TW201703485A - System and method for orchestrating physical and virtual switches to enforce security boundaries - Google Patents
- Publication number
- TW201703485A
- Authority
- TW
- Taiwan
- Prior art keywords
- switch
- data packet
- execution point
- forwarding table
- host
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Some embodiments include a method comprising: writing, through an application programming interface (API) of a switch, entries into a forwarding table of the switch such that first data packets originating from a first host and directed to a second host are forwarded by the switch to an enforcement point; receiving the first data packets; forwarding the first data packets to the enforcement point using the forwarding table; determining, using a low-level rule set, whether the first data packets violate a high-level security policy; configuring the forwarding table through the API such that, in response to a determination that the first data packets do not violate the security policy, second data packets are forwarded by the switch to the second host; and configuring the forwarding table through the API such that, in response to a determination that the first data packets violate the security policy, the second data packets are dropped by the switch or forwarded to a security function.
Description
The present technology relates generally to computer security and, more specifically but not by way of limitation, to computer network security.
Some embodiments include a method comprising: writing, by a policy engine through an application programming interface (API) of a switch, entries into a forwarding table of the switch such that first data packets originating from a first host and directed to a second host are forwarded by the switch to an enforcement point; receiving, by the switch, the first data packets; forwarding, by the switch, the first data packets to the enforcement point using the forwarding table; determining, by the enforcement point using a low-level rule set, whether the first data packets violate a high-level security policy; configuring, by the enforcement point through the API, the forwarding table such that, in response to a determination that the first data packets do not violate the security policy, second data packets are forwarded by the switch to the second host; configuring, by the enforcement point through the API, the forwarding table such that, in response to a determination that the first data packets violate the security policy, the second data packets are dropped by the switch or forwarded to a security function; receiving, by the switch, second data packets; and selectively dropping or forwarding, by the switch, the second data packets according to the configuration.
Various embodiments include a system comprising: a data network; a plurality of hosts communicatively coupled to the data network; a switch communicatively coupled to the data network and comprising a forwarding table and an application programming interface (API); an enforcement point communicatively coupled to the data network; and a policy engine communicatively coupled to the data network, wherein the system performs a method comprising: writing, by the policy engine through the application programming interface (API), entries into the forwarding table of the switch such that first data packets originating from a first host and directed to a second host are forwarded by the switch to the enforcement point; receiving, by the switch, the first data packets; forwarding, by the switch, the first data packets to the enforcement point using the forwarding table; determining, by the enforcement point using a low-level rule set, whether the first data packets violate a high-level security policy; configuring, by the enforcement point through the API, the forwarding table such that, in response to a determination that the first data packets do not violate the security policy, second data packets are forwarded by the switch to the second host; configuring, by the enforcement point through the API, the forwarding table such that, in response to a determination that the first data packets violate the security policy, the second data packets are dropped by the switch or forwarded to a security function; receiving, by the switch, second data packets; and selectively dropping or forwarding, by the switch, the second data packets according to the configuration.
100‧‧‧system
110‧‧‧network
125‧‧‧switch
135‧‧‧application programming interface
140‧‧‧asset
141‧‧‧asset
142‧‧‧asset
143‧‧‧asset/virtual machine
144‧‧‧asset
145‧‧‧asset
150‧‧‧communication
160‧‧‧forwarding table
170‧‧‧tunnel
180‧‧‧distributed security processor/security processor
190‧‧‧policy engine
200‧‧‧system
225‧‧‧switch
235‧‧‧application programming interface (API)
240‧‧‧asset
241‧‧‧asset
242‧‧‧asset
243‧‧‧asset
244‧‧‧asset
245‧‧‧asset
260‧‧‧forwarding table
270‧‧‧fabric
280‧‧‧enforcement point
400‧‧‧computer system
410‧‧‧processor unit
420‧‧‧main memory
430‧‧‧mass data storage
440‧‧‧portable storage device
450‧‧‧output devices
460‧‧‧user input devices
470‧‧‧graphics display system
480‧‧‧peripheral devices
490‧‧‧bus
FIG. 1 is a simplified block diagram illustrating a system according to some embodiments.
FIG. 2 is a simplified block diagram illustrating another system according to some embodiments.
FIG. 3 is a simplified flowchart of an example method of the present technology according to various embodiments.
FIG. 4 illustrates an example computer system according to various embodiments.
An exemplary system according to the present technology operates, when a new connection is made, by pushing the decision about that connection up to a higher level for inspection and evaluating the new connection for permissibility. These new connections are implemented by the switch in each server/rack. A switch has a forwarding table that implements a rule. In an exemplary system, all initial traffic between nodes that have not previously communicated is not passed without first being forwarded to the distributed security processor. This is the default rule, and it provides a baseline level of security because the distributed security processor must approve every connection.
An exemplary system may use an enforcement point (EP) that operates in, or is associated with, the switch; the EP sends the communication to the distributed security processor. This communication may travel through a tunneling system, for example a Virtual Extensible LAN (VXLAN). The distributed security processor checks the policy, validates the expected protocol behavior and, after approving the communication, forwards the first several packets to the intended receiving node. The distributed security processor then programs the switch to permit future communication from the first port to the second port (also referred to as, or alternatively being, a node, a communicating node, a virtual machine, a container and a host). In this and all other examples, the sender and receiver may be on the same server controlled by the same switch, on different servers controlled by the same switch, or on different servers controlled by different switches.
In an exemplary system according to the present technology, the initial forwarding table contains a default routing rule that first sends all communication to the distributed security processor; that default routing rule is later rewritten to permit communication controlled directly by the switch, without intervention by the distributed security processor. Specific information in a packet header will prompt re-forwarding to the distributed security processor. For example, if a Transmission Control Protocol (TCP) header contains information related to establishing and/or tearing down a connection, the distributed security processor is consulted to examine the communication and its approval is required. For example, a TCP header containing SYN, FIN and/or RST, which relate to establishing or tearing down a connection, may require approval by the distributed security processor. The actions of the distributed security processor may be logged to allow review and enforcement as well as policy revision.
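The default-rule hand-off, approval, forwarding-table programming and SYN/FIN/RST trigger just described, simulated as an added example (not code from the patent or its assignee). The `Switch`, `SecurityProcessor`, the verdict names and the addresses in the scenario are constructed for the illustration; honeypot and tarpit redirection are represented by a single diversion verdict.

```python
"""Switch / enforcement-point hand-off described above (added illustration,
not code from the patent or its assignee). Hosts, verdicts and the rule set
are constructed; the TCP flag bit values are the standard ones."""
from dataclasses import dataclass, field
from enum import Enum

FIN, SYN, RST = 0x01, 0x02, 0x04     # TCP header flag bits
TRIGGER_FLAGS = SYN | FIN | RST      # set-up / tear-down: always re-examined
TEARDOWN_FLAGS = FIN | RST           # revert the flow's entry to the default

class Verdict(Enum):
    APPROVE = "approve"    # program the switch; later packets bypass the processor
    INSPECT = "inspect"    # forward, but do not program: next packet comes back
    HONEYPOT = "honeypot"  # redirect to a decoy without programming the switch
    DROP = "drop"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    tcp_flags: int = 0

@dataclass
class SecurityProcessor:
    """Distributed security processor holding the policy as a low-level rule
    set keyed on (src, dst); unknown pairs are dropped (constructed default)."""
    rules: dict
    log: list = field(default_factory=list)   # every consultation is logged

    def evaluate(self, pkt: Packet) -> Verdict:
        verdict = self.rules.get((pkt.src, pkt.dst), Verdict.DROP)
        self.log.append((pkt.src, pkt.dst, pkt.tcp_flags, verdict.value))
        return verdict

@dataclass
class Switch:
    """Switch with a rewritable forwarding table. The table starts empty, so
    the implicit default rule sends every flow to the security processor."""
    processor: SecurityProcessor
    forwarding_table: dict = field(default_factory=dict)  # (src, dst) -> "direct"
    delivered: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    diverted: list = field(default_factory=list)

    def handle(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst)
        # Fast path: approved entry and no set-up/tear-down flag, so the switch
        # forwards on its own without consulting the processor.
        if key in self.forwarding_table and not pkt.tcp_flags & TRIGGER_FLAGS:
            self.delivered.append(pkt)
            return "direct"
        # Tear-down trigger on an approved flow: entry reverts to the default.
        if pkt.tcp_flags & TEARDOWN_FLAGS:
            self.forwarding_table.pop(key, None)
        verdict = self.processor.evaluate(pkt)
        if verdict is Verdict.APPROVE:
            self.delivered.append(pkt)
            # Program the table only for a live connection; an approved FIN/RST
            # is delivered but leaves the flow back on the slow path.
            if not pkt.tcp_flags & TEARDOWN_FLAGS:
                self.forwarding_table[key] = "direct"
        elif verdict is Verdict.INSPECT:
            self.delivered.append(pkt)        # table deliberately left untouched
        elif verdict is Verdict.HONEYPOT:
            self.diverted.append(pkt)
        else:
            self.dropped.append(pkt)
        return verdict.value

def run_scenario() -> dict:
    """Drive one switch through set-up, steady state and tear-down of a flow,
    plus flows that must never be programmed. Addresses are constructed."""
    rules = {
        ("10.0.0.1", "10.0.0.2"): Verdict.APPROVE,
        ("10.0.0.3", "10.0.0.2"): Verdict.INSPECT,
        ("10.0.0.1", "10.0.0.9"): Verdict.HONEYPOT,
    }
    sw = Switch(SecurityProcessor(rules))
    outcomes = [
        sw.handle(Packet("10.0.0.1", "10.0.0.2", SYN)),  # new flow -> processor
        sw.handle(Packet("10.0.0.1", "10.0.0.2")),       # steady state -> direct
        sw.handle(Packet("10.0.0.1", "10.0.0.2", FIN)),  # tear-down -> processor
        sw.handle(Packet("10.0.0.1", "10.0.0.2")),       # after FIN -> processor again
        sw.handle(Packet("10.0.0.3", "10.0.0.2", SYN)),  # inspect-only flow
        sw.handle(Packet("10.0.0.3", "10.0.0.2")),       # still not programmed
        sw.handle(Packet("10.0.0.1", "10.0.0.9", SYN)),  # diverted to the decoy
        sw.handle(Packet("10.0.0.5", "10.0.0.2", SYN)),  # no rule -> dropped
    ]
    return {
        "outcomes": outcomes,
        "processor_consultations": len(sw.processor.log),
        "programmed_flows": sorted(sw.forwarding_table),
        "delivered": len(sw.delivered),
        "diverted": len(sw.diverted),
        "dropped": len(sw.dropped),
    }
```

Only the approved, live flow ever lands in the forwarding table; the inspect-only and diverted flows keep returning to the processor, which is where the logging and review happen.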
FIG. 1 is a block diagram illustrating a system 100 according to an example embodiment. System 100 may be a cloud server environment, which may be a public cloud, a private cloud, an intranet or any other suitable network. System 100 includes a policy engine 190, which may enable an information technology (IT) or security administrator to implement security policies in system 100. For example, such policies may include preventing high-value assets from communicating with high-risk assets, or preventing production machines from communicating with test/development machines. Such policies may also include failover policies or any other suitable blocking, restriction or policy.
Policy engine 190 may communicate bidirectionally with distributed security processor 180, which is operable to implement the policies. In addition, policy engine 190 may communicate bidirectionally with switch 125 through an application programming interface (API) 135 associated with switch 125 in order to implement the policies. API 135 comprises a set of routines, protocols and/or tools for building software applications for switch 125. API 135 may express a software component in terms of its operations, inputs, outputs and underlying types. Alternatively or additionally, API 135 may be a software development kit (SDK or "devkit") comprising a set of software development tools that allow applications for switch 125 to be created. Distributed security processor 180 may send computer-executable instructions to API 135. System 100 may include many assets 140-145 having structures that are similar to or different from one another. Each of assets 140-145 may be coupled through network 110 to some or all of the other assets 140-145 in system 100. At least some of assets 140-145 may also be coupled through network 110 to the Internet, an intranet or any other suitable network.
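The high-level policies named above (keep high-value assets away from high-risk ones, and production away from test/development machines), compiled into the per-address low-level rule set that a switch-side enforcement point consults. This is an added example, not code from the patent or its assignee; the inventory, attribute names, addresses and the allow-by-default fallback are constructed for the illustration.

```python
"""Compile attribute-based high-level policy into a low-level (src, dst) rule
set (added illustration, not code from the patent or its assignee). The
inventory, attribute names and addresses below are constructed."""
from itertools import product

# Constructed inventory: address -> attributes an administrator maintains.
INVENTORY = {
    "10.1.0.10": {"value": "high", "env": "production"},
    "10.1.0.11": {"value": "low", "env": "production"},
    "10.2.0.20": {"risk": "high", "env": "test"},
    "10.2.0.21": {"risk": "low", "env": "development"},
}

# High-level policy in the administrator's vocabulary: block all traffic
# between the two attribute groups, in both directions.
HIGH_LEVEL_POLICY = [
    ("block", {"value": "high"}, {"risk": "high"}),
    ("block", {"env": "production"}, {"env": "test"}),
    ("block", {"env": "production"}, {"env": "development"}),
]

def matches(attrs: dict, selector: dict) -> bool:
    """True when every attribute in the selector is present with that value."""
    return all(attrs.get(k) == v for k, v in selector.items())

def compile_rules(policy, inventory) -> dict:
    """Expand each high-level statement into low-level (src, dst) -> action
    entries on concrete addresses. The first statement to cover a pair wins;
    pairs no statement covers fall through to the enforcement point's default."""
    rules = {}
    for action, sel_a, sel_b in policy:
        group_a = [ip for ip, attrs in inventory.items() if matches(attrs, sel_a)]
        group_b = [ip for ip, attrs in inventory.items() if matches(attrs, sel_b)]
        for a, b in product(group_a, group_b):
            if a != b:
                rules.setdefault((a, b), action)
                rules.setdefault((b, a), action)
    return rules

def violates_policy(rules: dict, src: str, dst: str) -> bool:
    """The enforcement point's check: only the compiled rule set is consulted,
    never the attribute vocabulary. Uncovered pairs are allowed (constructed)."""
    return rules.get((src, dst), "allow") == "block"
```

Re-running `compile_rules` after an inventory or policy change is the "recompiled rule set" step: the enforcement point swaps in the new dictionary and its per-packet check stays a single lookup.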
In some embodiments, assets 140-145 are at least one of a virtual machine (VM), physical host, workload, server, cloud-based virtual machine, client, execution target and the like. Each of assets 140-145 is communicatively coupled to switch 125, which is operable to control communication to, from and among assets 140-145. For example, one or more of assets 140-145 comprise a VM. The virtual machines may operate as part of a hypervisor. Alternatively, a different virtual machine system (for example, containers) may be used.
In operation, policy engine 190 communicates with API 135 to program forwarding table 160 of switch 125. The initial programming is a default programming and directs that any communication not previously approved by distributed security processor 180 (which, in the initial default scenario, is all communication) be forwarded to distributed security processor 180. Asset 140 may then attempt to communicate with virtual machine (VM) 143 via communication 150. Switch 125 checks forwarding table 160 before allowing the communication and, because no approval indication exists there, switch 125 forwards the packets through tunnel 170 to distributed security processor 180. Tunnel 170 may pass through a fabric of the data center of system 100 and may be a VXLAN communication path.
In some embodiments, policy engine 190 communicates with API 135 to program forwarding table 160 of switch 125. The initial programming is a default programming and directs that communication requiring handling by distributed security processor 180 (which, in the initial default scenario, is all communication) be forwarded to distributed security processor 180. Asset 140 may then attempt to communicate with virtual machine (VM) 143 via communication 150, using a protocol defined within the security policy applied to switch 125. Switch 125 checks forwarding table 160 before allowing the communication and, because no approval indication exists there, switch 125 forwards the packets through tunnel 170 to distributed security processor 180. Tunnel 170 may pass through a fabric of the data center of system 100 and may be a VXLAN communication path. In this way, an administrator can "tune" which types of traffic within the network require security handling.
In various embodiments, the next step is for distributed security processor 180 to perform security checks on the communication and on the sending and receiving nodes against the policies provided by policy engine 190. The following step, if the connection is approved, is to forward the communication to VM 143 and to program a forwarding entry in forwarding table 160 of switch 125 for communication between asset 140 and asset 143. In this way, subsequent communication between asset 140 and asset 143 can be handled by switch 125 without assistance from distributed security processor 180, thereby optimizing communication and reducing resource load. However, certain trigger events will cause the forwarding table to revert to a default position for a particular routing instruction or for all routing instructions. A trigger event is also referred to herein as a condition and may relate to a packet header and/or to a change in a connection between nodes.
If distributed security processor 180 performs a security check on the initial communication and on the sending and receiving nodes against the policies and determines that the communication is to be blocked or is suspect in any way, distributed security processor 180 may redirect the communication to a honeypot, redirect the communication to a tarpit, drop the packets, or forward the packets without writing to forwarding table 160 so that future packets are also routed to distributed security processor 180, thereby providing inspection, logging and security information to an IT administrator or security professional.
In an exemplary system illustrated in FIG. 2, a physical programmable switch (for example, a merchant-silicon (or custom ASIC) networking switch for low-level packet forwarding) may be used. In this exemplary embodiment, the forwarding table is initially blank and, as in the previously described exemplary embodiment illustrated in FIG. 1, the nodes need not be on the same switch.
FIG. 2 is a block diagram illustrating a system 200 according to an example embodiment. System 200 may be a cloud server environment, which may be a public cloud, a private cloud, an intranet or any other suitable network. System 200 includes policy engine 190, which may enable an IT or security administrator to implement security policies in system 200. Policy engine 190 may communicate bidirectionally with distributed security processor 180, which is operable to implement the policies. In addition, policy engine 190 may communicate bidirectionally with a switch 225.
Distributed security processor 180 may send computer-executable instructions to API 235. System 200 may include assets 240-245 having structures that are similar to or different from one another. At least some of assets 240-245 may be coupled through network 110 to some or all of the other assets 240-245 in system 200. At least some of assets 240-245 may also be coupled through network 110 to the Internet, an intranet or any other suitable network.
Each of assets 240-245 is communicatively coupled to switch 225, which is operable to control communication to, from and among workloads 240-245. For example, at least some of assets 240-245 may comprise one or more virtual machines. The virtual machines may operate as part of a hypervisor. Alternatively, a different virtual machine system (for example, containers) may be used. In addition, at least one of assets 240-245 may comprise a honeypot and/or tarpit virtual machine. A honeypot and a tarpit may operate as described above and herein.
Switch 225 may include an application programming interface (API) 235 for implementing policies by programming forwarding table 260. API 235 comprises a set of routines, protocols and/or tools for building software applications for switch 225. API 235 may express a software component in terms of its operations, inputs, outputs and underlying types. Alternatively or additionally, API 235 may be a software development kit (SDK or "devkit") comprising a set of software development tools that allow applications for switch 225 to be created. Switch 225 may also include an enforcement point 280 that communicates bidirectionally with distributed security processor 180 through the fabric of system 200.
In operation, policy engine 190 communicates with switch 225 to program forwarding table 260 of switch 225. The initial programming is a default programming and directs that any communication not previously approved by distributed security processor 180 (which, in the initial default scenario, is all communication) be forwarded to distributed security processor 180. Asset 140 may then attempt to communicate with asset 143 via communication 150. Switch 225 checks forwarding table 260 before allowing the communication and, because no approval indication exists there, switch 225 forwards the packets through a fabric 270 to enforcement point 280. Enforcement point 280 may also reside substantially on switch 225.
In various embodiments, the next step is for enforcement point 280 to perform security checks on the communication and on the sending and receiving nodes against the policies provided by distributed security processor 180 and policy engine 190. The following step, if the connection is approved, is to forward the communication to asset 143 and to program, via API 235, a forwarding entry in forwarding table 260 of switch 225 for communication between asset 140 and asset 143. In this way, subsequent communication between asset 140 and asset 143 can be handled by switch 225 without assistance from enforcement point 280, thereby optimizing communication and reducing resource load. However, certain trigger events will cause the forwarding table to revert to a default position for a particular routing instruction or for all routing instructions. A trigger event is also referred to herein as a condition and may relate to a packet header and/or to a change in a connection between nodes.
If enforcement point 280 performs a security check on the initial communication and on the sending and receiving nodes against the policies and determines that the communication is to be blocked or is suspect in any way, or even if the decision requires additional resources or a second level of security, enforcement point 280 may also redirect the communication through fabric 270 to distributed security processor 180 for a further determination of the acceptability of communication between asset 140 and asset 143.
Distributed security processor 180 performs these second, higher-level security checks on the communication and on the sending and receiving nodes against the policies provided by policy engine 190. In addition, security processor 180 may inspect the communication to ensure that protocol sessions are established according to documented standards. This advantageously reduces the aperture for protocol attacks and ensures that protocol relationships are built correctly (for example, beyond TCP, such as at OSI layers 5 through 7). If distributed security processor 180 performs a security check on the initial communication and on the sending and receiving nodes against the policies and determines that the communication is to be blocked or is suspect in any way, distributed security processor 180 may redirect the communication to a honeypot, redirect the communication to a tarpit, drop the packets, or forward the packets without writing to forwarding table 260 so that future packets are also routed to distributed security processor 180, thereby providing inspection, logging and security information to an IT administrator or security professional.
If distributed security processor 180 performs these second, higher-level security checks on the communication and on the sending and receiving nodes and approves the connection, distributed security processor 180 may forward the communication to VM 143 directly, or by instructing enforcement point 280 to forward the communication to VM 143. In addition, distributed security processor 180 may direct enforcement point 280 to program, via API 235, a forwarding entry in forwarding table 260 of switch 225 for communication between asset 140 and asset 143. In this way, subsequent communication between asset 140 and asset 143 can be handled by switch 225 without assistance from enforcement point 280, thereby optimizing communication and reducing resource load. In yet another alternative, distributed security processor 180 may authorize enforcement point 280 to handle this type of communication for new, future connections, or may even refrain from programming forwarding table 260 for this connection, so that new, future communication is monitored at an intermediate level of security.
As previously discussed, certain trigger events will cause the forwarding table to revert to a default position for a particular routing instruction or for all routing instructions. A trigger event is also referred to herein as a condition and may relate to a packet header and/or to a change in a connection between nodes.
In exemplary embodiments of the present technology, initiating communication between nodes is an event that requires greater scrutiny, and this policy is implemented by having the default forwarding table contain no entries. A tunnel or fabric across the network forwards the communication directly to an EP, directly to an EPI, or to an EP via an EPI. The EP and/or EPI checks the policy and may decide to permit the communication, in which case an EPI may be programmed and the forwarding table updated to enable communication between the nodes. This policy is applied to future communication unless a trigger condition is met. The difference between the model of system 100 (FIG. 1) and the model of system 200 (FIG. 2) is that small changes (for example, flag changes) can be handled by an EPI without involving the EP, thereby improving efficiency. In all cases, logs may be sent across the fabric to the EP and/or the policy engine and/or another user interface or reporting module.
The switches described above, including switch 125 and switch 225, may be in a physical environment. In alternative exemplary embodiments, the switch may be a virtual switch.
Various exemplary embodiments of the present invention may enable management of table resources on a switch for optimization. For example, if a switch runs out of free space, connections may be aggregated in the forwarding table, or connections may be pushed to other resources for confirmation.
In some embodiments, switch 225 is a hardware switch and at least one of assets 240-245 is a physical host. In various embodiments, switch 225 is a virtual switch and at least one of assets 240-245 is a virtual machine.
FIG. 3 is a flowchart of an exemplary method 300 for enforcing a security policy for communication between nodes of a switched network. Optional steps are shown with dashed lines. The method of FIG. 3 includes optional operation 305, which indicates receiving packets transmitted from a first node of the switched network to a second node of the switched network. From operation 305, the method proceeds to operation 310, which indicates evaluating a policy to determine a forwarding decision for packets transmitted from the first node to the second node. From operation 310, the method proceeds to operation 315, which indicates programming a rewritable forwarding table of a switch based on the forwarding decision. From operation 315, the method proceeds to optional operation 320, which indicates forwarding the packets from the first node to the second node. This step is optional because the preceding non-optional steps 310 and 315 may be initiated without any packets being transmitted, at start-up or at another suitable time (for example, a policy update). From operation 320, the method proceeds to operation 325, which indicates enabling future packets transmitted from the first node to the second node to be forwarded to the second node without evaluating the policy to determine a forwarding decision. In yet further variations of the method, the policy may block the communication sought between the first node and the second node, in which case the communication may be dropped, logged, honeypotted, tarpitted, or all of the above.
FIG. 4 illustrates an exemplary computer system 400 that may be used to implement some embodiments of the present invention. Computer system 400 of FIG. 4 may be implemented in the context of computing systems, networks, servers, combinations thereof and the like. Computer system 400 of FIG. 4 includes one or more processor units 410 and main memory 420. Main memory 420 stores, in part, instructions and data for execution by processor unit(s) 410. In this example, main memory 420 stores the executable code when in operation. Computer system 400 of FIG. 4 further includes a mass data storage 430, portable storage device 440, output devices 450, user input devices 460, a graphics display system 470 and peripheral devices 480.
The components shown in FIG. 4 are depicted as being connected via a single bus 490. The components may be connected through one or more data transport means. Processor unit(s) 410 and main memory 420 are connected via a local microprocessor bus, and mass data storage 430, peripheral devices 480, portable storage device 440 and graphics display system 470 are connected via one or more input/output (I/O) buses.
Mass data storage 430, which may be implemented with a magnetic disk drive, solid-state drive or an optical disk drive, is a non-volatile storage device for storing data and instructions for use by processor unit(s) 410. Mass data storage 430 stores the system software for implementing embodiments of the present invention for the purpose of loading that software into main memory 420.
Portable storage device 440 operates in conjunction with a portable non-volatile storage medium, such as a flash drive, floppy disk, compact disk, digital video disc or Universal Serial Bus (USB) storage device, to input and output data and code to and from computer system 400 of FIG. 4. The system software for implementing embodiments of the present invention is stored on such a portable medium and input to computer system 400 via portable storage device 440.
User input devices 460 can provide a portion of a user interface. User input devices 460 may include one or more microphones, an alphanumeric keypad (such as a keyboard) for inputting alphanumeric and other information, or a pointing device such as a mouse, a trackball, stylus or cursor direction keys. User input devices 460 can also include a touchscreen. Additionally, computer system 400 as shown in FIG. 4 includes output devices 450. Suitable output devices 450 include speakers, printers, network interfaces and monitors.
Graphics display system 470 includes a liquid crystal display (LCD) or other suitable display device. Graphics display system 470 is configurable to receive textual and graphical information and process the information for output to the display device.
Peripheral devices 480 may include any type of computer support device that adds additional functionality to the computer system.
The components provided in computer system 400 of FIG. 4 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art. Thus, computer system 400 of FIG. 4 can be a personal computer (PC), handheld computer system, telephone, mobile computer system, workstation, tablet, phablet, mobile phone, server, minicomputer, mainframe computer, wearable, or any other computer system. The computer may also include different bus configurations, networked platforms, multi-processor platforms and the like. Various operating systems may be used, including UNIX, LINUX, WINDOWS, MAC OS, PALM OS, QNX ANDROID, IOS, CHROME, TIZEN and other suitable operating systems.
The processing for various embodiments may be implemented in software that is cloud-based. In some embodiments, computer system 400 is implemented as a cloud-based computing environment, such as a virtual machine operating within a computing cloud. In other embodiments, computer system 400 may itself include a cloud-based computing environment, where the functionalities of computer system 400 are executed in a distributed fashion. Thus, computer system 400, when configured as a computing cloud, may include pluralities of computing devices in various forms, as will be described in greater detail below.
In general, a cloud-based computing environment is a resource that typically combines the computational power of a large grouping of processors (such as within web servers) and/or combines the storage capacity of a large grouping of computer memories or storage devices. Systems that provide cloud-based resources may be utilized exclusively by their owners, or such systems may be accessible to outside users who deploy applications within the computing infrastructure to obtain the benefit of large computational or storage resources.
The cloud may be formed, for example, by a network of web servers that comprise a plurality of computing devices, such as computer system 400, with each server (or at least a plurality thereof) providing processor and/or storage resources. These servers may manage workloads provided by multiple users (e.g., cloud resource customers or other users). Typically, each user places workload demands upon the cloud that vary in real time, sometimes dramatically. The nature and extent of these variations typically depend on the type of business associated with the user.
The present technology is described above with reference to example embodiments. Therefore, other variations upon the example embodiments are intended to be covered by the present disclosure.
Claims (14)
- A method, comprising: writing, by a policy engine through an application programming interface (API) of a switch, entries into a forwarding table of the switch such that first data packets originating from a first host and directed to a second host are forwarded by the switch to an enforcement point; receiving, by the switch, the first data packets; forwarding, by the switch, the first data packets to the enforcement point using the forwarding table; determining, by the enforcement point using a low-level rule set, whether the first data packets violate a high-level security policy; configuring, by the enforcement point through the API, the forwarding table such that, in response to a determination that the first data packets do not violate the security policy, second data packets are forwarded by the switch to the second host; configuring, by the enforcement point through the API, the forwarding table such that, in response to a determination that the first data packets violate the security policy, the second data packets are dropped by the switch or forwarded to a security function; receiving, by the switch, second data packets; and selectively dropping or forwarding, by the switch, the second data packets according to the configuration.
- The method of claim 1, further comprising: receiving, by the enforcement point, a recompiled rule set from a distributed security processor; receiving, by the enforcement point, a third data packet; identifying, by the enforcement point, a trigger in the third data packet, the trigger being at least one of a received Transmission Control Protocol (TCP) header, a flag and a timer-based trigger; and writing, by the enforcement point through the API, entries into the forwarding table such that, in response to identifying the trigger, fourth data packets originating from the first host and directed to the second host are forwarded by the switch to the enforcement point.
- The method of claim 2, further comprising: receiving, by the switch, the fourth data packets; forwarding, by the switch, the fourth data packets to the enforcement point using the forwarding table; and determining, by the enforcement point, whether the fourth data packets violate the recompiled rule set or preconfigured protocol behavior requirements.
- The method of claim 1, wherein at least one of the writing and the configuring of the forwarding table is performed using a software development kit (SDK).
- The method of claim 1, wherein the security function is at least one of: a honeypot, a tarpit and an intrusion detection system.
- The method of claim 1, wherein at least one of a plurality of hosts is a physical host and the switch is a physical switch.
- The method of claim 1, wherein at least one of the plurality of hosts is a virtual machine and the switch is a virtual switch.
- A system, comprising: a data network; a plurality of hosts communicatively coupled to the data network; a switch communicatively coupled to the data network and comprising a forwarding table and an application programming interface (API); an enforcement point communicatively coupled to the data network; and a policy engine communicatively coupled to the data network, wherein the system performs a method comprising: writing, by the policy engine through the application programming interface (API), entries into the forwarding table of the switch such that first data packets originating from a first host and directed to a second host are forwarded by the switch to the enforcement point; receiving, by the switch, the first data packets; forwarding, by the switch, the first data packets to the enforcement point using the forwarding table; determining, by the enforcement point using a low-level rule set or preconfigured protocol behavior requirements, whether the first data packets violate a high-level security policy; configuring, by the enforcement point through the API, the forwarding table such that, in response to a determination that the first data packets do not violate the security policy, second data packets are forwarded by the switch to the second host; configuring, by the enforcement point through the API, the forwarding table such that, in response to a determination that the first data packets violate the security policy, the second data packets are dropped by the switch or forwarded to a security function; receiving, by the switch, second data packets; and selectively dropping or forwarding, by the switch, the second data packets according to the configuration.
- The system of claim 8, further comprising: a distributed security processor, wherein the method further comprises: receiving, by the enforcement point, a recompiled rule set from a distributed security processor; receiving, by the enforcement point, a third data packet; identifying, by the enforcement point, a trigger in the third data packet, the trigger being at least one of a received Transmission Control Protocol (TCP) header, a flag and a timer-based trigger; and programming, by the enforcement point through the API, the forwarding table such that, in response to identifying the trigger, fourth data packets originating from the first host and directed to the second host are forwarded by the switch to the enforcement point.
- The system of claim 9, wherein the method further comprises: receiving, by the enforcement point, a recompiled rule set from a distributed security processor; receiving, by the enforcement point, a third data packet; identifying, by the enforcement point, a trigger in the third data packet, the trigger being at least one of a received Transmission Control Protocol (TCP) header, a flag and a timer-based trigger; and programming, by the enforcement point through the API, the forwarding table such that, in response to identifying the trigger, fourth data packets originating from the first host and directed to the second host are forwarded by the switch to the enforcement point.
- The system of claim 8, wherein at least one of the writing and the configuring of the forwarding table is performed using a software development kit (SDK).
- The system of claim 8, wherein the security function is at least one of: a honeypot, a tarpit and an intrusion detection system.
- The system of claim 8, wherein at least one of the plurality of hosts is a physical host and the switch is a physical switch.
- The system of claim 9, wherein at least one of the plurality of hosts is a virtual machine and the switch is a virtual switch.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/677,827 US9973472B2 (en) | 2015-04-02 | 2015-04-02 | Methods and systems for orchestrating physical and virtual switches to enforce security boundaries |
Publications (1)
Publication Number | Publication Date |
---|---|
TW201703485A true TW201703485A (zh) | 2017-01-16 |
Family
ID=57006341
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW105110187A TW201703485A (zh) | 2015-04-02 | 2016-03-30 | System and method for orchestrating physical and virtual switches to enforce security boundaries |
Country Status (3)
Country | Link |
---|---|
US (1) | US9973472B2 (zh) |
TW (1) | TW201703485A (zh) |
WO (1) | WO2016160533A1 (zh) |
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9621595B2 (en) | 2015-03-30 | 2017-04-11 | Varmour Networks, Inc. | Conditional declarative policies |
US9680852B1 (en) | 2016-01-29 | 2017-06-13 | Varmour Networks, Inc. | Recursive multi-layer examination for computer network security remediation |
US9762599B2 (en) | 2016-01-29 | 2017-09-12 | Varmour Networks, Inc. | Multi-node affinity-based examination for computer network security remediation |
US9973472B2 (en) | 2015-04-02 | 2018-05-15 | Varmour Networks, Inc. | Methods and systems for orchestrating physical and virtual switches to enforce security boundaries |
US10009317B2 (en) | 2016-03-24 | 2018-06-26 | Varmour Networks, Inc. | Security policy generation using container metadata |
US10009381B2 (en) | 2015-03-30 | 2018-06-26 | Varmour Networks, Inc. | System and method for threat-driven security policy controls |
US10091238B2 (en) | 2014-02-11 | 2018-10-02 | Varmour Networks, Inc. | Deception using distributed threat detection |
US10191758B2 (en) | 2015-12-09 | 2019-01-29 | Varmour Networks, Inc. | Directing data traffic between intra-server virtual machines |
US10193929B2 (en) | 2015-03-13 | 2019-01-29 | Varmour Networks, Inc. | Methods and systems for improving analytics in distributed networks |
US10264025B2 (en) | 2016-06-24 | 2019-04-16 | Varmour Networks, Inc. | Security policy generation for virtualization, bare-metal server, and cloud computing environments |
US10755334B2 (en) | 2016-06-30 | 2020-08-25 | Varmour Networks, Inc. | Systems and methods for continually scoring and segmenting open opportunities using client data and product predictors |
US11290494B2 (en) | 2019-05-31 | 2022-03-29 | Varmour Networks, Inc. | Reliability prediction for cloud security policies |
US11290493B2 (en) | 2019-05-31 | 2022-03-29 | Varmour Networks, Inc. | Template-driven intent-based security |
US11310284B2 (en) | 2019-05-31 | 2022-04-19 | Varmour Networks, Inc. | Validation of cloud security policies |
US11575563B2 (en) | 2019-05-31 | 2023-02-07 | Varmour Networks, Inc. | Cloud security management |
US11711374B2 (en) | 2019-05-31 | 2023-07-25 | Varmour Networks, Inc. | Systems and methods for understanding identity and organizational access to applications within an enterprise environment |
US11734316B2 (en) | 2021-07-08 | 2023-08-22 | Varmour Networks, Inc. | Relationship-based search in a computing environment |
US11777978B2 (en) | 2021-01-29 | 2023-10-03 | Varmour Networks, Inc. | Methods and systems for accurately assessing application access risk |
US11818152B2 (en) | 2020-12-23 | 2023-11-14 | Varmour Networks, Inc. | Modeling topic-based message-oriented middleware within a security system |
US11863580B2 (en) | 2019-05-31 | 2024-01-02 | Varmour Networks, Inc. | Modeling application dependencies to identify operational risk |
US11876817B2 (en) | 2020-12-23 | 2024-01-16 | Varmour Networks, Inc. | Modeling queue-based message-oriented middleware relationships in a security system |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9191327B2 (en) | 2011-02-10 | 2015-11-17 | Varmour Networks, Inc. | Distributed service processing of network gateways using virtual machines |
US10778722B2 (en) * | 2016-11-08 | 2020-09-15 | Massachusetts Institute Of Technology | Dynamic flow system |
US10333985B2 (en) * | 2017-01-09 | 2019-06-25 | Microsoft Technology Licensing, Llc | Distribution and management of services in virtual environments |
CN110071929B (zh) * | 2019-04-28 | 2021-03-16 | 江苏极元信息技术有限公司 | 一种基于虚拟化平台的海量诱饵捕获攻击源的防御方法 |
Family Cites Families (210)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6147993A (en) | 1997-10-14 | 2000-11-14 | Cisco Technology, Inc. | Method and apparatus for implementing forwarding decision shortcuts at a network switch |
US6484261B1 (en) | 1998-02-17 | 2002-11-19 | Cisco Technology, Inc. | Graphical network security policy management |
US6779118B1 (en) | 1998-05-04 | 2004-08-17 | Auriq Systems, Inc. | User specific automatic data redirection system |
US6253321B1 (en) | 1998-06-19 | 2001-06-26 | Ssh Communications Security Ltd. | Method and arrangement for implementing IPSEC policy management using filter code |
JP4501280B2 (ja) | 1998-12-09 | 2010-07-14 | インターナショナル・ビジネス・マシーンズ・コーポレーション | ネットワークおよびコンピュータシステムセキュリティを提供する方法および装置 |
US6970459B1 (en) | 1999-05-13 | 2005-11-29 | Intermec Ip Corp. | Mobile virtual network system and method |
US6765864B1 (en) | 1999-06-29 | 2004-07-20 | Cisco Technology, Inc. | Technique for providing dynamic modification of application specific policies in a feedback-based, adaptive data network |
US6578076B1 (en) * | 1999-10-18 | 2003-06-10 | Intel Corporation | Policy-based network management system using dynamic policy generation |
US20020031103A1 (en) | 2000-05-02 | 2002-03-14 | Globalstar L.P. | User terminal employing quality of service path determination and bandwidth saving mode for a satellite ISP system using non-geosynchronous orbit satellites |
US20070192863A1 (en) | 2005-07-01 | 2007-08-16 | Harsh Kapoor | Systems and methods for processing data flows |
US20030236985A1 (en) | 2000-11-24 | 2003-12-25 | Nokia Corporation | Transaction security in electronic commerce |
US6983325B1 (en) | 2000-12-28 | 2006-01-03 | Mcafee, Inc. | System and method for negotiating multi-path connections through boundary controllers in a networked computing environment |
US7068598B1 (en) | 2001-02-15 | 2006-06-27 | Lucent Technologies Inc. | IP packet access gateway |
WO2002098100A1 (en) | 2001-05-31 | 2002-12-05 | Preventon Technologies Limited | Access control systems |
US6992985B1 (en) | 2001-06-29 | 2006-01-31 | Nokia Inc. | Method and system for auto discovery of IP-based network elements |
US7028179B2 (en) | 2001-07-03 | 2006-04-11 | Intel Corporation | Apparatus and method for secure, automated response to distributed denial of service attacks |
US7546629B2 (en) | 2002-03-06 | 2009-06-09 | Check Point Software Technologies, Inc. | System and methodology for security policy arbitration |
US7904454B2 (en) | 2001-07-16 | 2011-03-08 | International Business Machines Corporation | Database access security |
US7165100B2 (en) | 2001-07-24 | 2007-01-16 | At&T Corp. | Method and apparatus for packet analysis in a network |
US7302700B2 (en) | 2001-09-28 | 2007-11-27 | Juniper Networks, Inc. | Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device |
CA2473863A1 (en) | 2001-11-13 | 2003-05-22 | Ems Technologies, Inc. | Enhancements for tcp perfomance enhancing proxies |
US7058718B2 (en) | 2002-01-15 | 2006-06-06 | International Business Machines Corporation | Blended SYN cookies |
US7058712B1 (en) | 2002-06-04 | 2006-06-06 | Rockwell Automation Technologies, Inc. | System and methodology providing flexible and distributed processing in an industrial controller environment |
JP3794491B2 (ja) | 2002-08-20 | 2006-07-05 | 日本電気株式会社 | 攻撃防御システムおよび攻撃防御方法 |
US7849495B1 (en) | 2002-08-22 | 2010-12-07 | Cisco Technology, Inc. | Method and apparatus for passing security configuration information between a client and a security policy server |
US7313098B2 (en) | 2002-09-30 | 2007-12-25 | Avaya Technology Corp. | Communication system endpoint device with integrated call synthesis capability |
US7062566B2 (en) | 2002-10-24 | 2006-06-13 | 3Com Corporation | System and method for using virtual local area network tags with a virtual private network |
US7313384B1 (en) | 2002-10-31 | 2007-12-25 | Aol Llc, A Delaware Limited Liability Company | Configuring wireless devices |
US20050033989A1 (en) | 2002-11-04 | 2005-02-10 | Poletto Massimiliano Antonio | Detection of scanning attacks |
US7454499B2 (en) | 2002-11-07 | 2008-11-18 | Tippingpoint Technologies, Inc. | Active network defense system and method |
US7035257B2 (en) | 2002-11-14 | 2006-04-25 | Digi International, Inc. | System and method to discover and configure remotely located network devices |
US7397794B1 (en) * | 2002-11-21 | 2008-07-08 | Juniper Networks, Inc. | Systems and methods for implementing virtual switch planes in a physical switch fabric |
US7444620B2 (en) | 2003-02-28 | 2008-10-28 | Bea Systems, Inc. | Systems and methods for a common runtime container framework |
CN1813454B (zh) | 2003-04-28 | 2012-09-05 | 钱特利网络公司 | 无线通信网络上的移动单元会话管理的系统和方法 |
EP1634175B1 (en) | 2003-05-28 | 2015-06-24 | Citrix Systems, Inc. | Multilayer access control security system |
US7254713B2 (en) | 2003-09-11 | 2007-08-07 | Alcatel | DOS attack mitigation using upstream router suggested remedies |
WO2005032042A1 (en) * | 2003-09-24 | 2005-04-07 | Infoexpress, Inc. | Systems and methods of controlling network access |
US20050114829A1 (en) | 2003-10-30 | 2005-05-26 | Microsoft Corporation | Facilitating the process of designing and developing a project |
US8458215B2 (en) | 2003-11-24 | 2013-06-04 | International Business Machines Corporation | Dynamic functional module availability |
US7373524B2 (en) | 2004-02-24 | 2008-05-13 | Covelight Systems, Inc. | Methods, systems and computer program products for monitoring user behavior for a server application |
US20050190758A1 (en) | 2004-03-01 | 2005-09-01 | Cisco Technology, Inc. | Security groups for VLANs |
US7586922B2 (en) | 2004-03-12 | 2009-09-08 | Telefonaktiebolaget Lm Ericsson (Publ) | Providing higher layer packet/frame boundary information in GRE frames |
US20050246241A1 (en) | 2004-04-30 | 2005-11-03 | Rightnow Technologies, Inc. | Method and system for monitoring successful use of application software |
US7620986B1 (en) | 2004-06-14 | 2009-11-17 | Xangati, Inc. | Defenses against software attacks in distributed computing environments |
JP4341517B2 (ja) | 2004-06-21 | 2009-10-07 | 日本電気株式会社 | セキュリティポリシー管理システム、セキュリティポリシー管理方法およびプログラム |
US7519079B2 (en) | 2004-09-08 | 2009-04-14 | Telefonaktiebolaget L M Ericsson (Publ) | Generic routing encapsulation over point-to-point protocol |
GB2418110B (en) | 2004-09-14 | 2006-09-06 | 3Com Corp | Method and apparatus for controlling traffic between different entities on a network |
GB2418326B (en) | 2004-09-17 | 2007-04-11 | Hewlett Packard Development Co | Network vitrualization |
US8032937B2 (en) | 2004-10-26 | 2011-10-04 | The Mitre Corporation | Method, apparatus, and computer program product for detecting computer worms in a network |
KR100628325B1 (ko) | 2004-12-20 | 2006-09-27 | 한국전자통신연구원 | 무선 네트워크에 대한 공격을 탐지하기 위한 침입 탐지센서 및 무선 네트워크 침입 탐지 시스템 및 방법 |
US7607170B2 (en) | 2004-12-22 | 2009-10-20 | Radware Ltd. | Stateful attack protection |
AP2482A (en) | 2005-02-04 | 2012-09-28 | Bp Australia Pty Ltd | System and method for evaluating intiatives adapted to deliver value to a customer |
US7627123B2 (en) | 2005-02-07 | 2009-12-01 | Juniper Networks, Inc. | Wireless network having multiple security interfaces |
US8056124B2 (en) | 2005-07-15 | 2011-11-08 | Microsoft Corporation | Automatically generating rules for connection security |
US7961739B2 (en) | 2005-07-21 | 2011-06-14 | Genband Us Llc | Systems and methods for voice over multiprotocol label switching |
US9467462B2 (en) | 2005-09-15 | 2016-10-11 | Hewlett Packard Enterprise Development Lp | Traffic anomaly analysis for the detection of aberrant network code |
JP4482816B2 (ja) | 2005-09-27 | 2010-06-16 | 日本電気株式会社 | ポリシ処理装置、方法、及び、プログラム |
US7996255B1 (en) | 2005-09-29 | 2011-08-09 | The Mathworks, Inc. | System and method for providing sales leads based on-demand software trial usage |
US8104033B2 (en) | 2005-09-30 | 2012-01-24 | Computer Associates Think, Inc. | Managing virtual machines based on business priorty |
US20070168971A1 (en) | 2005-11-22 | 2007-07-19 | Epiphany, Inc. | Multi-tiered model-based application testing |
US7694181B2 (en) | 2005-12-12 | 2010-04-06 | Archivas, Inc. | Automated software testing framework |
US20070174429A1 (en) | 2006-01-24 | 2007-07-26 | Citrix Systems, Inc. | Methods and servers for establishing a connection between a client system and a virtual machine hosting a requested computing environment |
US8613088B2 (en) | 2006-02-03 | 2013-12-17 | Cisco Technology, Inc. | Methods and systems to detect an evasion attack |
US8566919B2 (en) | 2006-03-03 | 2013-10-22 | Riverbed Technology, Inc. | Distributed web application firewall |
WO2007110094A1 (en) | 2006-03-27 | 2007-10-04 | Telecom Italia S.P.A. | System for enforcing security policies on mobile communications devices |
US7801128B2 (en) | 2006-03-31 | 2010-09-21 | Amazon Technologies, Inc. | Managing communications between computing nodes |
US7542455B2 (en) | 2006-04-18 | 2009-06-02 | Cisco Technology, Inc. | Unlicensed mobile access (UMA) communications using decentralized security gateway |
NZ547322A (en) | 2006-05-18 | 2008-03-28 | Fronde Anywhere Ltd | Authentication method for wireless transactions |
US8316439B2 (en) | 2006-05-19 | 2012-11-20 | Iyuko Services L.L.C. | Anti-virus and firewall system |
US7743414B2 (en) | 2006-05-26 | 2010-06-22 | Novell, Inc. | System and method for executing a permissions recorder analyzer |
US7774837B2 (en) | 2006-06-14 | 2010-08-10 | Cipheroptics, Inc. | Securing network traffic by distributing policies in a hierarchy over secure tunnels |
US7742414B1 (en) | 2006-06-30 | 2010-06-22 | Sprint Communications Company L.P. | Lightweight indexing for fast retrieval of data from a flow-level compressed packet trace |
US20080083011A1 (en) | 2006-09-29 | 2008-04-03 | Mcalister Donald | Protocol/API between a key server (KAP) and an enforcement point (PEP) |
US8510834B2 (en) | 2006-10-09 | 2013-08-13 | Radware, Ltd. | Automatic signature propagation network |
US20080155239A1 (en) | 2006-10-10 | 2008-06-26 | Honeywell International Inc. | Automata based storage and execution of application logic in smart card like devices |
US8312507B2 (en) | 2006-10-17 | 2012-11-13 | A10 Networks, Inc. | System and method to apply network traffic policy to an application session |
US8381209B2 (en) | 2007-01-03 | 2013-02-19 | International Business Machines Corporation | Moveable access control list (ACL) mechanisms for hypervisors and virtual machines and virtual port firewalls |
JP4859933B2 (ja) | 2007-01-19 | 2012-01-25 | 三菱電機株式会社 | 暗号文生成装置及び暗号通信システム及び群パラメータ生成装置 |
EP1962192A1 (en) | 2007-02-21 | 2008-08-27 | Deutsche Telekom AG | Method and system for the transparent migration of virtual machine storage |
US20080229382A1 (en) | 2007-03-14 | 2008-09-18 | Motorola, Inc. | Mobile access terminal security function |
US20080239961A1 (en) | 2007-03-30 | 2008-10-02 | Microsoft Corporation | Packet routing based on application source |
US8341739B2 (en) | 2007-05-24 | 2012-12-25 | Foundry Networks, Llc | Managing network security |
US20080301770A1 (en) | 2007-05-31 | 2008-12-04 | Kinder Nathan G | Identity based virtual machine selector |
US7720995B2 (en) | 2007-06-08 | 2010-05-18 | Cisco Technology, Inc. | Conditional BGP advertising for dynamic group VPN (DGVPN) clients |
GB2453518A (en) | 2007-08-31 | 2009-04-15 | Vodafone Plc | Telecommunications device security |
US9043861B2 (en) | 2007-09-17 | 2015-05-26 | Ulrich Lang | Method and system for managing security policies |
US8798056B2 (en) | 2007-09-24 | 2014-08-05 | Intel Corporation | Method and system for virtual port communications |
CN101399749B (zh) | 2007-09-27 | 2012-04-04 | 华为技术有限公司 | 一种报文过滤的方法、系统和设备 |
US8730946B2 (en) | 2007-10-18 | 2014-05-20 | Redshift Internetworking, Inc. | System and method to precisely learn and abstract the positive flow behavior of a unified communication (UC) application and endpoints |
US20090165078A1 (en) | 2007-12-20 | 2009-06-25 | Motorola, Inc. | Managing policy rules and associated policy components |
US9143566B2 (en) | 2008-01-16 | 2015-09-22 | Netapp, Inc. | Non-disruptive storage caching using spliced cache appliances with packet inspection intelligence |
US8254381B2 (en) | 2008-01-28 | 2012-08-28 | Microsoft Corporation | Message processing engine with a virtual network interface |
US8146147B2 (en) | 2008-03-27 | 2012-03-27 | Juniper Networks, Inc. | Combined firewalls |
US8532106B2 (en) | 2008-04-28 | 2013-09-10 | Xg Technology, Inc. | Header compression mechanism for transmitting RTP packets over wireless links |
US9069599B2 (en) | 2008-06-19 | 2015-06-30 | Servicemesh, Inc. | System and method for a cloud computing abstraction layer with security zone facilities |
US9361089B2 (en) | 2008-07-22 | 2016-06-07 | International Business Machines Corporation | Secure patch updates of a virtual machine image in a virtualization data processing system |
US8307422B2 (en) | 2008-08-14 | 2012-11-06 | Juniper Networks, Inc. | Routing device having integrated MPLS-aware firewall |
US8112304B2 (en) | 2008-08-15 | 2012-02-07 | Raytheon Company | Method of risk management across a mission support network |
US9715401B2 (en) | 2008-09-15 | 2017-07-25 | International Business Machines Corporation | Securing live migration of a virtual machine from a secure virtualized computing environment, over an unsecured network, to a different virtualized computing environment |
US8353021B1 (en) | 2008-09-30 | 2013-01-08 | Symantec Corporation | Determining firewall rules for an application on a client based on firewall rules and reputations of other clients |
US8689289B2 (en) | 2008-10-02 | 2014-04-01 | Microsoft Corporation | Global object access auditing |
US8572717B2 (en) | 2008-10-09 | 2013-10-29 | Juniper Networks, Inc. | Dynamic access control policy with port restrictions for a network security appliance |
US8677473B2 (en) | 2008-11-18 | 2014-03-18 | International Business Machines Corporation | Network intrusion protection |
CN101442494B (zh) * | 2008-12-16 | 2011-06-22 | 中兴通讯股份有限公司 | Method for implementing fast reroute |
US8565118B2 (en) | 2008-12-30 | 2013-10-22 | Juniper Networks, Inc. | Methods and apparatus for distributed dynamic network provisioning |
US8612592B2 (en) | 2009-01-23 | 2013-12-17 | Cisco Technology, Inc. | Protected device initiated pinhole creation to allow access to the protected device in response to a domain name system (DNS) query |
US20100192225A1 (en) | 2009-01-28 | 2010-07-29 | Juniper Networks, Inc. | Efficient application identification with network devices |
US7974279B2 (en) | 2009-01-29 | 2011-07-05 | Nokia Corporation | Multipath data communication |
KR101542392B1 (ko) | 2009-02-16 | 2015-08-12 | 엘지전자 주식회사 | Mobile terminal and handover method thereof |
US20100228962A1 (en) * | 2009-03-09 | 2010-09-09 | Microsoft Corporation | Offloading cryptographic protection processing |
CN101834833B (zh) | 2009-03-13 | 2014-12-24 | 瞻博网络公司 | Server protection against distributed denial of service attacks |
US8321862B2 (en) | 2009-03-20 | 2012-11-27 | Oracle America, Inc. | System for migrating a virtual machine and resource usage data to a chosen target host based on a migration policy |
US8676989B2 (en) | 2009-04-23 | 2014-03-18 | Opendns, Inc. | Robust domain name resolution |
US8914878B2 (en) | 2009-04-29 | 2014-12-16 | Juniper Networks, Inc. | Detecting malicious network software agents |
US9621516B2 (en) | 2009-06-24 | 2017-04-11 | Vmware, Inc. | Firewall configured with dynamic membership sets representing machine attributes |
US8234469B2 (en) | 2009-07-09 | 2012-07-31 | Microsoft Corporation | Backup of virtual machines using cloned virtual machines |
US8494000B1 (en) | 2009-07-10 | 2013-07-23 | Netscout Systems, Inc. | Intelligent slicing of monitored network packets for storing |
WO2011012165A1 (en) | 2009-07-30 | 2011-02-03 | Telefonaktiebolaget Lm Ericsson (Publ) | Packet classification method and apparatus |
US8661434B1 (en) | 2009-08-05 | 2014-02-25 | Trend Micro Incorporated | Migration of computer security modules in a virtual machine environment |
JP5640982B2 (ja) | 2009-09-14 | 2014-12-17 | 日本電気株式会社 | Communication system, forwarding node, path management server, communication method and program |
GB2473675B (en) | 2009-09-22 | 2011-12-28 | Virtensys Ltd | Switching method |
US8490150B2 (en) | 2009-09-23 | 2013-07-16 | Ca, Inc. | System, method, and software for enforcing access control policy rules on utility computing virtualization in cloud computing systems |
US8532108B2 (en) | 2009-09-30 | 2013-09-10 | Alcatel Lucent | Layer 2 seamless site extension of enterprises in cloud computing |
US8369333B2 (en) | 2009-10-21 | 2013-02-05 | Alcatel Lucent | Method and apparatus for transparent cloud computing with a virtualized network infrastructure |
US8800025B2 (en) | 2009-11-10 | 2014-08-05 | Hei Tao Fung | Integrated virtual desktop and security management system |
US9071614B2 (en) | 2009-11-19 | 2015-06-30 | Hitachi, Ltd. | Computer system, management system and recording medium |
US8352953B2 (en) | 2009-12-03 | 2013-01-08 | International Business Machines Corporation | Dynamically provisioning virtual machines |
US8726334B2 (en) | 2009-12-09 | 2014-05-13 | Microsoft Corporation | Model based systems management in virtualized and non-virtualized environments |
WO2011072899A1 (en) | 2009-12-15 | 2011-06-23 | International Business Machines Corporation | Method for operating cloud computing services and cloud computing information system |
US9274821B2 (en) | 2010-01-27 | 2016-03-01 | Vmware, Inc. | Independent access to virtual machine desktop content |
US8938782B2 (en) | 2010-03-15 | 2015-01-20 | Symantec Corporation | Systems and methods for providing network access control in virtual environments |
US8259571B1 (en) | 2010-03-26 | 2012-09-04 | Zscaler, Inc. | Handling overlapping IP addresses in multi-tenant architecture |
JP5190084B2 (ja) | 2010-03-30 | 2013-04-24 | 株式会社日立製作所 | Virtual machine migration method and system |
US8868032B2 (en) | 2010-04-23 | 2014-10-21 | Tekelec, Inc. | Methods, systems, and computer readable media for automatic, recurrent enforcement of a policy rule |
US20110299533A1 (en) | 2010-06-08 | 2011-12-08 | Brocade Communications Systems, Inc. | Internal virtual network identifier and internal policy identifier |
JP5716741B2 (ja) | 2010-06-09 | 2015-05-13 | 日本電気株式会社 | Communication system, logical channel control device, control device, communication method and program |
US8296459B1 (en) | 2010-06-30 | 2012-10-23 | Amazon Technologies, Inc. | Custom routing decisions |
US8448235B2 (en) | 2010-08-05 | 2013-05-21 | Motorola Solutions, Inc. | Method for key identification using an internet security association and key management based protocol |
US9020868B2 (en) | 2010-08-27 | 2015-04-28 | Pneuron Corp. | Distributed analytics method for creating, modifying, and deploying software pneurons to acquire, review, analyze targeted data |
CA2810663A1 (en) | 2010-09-09 | 2012-03-15 | Nec Corporation | Network system and network managing method |
US8869307B2 (en) | 2010-11-19 | 2014-10-21 | Mobile Iron, Inc. | Mobile posture-based policy, remediation and access control for enterprise resources |
US8620851B2 (en) | 2010-11-23 | 2013-12-31 | Novell, Inc. | System and method for determining fuzzy cause and effect relationships in an intelligent workload management system |
US8612744B2 (en) | 2011-02-10 | 2013-12-17 | Varmour Networks, Inc. | Distributed firewall architecture using virtual machines |
US9191327B2 (en) | 2011-02-10 | 2015-11-17 | Varmour Networks, Inc. | Distributed service processing of network gateways using virtual machines |
US9460289B2 (en) | 2011-02-18 | 2016-10-04 | Trend Micro Incorporated | Securing a virtual environment |
JP5305045B2 (ja) | 2011-03-29 | 2013-10-02 | 日本電気株式会社 | Switching hub and quarantine network system |
CN103477593B (zh) | 2011-04-04 | 2017-03-29 | 日本电气株式会社 | Network system, switch and connected-terminal detection method |
US20120287931A1 (en) | 2011-05-13 | 2012-11-15 | International Business Machines Corporation | Techniques for securing a virtualized computing environment using a physical network switch |
US20120311575A1 (en) | 2011-06-02 | 2012-12-06 | Fujitsu Limited | System and method for enforcing policies for virtual machines |
US20120324567A1 (en) | 2011-06-17 | 2012-12-20 | General Instrument Corporation | Method and Apparatus for Home Network Discovery |
US8516241B2 (en) | 2011-07-12 | 2013-08-20 | Cisco Technology, Inc. | Zone-based firewall policy model for a virtualized data center |
US8935457B2 (en) | 2011-07-29 | 2015-01-13 | International Business Machines Corporation | Network filtering in a virtualized environment |
US8798055B1 (en) | 2011-08-11 | 2014-08-05 | Juniper Networks, Inc. | Forming a multi-device layer 2 switched fabric using internet protocol (IP)-routed / switched networks |
US8875293B2 (en) | 2011-09-22 | 2014-10-28 | Raytheon Company | System, method, and logic for classifying communications |
US20130086399A1 (en) | 2011-09-30 | 2013-04-04 | Cisco Technology, Inc. | Method, system and apparatus for network power management |
US8694786B2 (en) | 2011-10-04 | 2014-04-08 | International Business Machines Corporation | Virtual machine images encryption using trusted computing group sealing |
US8984114B2 (en) | 2011-10-06 | 2015-03-17 | Varmour Networks, Inc. | Dynamic session migration between network security gateways |
US8800024B2 (en) | 2011-10-17 | 2014-08-05 | Mcafee, Inc. | System and method for host-initiated firewall discovery in a network environment |
US20130111542A1 (en) | 2011-10-31 | 2013-05-02 | Choung-Yaw Michael Shieh | Security policy tokenization |
US8813169B2 (en) | 2011-11-03 | 2014-08-19 | Varmour Networks, Inc. | Virtual security boundary for physical or virtual network devices |
US9529995B2 (en) | 2011-11-08 | 2016-12-27 | Varmour Networks, Inc. | Auto discovery of virtual machines |
US8977735B2 (en) | 2011-12-12 | 2015-03-10 | Rackspace Us, Inc. | Providing a database as a service in a multi-tenant environment |
IN2014DN06766A (zh) | 2012-01-24 | 2015-05-22 | L3 Comm Corp | |
US8990371B2 (en) | 2012-01-31 | 2015-03-24 | International Business Machines Corporation | Interconnecting data centers for migration of virtual machines |
US9122507B2 (en) | 2012-02-18 | 2015-09-01 | Cisco Technology, Inc. | VM migration based on matching the root bridge of the virtual network of the origination host and the destination host |
US9060017B2 (en) | 2012-02-21 | 2015-06-16 | Logos Technologies Llc | System for detecting, analyzing, and controlling infiltration of computer and network systems |
US20130223226A1 (en) | 2012-02-29 | 2013-08-29 | Dell Products, Lp | System and Method for Providing a Split Data Plane in a Flow-Based Switching Device |
US9742732B2 (en) | 2012-03-12 | 2017-08-22 | Varmour Networks, Inc. | Distributed TCP SYN flood protection |
US9294302B2 (en) | 2012-03-22 | 2016-03-22 | Varmour Networks, Inc. | Non-fragmented IP packet tunneling in a network |
US9419941B2 (en) | 2012-03-22 | 2016-08-16 | Varmour Networks, Inc. | Distributed computer network zone based security architecture |
US20160323245A1 (en) | 2012-04-11 | 2016-11-03 | Varmour Networks, Inc. | Security session forwarding following virtual machine migration |
US9258275B2 (en) | 2012-04-11 | 2016-02-09 | Varmour Networks, Inc. | System and method for dynamic security insertion in network virtualization |
US8955093B2 (en) | 2012-04-11 | 2015-02-10 | Varmour Networks, Inc. | Cooperative network security inspection |
US10333827B2 (en) | 2012-04-11 | 2019-06-25 | Varmour Networks, Inc. | Adaptive session forwarding following virtual machine migration detection |
CN102739645B (zh) | 2012-04-23 | 2016-03-16 | 杭州华三通信技术有限公司 | Method and apparatus for migrating virtual machine security policies |
JP5974665B2 (ja) | 2012-06-22 | 2016-08-23 | 富士通株式会社 | Information processing system, relay device, information processing device and information processing method |
US9230096B2 (en) | 2012-07-02 | 2016-01-05 | Symantec Corporation | System and method for data loss prevention in a virtualized environment |
US9392077B2 (en) | 2012-10-12 | 2016-07-12 | Citrix Systems, Inc. | Coordinating a computing activity across applications and devices having multiple operation modes in an orchestration framework for connected devices |
US9071637B2 (en) | 2012-11-14 | 2015-06-30 | Click Security, Inc. | Automated security analytics platform |
KR101327317B1 (ko) | 2012-11-30 | 2013-11-20 | (주)소만사 | Apparatus and method for analyzing and monitoring SAP application traffic, and information protection system using the same |
US9467326B2 (en) | 2012-12-03 | 2016-10-11 | Hewlett-Packard Development Company, L.P. | Rate limiting mechanism based on device load/capacity or traffic content |
US8813236B1 (en) | 2013-01-07 | 2014-08-19 | Narus, Inc. | Detecting malicious endpoints using network connectivity and flow information |
US9094445B2 (en) | 2013-03-15 | 2015-07-28 | Centripetal Networks, Inc. | Protecting networks from cyber attacks and overloading |
US9374278B2 (en) | 2013-03-15 | 2016-06-21 | NETBRAIN Technologies, Inc | Graphic user interface based network management system to define and execute troubleshooting procedure |
US9448826B2 (en) | 2013-03-15 | 2016-09-20 | Symantec Corporation | Enforcing policy-based compliance of virtual machine image configurations |
US9787686B2 (en) | 2013-04-12 | 2017-10-10 | Airwatch Llc | On-demand security policy activation |
US9647922B2 (en) | 2013-05-15 | 2017-05-09 | Salesforce, Inc. | Computer implemented methods and apparatus for trials onboarding |
RU2568295C2 (ru) | 2013-08-07 | 2015-11-20 | Закрытое акционерное общество "Лаборатория Касперского" | System and method for temporarily protecting the operating system of software and hardware devices from applications containing vulnerabilities |
US9292684B2 (en) | 2013-09-06 | 2016-03-22 | Michael Guidry | Systems and methods for security in computer systems |
US9538423B2 (en) | 2013-11-01 | 2017-01-03 | Cisco Technology, Inc. | Routing packet traffic using hierarchical forwarding groups |
US9825908B2 (en) | 2013-12-11 | 2017-11-21 | At&T Intellectual Property I, L.P. | System and method to monitor and manage imperfect or compromised software |
US9563771B2 (en) | 2014-01-22 | 2017-02-07 | Object Security LTD | Automated and adaptive model-driven security system and method for operating the same |
US10091238B2 (en) | 2014-02-11 | 2018-10-02 | Varmour Networks, Inc. | Deception using distributed threat detection |
US9973472B2 (en) | 2015-04-02 | 2018-05-15 | Varmour Networks, Inc. | Methods and systems for orchestrating physical and virtual switches to enforce security boundaries |
US20170134422A1 (en) | 2014-02-11 | 2017-05-11 | Varmour Networks, Inc. | Deception Techniques Using Policy |
US20170374032A1 (en) | 2016-06-24 | 2017-12-28 | Varmour Networks, Inc. | Autonomic Protection of Critical Network Applications Using Deception Techniques |
US10264025B2 (en) | 2016-06-24 | 2019-04-16 | Varmour Networks, Inc. | Security policy generation for virtualization, bare-metal server, and cloud computing environments |
US9621568B2 (en) | 2014-02-11 | 2017-04-11 | Varmour Networks, Inc. | Systems and methods for distributed threat detection in a computer network |
JP6252254B2 (ja) | 2014-02-28 | 2017-12-27 | 富士通株式会社 | Monitoring program, monitoring method and monitoring device |
US9961105B2 (en) | 2014-12-31 | 2018-05-01 | Symantec Corporation | Systems and methods for monitoring virtual networks |
US9934406B2 (en) | 2015-01-08 | 2018-04-03 | Microsoft Technology Licensing, Llc | Protecting private information in input understanding system |
US9294442B1 (en) | 2015-03-30 | 2016-03-22 | Varmour Networks, Inc. | System and method for threat-driven security policy controls |
US10193929B2 (en) | 2015-03-13 | 2019-01-29 | Varmour Networks, Inc. | Methods and systems for improving analytics in distributed networks |
US9380027B1 (en) | 2015-03-30 | 2016-06-28 | Varmour Networks, Inc. | Conditional declarative policies |
US10009381B2 (en) | 2015-03-30 | 2018-06-26 | Varmour Networks, Inc. | System and method for threat-driven security policy controls |
US10191758B2 (en) | 2015-12-09 | 2019-01-29 | Varmour Networks, Inc. | Directing data traffic between intra-server virtual machines |
US9680852B1 (en) | 2016-01-29 | 2017-06-13 | Varmour Networks, Inc. | Recursive multi-layer examination for computer network security remediation |
US9762599B2 (en) | 2016-01-29 | 2017-09-12 | Varmour Networks, Inc. | Multi-node affinity-based examination for computer network security remediation |
US9521115B1 (en) | 2016-03-24 | 2016-12-13 | Varmour Networks, Inc. | Security policy generation using container metadata |
US10755334B2 (en) | 2016-06-30 | 2020-08-25 | Varmour Networks, Inc. | Systems and methods for continually scoring and segmenting open opportunities using client data and product predictors |
2015
- 2015-04-02: US application US14/677,827, published as US9973472B2 (en), status Active
2016
- 2016-03-24: WO application PCT/US2016/024116, published as WO2016160533A1 (en), status Application Filing
- 2016-03-30: TW application TW105110187A, published as TW201703485A (zh), status unknown
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10091238B2 (en) | 2014-02-11 | 2018-10-02 | Varmour Networks, Inc. | Deception using distributed threat detection |
US10193929B2 (en) | 2015-03-13 | 2019-01-29 | Varmour Networks, Inc. | Methods and systems for improving analytics in distributed networks |
US10333986B2 (en) | 2015-03-30 | 2019-06-25 | Varmour Networks, Inc. | Conditional declarative policies |
US10009381B2 (en) | 2015-03-30 | 2018-06-26 | Varmour Networks, Inc. | System and method for threat-driven security policy controls |
US9621595B2 (en) | 2015-03-30 | 2017-04-11 | Varmour Networks, Inc. | Conditional declarative policies |
US9973472B2 (en) | 2015-04-02 | 2018-05-15 | Varmour Networks, Inc. | Methods and systems for orchestrating physical and virtual switches to enforce security boundaries |
US10191758B2 (en) | 2015-12-09 | 2019-01-29 | Varmour Networks, Inc. | Directing data traffic between intra-server virtual machines |
US9762599B2 (en) | 2016-01-29 | 2017-09-12 | Varmour Networks, Inc. | Multi-node affinity-based examination for computer network security remediation |
US9680852B1 (en) | 2016-01-29 | 2017-06-13 | Varmour Networks, Inc. | Recursive multi-layer examination for computer network security remediation |
US10382467B2 (en) | 2016-01-29 | 2019-08-13 | Varmour Networks, Inc. | Recursive multi-layer examination for computer network security remediation |
US10009317B2 (en) | 2016-03-24 | 2018-06-26 | Varmour Networks, Inc. | Security policy generation using container metadata |
US10264025B2 (en) | 2016-06-24 | 2019-04-16 | Varmour Networks, Inc. | Security policy generation for virtualization, bare-metal server, and cloud computing environments |
US10755334B2 (en) | 2016-06-30 | 2020-08-25 | Varmour Networks, Inc. | Systems and methods for continually scoring and segmenting open opportunities using client data and product predictors |
US11290494B2 (en) | 2019-05-31 | 2022-03-29 | Varmour Networks, Inc. | Reliability prediction for cloud security policies |
US11290493B2 (en) | 2019-05-31 | 2022-03-29 | Varmour Networks, Inc. | Template-driven intent-based security |
US11310284B2 (en) | 2019-05-31 | 2022-04-19 | Varmour Networks, Inc. | Validation of cloud security policies |
US11575563B2 (en) | 2019-05-31 | 2023-02-07 | Varmour Networks, Inc. | Cloud security management |
US11711374B2 (en) | 2019-05-31 | 2023-07-25 | Varmour Networks, Inc. | Systems and methods for understanding identity and organizational access to applications within an enterprise environment |
US11863580B2 (en) | 2019-05-31 | 2024-01-02 | Varmour Networks, Inc. | Modeling application dependencies to identify operational risk |
US11818152B2 (en) | 2020-12-23 | 2023-11-14 | Varmour Networks, Inc. | Modeling topic-based message-oriented middleware within a security system |
US11876817B2 (en) | 2020-12-23 | 2024-01-16 | Varmour Networks, Inc. | Modeling queue-based message-oriented middleware relationships in a security system |
US11777978B2 (en) | 2021-01-29 | 2023-10-03 | Varmour Networks, Inc. | Methods and systems for accurately assessing application access risk |
US11734316B2 (en) | 2021-07-08 | 2023-08-22 | Varmour Networks, Inc. | Relationship-based search in a computing environment |
Also Published As
Publication number | Publication date |
---|---|
WO2016160533A1 (en) | 2016-10-06 |
US20160294774A1 (en) | 2016-10-06 |
US9973472B2 (en) | 2018-05-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
TW201703485A (zh) | | Systems and methods for orchestrating physical and virtual switches to enforce security boundaries |
US20230362130A1 (en) | | Distributed identity-based firewalls |
US10187410B2 (en) | | Automatically preventing and remediating network abuse |
US10009381B2 (en) | | System and method for threat-driven security policy controls |
JP6335363B2 (ja) | | Providing a virtual security appliance architecture to a virtual cloud infrastructure |
US9294442B1 (en) | | System and method for threat-driven security policy controls |
US20190020689A1 (en) | | Network privilege manager for a dynamically programmable computer network |
US9454392B2 (en) | | Routing data packets between virtual machines using shared memory without copying the data packet |
US9363172B2 (en) | | Managing a configurable routing scheme for virtual appliances |
TW201642616A (zh) | | Conditional declarative policies |
JP2019525528A (ja) | | Processing network traffic to defend against attacks |
GB2503540A (en) | | Applying policy wrappers to computer applications for secure communication |
JP2019522282A (ja) | | Secure configuration of cloud computing nodes |
US11711241B2 (en) | | Techniques for utilizing multiple network interfaces for a cloud shell |
US9537780B2 (en) | | Quality of service agreement and service level agreement enforcement in a cloud computing environment |
US11968080B2 (en) | | Synchronizing communication channel state information for high flow availability |
US20230379303A1 (en) | | Virtual firewall construction method based on openstack framework |
US20170279624A1 (en) | | Overlay network with optimized bum flooding |
CN105490995A (zh) | | Method and device for an NVE to forward packets in an NVO3 network |
Santos et al. | | Cisco next-generation security solutions: All-in-one cisco ASA firepower services, NGIPS, and AMP |
US9503420B2 (en) | | Logical network separation method and apparatus |
JP2016031687A (ja) | | Malware communication control device |
CN116746136A (zh) | | Synchronizing communication channel state information for high flow availability |