Publication number: US20150096007A1
Publication date: 2015-04-02
Application number: US14043714
Filing date: 2013-10-01
Applicant: VMware, Inc.
Inventor: Anirban Sengupta , Subrahmanyam Manuguri , Mitchell T. Christensen , Azeem Feroz , Todd Sabin
CPC classification number: H04L63/0218 , G06F9/45558 , G06F2009/45595 , H04L67/327
Abstract: Systems and techniques are described for monitoring network communications using a distributed firewall. One of the techniques includes receiving, at a driver executing in a guest operating system of a virtual machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising: obtaining identity information for the user; providing the identity information and data identifying the network connection to an identity module external to the driver; and receiving, by a distributed firewall, data associating the identity information with the data identifying the network connection from the identity module, wherein the distributed firewall performs operations comprising: receiving an outgoing packet from the virtual machine; determining that the identity information corresponds to the outgoing packet; and evaluating one or more routing rules based at least in part on the identity information.
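The flow in the abstract (guest driver reports user identity plus connection data to an identity module, the distributed firewall receives the association and evaluates rules per outgoing packet by identity) can be modelled as below. This is an added illustration, not code from the patent or from VMware; the class names, the 5-tuple connection key, the rule format and the implicit default deny are all assumptions made here.

```python
from dataclasses import dataclass, field

# Connection key as the guest driver would report it: (src_ip, src_port, dst_ip, dst_port, proto).
ConnKey = tuple


@dataclass
class DistributedFirewall:
    """Sits outside the VM; holds identity associations and the identity-aware rule set (assumed format)."""
    # Rules are (user, dst_ip, dst_port, action), evaluated first match wins; "*" is a wildcard.
    rules: list
    identities: dict = field(default_factory=dict)

    def associate(self, conn: ConnKey, user: str) -> None:
        # Received from the identity module: this connection belongs to this user.
        self.identities[conn] = user

    def evaluate(self, pkt: ConnKey) -> str:
        # Outgoing packet from the VM: map it to an identity, then evaluate identity-based rules.
        # A packet with no reported identity (e.g. driver not running) is treated as "unknown".
        user = self.identities.get(pkt, "unknown")
        for rule_user, dst_ip, dst_port, action in self.rules:
            if rule_user in (user, "*") and dst_ip in (pkt[2], "*") and dst_port in (pkt[3], "*"):
                return action
        return "deny"  # assumed implicit default deny when no rule matches


@dataclass
class IdentityModule:
    """External to the driver; relays identity/connection associations to the firewall."""
    firewall: DistributedFirewall

    def report(self, user: str, conn: ConnKey) -> None:
        self.firewall.associate(conn, user)


@dataclass
class GuestDriver:
    """Runs in the guest OS; sees each connection request together with the requesting user."""
    identity_module: IdentityModule

    def on_connect_request(self, user: str, conn: ConnKey) -> None:
        # Obtain identity for the requesting process and hand it, with the connection data, onward.
        self.identity_module.report(user, conn)


def demo() -> dict:
    # Constructed sample: only alice may reach the admin host over SSH; everyone may use HTTPS.
    fw = DistributedFirewall(rules=[("alice", "10.0.0.5", 22, "allow"), ("*", "*", 443, "allow")])
    driver = GuestDriver(IdentityModule(fw))
    ssh_alice = ("10.0.1.10", 50001, "10.0.0.5", 22, "tcp")
    ssh_bob = ("10.0.1.10", 50002, "10.0.0.5", 22, "tcp")
    ssh_noid = ("10.0.1.10", 50003, "10.0.0.5", 22, "tcp")  # no driver report for this one
    https_bob = ("10.0.1.10", 50004, "93.184.216.34", 443, "tcp")
    driver.on_connect_request("alice", ssh_alice)
    driver.on_connect_request("bob", ssh_bob)
    driver.on_connect_request("bob", https_bob)
    return {k: fw.evaluate(v) for k, v in
            [("ssh_alice", ssh_alice), ("ssh_bob", ssh_bob), ("ssh_noid", ssh_noid), ("https_bob", https_bob)]}
```

Because the association arrives before the packet is evaluated, a process that opens a socket without going through the guest driver is still seen by the firewall, but only as "unknown", which the rule set must handle explicitly.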