traffic flow data and a set of traffic flow data collectors associated with the set of logical entities. The indicated logical entities may be logical forwarding elements (logical switches, routers, etc.) or logical ports of logical forwarding elements.
-
Publication No.: US20190089635A1
Publication Date: 2019-03-21
Application No.: US15708352
Application Date: 2017-09-19
Applicant: Nicira, Inc.
Inventor: Kaushal Bansal, Sunitha Krishna, Jerry Pereira, Shadab Shah, Subrahmanyam Manuguri, Jayant Jain
IPC: H04L12/815, H04L12/801
Abstract: The technology disclosed herein enables the enhancement of attributes used to identify network packet traffic exchanged with micro segmented guests. In a particular embodiment, a method provides receiving a plurality of attributes from a user. The plurality of attributes describes first network packet traffic that should be handled in a first manner. The method further provides processing network packet traffic to identify the first network packet traffic using the plurality of attributes. While processing the network packet traffic, the method provides identifying one or more additional attributes shared among the first network packet traffic and adding at least a portion of the one or more additional attributes to the plurality of attributes.
-
Publication No.: US20180176261A1
Publication Date: 2018-06-21
Application No.: US15381123
Application Date: 2016-12-16
Applicant: Nicira, Inc.
Inventor: Kaushal Bansal, Anirban Sengupta, Subrahmanyam Manuguri, Sunitha Krishna, Jerry Pereira
Abstract: A method of creating micro-segmentation policies for a network is provided. The method identifies a set of network nodes as seed nodes. The method monitors network packet traffic flows for the seed nodes to collect traffic flow information. The method identifies a set of related nodes for the set of seed nodes based on the collected network flow information. The method analyzes the collected network flow information to identify micro-segmentation policies for the network.
-
Publication No.: US20190075056A1
Publication Date: 2019-03-07
Application No.: US15697409
Application Date: 2017-09-06
Applicant: Nicira, Inc.
Inventor: Russell Lu, Xin Qi, Shadab Shah, Sunitha Krishna, Yangyang Zhu, Subrahmanyam Manuguri, Raju Koganty
IPC: H04L12/851, H04L29/06, H04L12/26
Abstract: For a network including multiple host machines that together implement at least one logical network including a firewall, some embodiments provide a method for collecting traffic flow data that includes identifiers for firewall rules applied to the traffic flow and a logical entity identifier. In some embodiments, the host machines receive traffic monitoring configuration data for a logical network. The traffic monitoring configuration data in some embodiments indicates a set of logical entities of the logical network for which to collect traffic flow data and a set of traffic flow data collectors associated with the set of logical entities. The indicated logical entities may be logical forwarding elements (logical switches, routers, etc.) or logical ports of logical forwarding elements.