USING PNICS TO PERFORM FIREWALL OPERATIONS

    Publication (Announcement) No.: US20250039128A1

    Publication (Announcement) Date: 2025-01-30

    Application No.: US18229633

    Filing Date: 2023-08-02

    Applicant: VMware LLC

    Abstract: Some embodiments provide a novel method for offloading firewall operations from a host computer executing a set of one or more virtual machines (VMs) to a physical network interface card (PNIC) connected to the host computer. The method configures, on the PNIC, a first firewall to determine actions to perform on flows associated with the set of VMs, and to offload processing of the flows to a flow-cache second firewall of the PNIC. The method configures, on the PNIC, the flow-cache second firewall to process a first set of flows based on a first set of actions determined by the first firewall, and to offload processing of a second set of flows to an embedded hardware switch of the PNIC. The method configures, on the PNIC, the embedded hardware switch to process the second set of flows based on a second set of actions determined by the first firewall.

    USING CONNECTION TRACKING RECORDS TO PROCESS DATA MESSAGE FLOWS AT A PNIC

    Publication (Announcement) No.: US20250039140A1

    Publication (Announcement) Date: 2025-01-30

    Application No.: US18229647

    Filing Date: 2023-08-02

    Applicant: VMware LLC

    Abstract: Some embodiments provide a novel method for using connection tracking records to process data messages at a physical network interface card (PNIC) connected to a host computer. A first software firewall of the PNIC determines whether processing of a flow is passable to a second software firewall of the PNIC and to a third hardware firewall of the PNIC. The first software firewall creates a connection tracking record for the flow and data specifying whether processing of the flow is passable to the second software firewall and, independently, whether processing of the flow is passable to the third hardware firewall. The first software firewall provides the connection tracking record and said data to the second software firewall of the PNIC so that the second software firewall processes the flow or passes the connection tracking record and the data to the third hardware firewall if the determination was that the flow is passable to the third hardware firewall.

    Sharing of firewall rules among multiple workloads in a hypervisor

    Publication (Announcement) No.: US12058108B2

    Publication (Announcement) Date: 2024-08-06

    Application No.: US17723191

    Filing Date: 2022-04-18

    Applicant: VMware LLC

    Abstract: In some embodiments, a method receives a packet at an instance of a distributed firewall associated with one of a plurality of workloads running on a hypervisor. Each of the plurality of workloads has an associated instance of the distributed firewall. An index table is accessed for the workload where the index table includes a set of references to a set of rules in a rules table. Each workload in the plurality of workloads is associated with an index table that references rules that are applicable to each respective workload. The method then accesses at least one rule in a set of rules associated with the set of references from the rules table and compares one or more attributes for the packet to information stored for the at least one rule in the set of rules to determine a rule in the set of rules to apply to the packet.

    Method and system for automatically curating intrusion detection signatures for workloads based on contextual attributes in an SDDC

    Publication (Announcement) No.: US12010126B2

    Publication (Announcement) Date: 2024-06-11

    Application No.: US17374630

    Filing Date: 2021-07-13

    Applicant: VMware LLC

    Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter that includes at least one host computer executing multiple machines. The method receives multiple contextual attributes associated with a set of data messages processed by the multiple machines executing on the at least one host computer, the multiple contextual attributes including contextual attributes that are not L2-L4 attributes and that define a compute environment in which one or more workloads performed by the multiple machines executing on the at least one host computer operate. The method uses the received multiple contextual attributes to perform a filtering operation to identify, from multiple intrusion detection signatures, a set of intrusion detection signatures applicable to the one or more workloads. The method provides the identified set of intrusion detection signatures to an intrusion detection system operating on the particular host computer for enforcement.

    String pattern matching for multi-string pattern rules in intrusion detection

    Publication (Announcement) No.: US11954005B2

    Publication (Announcement) Date: 2024-04-09

    Application No.: US18196367

    Filing Date: 2023-05-11

    Applicant: VMware LLC

    CPC classification numbers: G06F11/3072, G06F40/205, G06V10/955

    Abstract: In some embodiments, a method stores a plurality of identifiers for a plurality of rules. Each of the plurality of rules includes a set of patterns, and each rule-and-pattern combination is associated with an identifier in the plurality of identifiers. Information being sent on a network is scanned, and the method determines when a pattern in the information matches a pattern for a rule. The method identifies an identifier for the pattern, where the identifier identifies a rule-and-pattern combination. Then, the method identifies the rule-and-pattern combination based on the identifier. The set of patterns for the rule is found in the information based on determining that the rule-and-pattern combinations for the rule have been found in the information.

    Method and system for enforcing intrusion detection signatures curated for workloads based on contextual attributes in an SDDC

    Publication (Announcement) No.: US12095780B2

    Publication (Announcement) Date: 2024-09-17

    Application No.: US17374633

    Filing Date: 2021-07-13

    Applicant: VMware LLC

    CPC classification numbers: H04L63/1416, H04L63/1425, H04L63/1466, H04L63/20

    Abstract: Some embodiments of the invention provide a method of implementing an intent-based intrusion detection and prevention system in a datacenter, the datacenter including at least one host computer executing multiple machines. The method receives a filtered set of intrusion detection signatures to be enforced on the at least one host computer. The method uses a set of contextual attributes associated with a particular data message to generate an intrusion detection signature for the particular data message, the generated intrusion detection signature including a bit pattern, each bit associated with a contextual attribute in the set. The method compares the generated intrusion detection signature with the received set of intrusion detection signatures to identify a matching intrusion detection signature in the received filtered set.
