-
Publication No.: US20220210127A1
Publication date: 2022-06-30
Application No.: US17177257
Filing date: 2021-02-17
Applicant: VMWARE, INC.
Abstract: Example methods and systems for attribute-based firewall rule enforcement are described. One example method may comprise a computer system obtaining, from a management entity, one or more first firewall rules configured based on first attribute information. The computer system may detect a login event associated with a user operating a user device to log onto a virtualized computing instance. In response to determination that the user is associated with the first attribute information, the one or more first firewall rules may be applied. Otherwise, in response to determination that the user is associated with second attribute information that is different from the first attribute information, the computer system may obtain and apply one or more second firewall rules configured based on the second attribute information.
-
Publication No.: US20240422195A1
Publication date: 2024-12-19
Application No.: US18230695
Filing date: 2023-08-07
Applicant: VMWARE, INC.
Inventor: VASANTHA KUMAR DHANASEKAR, DIMITRIOS SIKERIDIS, SHIRISH VIJAYVARGIYA, SRIRAM GOPALAKRISHNAN
Abstract: Example methods and systems for policy configuration using a data-plane approach are described. In one example, a first computer system may detect first data-plane packet(s) for establishing a connection between (a) a first virtualized computing instance and (b) a second computer system from which a resource is accessible. The first computer system may extract, from the first data-plane packet(s), parameter information associated with the connection; and configure a policy that is applicable for access control of the resource based on the parameter information. In response to detecting second data-plane packet(s) to access the resource, the computer system may apply the policy to allow or block forwarding of the second data-plane packet towards the second computer system. The second data-plane packet may originate from (a) the first virtualized computing instance or (b) a second virtualized computing instance supported by the first computer system.
-
Publication No.: US20230229756A1
Publication date: 2023-07-20
Application No.: US17701736
Filing date: 2022-03-23
Applicant: VMWARE, INC.
Inventor: VASANTHA KUMAR DHANASEKAR, Shirish Vijayvargiya, Bharath Kumar Chandrasekhar, Leena Shuklendu Soman
CPC classification number: G06F21/51, H04L9/3239, G06F9/45558, G06F2221/033, G06F2009/45562, G06F2009/45587
Abstract: Rapid launch of secure executables in a virtualized environment includes using a persisted security cache in a virtualized component (VC), such as a virtual machine. The VC generates a cache integrity value (IV), such as a hash value, for the security cache and sends it to a remote validator, which returns an indication of security cache validity or invalidity. Upon receiving a request to execute applications, the VC analyzes whether the applications have been determined to be safe to execute and have not been altered. The VC retrieves application IVs from the security cache, rather than hashing each of the applications, thereby saving compute time, and sends the application IVs to a remote validator, which returns an indication of application validity or invalidity.
-
Publication No.: US20230208810A1
Publication date: 2023-06-29
Application No.: US17673841
Filing date: 2022-02-17
Applicant: VMWARE, INC.
IPC: H04L9/40
CPC classification number: H04L63/0254, H04L63/1491, H04L63/205
Abstract: Example methods and systems for a computer system to perform context-aware service query filtering are described. One example may involve a computer system intercepting a service query from a virtualized computing instance to pause forwarding of the service query towards a destination; and obtaining context information associated with an application running on the virtualized computing instance. In response to determination that the service query is a potential security threat based on the context information, service query filtering may be performed to inspect the service query for malicious activity. Otherwise, in response to determination that the service query is not a potential security threat based on the context information, the service query filtering may be skipped and the service query forwarded towards the destination.
-
Publication No.: US20240205191A1
Publication date: 2024-06-20
Application No.: US18106526
Filing date: 2023-02-07
Applicant: VMWARE, INC.
IPC: H04L9/40
CPC classification number: H04L63/0263, H04L63/20
Abstract: The disclosure provides an approach for firewall policy management. Embodiments include receiving, at a firewall from a first virtual computing instance (VCI), a registration request comprising a first identifier of the first VCI and a second identifier of a second VCI. Embodiments include determining, at the firewall, based on the second identifier included in the registration request, that the second VCI is associated with a network security policy at the firewall. Embodiments include applying, at the firewall, based on the first identifier included in the registration request, the network policy associated with the second VCI to the first VCI. Additionally, embodiments include allowing or disallowing network activity for the first VCI based on the applied network security policy.