US20190222610A1 - User-Based Visibility and Control of a Segmentation Policy - Google Patents
- Publication number
- US20190222610A1 (application US15/873,896)
- Authority
- US
- United States
- Prior art keywords
- workloads
- generating
- rules
- subset
- workload
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
        - G06F16/90—Details of database functions independent of the retrieved data types
          - G06F16/901—Indexing; Data structures therefor; Storage structures
            - G06F16/9024—Graphs; Linked lists
- G06F17/30958—
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        - H04L41/22—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L43/00—Arrangements for monitoring or testing data switching networks
        - H04L43/02—Capturing of monitoring data
          - H04L43/026—Capturing of monitoring data using flow identification
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L43/00—Arrangements for monitoring or testing data switching networks
        - H04L43/04—Processing captured monitoring data, e.g. for logfile generation
          - H04L43/045—Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L45/00—Routing or path finding of packets in data switching networks
        - H04L45/50—Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
          - H04L63/105—Multiple levels of security
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L43/00—Arrangements for monitoring or testing data switching networks
        - H04L43/02—Capturing of monitoring data
          - H04L43/028—Capturing of monitoring data by filtering
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  - Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    - Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
      - Y02D30/00—Reducing energy consumption in communication networks
        - Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Definitions
- This application relates to managing a segmentation policy that controls communications between workloads.
- a segmentation policy comprises a set of rules that control which workloads may communicate on a network and may place restrictions on how such workloads may communicate.
- a system administrator may manually configure the segmentation policy by defining individual rules.
- manually configuring the segmentation policy may be a highly burdensome task.
- an enterprise may need to devote significant resources to administrating the segmentation policy.
- an enterprise may face increased security risks if the segmentation policy is not carefully configured.
- a system, non-transitory computer-readable storage medium, and method facilitate creation of a segmentation policy that controls communications between a plurality of workloads.
- a segmentation server identifies a user group that is associated with one or more administrators logged into a client accessing the segmentation server.
- the segmentation server identifies one or more label sets associated with the user group from a user group database.
- the segmentation server identifies a subset of workloads of the plurality of workloads from a workload database that have at least one of the group of label sets associated with the identified user group.
- the segmentation server generates a set of rules for controlling communications associated with the subset of workloads. Management instructions are generated for enforcing the set of rules.
- the management instructions are sent to respective operating system instances executing the subset of workloads.
- the respective operating system instances may enforce the set of rules based on the management instructions.
- the segmentation server monitors traffic flows between the subset of workloads and generates a traffic flow graph based on the monitored traffic flows.
- the traffic flow graph comprises a plurality of nodes representing the subset of workloads and a plurality of edges representing the monitored traffic flows between the subset of workloads.
- a graphical representation of the traffic flow graph is generated.
- the graphical representation of the traffic flow graph is outputted to the administrative client.
- the rules may be generated according to different segmentation strategies selectable via the administrative client.
- a first configuration (e.g., a low granularity segmentation strategy):
- rules are generated that permit communication between workloads sharing a particular predefined label set (e.g., workloads within an application group).
- the segmentation server may monitor traffic flows associated with the subset of workloads and generate the set of rules based on the monitored traffic flows so that the rules permit the monitored traffic flows.
- a second configuration (e.g., a moderate granularity segmentation strategy):
- a traffic flow between a first workload and a second workload is detected.
- the segmentation server determines a first label set corresponding to the first workload and a second label set corresponding to the second workload.
- a rule is then generated permitting communications between workloads having the first label set and workloads having the second label set.
- a third configuration (e.g., a high granularity segmentation strategy):
- one or more ports and one or more protocols associated with a detected traffic flow between a first workload and a second workload are each determined.
- a first label set associated with the first workload and a second label set associated with the second workload are determined.
- a rule is then generated permitting communications using the one or more ports and the one or more protocols between workloads having the first label set and workloads having the second label set.
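The three strategies above, worked through as an added example (this is not code from the patent or its assignee). The inventory, flows, label names and values are constructed; rules carry the service, provided-by and used-by fields described later in the text, without a rule function; and a cross-group flow under the low granularity strategy is assumed to yield a group-to-group rule.

```python
from collections import namedtuple
from typing import Dict, FrozenSet, Set, Tuple

# Rule fields follow the text's format ("service", "provided-by", "used-by");
# the optional "rule function" restriction is omitted here.
Rule = namedtuple("Rule", "service provided_by used_by")
# A detected traffic flow: the consumer (used_by) talks to the provider (provided_by).
Flow = namedtuple("Flow", "used_by provided_by protocol port")

# Constructed sample inventory (workload id -> labels); names and values are assumed.
WORKLOADS: Dict[str, Dict[str, str]] = {
    "web-1": {"role": "web",      "application": "trading",         "environment": "production"},
    "api-1": {"role": "API",      "application": "trading",         "environment": "production"},
    "db-1":  {"role": "database", "application": "trading",         "environment": "production"},
    "hr-1":  {"role": "web",      "application": "human resources", "environment": "production"},
}

# Constructed sample of flows detected by the traffic flow module.
FLOWS = [
    Flow("web-1", "api-1", "tcp", 8443),
    Flow("api-1", "db-1", "tcp", 5432),
    Flow("web-1", "db-1", "tcp", 5432),
    Flow("hr-1", "api-1", "tcp", 8443),
]

APP_GROUP_DIMS = ("environment", "application")   # application group, as defined in the text
ALL_DIMS = ("environment", "application", "role")  # a workload's full label set
ANY_SERVICE = ("*", "*")


def label_set(workload: str, dims: Tuple[str, ...]) -> FrozenSet[Tuple[str, str]]:
    """Project a workload's labels onto the given dimensions."""
    labels = WORKLOADS[workload]
    return frozenset((d, labels[d]) for d in dims if d in labels)


def generate_rules(flows, strategy: str) -> Set[Rule]:
    """Generate permissive rules so that every detected flow is permitted.
    low:      rules between application groups (one rule covers all traffic inside a group;
              a cross-group flow is assumed to yield a group-to-group rule), any service
    moderate: rules between the full label sets of the two workloads, any service
    high:     as moderate, but restricted to the detected protocol and port"""
    dims, keep_service = {
        "low": (APP_GROUP_DIMS, False),
        "moderate": (ALL_DIMS, False),
        "high": (ALL_DIMS, True),
    }[strategy]
    rules = set()
    for f in flows:
        service = (f.protocol, f.port) if keep_service else ANY_SERVICE
        rules.add(Rule(service, label_set(f.provided_by, dims), label_set(f.used_by, dims)))
    return rules


def in_scope(workload: str, label_set_: FrozenSet[Tuple[str, str]]) -> bool:
    """A workload is within the scope of a label set when it carries all of its labels,
    whatever its labels in other dimensions."""
    return label_set_ <= frozenset(WORKLOADS[workload].items())


def permitted(rules: Set[Rule], flow: Flow) -> bool:
    """Enforcement is permissive: a flow is allowed only if some rule covers it."""
    for r in rules:
        service_ok = r.service == ANY_SERVICE or r.service == (flow.protocol, flow.port)
        if service_ok and in_scope(flow.provided_by, r.provided_by) and in_scope(flow.used_by, r.used_by):
            return True
    return False


if __name__ == "__main__":
    # Two flows that were never observed; finer strategies block more of them.
    unseen = [Flow("hr-1", "db-1", "tcp", 5432), Flow("web-1", "db-1", "tcp", 3306)]
    for strategy in ("low", "moderate", "high"):
        rules = generate_rules(FLOWS, strategy)
        print(strategy, len(rules), "rules; unseen flows permitted:", [permitted(rules, f) for f in unseen])
```

The low granularity rule set permits both unseen flows, the moderate set only the new port between already-paired label sets, and the high set neither.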
- rules may be generated differently depending on privileges associated with the user group.
- the segmentation server may determine that the user group has limited ruleset creation privileges.
- the segmentation server generates the rule set to only include rules permitting communications between pairs of workloads in the subset of workloads that both have at least one of the group of label sets associated with the user group.
- the segmentation server may determine that the user group has expanded ruleset creation privileges.
- the segmentation server generates the rule set to also include rules permitting communications in which a workload in the subset of workloads having at least one of the group of label sets associated with the user group provides a service to a workload outside the subset of workloads.
- the generated rules are stored to a rules database prior to generating the management instructions.
- the segmentation server identifies access by a provisioner associated with a provisioner user group, which may be different from a rule creator or other roles.
- a user interface is presented for providing the rules for review by the provisioner.
- the management instructions are then generated in response to receiving confirmation from the provisioner to implement the rules.
- FIG. 1 is a high-level block diagram illustrating an environment for managing a segmentation policy, according to one embodiment.
- FIG. 2 is a block diagram illustrating example embodiments of operating system instances.
- FIG. 3 is a block diagram illustrating an example embodiment of a segmentation server.
- FIG. 4 is a flowchart illustrating an example process for managing user groups assigned to administer a segmentation policy.
- FIG. 5 is a flowchart illustrating an example process for generating rules for a segmentation policy.
- a segmentation server enables role-based visibility and management of a segmentation policy. Administrators belonging to different user groups associated with different roles may have different limited visibility into traffic flows controlled by the segmentation policy and may be assigned different privileges with respect to viewing, creating, modifying, and provisioning rules of the segmentation policy. Thus, the burden of administering the segmentation policy may be distributed between administrators associated with different user groups that each may have responsibility for a different segment of an administrative domain. The division of responsibility beneficially enables an enterprise to ease the administrative burden of managing the global segmentation policy for any single individual. Furthermore, exposure associated with a security breach of an administrator account can be contained to a particular segment, thereby improving overall security.
- FIG. 1 is a high-level block diagram illustrating a networked computing environment 100 .
- the networked computing environment 100 includes a segmentation server 120 , a network 110 , an administrative client 160 , and an administrative domain 150 that includes a plurality of operating system (OS) instances 130 (e.g., OS instances 130 - 1 , 130 - 2 , . . . , 130 -N).
- the administrative domain 150 can correspond to an enterprise such as, for example, a service provider, a corporation, a university, or a government agency under control of the segmentation server 120 .
- the network 110 represents the communication pathways between the segmentation server 120 , the administrative client 160 , and the OS instances 130 .
- the network 110 uses standard communications technologies and/or protocols and can include the Internet.
- the entities on the network 110 can use custom and/or dedicated data communications technologies.
- the OS instances 130 comprise instances of an operating system executing on one or more computing devices.
- An OS instance 130 may execute directly on a physical machine or on a virtual machine that executes on one or more computing devices.
- a single physical or virtual machine may operate a single OS instance 130 or may operate multiple OS instances 130 .
- the OS instances 130 each execute one or more workloads 138 (e.g., one or more workloads 138 - 1 , one or more workloads 138 - 2 , etc.).
- the workloads 138 comprise independently addressable computing units for performing computing tasks.
- a workload 138 may comprise, for example, an application or application component, a process, a container, or other sub-component thereof executing on the OS instance 130 .
- an OS instance 130 may operate only a single workload 138 .
- an OS instance 130 may operate multiple workloads 138 that may be independently addressable and may perform different independent computing functions.
- the workloads 138 on the OS instances 130 may communicate with other workloads 138 on different OS instances 130 within the administrative
- the segmentation server 120 is a computer (or set of computers) that obtains and stores information about the OS instances 130 on the network 120 and the workloads 138 executing on the OS instances 130 .
- the segmentation server 120 manages a segmentation policy for the administrative domain 150 that regulates communications between workloads 138 within the administrative domain 150 .
- the segmentation policy is set forth using permissive rules that specify the communications that are permitted.
- the segmentation policy is enforced by blocking any communications that are not expressly permitted by the rules.
- the segmentation policy includes a set of rules specifying whether certain workloads 138 are allowed to provide services to or receive services from other workloads 138 , and may place restrictions on how those workloads 138 are allowed to communicate when providing or consuming the services.
- a segmentation policy may include a rule specifying that a workload 138 - 1 operating on an OS instance 130 - 1 is allowed to provide a particular service to a workload 138 - 2 operating on an OS instance 130 - 2 . Absent other rules, the workload 138 - 1 will thus be blocked from providing the service to a workload 138 -N operating on an OS instance 130 -N.
- the rule may furthermore specify the type of service that the workload 138 - 1 is allowed to provide to workload 138 - 2 (e.g., a database service, a web service, etc.).
- the rule may specify how the workloads 138 - 1 , 138 - 2 may communicate when providing this service (e.g., using encrypted communication only, using authenticated communication only, etc.).
- a rule may be specified as a plurality of fields including a “service,” a “provided-by” portion that identifies one or more workloads 138 that is permitted to provide the service, a “used-by” portion that identifies one or more workloads 138 that is permitted to use the service provided by the workloads 138 in the “provided-by portion,” and a “rule function” that may place one or more restrictions on the communications between the workloads 138 while facilitating the service.
- the segmentation server 120 may assign one or more labels to each workload 138 that define one or more high-level characteristics of the workload 138 .
- Labels may be defined for multiple different dimensions.
- each label may comprise a “dimension” (a high-level characteristic) and a “value” (the value of that high-level characteristic).
- one possible label dimension may specify a “role” of the workload 138 and may have values such as “web,” “API,” or “database” specifying the role of the workload 138 within the administrative domain 150 .
- a label dimension may specify a “location” of the workload 138 and may have values such as “United States” or “Europe.”
- Workloads 138 may also be labeled based on a user group of a user that is logged into the workload 138 or the corresponding OS instance 130 on which the workload 138 executes. For example, a workload 138 may have a label with a dimension “user group” and a value “managers.”
- Each workload 138 may be assigned labels for one or more dimensions but each workload 138 does not necessarily have a label assigned for every possible dimension.
- a workload 138 may have a label specifying its location but may not necessarily have a label specifying its role.
- a logical management model specifying the number and types of dimensions available and those dimensions' possible values may be configurable.
- the logical management model includes the following dimensions and possible values, as shown in Table 1:
Table 1: logical management model

| Dimension | Meaning (M) | Values (V) |
|---|---|---|
| Role | The role of the managed server within the administrative domain. | web, API, database |
| Environment | The lifecycle stage of the managed server. | production, staging, development |
| Application | The logical application (higher-level grouping of managed servers) to which the managed server belongs. | trading, human resources |
| Line of Business | The business unit to which the managed server belongs. | marketing, engineering |
| Location | The location of the managed server. Can be physical (e.g., country or geographical region) or logical (e.g., network). Physical is particularly useful for expressing geographic compliance requirements. | US or EU (physical), us-west-1 or us-east-2 (logical) |
| User Group | The user group containing the user logged onto the managed server. | Engineers, Contractors, Managers, System Administrators |
- Labels may be logically grouped into label sets.
- a label set comprises a set of one or more labels.
- a label set may include only a single label dimension and value (e.g., Role: Database) or may include multiple label dimensions and corresponding values (e.g., Role: Database; Location: New York).
- the segmentation server 120 may utilize label sets to enable the segmentation policy to be defined at a high level of abstraction by specifying rules based on label sets instead of by identifying individual workloads 138 .
- a rule of the segmentation policy may identify a group of workloads 138 to which a portion of the rule is applicable by referencing one or more label sets.
- a rule may specify that workloads 138 with a label set A may provide a service B to workloads 138 with a label set C.
- a rule that specifies a label set A that specifies label values in fewer than all of the available dimensions is applied to any workloads 138 that have all of the labels in the label set A (i.e., are within the “scope” of the label set A), regardless of the workloads' labels in other dimensions not part of the label set A.
- a rule that references a label set “Role: Database; Location: New York” is applicable to all workloads having both of the labels “Role: Database” and “Location: New York,” regardless of their labels in other dimensions.
- special groups of workloads 138 may be defined as a group of workloads 138 having the same label set with respect to a predefined group of label dimensions.
- an “application group” may be defined as a group of workloads 138 having the same label values for the “environment” and “application” dimensions without necessarily having the same values in the other dimensions.
- an “application group” may be defined as a group of workloads 138 having the same label values for the “environment,” “application” and “location” dimensions without necessarily having the same values in the other dimensions.
- a “tier” may be defined as a group of workloads 138 having the same label values for the “environment,” “application,” and “role” labels without necessarily having the same values in the other dimensions.
- a “tier” may be defined as a group of workloads 138 having the same label values for the “environment,” “application,” “role,” and “location” dimensions without necessarily having the same values in the other dimensions. Rules may be specified that control communications between application groups or between tiers based on the definitions above.
- the segmentation server 120 may retain a repository storing information about the OS instances 130 and the workloads 138 managed by the segmentation server 120 .
- the segmentation server 120 may store, for each OS instance 130 , an OS instance identifier that uniquely identifies the OS instance 130 , workload identifiers for workloads 138 associated with the OS instance 138 , and membership information indicating one or more groups of workloads 138 to which each workload 138 belongs (e.g., as defined by the respective label sets for the workloads 138 ).
- Table 2 illustrates an example of information stored by the segmentation server 120 .
- the “ID” represents the OS instance identifier for each OS instance 130 .
- the workload ID(s) represent the workload identifier for the workload(s) 138 executing on each OS instance 130 . If only a single workload executes on a particular OS instance 130 , the workload ID may be synonymous with the OS instance ID (e.g., in the case of ID 1 and IDn). If more than one workload 138 executes on a given OS instance 130 , the workload ID may include the OS instance ID in combination with a sub-identifier for the workload 138 (e.g., in the case of ID 2 ).
- the sub-identifier may comprise, for example, a port number, IP address, process name, or other identifier that uniquely identifies the workload 138 when taken in combination with the identifier for the OS instance 130 .
- the memberships represent groups to which one or more workloads 138 executing on the OS instance 130 belongs. Each group may correspond to a unique label set (e.g., a different combination of labels) involving one or more dimensions. For example, group A may represent a group of workloads 138 having the label set (Role: Web; Location: Europe).
- the segmentation policy is not enforced by the segmentation server 120 itself but instead by at least a subset of the OS instances 130 .
- the segmentation server 120 generates a set of management instructions and distributes the management instructions to the OS instances 130 .
- the management instructions include the rules controlling communications between different groups of workloads 138 (e.g., specified by their label sets or directly by an identifier of the workload 138 ) and membership information indicating workloads 138 belonging to each group (e.g., which workloads 138 have certain label sets).
- the segmentation server 120 may send different management instructions to different OS instances 130 so that each OS instance 130 gets only the management instructions relevant to its operation.
- the segmentation server 120 may determine which rules are relevant to a given OS instance 130 and distribute the relevant rules to that OS instance 130 .
- a rule may be deemed relevant to a particular OS instance 130 if that OS instance 130 executes one or more workloads 138 that belongs to a group (defined by one or more label sets) referenced by the rule.
- the segmentation server 120 may furthermore determine which membership information is relevant to each OS instance 130 and distribute the relevant membership information to each respective OS instance 130 .
- membership information may be relevant to a particular OS instance 130 if it defines membership of a group referenced by a rule deemed relevant to the particular OS instance 130 . Further details of a segmentation system for controlling communications between OS instances 130 based on labels are described in U.S. Patent Application Publication No. 2014/0373091 entitled “Distributed Network Security Using a Logical Multi-Dimensional Label-Based Policy Model,” to Paul J. Kirner, et al., which is incorporated by reference herein.
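The relevance tests described above, as an added example that is not code from the patent or its assignee: each OS instance receives only the rules that reference a group one of its workloads belongs to, and only the membership information for the groups those rules reference. The inventory, rules, workload identifiers (with a port as the sub-identifier on a shared instance) and label values are constructed.

```python
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

LabelSet = FrozenSet[Tuple[str, str]]


class Rule(NamedTuple):
    service: str           # e.g. "tcp/5432"
    provided_by: LabelSet  # group permitted to provide the service
    used_by: LabelSet      # group permitted to use it


def ls(**labels: str) -> LabelSet:
    """Build a label set from dimension=value pairs."""
    return frozenset(labels.items())


# Constructed inventory: OS instance id -> {workload id -> labels}. Workload ids follow the
# scheme in the text: the OS instance id alone, or the id plus a sub-identifier (a port here)
# when several workloads share an instance. Names and values are assumed.
OS_INSTANCES: Dict[str, Dict[str, Dict[str, str]]] = {
    "os-1": {"os-1": {"role": "web", "application": "trading", "environment": "production"}},
    "os-2": {
        "os-2:8443": {"role": "API", "application": "trading", "environment": "production"},
        "os-2:9000": {"role": "API", "application": "human resources", "environment": "production"},
    },
    "os-3": {"os-3": {"role": "database", "application": "trading", "environment": "production"}},
    "os-4": {"os-4": {"role": "web", "application": "human resources", "environment": "production"}},
}

# Constructed contents of the rules database.
RULES: List[Rule] = [
    Rule("tcp/8443", ls(role="API", application="trading"), ls(role="web", application="trading")),
    Rule("tcp/5432", ls(role="database", application="trading"), ls(role="API", application="trading")),
    Rule("tcp/9000", ls(role="API", application="human resources"),
         ls(role="web", application="human resources")),
]


def in_scope(labels: Dict[str, str], label_set: LabelSet) -> bool:
    """Scope test from the text: the workload carries every label of the label set."""
    return label_set <= frozenset(labels.items())


def group_members(label_set: LabelSet) -> Set[str]:
    """Membership information: every workload, on any OS instance, in scope of the label set."""
    return {wid for wls in OS_INSTANCES.values()
            for wid, labels in wls.items() if in_scope(labels, label_set)}


def relevant_rules(os_id: str) -> List[Rule]:
    """A rule is relevant to an OS instance if the instance executes a workload that belongs
    to a group (label set) the rule references, either as provider or as user."""
    workloads = OS_INSTANCES[os_id].values()
    return [r for r in RULES
            if any(in_scope(w, r.provided_by) or in_scope(w, r.used_by) for w in workloads)]


def management_instructions(os_id: str) -> Tuple[List[Rule], Dict[LabelSet, Set[str]]]:
    """Relevant rules plus membership only for the groups those rules reference, so an
    OS instance learns nothing about workloads its own rules never mention."""
    rules = relevant_rules(os_id)
    groups = {g for r in rules for g in (r.provided_by, r.used_by)}
    return rules, {g: group_members(g) for g in groups}


if __name__ == "__main__":
    for os_id in OS_INSTANCES:
        rules, membership = management_instructions(os_id)
        print(os_id, [r.service for r in rules],
              {tuple(sorted(g)): sorted(m) for g, m in membership.items()})
```

The web instance os-1 never learns that a database group exists, while the shared instance os-2 receives all three rules because its two workloads belong to groups referenced by each of them.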
- the administrative client 160 comprises a computing device that may be operated by an administrator of the administrative domain 150 being managed by the segmentation server 120 .
- the administrative client 160 may execute an interface (e.g., via an application or web browser) that enables the administrator to interact with the segmentation server 120 to configure or view the segmentation policy.
- the interface may furthermore enable the administrator to obtain various information about the OS instances 130 and workloads 138 on the network 120 and view traffic flows between the workloads 138 .
- a particular administrator may log into a client 160 using credentials that uniquely identify the administrator and may be used to identify a user group 165 to which the administrator is a member.
- User groups may have multiple members or may have only a single member.
- an administrator may be a member of multiple user groups.
- Administrators that are members of different user groups 165 may have different privileges and access to different information associated with administering the segmentation policy.
- different user groups 165 may be associated with one or more label sets.
- a member of a particular user group 165 may be limited to viewing, generating, or modifying rules within the scope of the label set for the user group.
- the member of the user group 165 may be unable to access or control rules associated with label sets outside the scope of those associated with the user group 165 .
- administration of the segmentation policy may be divided between user groups 165 that control respective subsets of the rules relating to different label sets.
- administration of the segmentation policy may be divided between different user groups 165 based on the different label dimensions such as location, business line, role, environment, application, or different combinations of label dimensions.
- a benefit of enabling user-based administration of the segmentation policy is that it significantly eases the administrative burden of managing the segmentation policy for a large network. For example, multiple administrators can operate in parallel to generate or modify the segmentation policy without the actions of one administrator necessarily affecting the actions of others. Furthermore, by assigning different user groups to administer different portions of the segmentation policy, different administrators may become more specialized in the particular security needs associated with specific applications or their portion of the network and may therefore be better able to tailor the segmentation policy to those needs. Further still, limiting the access of administrators to only a limited portion of the segmentation policy makes it more difficult for an administrator to create a vulnerability in the segmentation policy (e.g., by mistake or by intentional malicious action). Examples of techniques for enforcing user-based control of a segmentation policy are described in further detail below.
- FIG. 2 illustrates example embodiments of OS instances 130 .
- An OS instance 130 may correspond to a managed OS instance 230 or an unmanaged OS instance 240 .
- a managed OS instance 230 includes an enforcement module 235 that enables the managed OS instance 230 to enforce the segmentation policy for the workloads 138 it executes.
- the unmanaged OS instance 235 does not include an enforcement module 235 and is unable to directly contribute to enforcement of the segmentation policy.
- the segmentation server 120 thus only distributes management instructions to the managed OS instances 230 .
- the unmanaged OS instances 240 may still be affected by the segmentation policy because the managed OS instances 230 may limit communications between workloads 138 on the managed OS instances 130 and workloads 138 on the unmanaged OS instance 240 .
- Workloads 138 executing on the unmanaged OS instances 240 may be assigned labels and may be referenced in the rules of the segmentation policy in the same way as workloads 138 on managed OS instances 130 .
- communications between workloads 138 on managed OS instances 230 and unmanaged OS instances 240 may be controlled by the segmentation policy by enforcing the rules at the managed OS instances 230 .
- the segmentation policy may be effectively enforced on an unmanaged OS instance 240 by a separate device that can control communication to and from the unmanaged OS instance 240 on which workloads 138 execute.
- an enforcement module 235 on an upstream switch port, or other physical or logical device may control communications to and from workloads 138 on a downstream unmanaged OS instance 240 .
- the segmentation policy can be enforced directly on the workloads 138 on an unmanaged OS instance 240 similarly to enforcement on a managed OS instance 230 .
- the enforcement module 235 includes a management module 232 , a management module configuration 234 , and a policy implementation module 236 .
- the management module 232 comprises a low-level network or security engine that controls incoming and outgoing traffic associated with each of the workloads 138 executing on the OS instance 130 .
- the management module 232 may include an operating system-level firewall, an Internet Protocol security (IPsec) engine, or a network traffic filtering engine (e.g., based on the Windows Filtering Platform (WFP) development platform).
- the management module 232 may permit a particular workload 138 to communicate with a limited set of workloads 138 on other OS instances 130 , and may block all other communications. Furthermore, the management module 232 may place restrictions on how each workload 138 is permitted to communicate. For example, for a particular workload 138 , the management module 232 may enable the workload 138 to communicate using only encrypted protocols and block any unencrypted communications.
- the policy implementation module 236 receives the management instructions from the segmentation server 120 and translates the management instructions from a high level of abstraction to a low level of abstraction represented by the management module configuration 234 .
- the policy implementation module 236 may obtain the relevant rules and relevant membership information from the management instructions, and identify the specific workloads 138 and services controlled by the rules.
- the policy implementation module 236 then generates a management module configuration 234 that enables the management module 232 to enforce the management instructions.
- FIG. 3 is a high-level block diagram of an embodiment of a segmentation server 120 .
- the segmentation server 120 comprises a presentation module 302 , an authentication module 306 , a traffic flow module 308 , a rule generation module 310 , an instruction distribution module 312 , and a repository 350 including a workloads database 314 , a rules database 316 , and a user groups database 318 .
- the segmentation server 120 may include different or additional components.
- the various components of the segmentation server 120 may be implemented as one or more processors and a non-transitory computer-readable storage medium that stores instructions executed by the one or more processors to carry out the functions attributed to the segmentation server 120 described herein.
- the traffic flow module 308 monitors traffic between workloads 138 and presents information relating to the traffic flows. For example, the traffic flow module 308 may identify each pair of workloads 138 that communicates with each other during a particular time period. For each detected traffic flow between a pair of workloads 138 , the traffic flow module 308 may identify what services are communicated between the pair of workloads 138 , what sub-components of the respective workloads 138 (e.g., specific applications) utilize those services, what ports are used by the respective workloads 138 for the communications, and what protocols are used for the communications.
- the traffic flow module 308 may identify statistical information relating to the traffic flow between a pair of workloads 138 such as, for example, a volume of data transferred between the pair of workloads within a particular time period, a frequency of communications between the pair of workloads 138, a duration of communications between the pair of workloads 138, or other statistical information indicative of the extent of the communications.
- the traffic flow module 308 may generate a representation of the traffic flows in the form of a traffic flow graph in which each workload 138 is represented by a node and a traffic flow between a pair of workloads 138 is represented by an edge connecting the respective nodes corresponding to the pair of workloads 138.
- the nodes may store information relating to the workloads 138 and the edges may store information relating to the traffic flow.
- the traffic flow graph may be limited to traffic flows meeting predefined criteria.
- the traffic flow graph may be limited to traffic flows meeting a predefined threshold volume of the traffic (e.g., amount of data, frequency, duration, or a combination thereof).
- the traffic flow module 308 may generate a traffic flow graph corresponding to a limited group of label sets and according to different configuration parameters.
- the traffic flow graph may be limited to traffic flows between pairs of workloads 138 in which both workloads 138 in the pair have label sets within the scope of the limited group of label sets.
- the traffic flow graph may include traffic flows between any pairs of workloads 138 in which the provider of the service has a label set within the scope of the limited group of label sets, without necessarily requiring that the user of the service has a label set within the scope of the limited group of label sets.
- Limiting the traffic flow graph based on label sets can beneficially simplify analysis of a particular segment of the network 110. For example, an administrator may obtain traffic flow information pertaining only to a particular geographic location, role, environment, line of business, application, or a combination thereof.
- the rule generation module 310 automatically generates rules.
- the particular strategy for generating the rules may be based on configuration settings for the rule generation module 310.
- the rules may be generated based at least in part on the observed traffic flow graph.
- the rule generation module 310 generates a set of rules that permits the traffic flows in the traffic flow graph, without permitting other traffic flows unrelated to the observed traffic flow graph.
- the rule generation module 310 identifies a traffic flow and identifies the service associated with the traffic flow, the workload 138 corresponding to the provider of the service, and the workload 138 corresponding to the consumer of the service.
- the rule generation module 310 then generates a rule, if it does not already exist, that permits providing of the service from the identified provider of the service to the identified consumer of the service.
- the rule may be constructed using the label sets of the identified provider and the identified consumer. For example, if the provider has a first label set A and the consumer has a second label set B, the rule may specify the first label set A in the provided-by portion and the second label set B in the used-by portion of the newly created rule. Rules may be similarly generated for each observed traffic flow in the traffic flow graph and may be stored to the rules database 316.
- the rule generation module 310 will therefore produce a set of rules that permits communications observed during normal operation of the workloads 138 in the administrative domain 150 without permitting abnormal communications that are potentially malicious.
- the OS instances 130 will block such potentially malicious communications that are not expressly permitted by the rules.
- the rule generation module 310 may generate rules based on different segmentation strategies depending on configuration parameters. For example, under a high granularity segmentation strategy, the rule generation module 310 generates a set of rules that only permits communications relating to the particular services that are observed between pairs of workloads 138 and which are limited to the specific ports and protocols observed in the traffic flows. Thus, for example, if the traffic flow module 308 only observes communications between a particular pair of workloads 138 using port X (corresponding to a particular service) and a protocol Y, a rule will be generated that permits communications between the particular pair of workloads 138 only if they use port X and protocol Y.
- the generated rule may be specified in accordance with respective label sets of the pair of workloads along a predefined set of dimensions (e.g., the dimensions defining a tier).
- the rule will also permit communications conforming to the specified ports and protocols between different pairs of workloads that conform to the same respective label sets along the same predefined set of dimensions (e.g., the same respective tiers) as the observed pair of workloads.
- a rule may be generated that permits workloads 138 in a first tier associated with the label set “App: Point of Sale; Environment: PCI; Role: Database” to provide a service on port 5432 using TCP protocol to workloads 138 in a second tier associated with the label set “App: Point of Sale; Environment: PCI; Role: Processing.”
- the rule generation module 310 identifies the respective label sets along a predefined set of dimensions (e.g., the dimensions associated with a tier) associated with connected workload pairs observed in the traffic flow graph and generates a set of rules that permits communications between all pairs of workloads 138 having the respective label sets along the predefined set of dimensions (e.g., the same respective tiers), without regard to the specific ports or protocols observed.
- a rule is generated to permit communications between all workloads 138 having the label set X along the predefined set of dimensions and all workloads 138 having the label set Y along the predefined set of dimensions.
- a rule may be generated that permits workloads 138 in a first tier associated with the label set “App: Point of Sale; Environment: PCI; Role: Database” to provide any service (using any port and any protocol) to workloads 138 in a second tier associated with the label set “App: Point of Sale; Environment: PCI; Role: Processing.”
- Upon enforcement of the segmentation policy, communications between pairs of workloads that are not expressly permitted by the rules will be blocked.
- the rule generation module 310 may generate rules based on the label sets of workloads 138 independently of the observed traffic flows. For example, in a low granularity segmentation strategy, the rule generation module 310 generates a set of rules that permits communications between all workloads 138 that share a set of labels along a predefined set of dimensions without regard to observed communications. For example, the rule generation module 310 may generate rules that permit communications between all workloads 138 within the same application group (i.e., having at least the same application and environment labels). For example, a rule may be generated that permits workloads 138 in an application group associated with the label set “App: Point of Sale; Environment: PCI” to provide any service (using any port and any protocol) to other workloads 138 in the application group. Upon enforcement of the segmentation policy, communications between pairs of workloads that are not expressly permitted by the rules will be blocked.
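To make the three strategies concrete, here is an added illustration (not code from the patent or from any product) of deriving rules from an observed traffic-flow graph and then applying them with default deny. The tier dimensions, application-group dimensions, workloads, observed flows and function names are all constructed assumptions.

```python
"""Rule generation from an observed traffic-flow graph under three
segmentation strategies. Added illustration; all names and data are assumptions."""

TIER_DIMS = ("App", "Environment", "Role")   # assumed dimensions that define a tier
APP_GROUP_DIMS = ("App", "Environment")      # assumed dimensions that define an application group

# Constructed sample workloads: workload id -> full label set
WORKLOADS = {
    "db-1":   {"App": "Point of Sale", "Environment": "PCI",  "Role": "Database",   "Location": "New York"},
    "db-2":   {"App": "Point of Sale", "Environment": "PCI",  "Role": "Database",   "Location": "San Francisco"},
    "proc-1": {"App": "Point of Sale", "Environment": "PCI",  "Role": "Processing", "Location": "New York"},
    "web-1":  {"App": "Point of Sale", "Environment": "PCI",  "Role": "Web",        "Location": "New York"},
    "pay-1":  {"App": "Payroll",       "Environment": "Prod", "Role": "Web",        "Location": "New York"},
}

# Constructed traffic-flow graph edges observed during normal operation:
# (provider of the service, consumer of the service, port, protocol)
FLOWS = [
    ("db-1",   "proc-1", 5432, "tcp"),
    ("proc-1", "web-1",  8443, "tcp"),
]


def project(labels, dims):
    """Restrict a label set to the given dimensions (e.g. the tier dimensions)."""
    return {d: labels[d] for d in dims if d in labels}


def in_scope(labels, scope):
    """A workload is within the scope of a label set when it carries every label in it."""
    return all(labels.get(d) == v for d, v in scope.items())


def make_rule(provided_by, used_by, port=None, protocol=None):
    """A rule in provided-by / used-by form; port or protocol None means 'any'."""
    return {"provided_by": provided_by, "used_by": used_by, "port": port, "protocol": protocol}


def generate_rules(workloads, flows, strategy):
    """Return the rule set that the named segmentation strategy derives."""
    rules = []

    def add(rule):
        if rule not in rules:           # only create the rule if it does not already exist
            rules.append(rule)

    if strategy == "low":
        # Permit any service between workloads of the same application group,
        # independent of the observed traffic flows.
        for labels in workloads.values():
            group = project(labels, APP_GROUP_DIMS)
            add(make_rule(group, group))
        return rules

    for provider, consumer, port, protocol in flows:
        provided_by = project(workloads[provider], TIER_DIMS)
        used_by = project(workloads[consumer], TIER_DIMS)
        if strategy == "high":
            # Tier to tier, restricted to the observed port and protocol.
            add(make_rule(provided_by, used_by, port, protocol))
        elif strategy == "moderate":
            # Tier to tier on any port and protocol.
            add(make_rule(provided_by, used_by))
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return rules


def is_permitted(rules, workloads, provider, consumer, port, protocol):
    """Enforcement check: anything not expressly permitted by some rule is blocked."""
    p_labels, c_labels = workloads[provider], workloads[consumer]
    return any(
        in_scope(p_labels, r["provided_by"]) and in_scope(c_labels, r["used_by"])
        and r["port"] in (None, port) and r["protocol"] in (None, protocol)
        for r in rules
    )


if __name__ == "__main__":
    for strategy in ("high", "moderate", "low"):
        rules = generate_rules(WORKLOADS, FLOWS, strategy)
        print(strategy, len(rules), "rule(s);",
              "db-2->proc-1 5432/tcp:", is_permitted(rules, WORKLOADS, "db-2", "proc-1", 5432, "tcp"),
              "db-1->web-1 5432/tcp:", is_permitted(rules, WORKLOADS, "db-1", "web-1", 5432, "tcp"))
```

Note that under the high and moderate strategies the unobserved pair db-2 to proc-1 is still permitted, because the rule is written in terms of tiers rather than individual workloads.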
- configuration settings may cause the rule generation module 310 to generate additional rules permitting communications between groups of workloads 138 having label sets meeting other specified criteria.
- an administrator may specify configuration settings that enable the rule generation module 310 to generate rules permitting communications between a first application group X and a second application group Y.
- rules may be generated differently for different groups of workloads 138 by specifying different configuration settings for different groups. For example, rules may be generated for workloads 138 in a first application group according to a moderate level of granularity while rules may be generated for workloads 138 in a second application group according to a high level of granularity. Furthermore, rules controlling communications between different groups of workloads 138 may be generated according to different configuration settings. For example, rules controlling communications between workloads 138 in a first application group and workloads 138 in a second application group may be generated according to a moderate level of granularity while rules controlling communications between workloads 138 in a first application group and workloads 138 in a third application group may be generated according to a low level of granularity.
- the rule generation module 310 may be configured to generate rules that only affect workloads 138 associated within a scope of a limited group of label sets. Different rule generation schemes based on label sets may be configured. For example, in a limited rule generation configuration, the rule generation module 310 only generates rules in which both the label set associated with the provider of the service and the label set associated with the consumer of the service are within the scope of the limited group of label sets. In an expanded rule generation configuration, the rule generation module 310 may instead generate rules in which the provider of the service has a label set within the scope of the limited group of label sets, without necessarily requiring that the user of the service also has a label set within the scope of the limited group of label sets.
- rules may permit providing of a service by a workload 138 having a label set within the scope of the limited group of label sets to a workload 138 with a label set outside the scope of the limited group of label sets.
- Limiting the generated rules based on label sets beneficially enables rule generation that is limited to a particular segment of the network 110.
- the rule generation module 310 may operate to generate rules only for a portion of the workloads 138 associated with particular label values along certain label dimensions including geographic locations, roles, environments, lines of business, applications, or combinations thereof.
- the presentation module 302 interfaces with the administrative client 160 to present a user interface enabling an administrator to manage the administrative domain 150 or a portion thereof.
- the presentation module 302 may enable an administrator to view a representation of the traffic flows generated by the traffic flow module 308 and generate or modify rules associated with the segmentation policy using the rule generation module 310.
- the presentation module 302 may generate a graphical interface representing all or a portion of the traffic flow graph with the workloads 138 illustrated as nodes and the traffic flows illustrated as edges connecting relevant nodes.
- An administrator may select a particular node to view information about the corresponding workload 138 (e.g., an identifier for the workload, a label set for the workload, services provided by or consumed by the workload, etc.).
- An administrator may similarly select a particular edge on the graph to view information about the corresponding traffic flow such as, for example, services associated with the traffic flow, ports and protocols associated with the traffic flow, or statistical information associated with the traffic flow.
- the presentation module 302 may furthermore enable an administrator to execute the rule generation module 310 to generate a recommended rule set.
- the presentation module 302 may generate a presentation that enables the administrator to view the rules, modify the rules, or control whether a rule is activated or de-activated. For example, an administrator may toggle a particular rule on or off to modify the segmentation policy, or the administrator may manually edit the label sets associated with different portions of the rule.
- the presentation module 302 may furthermore present various configuration options that enable an administrator to control operation of the traffic flow module 308 and the rule generation module 310.
- the presentation module 302 may present a control for controlling which label sets contribute to generating the traffic flow graph and whether to generate an expanded traffic flow graph (including any traffic flows where the provider of the service corresponds to the label set) or a limited traffic flow graph (including only traffic flows where both the consumer and the provider correspond to the label set).
- the presentation module 302 may present a control for specifying a segmentation strategy for operating the rule generation module 310 (e.g., a high granularity, moderate granularity, or low granularity segmentation strategy).
- the configuration options may be automatically configured based on the privileges associated with the user group of the administrator accessing the presentation module 302.
- the presentation module 302, traffic flow module 308, and the rule generation module 310 may present different information or enable access to different controls dependent on the user group associated with an administrator accessing the presentation module 302.
- Each user group may be assigned one or more roles and one or more label sets.
- the one or more label sets assigned to a user group constrain what information associated with the traffic flow module 308 and the rule generation module 310 is available to the user group. For example, when viewing traffic flow information, a member of a particular user group may have access only to traffic flow information associated with traffic flows involving workloads 138 within the scope of the one or more label sets assigned to the user group.
- a member of a particular user group may have access only to rules that specify a label set within the scope of at least one of the one or more label sets assigned to the user group.
- Different user groups may be given broader or narrower access to viewing traffic flows and managing rules depending on the one or more label sets assigned to the user group. For example, by associating a user group with a label set in only a single dimension (e.g., Location: New York), the user group will have broad access to viewing traffic flows and managing rules associated with all workloads 138 having a matching label in that dimension (e.g., all workloads 138 in New York) regardless of the labels in other dimensions.
- Conversely, by associating a user group with a label set that spans multiple dimensions (e.g., Location: New York; Environment: Production; Role: Web), the user group will have narrower access to viewing traffic flows and managing rules associated with a smaller number of workloads 138 that have matching labels across all the specified dimensions.
- a user group may be associated with multiple label sets, thus allowing access to viewing traffic flows and managing rules associated with workloads 138 associated with any one of the associated label sets. For example, a user group associated with a first label set “Location: New York; Role: Web” and a second label set “Location: San Francisco; Role: Web” may give the user group access to all “web” workloads in both San Francisco and New York. In some cases, a user group may be associated with all possible label sets.
- the role assigned to a user group dictates which specific privileges are available to user groups having that role. For example, administrators in one user group may have broad privileges to view information and control various parameters associated with viewing traffic flows and controlling rules, while administrators in another user group may have very limited privileges that may enable the administrator to access only a limited set of features.
- the role may furthermore dictate how the traffic flow module 308 and rule generation module 310 are respectively configured, or may limit which configurations the administrator may choose between.
- one user group may only be able to view traffic flows and generate rules associated with a limited traffic view configuration (including only traffic flows where both the consumer and the provider are within the scope of the limited group of label sets associated with the user group), while another user group may be allowed to view traffic flows or generate rules associated with an expanded traffic view configuration (including any traffic flows where the provider of the service is within the scope of the limited group of label sets associated with the user group).
- a super user role provides special high-level privileges. For example, a super user may access functions on the presentation module 302 to create new labels and assign labels to workloads 138. The associations between workloads and labels are stored in the workloads database 314. A super user may additionally assign roles and label sets to other user groups. The associations between user groups and their respective roles and label sets are stored in the user group database 318. A super user also generally has wide privileges to view traffic flows and generate or modify rules associated with any label sets. Furthermore, a super user can cause the segmentation server 120 to generate management instructions for a set of rules and distribute them to the OS instances 130.
- a manager role generally provides fewer privileges than the super user role.
- a manager is generally assigned one or more specific label sets that limit which traffic flows the manager has visibility into and accordingly limit the manager to generating rules related to those traffic flows.
- a manager generally cannot modify the roles or label sets assigned to different user groups.
- a manager may have the ability to create rules as a recommendation, but does not have privileges associated with causing the segmentation server 120 to generate and distribute the associated management instructions to the OS instances 130 to enforce the rules.
- a provisioner role may be a specialized role for reviewing and approving rules to cause the segmentation server 120 to generate and distribute the management instructions to the OS instances 130.
- the visibility of a provisioner may be limited to a particular group of label sets or may be unlimited.
- the provisioner can review rules generated by a plurality of different managers for different segments, optionally modify the rules, and cause the segmentation server 120 to generate and distribute the management instructions embodying the rules.
- the division of responsibility between the managers and provisioners beneficially enforces a check on the rules so that at least two administrators (a manager and a provisioner) have to approve the rules before they are enforced.
- the authentication module 306 identifies a user group associated with an administrator accessing the segmentation server 120 via the administrative client 160, and authenticates the identity of the administrator.
- the authentication module 306 furthermore determines the role and label set associated with the user group so that the segmentation server 120 may restrict what information the administrator can access in the segmentation server 120 or what configuration changes the administrator can make.
- a role-based access control (RBAC) system may be used to control permissions associated with different user groups.
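The following is an added illustration (not the patent's or any product's code) of how a user group's assigned label sets and role scope what it can see and do: the limited view keeps only flows with both ends in scope, the expanded view keeps any flow whose provider is in scope, and the role decides whether the group may draft rules or provision them. The workloads, flows, user groups, privilege table and function names are constructed assumptions, and an empty label set is used as shorthand for "all possible label sets".

```python
"""User-group scoping of traffic-flow visibility and role privileges.
Added illustration; workloads, flows, groups and the privilege table are assumptions."""

# Constructed workloads: workload id -> full label set
WORKLOADS = {
    "web-ny":  {"Location": "New York",      "Environment": "Production",  "Role": "Web"},
    "web-sf":  {"Location": "San Francisco", "Environment": "Production",  "Role": "Web"},
    "web-dev": {"Location": "New York",      "Environment": "Development", "Role": "Web"},
    "db-ny":   {"Location": "New York",      "Environment": "Production",  "Role": "Database"},
}

# Constructed observed flows: (provider, consumer, port, protocol)
FLOWS = [
    ("db-ny",  "web-ny",  5432, "tcp"),
    ("web-ny", "web-sf",  443,  "tcp"),
    ("web-ny", "web-dev", 443,  "tcp"),
    ("web-sf", "db-ny",   8080, "tcp"),
    ("db-ny",  "web-dev", 5432, "tcp"),
]

# Constructed user groups. An empty label set {} stands for "all possible label
# sets" here, since every workload is within its scope.
USER_GROUPS = {
    "web-admins":  {"role": "manager",
                    "label_sets": [{"Location": "New York", "Role": "Web"},
                                   {"Location": "San Francisco", "Role": "Web"}]},
    "ny-prod-web": {"role": "manager",
                    "label_sets": [{"Location": "New York", "Environment": "Production", "Role": "Web"}]},
    "release":     {"role": "provisioner", "label_sets": [{}]},
    "platform":    {"role": "super_user",  "label_sets": [{}]},
}

# Assumed privilege table distilled from the super user, manager and provisioner roles.
ROLE_PRIVILEGES = {
    "super_user":  {"create_labels", "assign_labels", "assign_user_groups",
                    "view_flows", "generate_rules", "modify_rules", "provision"},
    "manager":     {"view_flows", "generate_rules", "modify_rules"},
    "provisioner": {"view_flows", "modify_rules", "provision"},
}


def in_scope(labels, scope):
    """A workload is within the scope of a label set when it carries every label in it."""
    return all(labels.get(d) == v for d, v in scope.items())


def scoped_workloads(workloads, label_sets):
    """Workloads whose label set is within the scope of at least one assigned label set."""
    return {wid for wid, labels in workloads.items()
            if any(in_scope(labels, s) for s in label_sets)}


def visible_flows(user_groups, group, workloads, flows, expanded=False):
    """Limited view: both ends in scope. Expanded view: a provider in scope suffices."""
    ids = scoped_workloads(workloads, user_groups[group]["label_sets"])
    return [f for f in flows if f[0] in ids and (expanded or f[1] in ids)]


def authorize(user_groups, group, action):
    """Role-based check; an unknown group or role grants nothing."""
    role = user_groups.get(group, {}).get("role")
    return action in ROLE_PRIVILEGES.get(role, set())


def provision(user_groups, author, approver, rules):
    """Turn a drafted rule set into management instructions only when the drafting
    group may generate rules and the approving group may provision them, so a
    manager's draft needs a provisioner (or super user). Returns None otherwise."""
    if not authorize(user_groups, author, "generate_rules"):
        return None
    if not authorize(user_groups, approver, "provision"):
        return None
    return [{"action": "permit", **r} for r in rules]
```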
- the instruction distribution module 312 generates the management instructions from the rules and distributes the relevant management instructions to the OS instances 130 as described above. In an embodiment, the instruction distribution module 312 generates and distributes the relevant management instructions to the OS instances 130 upon approval from an administrator having a provisioner role. Alternatively, the instruction distribution module 312 may automatically distribute the instructions upon being generated by the rule generation module 310 without necessarily requiring an additional approval.
- FIG. 4 is a flowchart illustrating an example embodiment of a process for managing user groups controlling a segmentation policy.
- the process of FIG. 4 may be executed when a super user accesses the segmentation server 120 via the administrative client 160.
- Based on inputs received from the administrative client 160, the segmentation server 120 creates 402 labels that are assignable to workloads 138 within the administrative domain 150.
- the segmentation server 120 then assigns 404 labels to workloads 138.
- the assignments may be stored to the workload database 314.
- the segmentation server 120 assigns 406 one or more label sets to user groups.
- the assignments may be stored to the user groups database 318.
- a first user group may be assigned to a first label set (e.g., “Location: San Francisco; Role: Web”) while a second user group may be assigned to a second label set (e.g., “Location: New York; Role: Database”). Then, the members of the first user group may view traffic flows and/or generate rules within the scope of the first label set, while members of the second user group may view traffic flows and/or generate rules within the scope of the second label set. Assignments of labels to workloads 138 and assignments of label sets to user groups may be performed in either order or in parallel.
- FIG. 5 is a flowchart illustrating an embodiment of a process for managing a portion of a segmentation policy based on a user group.
- the segmentation server 120 identifies 502 the user group associated with an administrator accessing the segmentation server 120.
- the segmentation server 120 identifies 504 one or more label sets associated with the user group. For example, the segmentation server 120 may perform a lookup in the user group database 318 to identify the one or more label sets associated with the user group.
- the segmentation server 120 identifies 506 workloads 138 with a label set ascribed to the user group.
- the segmentation server 120 performs a lookup in the workloads database 314 to determine which workloads 138 have a label set within the scope of one of the label sets associated with the user group.
- the segmentation server 120 generates 508 rules applicable to the workloads 138 associated with the one or more label sets ascribed to the user group in accordance with one or more configuration parameters.
- the segmentation server 120 may generate the rules differently dependent on the segmentation strategy specified in the configuration parameters (e.g., high granularity, moderate granularity, or low granularity segmentation strategy) as described above.
- the segmentation server 120 monitors traffic flows associated with the identified workloads, and for each monitored traffic flow, the segmentation server 120 generates a rule (if it does not already exist) that permits traffic flow between an observed provider of a service and an observed consumer of the service.
- the rule generation module 310 may generate rules based only on the labels of the workloads 138 independently of the observed traffic flows. The segmentation server 120 then sends 510 management instructions to OS instances 130 to enforce the generated rules.
- a software module is implemented with a computer program product comprising a computer-readable medium containing computer program code, which can be executed by a computer processor for performing any or all of the steps, operations, or processes described.
- Embodiments of the invention may also relate to an apparatus for performing the operations herein.
- This apparatus may be specially constructed for the required purposes, and/or it may comprise a general-purpose computing device selectively activated or reconfigured by a computer program stored in the computer.
- a computer program may be stored in a tangible computer readable storage medium or any type of media suitable for storing electronic instructions, and coupled to a computer system bus.
- any computing systems referred to in the specification may include a single processor or may be architectures employing multiple processor designs for increased computing capability.
Abstract
A segmentation server enables user-based management of a segmentation policy. Administrators belonging to different user groups may have different limited visibility into traffic flows controlled by the segmentation policy and may be assigned different privileges with respect to viewing, creating, and modifying rules of the segmentation policy. Thus, the burden of administering the segmentation policy may be distributed between administrators associated with different user groups that each may have responsibility for a different segment.
Description
- This application relates to managing a segmentation policy that controls communications between workloads.
- A segmentation policy comprises a set of rules that control which workloads may communicate on a network and may place restrictions on how such workloads may communicate. Conventionally, a system administrator may manually configure the segmentation policy by defining individual rules. For a complex network with a large number of workloads, manually configuring the segmentation policy may be a highly burdensome task. As a result, an enterprise may need to devote significant resources to administrating the segmentation policy. Furthermore, an enterprise may face increased security risks if the segmentation policy is not carefully configured.
- A system, non-transitory computer-readable storage medium, and method facilitate creation of a segmentation policy that controls communications between a plurality of workloads. A segmentation server identifies a user group that is associated with one or more administrators logged into a client accessing the segmentation server. The segmentation server identifies one or more label sets associated with the user group from a user group database. The segmentation server identifies a subset of workloads of the plurality of workloads from a workload database that have at least one of the group of label sets associated with the identified user group. The segmentation server generates a set of rules for controlling communications associated with the subset of workloads. Management instructions are generated for enforcing the set of rules. The management instructions are sent to respective operating system instances executing the subset of workloads. The respective operating system instances may enforce the set of rules based on the management instructions.
- In an embodiment, the segmentation server monitors traffic flows between the subset of workloads and generates a traffic flow graph based on the monitored traffic flows. The traffic flow graph comprises a plurality of nodes representing the subset of workloads and a plurality of edges representing the monitored traffic flows between the subset of workloads. A graphical representation of the traffic flow graph is generated. The graphical representation of the traffic flow graph is outputted to the administrative client.
- The rules may be generated according to different segmentation strategies selectable via the administrative client. In a first configuration (e.g., a low granularity segmentation strategy), rules are generated that permit communication between workloads sharing a particular predefined label set (e.g., workloads within an application group). In other configurations, the segmentation server may monitor traffic flows associated with the subset of workloads and generate the set of rules based on the monitored traffic flows so that the rules permit the monitored traffic flows. For example, in a second configuration (e.g., a moderate granularity segmentation strategy), a traffic flow between a first workload and a second workload is detected. The segmentation server determines a first label set corresponding to the first workload and a second label set corresponding to the second workload. A rule is then generated permitting communications between workloads having the first label set and workloads having the second label set. In a third configuration (e.g., a high granularity segmentation strategy), one or more ports and one or more protocols associated with a detected traffic flow between a first workload and a second workload are each determined. Furthermore, a first label set associated with the first workload and a second label set associated with the second workload are determined. A rule is then generated permitting communications using the one or more ports and the one or more protocols between workloads having the first label set and workloads having the second label set.
- In an embodiment, rules may be generated differently depending on privileges associated with the user group. For example, the segmentation server may determine that the user group has limited ruleset creation privileges. Here, the segmentation server generates the rule set to only include rules permitting communications between pairs of workloads in the subset of workloads that both have at least one of the group of label sets associated with the user group. In another case, the segmentation server may determine that the user group has expanded ruleset creation privileges. In this case, the segmentation server generates the rule set to also include rules permitting communications in which a workload in the subset of workloads having at least one of the group of label sets associated with the user group provides a service to a workload outside the subset of workloads.
- In one embodiment, the generated rules are stored to a rules database prior to generating the management instructions. The segmentation server identifies access by a provisioner associated with a provisioner user group, which may be different from a rule creator or other roles. A user interface is presented for providing the rules for review by the provisioner. The management instructions are then generated in response to receiving confirmation from the provisioner to implement the rules.
- FIG. 1 is a high-level block diagram illustrating an environment for managing a segmentation policy, according to one embodiment.
- FIG. 2 is a block diagram illustrating example embodiments of operating system instances.
- FIG. 3 is a block diagram illustrating an example embodiment of a segmentation server.
- FIG. 4 is a flowchart illustrating an example process for managing user groups assigned to administer a segmentation policy.
- FIG. 5 is a flowchart illustrating an example process for generating rules for a segmentation policy.
- The Figures (FIGS.) and the following description describe certain embodiments by way of illustration only. One skilled in the art will readily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles described herein. Reference will now be made to several embodiments, examples of which are illustrated in the accompanying figures. It is noted that wherever practicable similar or like reference numbers may be used in the figures and may indicate similar or like functionality.
- A segmentation server enables role-based visibility and management of a segmentation policy. Administrators belonging to different user groups associated with different roles may each have limited visibility into the traffic flows controlled by the segmentation policy, and may be assigned different privileges with respect to viewing, creating, modifying, and provisioning rules of the segmentation policy. Thus, the burden of administering the segmentation policy may be distributed between administrators associated with different user groups, each of which may have responsibility for a different segment of an administrative domain. The division of responsibility beneficially enables an enterprise to ease the administrative burden of managing the global segmentation policy for any single individual. Furthermore, the exposure associated with a security breach of an administrator account can be contained to a particular segment, thereby improving overall security.
- FIG. 1 is a high-level block diagram illustrating a networked computing environment 100. The networked computing environment 100 includes a segmentation server 120, a network 110, an administrative client 160, and an administrative domain 150 that includes a plurality of operating system (OS) instances 130 (e.g., OS instances 130-1, 130-2, . . . , 130-N). The administrative domain 150 can correspond to an enterprise such as, for example, a service provider, a corporation, a university, or a government agency under control of the segmentation server 120.
- The network 110 represents the communication pathways between the segmentation server 120, the administrative client 160, and the OS instances 130. In one embodiment, the network 110 uses standard communications technologies and/or protocols and can include the Internet. In another embodiment, the entities on the network 110 can use custom and/or dedicated data communications technologies.
- The OS instances 130 comprise instances of an operating system executing on one or more computing devices. An OS instance 130 may execute directly on a physical machine or on a virtual machine that executes on one or more computing devices. A single physical or virtual machine may operate a single OS instance 130 or may operate multiple OS instances 130. The OS instances 130 each execute one or more workloads 138 (e.g., one or more workloads 138-1, one or more workloads 138-2, etc.). The workloads 138 comprise independently addressable computing units for performing computing tasks. A workload 138 may comprise, for example, an application or application component, a process, a container, or other sub-component thereof executing on the OS instance 130. In some instances, an OS instance 130 may operate only a single workload 138. In other instances, an OS instance 130 may operate multiple workloads 138 that may be independently addressable and may perform different independent computing functions. The workloads 138 on the OS instances 130 may communicate with other workloads 138 on different OS instances 130 within the administrative domain 150 to perform various tasks.
- The segmentation server 120 is a computer (or set of computers) that obtains and stores information about the OS instances 130 on the network 110 and the workloads 138 executing on the OS instances 130. The segmentation server 120 manages a segmentation policy for the administrative domain 150 that regulates communications between workloads 138 within the administrative domain 150. In an embodiment, the segmentation policy is set forth using permissive rules that specify the communications that are permitted. The segmentation policy is enforced by blocking any communications that are not expressly permitted by the rules. For example, the segmentation policy includes a set of rules specifying whether certain workloads 138 are allowed to provide services to or receive services from other workloads 138, and may place restrictions on how those workloads 138 are allowed to communicate when providing or consuming the services. For example, a segmentation policy may include a rule specifying that a workload 138-1 operating on an OS instance 130-1 is allowed to provide a particular service to a workload 138-2 operating on an OS instance 130-2. Absent other rules, the workload 138-1 will thus be blocked from providing the service to a workload 138-N operating on an OS instance 130-N. The rule may furthermore specify the type of service that the workload 138-1 is allowed to provide to workload 138-2 (e.g., a database service, a web service, etc.). Additionally, the rule may specify how the workloads 138-1, 138-2 may communicate when providing this service (e.g., using encrypted communication only, using authenticated communication only, etc.).
A rule may be specified as a plurality of fields including a “service,” a “provided-by” portion that identifies one or more workloads 138 that are permitted to provide the service, a “used-by” portion that identifies one or more workloads 138 that are permitted to use the service provided by the workloads 138 in the “provided-by” portion, and a “rule function” that may place one or more restrictions on the communications between the workloads 138 while facilitating the service.
- In an embodiment, the segmentation server 120 may assign one or more labels to each workload 138 that define one or more high-level characteristics of the workload 138. Labels may be defined for multiple different dimensions. Here, each label may comprise a “dimension” (a high-level characteristic) and a “value” (the value of that high-level characteristic). For example, one possible label dimension may specify a “role” of the workload 138 and may have values such as “web,” “API,” or “database” specifying the role of the workload 138 within the administrative domain 150. In another example, a label dimension may specify a “location” of the workload 138 and may have values such as “United States” or “Europe.” Workloads 138 may also be labeled based on a user group of a user that is logged into the workload 138 or the corresponding OS instance 130 on which the workload 138 executes. For example, a workload 138 may have a label with a dimension “user group” and a value “managers.” Each workload 138 may be assigned labels for one or more dimensions, but a workload 138 does not necessarily have a label assigned for every possible dimension. For example, a workload 138 may have a label specifying its location but not a label specifying its role.
- A logical management model specifying the number and types of dimensions available and those dimensions' possible values may be configurable. In one embodiment, the logical management model includes the following dimensions and possible values, as shown in Table 1:
- TABLE 1. Example of logical management model

Dimension         Meaning (M), Values (V)
Role              M: The role of the managed server within the administrative domain.
                  V: web, API, database
Environment       M: The lifecycle stage of the managed server.
                  V: production, staging, development
Application       M: The logical application (higher-level grouping of managed servers) to which the managed server belongs.
                  V: trading, human resources
Line of Business  M: The business unit to which the managed server belongs.
                  V: marketing, engineering
Location          M: The location of the managed server. Can be physical (e.g., country or geographical region) or logical (e.g., network). Physical is particularly useful for expressing geographic compliance requirements.
                  V: US or EU (physical), us-west-1 or us-east-2 (logical)
User Group        M: The user group containing the user logged onto the managed server.
                  V: Engineers, Contractors, Managers, System Administrators

- Labels may be logically grouped into label sets. Here, a label set comprises a set of one or more labels. A label set may include only a single label dimension and value (e.g., Role: Database) or may include multiple label dimensions and corresponding values (e.g., Role: Database; Location: New York). The segmentation server 120 may utilize label sets to enable the segmentation policy to be defined at a high level of abstraction by specifying rules based on label sets instead of by identifying individual workloads 138. Thus, a rule of the segmentation policy may identify a group of workloads 138 to which a portion of the rule is applicable by referencing one or more label sets. For example, a rule may specify that workloads 138 with a label set A may provide a service B to workloads 138 with a label set C. Here, a rule that specifies a label set A that specifies label values in fewer than all of the available dimensions is applied to any workloads 138 that have all of the labels in the label set A (i.e., are within the “scope” of the label set A), regardless of the workloads' labels in other dimensions not part of the label set A. Thus, for example, a rule that references a label set “Role: Database; Location: New York” is applicable to all workloads having both of the labels “Role: Database” and “Location: New York,” regardless of their labels in other dimensions.
- In an embodiment, special groups of workloads 138 may be defined as a group of workloads 138 having the same label set with respect to a predefined group of label dimensions. For example, an “application group” may be defined as a group of workloads 138 having the same label values for the “environment” and “application” dimensions without necessarily having the same values in the other dimensions. Alternatively, an “application group” may be defined as a group of workloads 138 having the same label values for the “environment,” “application,” and “location” dimensions without necessarily having the same values in the other dimensions. In another example, a “tier” may be defined as a group of workloads 138 having the same label values for the “environment,” “application,” and “role” dimensions without necessarily having the same values in the other dimensions. Alternatively, a “tier” may be defined as a group of workloads 138 having the same label values for the “environment,” “application,” “role,” and “location” dimensions without necessarily having the same values in the other dimensions. Rules may be specified that control communications between application groups or between tiers based on the definitions above.
- The segmentation server 120 may retain a repository storing information about the OS instances 130 and the workloads 138 managed by the segmentation server 120. For example, the segmentation server 120 may store, for each OS instance 130, an OS instance identifier that uniquely identifies the OS instance 130, workload identifiers for workloads 138 associated with the OS instance 130, and membership information indicating one or more groups of workloads 138 to which each workload 138 belongs (e.g., as defined by the respective label sets for the workloads 138).
- Table 2 illustrates an example of information stored by the segmentation server 120. Here, the “ID” represents the OS instance identifier for each OS instance 130. The workload ID(s) represent the workload identifier for the workload(s) 138 executing on each OS instance 130. If only a single workload executes on a particular OS instance 130, the workload ID may be synonymous with the OS instance ID (e.g., in the case of ID1 and IDn). If more than one workload 138 executes on a given OS instance 130, the workload ID may include the OS instance ID in combination with a sub-identifier for the workload 138 (e.g., in the case of ID2). The sub-identifier may comprise, for example, a port number, IP address, process name, or other identifier that uniquely identifies the workload 138 when taken in combination with the identifier for the OS instance 130. The memberships represent groups to which one or more workloads 138 executing on the OS instance 130 belong. Each group may correspond to a unique label set (e.g., a different combination of labels) involving one or more dimensions. For example, group A may represent a group of workloads 138 having the label set (Role: Web; Location: Europe).

- TABLE 2. Example of a Repository Table

OS Instance ID   Workload ID(s)   Memberships
ID1              ID1              A, C, D
ID2              ID2 + subID1     B, C
                 ID2 + subID2     D
. . .            . . .            . . .
IDn              IDn              B, D, E, F

- Instead of enforcing the segmentation policy at a centralized device, the segmentation policy is enforced by at least a subset of the OS instances 130. To enable enforcement of the segmentation policy, the segmentation server 120 generates a set of management instructions and distributes the management instructions to the OS instances 130. The management instructions include the rules controlling communications between different groups of workloads 138 (e.g., specified by their label sets or directly by an identifier of the workload 138) and membership information indicating the workloads 138 belonging to each group (e.g., which workloads 138 have certain label sets). For efficiency of distribution, the segmentation server 120 may send different management instructions to different OS instances 130 so that each OS instance 130 gets only the management instructions relevant to its operation. Here, the segmentation server 120 may determine which rules are relevant to a given OS instance 130 and distribute the relevant rules to that OS instance 130. A rule may be deemed relevant to a particular OS instance 130 if that OS instance 130 executes one or more workloads 138 that belong to a group (defined by one or more label sets) referenced by the rule. The segmentation server 120 may furthermore determine which membership information is relevant to each OS instance 130 and distribute the relevant membership information to each respective OS instance 130. Here, membership information may be relevant to a particular OS instance 130 if it defines membership of a group referenced by a rule deemed relevant to the particular OS instance 130. Further details of a segmentation system for controlling communications between OS instances 130 based on labels are described in U.S. Patent Application Publication No. 2014/0373091 entitled “Distributed Network Security Using a Logical Multi-Dimensional Label-Based Policy Model,” to Paul J. Kirner, et al., which is incorporated by reference herein.
- The administrative client 160 comprises a computing device that may be operated by an administrator of the administrative domain 150 being managed by the segmentation server 120. The administrative client 160 may execute an interface (e.g., via an application or web browser) that enables the administrator to interact with the segmentation server 120 to configure or view the segmentation policy. The interface may furthermore enable the administrator to obtain various information about the OS instances 130 and workloads 138 on the network 110 and view traffic flows between the workloads 138.
- A particular administrator may log into a client 160 using credentials that uniquely identify the administrator and may be used to identify a user group 165 of which the administrator is a member. User groups may have multiple members or may have only a single member. Furthermore, an administrator may be a member of multiple user groups. Administrators that are members of different user groups 165 may have different privileges and access to different information associated with administering the segmentation policy. Particularly, different user groups 165 may be associated with one or more label sets. A member of a particular user group 165 may be limited to viewing, generating, or modifying rules within the scope of the label sets for the user group. The member of the user group 165 may be unable to access or control rules associated with label sets outside the scope of those associated with the user group 165. In this way, administration of the segmentation policy may be divided between user groups 165 that control respective subsets of the rules relating to different label sets. For example, administration of the segmentation policy may be divided between different user groups 165 based on different label dimensions such as location, business line, role, environment, application, or different combinations of label dimensions.
- A benefit of enabling user-based administration of the segmentation policy is that it significantly eases the administrative burden of managing the segmentation policy for a large network. For example, multiple administrators can operate in parallel to generate or modify the segmentation policy without the actions of one administrator necessarily affecting the actions of others. Furthermore, by assigning different user groups to administer different portions of the segmentation policy, different administrators may become more specialized in the particular security needs associated with specific applications or their portion of the network and may therefore be able to better cater the segmentation policy to those needs. Further still, limiting the access of administrators to only a limited portion of the segmentation policy makes it more difficult for an administrator to create a vulnerability in the segmentation policy (e.g., by mistake or by intentional malicious action). Examples of techniques for enforcing user-based control of a segmentation policy are described in further detail below.
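The label-set scoping of user groups described above, and the limited and expanded configurations of the traffic view and of rule generation described further below, reduce to two checks: is a workload's label set within the scope of one of the group's label sets, and does a flow or rule need both endpoints in scope or only the provider. The following Python is an added example written for this page, not code from the patent; the workload ids, label dimensions, flow tuple layout, the `Rule` class and the hypothetical "EU database administrators" group are all constructed for illustration.

```python
from dataclasses import dataclass


def in_scope(labels, label_set):
    """True if `labels` carries every label in `label_set`. Labels in other
    dimensions are ignored: that is the 'scope' of a label set."""
    return all(labels.get(dim) == val for dim, val in label_set.items())


def in_group_scope(labels, group_scope):
    """A user group is associated with one or more label sets; `labels` is
    within the group's scope if it is within the scope of at least one."""
    return any(in_scope(labels, ls) for ls in group_scope)


@dataclass
class Rule:
    service: str        # e.g. "postgres/5432/tcp" (constructed notation)
    provided_by: dict   # label set identifying permitted providers
    used_by: dict       # label set identifying permitted consumers


def visible_flows(flows, workloads, group_scope, expanded=False):
    """The group's traffic view over observed flows (provider, consumer, service).
    Limited view: both endpoints in scope. Expanded view: provider in scope,
    consumer anywhere."""
    out = []
    for provider, consumer, service in flows:
        p_ok = in_group_scope(workloads[provider], group_scope)
        c_ok = in_group_scope(workloads[consumer], group_scope)
        if p_ok and (c_ok or expanded):
            out.append((provider, consumer, service))
    return out


def can_manage_rule(rule, group_scope, expanded=False):
    """Whether the group may view, create or modify `rule`. The rule's label
    sets must lie within the group's scope (provided-by always; used-by only in
    the limited configuration). A rule broader than the group's scope, e.g. one
    covering all databases rather than EU databases only, is out of reach in
    either configuration, since it would also affect workloads the group does
    not administer."""
    p_ok = in_group_scope(rule.provided_by, group_scope)
    c_ok = in_group_scope(rule.used_by, group_scope)
    return p_ok and (c_ok or expanded)


# Constructed inventory: workload id -> labels.
WORKLOADS = {
    "db-eu-1": {"role": "database", "loc": "EU", "app": "trading"},
    "db-eu-2": {"role": "database", "loc": "EU", "app": "trading"},
    "api-eu-1": {"role": "api", "loc": "EU", "app": "trading"},
    "db-us-1": {"role": "database", "loc": "US", "app": "trading"},
}

# Constructed observed flows: (provider, consumer, service).
FLOWS = [
    ("db-eu-1", "api-eu-1", "postgres/5432/tcp"),
    ("db-eu-1", "db-eu-2", "replication/5432/tcp"),
    ("api-eu-1", "db-eu-1", "metrics/9100/tcp"),
    ("db-us-1", "db-eu-1", "replication/5432/tcp"),
]

# Hypothetical user group "EU database administrators", scoped to one label set.
EU_DB_ADMINS = [{"role": "database", "loc": "EU"}]

# Constructed rules, from most to least specific.
RULES = [
    Rule("postgres/5432/tcp", {"role": "database", "loc": "EU"},
         {"role": "api", "loc": "EU"}),
    Rule("replication/5432/tcp", {"role": "database", "loc": "EU", "app": "trading"},
         {"role": "database", "loc": "EU"}),
    Rule("postgres/5432/tcp", {"role": "database"}, {"role": "api"}),
]


if __name__ == "__main__":
    for expanded in (False, True):
        print("expanded" if expanded else "limited", "configuration")
        for flow in visible_flows(FLOWS, WORKLOADS, EU_DB_ADMINS, expanded):
            print("  visible flow:", flow)
        for rule in RULES:
            verdict = "manageable" if can_manage_rule(rule, EU_DB_ADMINS, expanded) else "out of scope"
            print("  rule", rule.provided_by, "->", rule.used_by, rule.service + ":", verdict)
```

The third rule is the case worth noticing: it names only `Role: Database`, so it is broader than the group's `Role: Database; Location: EU` scope and is rejected even in the expanded configuration, which is what keeps a compromised EU-only administrator account from widening a rule that also governs US databases.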
- FIG. 2 illustrates example embodiments of OS instances 130. An OS instance 130 may correspond to a managed OS instance 230 or an unmanaged OS instance 240. A managed OS instance 230 includes an enforcement module 235 that enables the managed OS instance 230 to enforce the segmentation policy for the workloads 138 it executes. In contrast, the unmanaged OS instance 240 does not include an enforcement module 235 and is unable to directly contribute to enforcement of the segmentation policy. The segmentation server 120 thus only distributes management instructions to the managed OS instances 230. Nevertheless, the unmanaged OS instances 240 may still be affected by the segmentation policy because the managed OS instances 230 may limit communications between workloads 138 on the managed OS instances 230 and workloads 138 on the unmanaged OS instances 240. Workloads 138 executing on the unmanaged OS instances 240 may be assigned labels and may be referenced in the rules of the segmentation policy in the same way as workloads 138 on managed OS instances 230. Thus, communications between workloads 138 on managed OS instances 230 and unmanaged OS instances 240 may be controlled by the segmentation policy by enforcing the rules at the managed OS instances 230.
- In some embodiments, the segmentation policy may be effectively enforced on an unmanaged OS instance 240 by a separate device that can control communication to and from the unmanaged OS instance 240 on which workloads 138 execute. For example, an enforcement module 235 on an upstream switch port, or other physical or logical device, may control communications to and from workloads 138 on a downstream unmanaged OS instance 240. In this case, the segmentation policy can be enforced directly on the workloads 138 on an unmanaged OS instance 240 similarly to enforcement on a managed OS instance 230.
- The enforcement module 235 includes a management module 232, a management module configuration 234, and a policy implementation module 236. The management module 232 comprises a low-level network or security engine that controls incoming and outgoing traffic associated with each of the workloads 138 executing on the OS instance 130. For example, the management module 232 may include an operating system-level firewall, an Internet Protocol security (IPsec) engine, or a network traffic filtering engine (e.g., based on the Windows Filtering Platform (WFP) development platform). The management module 232 on a given managed OS instance 230 restricts communications to or from the workloads 138 executing on the given managed OS instance 230 based on the management module configuration 234. For example, the management module 232 may permit a particular workload 138 to communicate with a limited set of workloads 138 on other OS instances 130, and may block all other communications. Furthermore, the management module 232 may place restrictions on how each workload 138 is permitted to communicate. For example, for a particular workload 138, the management module 232 may enable the workload 138 to communicate using only encrypted protocols and block any unencrypted communications.
- The policy implementation module 236 receives the management instructions from the segmentation server 120 and translates the management instructions from a high level of abstraction to a low level of abstraction represented by the management module configuration 234. For example, the policy implementation module 236 may obtain the relevant rules and relevant membership information from the management instructions, and identify the specific workloads 138 and services controlled by the rules. The policy implementation module 236 then generates a management module configuration 234 that enables the management module 232 to enforce the management instructions.
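The two halves of the distribution path above, the server selecting the rules and membership information relevant to each OS instance and the policy implementation module expanding them into host-level configuration, can be shown end to end in a few functions. This is an added example written for this page, not code from the patent: the repository layout, the rule dictionary, the `os-2:8080` style sub-identifiers and the `(workload, direction, peer, service)` allow-list entries are all constructed for illustration, and the allow list stands in for whatever a real management module (a host firewall, IPsec policy, WFP filter) would actually consume.

```python
# Constructed repository: OS instance id -> {workload id -> labels}. A workload
# id on a multi-workload instance is the OS instance id plus a sub-identifier.
INVENTORY = {
    "os-1": {"os-1": {"role": "web", "app": "shop", "env": "prod"}},
    "os-2": {"os-2:8080": {"role": "api", "app": "shop", "env": "prod"},
             "os-2:5432": {"role": "database", "app": "shop", "env": "prod"}},
    "os-3": {"os-3": {"role": "database", "app": "billing", "env": "prod"}},
}

# Constructed rules keyed by a name; label sets, not workload ids, identify the parties.
RULES = {
    "web->api": {"service": "http/8080/tcp",
                 "provided_by": {"role": "api", "app": "shop"},
                 "used_by": {"role": "web", "app": "shop"}},
    "api->db": {"service": "postgres/5432/tcp",
                "provided_by": {"role": "database", "app": "shop"},
                "used_by": {"role": "api", "app": "shop"}},
    "billing-db": {"service": "postgres/5432/tcp",
                   "provided_by": {"role": "database", "app": "billing"},
                   "used_by": {"role": "batch", "app": "billing"}},
}


def in_scope(labels, label_set):
    """A workload is within a label set's scope if it carries all of its labels."""
    return all(labels.get(d) == v for d, v in label_set.items())


def group_key(label_set):
    """Identifier of the group of workloads sharing a label set."""
    return tuple(sorted(label_set.items()))


def rule_groups(rule):
    return (group_key(rule["provided_by"]), group_key(rule["used_by"]))


def compute_memberships(inventory, rules):
    """Membership information: for every label set referenced by a rule, the
    set of workloads (across all OS instances) within its scope."""
    groups = {}
    for rule in rules.values():
        for label_set in (rule["provided_by"], rule["used_by"]):
            groups[group_key(label_set)] = {
                wl for wls in inventory.values()
                for wl, labels in wls.items() if in_scope(labels, label_set)}
    return groups


def instructions_for(os_id, inventory, rules, groups):
    """Management instructions for one OS instance: only rules referencing a
    group that contains one of its workloads, and only the memberships of the
    groups those rules reference. Rules for other segments are never shipped."""
    local = set(inventory[os_id])
    relevant_rules = {name: rule for name, rule in rules.items()
                      if any(groups[g] & local for g in rule_groups(rule))}
    relevant_groups = {g: groups[g] for rule in relevant_rules.values()
                       for g in rule_groups(rule)}
    return {"rules": relevant_rules, "memberships": relevant_groups}


def host_allow_list(instructions, local_workloads):
    """Policy implementation step: expand label-set rules into concrete
    (local workload, direction, peer workload, service) entries that a host
    firewall can enforce. Anything not listed is blocked."""
    allows = set()
    for rule in instructions["rules"].values():
        providers = instructions["memberships"][group_key(rule["provided_by"])]
        consumers = instructions["memberships"][group_key(rule["used_by"])]
        for p in providers:
            for c in consumers:
                if p in local_workloads:
                    allows.add((p, "inbound", c, rule["service"]))
                if c in local_workloads:
                    allows.add((c, "outbound", p, rule["service"]))
    return allows


if __name__ == "__main__":
    groups = compute_memberships(INVENTORY, RULES)
    for os_id in INVENTORY:
        instr = instructions_for(os_id, INVENTORY, RULES, groups)
        print(os_id, "rules:", sorted(instr["rules"]))
        for entry in sorted(host_allow_list(instr, set(INVENTORY[os_id]))):
            print("   ", entry)
```

Note that `os-3` receives the `billing-db` rule but an empty allow list, because no workload currently carries `Role: batch`; when one is labelled, the server only has to push updated membership information, not a new rule, and `os-1` never learns that the billing rule exists.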
- FIG. 3 is a high-level block diagram of an embodiment of a segmentation server 120. The segmentation server 120 comprises a presentation module 302, an authentication module 306, a traffic flow module 308, a rule generation module 310, an instruction distribution module 312, and a repository 350 including a workloads database 314, a rules database 316, and a user groups database 318. In alternative embodiments, the segmentation server 120 may include different or additional components. The various components of the segmentation server 120 may be implemented as one or more processors and a non-transitory computer-readable storage medium that stores instructions executed by the one or more processors to carry out the functions attributed to the segmentation server 120 described herein.
- The traffic flow module 308 monitors traffic between workloads 138 and presents information relating to the traffic flows. For example, the traffic flow module 308 may identify each pair of workloads 138 that communicate with each other during a particular time period. For each detected traffic flow between a pair of workloads 138, the traffic flow module 308 may identify what services are communicated between the pair of workloads, which sub-components of the respective workloads 138 (e.g., specific applications) utilize those services, what ports are used by the respective workloads for the communications, and what protocols are used for the communications. Furthermore, the traffic flow module 308 may identify statistical information relating to the traffic flow between a pair of workloads 138 such as, for example, a volume of data transferred between the pair of workloads within a particular time period, a frequency of communications between the pair of workloads 138, a duration of communications between the pair of workloads 138, or other statistical information indicative of the extent of the communications.
- The traffic flow module 308 may generate a representation of the traffic flows in the form of a traffic flow graph in which each workload 138 is represented by a node and a traffic flow between a pair of workloads 138 is represented by an edge connecting the respective nodes corresponding to the pair of workloads 138. The nodes may store information relating to the workloads 138 and the edges may store information relating to the traffic flow. In an embodiment, the traffic flow graph may be limited to traffic flows meeting predefined criteria. For example, the traffic flow graph may be limited to traffic flows meeting a predefined threshold volume of traffic (e.g., amount of data, frequency, duration, or a combination thereof). Thus, pairs of workloads having only very limited or sporadic communications may be omitted from the traffic flow graph.
- The traffic flow module 308 may generate a traffic flow graph corresponding to a limited group of label sets and according to different configuration parameters. For example, in a limited traffic view configuration, the traffic flow graph may be limited to traffic flows between pairs of workloads 138 in which both workloads 138 in the pair have label sets within the scope of the limited group of label sets. In an expanded traffic view configuration, the traffic flow graph may include traffic flows between any pairs of workloads 138 in which the provider of the service has a label set within the scope of the limited group of label sets, without necessarily requiring that the user of the service has a label set within the scope of the limited group of label sets. Limiting the traffic flow graph based on label sets can beneficially simplify analysis of a particular segment of the network 110. For example, an administrator may obtain traffic flow information pertaining only to a particular geographic location, role, environment, line of business, application, or a combination thereof.
- The rule generation module 310 automatically generates rules. The particular strategy for generating the rules may be based on configuration settings for the rule generation module 310. Under some configuration settings, the rules may be generated based at least in part on the observed traffic flow graph. Particularly, the rule generation module 310 generates a set of rules that permits the traffic flows in the traffic flow graph, without permitting other traffic flows unrelated to the observed traffic flow graph. For example, the rule generation module 310 identifies a traffic flow and identifies the service associated with the traffic flow, the workload 138 corresponding to the provider of the service, and the workload 138 corresponding to the consumer of the service. The rule generation module 310 then generates a rule (if one does not already exist) that permits the identified provider to provide the service to the identified consumer. The rule may be constructed using the label sets of the identified provider and the identified consumer. For example, if the provider has a first label set A and the consumer has a second label set B, the rule may specify the first label set A in the provided-by portion and the second label set B in the used-by portion of the newly created rule. Rules may be similarly generated for each observed traffic flow in the traffic flow graph and may be stored to the rules database 316. Assuming that there are no abnormal or malicious communications in the administrative domain 150 during the observation period, the rule generation module 310 will therefore produce a set of rules that permits communications observed during normal operation of the workloads 138 in the administrative domain 150 without permitting abnormal communications that are potentially malicious.
When the segmentation policy is enforced by the OS instances 130, the OS instances 130 will block such potentially malicious communications that are not expressly permitted by the rules. Embodiments of processes for generating rules are further described in U.S. Pat. No. 9,485,279 issued on Nov. 1, 2016 to Paul J. Kirner, et al., which is incorporated by reference herein.
- The rule generation module 310 may generate rules based on different segmentation strategies depending on configuration parameters. For example, under a high granularity segmentation strategy, the rule generation module 310 generates a set of rules that only permits communications relating to the particular services that are observed between pairs of workloads 138 and which are limited to the specific ports and protocols observed in the traffic flows. Thus, for example, if the traffic flow module 308 only observes communications between a particular pair of workloads 138 using port X (corresponding to a particular service) and protocol Y, a rule will be generated that permits communications between the particular pair of workloads 138 only if they use port X and protocol Y. Thus, absent other separately generated rules, communications between the pair of workloads 138 not conforming to the specified ports and protocols will be blocked. In an embodiment, the generated rule may be specified in accordance with the respective label sets of the pair of workloads along a predefined set of dimensions (e.g., the dimensions defining a tier). As a result, the rule will also permit communications conforming to the specified ports and protocols between different pairs of workloads that conform to the same respective label sets along the same predefined set of dimensions (e.g., the same respective tiers) as the observed pair of workloads. For example, a rule may be generated that permits workloads 138 in a first tier associated with the label set “App: Point of Sale; Environment: PCI; Role: Database” to provide a service on port 5432 using the TCP protocol to workloads 138 in a second tier associated with the label set “App: Point of Sale; Environment: PCI; Role: Processing.”
- In a moderate granularity segmentation strategy, the rule generation module 310 identifies the respective label sets along a predefined set of dimensions (e.g., the dimensions associated with a tier) of the connected workload pairs observed in the traffic flow graph and generates a set of rules that permits communications between all pairs of workloads 138 having the respective label sets along the predefined set of dimensions (e.g., the same respective tiers), without regard to the specific ports or protocols observed. Thus, for example, if a connection is observed between a workload 138 having a label set X along the predefined set of dimensions and a workload 138 having a label set Y along the predefined set of dimensions, a rule is generated to permit communications between all workloads 138 having the label set X along the predefined set of dimensions and all workloads 138 having the label set Y along the predefined set of dimensions. For example, a rule may be generated that permits workloads 138 in a first tier associated with the label set “App: Point of Sale; Environment: PCI; Role: Database” to provide any service (using any port and any protocol) to workloads 138 in a second tier associated with the label set “App: Point of Sale; Environment: PCI; Role: Processing.” Upon enforcement of the segmentation policy, communications between pairs of workloads that are not expressly permitted by the rules will be blocked.
- Under other configuration settings, the rule generation module 310 may generate rules based on the label sets of workloads 138 independently of the observed traffic flows. For example, in a low granularity segmentation strategy, the rule generation module 310 generates a set of rules that permits communications between all workloads 138 that share a set of labels along a predefined set of dimensions, without regard to observed communications. For example, the rule generation module 310 may generate rules that permit communications between all workloads 138 within the same application group (i.e., having at least the same application and environment labels). For example, a rule may be generated that permits workloads 138 in an application group associated with the label set “App: Point of Sale; Environment: PCI” to provide any service (using any port and any protocol) to other workloads 138 in the application group. Upon enforcement of the segmentation policy, communications between pairs of workloads that are not expressly permitted by the rules will be blocked.
- In another embodiment, configuration settings may cause the rule generation module 310 to generate additional rules permitting communications between groups of workloads 138 having label sets meeting other specified criteria. For example, an administrator may specify configuration settings that enable the rule generation module 310 to generate rules permitting communications between a first application group X and a second application group Y.
- In an embodiment, rules may be generated differently for different groups of workloads 138 by specifying different configuration settings for different groups. For example, rules may be generated for workloads 138 in a first application group according to a moderate level of granularity while rules may be generated for workloads 138 in a second application group according to a high level of granularity. Furthermore, rules controlling communications between different groups of workloads 138 may be generated according to different configuration settings. For example, rules controlling communications between workloads 138 in a first application group and workloads 138 in a second application group may be generated according to a moderate level of granularity while rules controlling communications between workloads 138 in the first application group and workloads 138 in a third application group may be generated according to a low level of granularity.
- The rule generation module 310 may be configured to generate rules that only affect workloads 138 within the scope of a limited group of label sets. Different rule generation schemes based on label sets may be configured. For example, in a limited rule generation configuration, the rule generation module 310 only generates rules in which both the label set associated with the provider of the service and the label set associated with the consumer of the service are within the scope of the limited group of label sets. In an expanded rule generation configuration, the rule generation module 310 may instead generate rules in which the provider of the service has a label set within the scope of the limited group of label sets, without necessarily requiring that the user of the service also has a label set within the scope of the limited group of label sets. Thus, under the expanded rule generation configuration, rules may permit providing of a service by a workload 138 having a label set within the scope of the limited group of label sets to a workload 138 with a label set outside the scope of the limited group of label sets. Limiting the generated rules based on label sets beneficially enables rule generation that is limited to a particular segment of the network 110. For example, the rule generation module 310 may operate to generate rules only for a portion of the workloads 138 associated with particular label values along certain label dimensions including geographic locations, roles, environments, lines of business, applications, or combinations thereof.
presentation module 302 interfaces with theadministrative client 160 to present a user interface enabling an administrator to manage theadministrative domain 150 or a portion thereof. For example, thepresentation module 302 may enable an administrator to view a representation of the traffic flows generated by thetraffic flow module 308 and generate or modify rules associated with the segmentation policy using therule generation module 310. For example, thepresentation module 302 may generate a graphical interface representing all or a portion of the traffic flow graph with theworkloads 138 illustrated as nodes and the traffic flows illustrated as edges connecting relevant nodes. An administrator may select a particular node to view information about the corresponding workload 138 (e.g., an identifier for the workload, a label set for the workload, services provided by or consumed by the workload, etc.). An administrator may similarly select a particular edge on the graph to view information about the corresponding traffic flow such as, for example, services associated with the traffic flow, ports and protocols associated with the traffic flow, or statistical information associated with the traffic flow. - The
presentation module 302 may furthermore enable an administrator to execute therule generation module 310 to generate a recommended rule set. Thepresentation module 302 may generate a presentation that enables the administrator to view the rules, modify the rules, or control whether a rule is activated or de-activated. For example, an administrator may toggle a particular rule on or off to modify the segmentation policy, or the administrator may manually edit the label sets associated with different portions of the rule. - The
presentation module 302 may furthermore present various configuration options that enable an administrator to control operation of thetraffic flow module 308 and therule generation module 310. For example, thepresentation module 302 may present a control for controlling which label sets contribute to generating the traffic flow graph and whether to generate an expanded traffic flow graph (including any traffic flows where the provider of the service corresponds to the label set) or a limited traffic flow graph (including only traffic flows where both the consumer and the provider correspond to the label set). Furthermore, thepresentation module 302 may present a control for specifying a segmentation strategy for operating the rule generation module 310 (e.g., a high granularity, moderate granularity, or low granularity segmentation strategy). Alternatively, the configuration options may be automatically configured based on the privileges associated with the user group of the administrator accessing thepresentation module 302. - The
presentation module 302,traffic flow module 308, and therule generation module 310 may present different information or enable access to different controls dependent on the user group associated with an administrator accessing thepresentation module 302. Each user group may be assigned one or more roles and one or more label sets. The one or more label sets assigned to a user group constrains what information associated with thetraffic flow module 308 and therule generation module 310 are available to the user group. For example, when viewing traffic flow information, a member of a particular user group may have access only to traffic flow information associated with trafficflows involving workloads 138 within the scope of the one or more label sets assigned to the user group. Similarly, when generating, viewing, or modifying rules, a member of a particular user group may have access only to rules that specify a label set within the scope of at least one of the one or more label sets assigned to the user group. Different user groups may be given broader or narrower access to viewing traffic flows and managing rules depending on the one or more label sets assigned to the user group. For example, by associating a user group with a label set in only a single dimension (e.g., Location: New York), the user group will have broad access to viewing traffic flows and managing rules associated with allworkloads 138 having a matching label in that dimension (e.g., allworkloads 138 in New York) regardless of the labels in other dimensions. Alternatively, by associating a user group with a label set that spans multiple dimensions (e.g., Location: New York; Environment: Production: Role: Web), the user group will have narrower access to viewing traffic flows and managing rules associated with a smaller number ofworkloads 138 that have matching labels across all the specified dimensions. 
A user group may be associated with multiple label sets, thus allowing access to viewing traffic flows and managing rules associated withworkloads 138 associated with any one of the associated label sets. For example, a user group associated with a first label set “Location: New York; Role: Web” and a second label set “Location: San Francisco; Role: Web” may give the user group access to all “web” workloads in both San Francisco and New York. In some cases, a user group may be associated with all possible label sets. - The role assigned to a user group dictates which specific privileges are available to user groups having that role. For example, administrators in one user group may have broad privileges to view information and control various parameters associated with viewing traffic flows and controlling rules, while administrators in another user group may have very limited privileges that may enable the administrator to access only a limited set of features. The role may furthermore dictate how the
traffic flow module 308 andrule generation module 310 are respectively configured, or may limit which configurations the administrator may choose between. For example, one user group may only be able to view traffic flows and generate rules associated with a limited traffic view configuration (including only traffic flows where both the consumer and the provider are within the scope of the limited group of label sets associated with the user group), while another user group may be allowed to view traffic flows or generate rules associated with an expanded traffic view configuration (including any traffic flows where the provider of the service is within the scope of the limited group of label sets associated with the user group). - Examples of possible roles may include, for example, a “super user,” a “manager,” and a “provisioner.” A super user role provides special high-level privileges. For example, a super user may access functions on the
presentation module 302 to create new labels and assign labels toworkloads 138. The associations between workloads and labels are stored in theworkloads database 314. A super user may additionally assign roles and label sets to other user groups. The associations between user groups and their respective roles and label sets are stored in theuser group database 318. A super user also generally has wide privileges to view traffic flows and generate or modify rules associated with any label sets. Furthermore, a super user can cause thesegmentation server 120 to generate management instructions for a set of rules and distribute them to theOS instances 130. - A manager role generally provides fewer privileges than the super user role. A manager is generally assigned to one or more specific label sets that limits which traffic flows the manager has visibility into and accordingly limits the manager to generating rules related to the limited traffic flows. Unlike a super user, a manager can generally not modify the roles or label sets assigned to different user groups. In an embodiment, a manager may have the ability to create rules as a recommendation, but does not have privileges associated with causing the
segmentation server 120 to generate and distribute the associated management instructions to theOS instances 130 enforce the rules. - A provisioner role may be a specialized role for reviewing and approving rules to cause the
segmentation server 120 to generate and distribute the management instructions to theOS instances 130. The visibility of a provisioner may be limited to a particular group of label sets or may be unlimited. For example, in one embodiment, the provisioner can review rules generated by a plurality of different managers for different segments, optionally modify the rules, and cause thesegmentation server 120 to generate and distribute the management instructions embodying the rules. The division of responsibility between the managers and provisioners beneficially enforces a check on the rules so that at least two administrators (a manager and a provisioner) have to approve the rules before they are enforced. - The
authentication module 306 identifies a user group associated with an administrator accessing thesegmentation server 120 via theadministrative client 160, and authenticates the identity of the administrator. Theauthentication module 306 furthermore determines the role and label set associated with the user group so that thesegmentation server 120 may restrict what information the administrator can access in thesegmentation server 120 or what configuration changes the administrator can make. For example, in one embodiment, a role-based access control (RBAC) system may be used to control permissions associated with different user groups. - The
instruction distribution module 312 generates the management instructions from the rules and distributes the relevant management instructions to theOS instances 130 as described above. In an embodiment, theinstruction distribution module 312 generates and distributes the relevant management instructions to theOS instances 130 upon approval from an administrator having a provisioner role. Alternatively, theinstruction distribution module 312 may automatically distribute the instructions upon being generated by therule generation module 310 without necessarily requiring an additional approval. -
FIG. 4 is a flowchart illustrating an example embodiment of a process for managing user groups controlling a segmentation policy. The process ofFIG. 4 may be executed when a super user accesses thesegmentation server 120 via theadministrative client 160. Based on inputs received from theadministrative client 160, thesegmentation server 120 creates 402 labels that are assignable toworkloads 138 within theadministrative domain 150. Based on inputs received from theadministrative client 160, thesegmentation server 120 then assigns 404 labels toworkloads 404. The assignments may be stored to theworkload database 314. Based on inputs received from theadministrative client 160, thesegmentation server 120 assigns 406 one or more label sets to user groups. The assignments may be stored to theuser groups database 318. For example, a first user group may be assigned to a first label set (e.g., “Location: San Francisco, Role: Web”) while a second user group be assigned to a second label set (e.g., “Location: New York, Role: Database.”) Then, the members of the first user group may view traffic flows and/or generate rules within the scope of the first label set, while members of the second user group may view traffic flows and/or generate rules within the scope of the second label set. Assignments of labels toworkloads 138 and assignments of label sets to user groups may be performed in either order or in parallel. -
FIG. 5 is a flowchart illustrating an embodiment of a process for managing a portion of a segmentation policy based on a user group. Thesegmentation server 120 identifies 502 the user group associated with an administrator accessing thesegmentation server 120. Thesegmentation server 120 identifies 504 one or more label sets associated with the user group. For example, thesegmentation server 120 may perform a lookup in theuser group database 318 to identify the one or more label sets associated with the user group. Thesegmentation server 120 identifies 506workloads 138 with a label set ascribed to the user group. For example, thesegmentation server 120 performs a lookup in theworkloads database 314 to determine whichworkloads 138 have a label set within the scope of one of the label sets associated with the user group. Thesegmentation server 120 generates 508 rules applicable to theworkloads 138 associated with the one or more label sets ascribed to the user group in accordance with one or more configuration parameters. Thesegmentation server 120 may generate the rules differently dependent on the segmentation strategy specified in the configuration parameters (e.g., high granularity, moderate granularity, or low granularity segmentation strategy) as described above. For example, under one configuration, thesegmentation server 120 monitors traffic flows associated with the identified workloads, and for each monitored traffic flow, thesegmentation server 120 generates a rule (if it does not already exist) that permits traffic flow between an observed provider of a service and an observed consumer of the service. Under another configuration, therule generation module 310 may generate rules based only on the labels of theworkloads 138 independently of the observed traffic flows. Thesegmentation server 120 then sends 510 management instructions toOS instances 130 to enforce the generated rules. 
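The FIG. 5 process (identify the user group, its label sets, the workloads in scope, then generate rules), together with the limited/expanded scope configurations and the high, moderate and low granularity strategies described earlier, as an added worked example in Python that is not code from the patent or its assignee. The workload database, user-group database, observed flows, dimension names and all function names are constructed assumptions for this example.

```python
"""Label-set scoping of user groups and label-based rule generation (an added
worked example of the FIG. 5 process, not code from the patent).
Constructed assumptions: a workload is a dict of dimension -> label value; a
workload is within the scope of a label set when it carries every label in that
set, so a label set over fewer dimensions is broader; observed flows are
(consumer, provider, port, protocol) tuples."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

LabelSet = Dict[str, str]
Key = Tuple[Tuple[str, str], ...]  # hashable, order-independent label set

TIER_DIMS = ("App", "Environment", "Role")  # dimensions that define a tier
APP_GROUP_DIMS = ("App", "Environment")     # dimensions that define an application group

# Constructed workload database: workload id -> label set.
WORKLOADS: Dict[str, LabelSet] = {
    "w1": {"App": "Point of Sale", "Environment": "PCI", "Role": "Web", "Location": "New York"},
    "w2": {"App": "Point of Sale", "Environment": "PCI", "Role": "Processing", "Location": "New York"},
    "w3": {"App": "Point of Sale", "Environment": "PCI", "Role": "Database", "Location": "New York"},
    "w4": {"App": "Point of Sale", "Environment": "PCI", "Role": "Database", "Location": "San Francisco"},
    "w5": {"App": "HR", "Environment": "Production", "Role": "Web", "Location": "New York"},
}

# Constructed user-group database: group -> label sets assigned to the group.
USER_GROUPS: Dict[str, List[LabelSet]] = {
    "ny-pos": [{"Location": "New York", "App": "Point of Sale"}],
    "web-ny-sf": [{"Location": "New York", "Role": "Web"},
                  {"Location": "San Francisco", "Role": "Web"}],
}

# Constructed observed traffic flows: (consumer id, provider id, port, protocol).
FLOWS = [
    ("w1", "w2", 8080, "tcp"),
    ("w2", "w3", 5432, "tcp"),
    ("w2", "w4", 5432, "tcp"),  # provider w4 lies outside the "ny-pos" scope
    ("w5", "w3", 5432, "tcp"),  # consumer w5 lies outside the "ny-pos" scope
]


@dataclass(frozen=True)
class Rule:
    consumer: Key                   # label set the consumer must carry
    provider: Key                   # label set the provider must carry
    port: Optional[int] = None      # None means any port
    protocol: Optional[str] = None  # None means any protocol


def key(labels: LabelSet, dims: Optional[Tuple[str, ...]] = None) -> Key:
    """Project a label set onto dims (all dimensions if None) and make it hashable."""
    return tuple(sorted((d, v) for d, v in labels.items() if dims is None or d in dims))


def matches(labels: LabelSet, k: Key) -> bool:
    """A workload matches a (possibly partial) label set when it carries every label in it."""
    return all(labels.get(d) == v for d, v in k)


def workloads_for_group(group: str) -> Set[str]:
    """Steps 504/506: look up the group's label sets, then the workloads within their scope."""
    scopes = [key(s) for s in USER_GROUPS[group]]
    return {w for w, labels in WORKLOADS.items() if any(matches(labels, s) for s in scopes)}


def generate_rules(group: str, strategy: str, mode: str = "limited") -> Set[Rule]:
    """Step 508: generate rules for the workloads within the group's scope.

    strategy "high":     one rule per observed (consumer labels, provider labels, port, protocol)
    strategy "moderate": one rule per observed pair of tiers, any port and protocol
    strategy "low":      each application group may reach itself, ignoring observed flows
    mode "limited":      both consumer and provider must be within scope
    mode "expanded":     only the provider must be within scope
    """
    scoped = workloads_for_group(group)
    rules: Set[Rule] = set()
    if strategy == "low":
        for w in scoped:
            grp = key(WORKLOADS[w], APP_GROUP_DIMS)
            rules.add(Rule(grp, grp))
        return rules
    if strategy not in ("high", "moderate"):
        raise ValueError(f"unknown segmentation strategy {strategy!r}")
    for consumer, provider, port, proto in FLOWS:
        if provider not in scoped or (mode == "limited" and consumer not in scoped):
            continue
        c, p = WORKLOADS[consumer], WORKLOADS[provider]
        if strategy == "high":
            rules.add(Rule(key(c), key(p), port, proto))
        else:
            rules.add(Rule(key(c, TIER_DIMS), key(p, TIER_DIMS)))
    return rules


def is_permitted(rules: Set[Rule], consumer: str, provider: str, port: int, proto: str) -> bool:
    """Enforcement is default-deny: a flow passes only if some rule expressly permits it."""
    c, p = WORKLOADS[consumer], WORKLOADS[provider]
    return any(matches(c, r.consumer) and matches(p, r.provider)
               and r.port in (None, port) and r.protocol in (None, proto)
               for r in rules)
```

Note that because rules are expressed over label sets rather than workload identities, a moderate or low granularity rule generated from in-scope workloads also matches workloads outside the scope that carry the same labels (w4 in the constructed data), which is the generalization the description relies on.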
- The foregoing description of the embodiments of the invention has been presented for the purpose of illustration; it is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Persons skilled in the relevant art can appreciate that many modifications and variations are possible in light of the above disclosure.
- Some portions of this description describe the embodiments of the invention in terms of algorithms and symbolic representations of operations on information. These algorithmic descriptions and representations are commonly used by those skilled in the data processing arts to convey the substance of their work effectively to others skilled in the art. These operations, while described functionally, computationally, or logically, are understood to be implemented by computer programs or equivalent electrical circuits, microcode, or the like. Furthermore, it has also proven convenient at times, to refer to these arrangements of operations as modules, without loss of generality. The described operations and their associated modules may be embodied in software, firmware, hardware, or any combinations thereof.
- Any of the steps, operations, or processes described herein may be performed or implemented with one or more hardware or software modules, alone or in combination with other devices. In one embodiment, a software module is implemented with a computer program product comprising a computer-readable medium containing computer program code, which can be executed by a computer processor for performing any or all of the steps, operations, or processes described.
- Embodiments of the invention may also relate to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, and/or it may comprise a general-purpose computing device selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a tangible computer readable storage medium or any type of media suitable for storing electronic instructions, and coupled to a computer system bus. Furthermore, any computing systems referred to in the specification may include a single processor or may be architectures employing multiple processor designs for increased computing capability.
- Finally, the language used in the specification has been principally selected for readability and instructional purposes, and it may not have been selected to delineate or circumscribe the inventive subject matter. It is therefore intended that the scope of the invention be limited not by this detailed description, but rather by any claims that issue on an application based hereon. Accordingly, the disclosure of the embodiments of the invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.
Claims (20)
1. A method for facilitating creation of a segmentation policy controlling communications between a plurality of workloads, the method comprising:
identifying a user group associated with an administrator logged into an administrative client accessing a segmentation server;
identifying, from a user group database, a group of label sets associated with the user group;
identifying, from a workload database, a subset of workloads of the plurality of workloads having at least one of the group of label sets associated with the user group;
generating a set of rules for controlling communications associated with the subset of workloads;
generating management instructions for enforcing the set of rules; and
sending the management instructions to respective operating system instances executing the subset of workloads, wherein the respective operating system instances enforce the set of rules based on the management instructions.
2. The method of claim 1, further comprising:
monitoring traffic flows associated with the subset of workloads;
generating a traffic flow graph based on the monitored traffic flows, the traffic flow graph comprising a plurality of nodes representing the subset of workloads, and a plurality of edges representing the monitored traffic flows between the subset of workloads;
generating a graphical representation of the traffic flow graph; and
outputting the graphical representation of the traffic flow graph to the administrative client.
3. The method of claim 1, wherein generating the set of rules comprises:
generating a rule permitting any communications between workloads having a same predefined label set.
4. The method of claim 1, wherein generating the set of rules comprises:
monitoring traffic flows associated with the subset of workloads; and
generating the set of rules based on the monitored traffic flows, the set of rules permitting the monitored traffic flows.
5. The method of claim 4, wherein generating the set of rules comprises:
detecting traffic flow between a first workload in the subset of workloads and a second workload in the plurality of workloads;
determining a first label set associated with the first workload and a second label set associated with the second workload; and
generating a rule permitting communications between workloads having the first label set and workloads having the second label set.
6. The method of claim 4, wherein generating the set of rules comprises:
detecting traffic flow between a first workload in the subset of workloads and a second workload in the plurality of workloads;
detecting one or more ports and one or more protocols over which the traffic flow is communicated;
determining a first label set associated with the first workload and a second label set associated with the second workload; and
generating a rule permitting communications using the one or more ports and the one or more protocols between workloads having the first label set and workloads having the second label set.
7. The method of claim 1, wherein generating the rule set comprises:
determining that the user group has limited ruleset creation privileges; and
generating the rule set to only include rules permitting communications between pairs of workloads in the subset of workloads that both have at least one of the group of label sets associated with the user group.
8. The method of claim 1, wherein generating the initial rule set comprises:
determining that the user group has expanded ruleset creation privileges; and
generating the rule set to include rules permitting communications in which a workload in the subset of workloads having at least one of the group of label sets associated with the user group provides a service to a workload outside the subset of workloads.
9. The method of claim 1, wherein generating the management instructions comprises:
storing the rules to a rules database;
identifying access of the segmentation server by a provisioner associated with a provisioner user group;
generating a user interface presenting the rules for review; and
generating the management instructions responsive to receiving confirmation from the provisioner via the user interface to implement the rules.
10. A non-transitory computer-readable storage medium storing instructions executable by one or more processors for facilitating creation of a segmentation policy, the instructions when executed causing the one or more processors to perform steps including:
identifying a user group associated with an administrator logged into an administrative client accessing a segmentation server;
identifying, from a user group database, a group of label sets associated with the user group;
identifying, from a workload database, a subset of workloads of the plurality of workloads having at least one of the group of label sets associated with the user group;
generating a set of rules for controlling communications associated with the subset of workloads;
generating management instructions for enforcing the set of rules; and
sending the management instructions to respective operating system instances executing the subset of workloads, wherein the respective operating system instances enforce the set of rules based on the management instructions.
11. The non-transitory computer-readable storage medium of claim 10, wherein the instructions when executed further cause the processor to perform steps including:
monitoring traffic flows associated with the subset of workloads;
generating a traffic flow graph based on the monitored traffic flows, the traffic flow graph comprising a plurality of nodes representing the subset of workloads, and a plurality of edges representing the monitored traffic flows between the subset of workloads;
generating a graphical representation of the traffic flow graph; and
outputting the graphical representation of the traffic flow graph to the administrative client.
12. The non-transitory computer-readable storage medium of claim 10, wherein generating the set of rules comprises:
generating a rule permitting any communications between workloads having a same predefined label set.
13. The non-transitory computer-readable storage medium of claim 10, wherein generating the set of rules comprises:
monitoring traffic flows associated with the subset of workloads; and
generating the set of rules based on the monitored traffic flows, the set of rules permitting the monitored traffic flows.
14. The non-transitory computer-readable storage medium of claim 13, wherein generating the set of rules comprises:
detecting traffic flow between a first workload in the subset of workloads and a second workload in the plurality of workloads;
determining a first label set associated with the first workload and a second label set associated with the second workload; and
generating a rule permitting communications between workloads having the first label set and workloads having the second label set.
15. The non-transitory computer-readable storage medium of claim 13, wherein generating the set of rules comprises:
detecting traffic flow between a first workload in the subset of workloads and a second workload in the plurality of workloads;
detecting one or more ports and one or more protocols over which the traffic flow is communicated;
determining a first label set associated with the first workload and a second label set associated with the second workload; and
generating a rule permitting communications using the one or more ports and the one or more protocols between workloads having the first label set and workloads having the second label set.
16. The non-transitory computer-readable storage medium of claim 10, wherein generating the rule set comprises:
determining that the user group has limited ruleset creation privileges; and
generating the rule set to only include rules permitting communications between pairs of workloads in the subset of workloads that both have at least one of the group of label sets associated with the user group.
17. The non-transitory computer-readable storage medium of claim 10, wherein generating the initial rule set comprises:
determining that the user group has expanded ruleset creation privileges; and
generating the rule set to include rules permitting communications in which a workload in the subset of workloads having at least one of the group of label sets associated with the user group provides a service to a workload outside the subset of workloads.
18. A system for facilitating creation of a segmentation policy, the system comprising:
one or more processors; and
a non-transitory computer-readable storage medium storing instructions executable by the one or more processors, the instructions when executed causing the one or more processors to perform steps including:
identifying a user group associated with an administrator logged into an administrative client accessing a segmentation server;
identifying, from a user group database, a group of label sets associated with the user group;
identifying, from a workload database, a subset of workloads of the plurality of workloads having at least one of the group of label sets associated with the user group;
generating a set of rules for controlling communications associated with the subset of workloads;
generating management instructions for enforcing the set of rules; and
sending the management instructions to respective operating system instances executing the subset of workloads, wherein the respective operating system instances enforce the set of rules based on the management instructions.
19. The system of claim 18, wherein the instructions when executed further cause the one or more processors to perform steps including:
monitoring traffic flows associated with the subset of workloads;
generating a traffic flow graph based on the monitored traffic flows, the traffic flow graph comprising a plurality of nodes representing the subset of workloads, and a plurality of edges representing the monitored traffic flows between the subset of workloads;
generating a graphical representation of the traffic flow graph; and
outputting the graphical representation of the traffic flow graph to the administrative client.
20. The system of claim 18, wherein generating the set of rules comprises:
monitoring traffic flows associated with the subset of workloads; and
generating the set of rules based on the monitored traffic flows, the set of rules permitting the monitored traffic flows.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/873,896 US20190222610A1 (en) | 2018-01-18 | 2018-01-18 | User-Based Visibility and Control of a Segmentation Policy |
US16/848,769 US11381603B2 (en) | 2018-01-18 | 2020-04-14 | User-based visibility and control of a segmentation policy |
Publications (1)
Publication Number | Publication Date |
---|---|
US20190222610A1 true US20190222610A1 (en) | 2019-07-18 |
US20190220298A1 (en) * | 2016-04-01 | 2019-07-18 | Alcatel Lucent | A method and system for scaling resources, and a computer program product |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8925101B2 (en) * | 2010-07-28 | 2014-12-30 | Mcafee, Inc. | System and method for local protection against malicious software |
US9503475B2 (en) * | 2012-08-14 | 2016-11-22 | Ca, Inc. | Self-adaptive and proactive virtual machine images adjustment to environmental security risks in a cloud environment |
EP3066607B1 (en) * | 2013-11-04 | 2018-12-12 | Illumio, Inc. | Pairing in a distributed network management system that uses a logical multi-dimensional label-based policy model |
CN105684391B (en) | 2013-11-04 | 2019-06-07 | 伊尔拉米公司 | Access control rule based on label automatically generates |
US9401933B1 (en) * | 2015-01-20 | 2016-07-26 | Cisco Technology, Inc. | Classification of security policies across multiple security products |
US9910713B2 (en) * | 2015-12-21 | 2018-03-06 | Amazon Technologies, Inc. | Code execution request routing |
US10567440B2 (en) * | 2016-12-16 | 2020-02-18 | Nicira, Inc. | Providing application visibility for micro-segmentation of a network deployment |
US10587578B2 (en) * | 2016-12-19 | 2020-03-10 | Nicira, Inc. | Firewall rule management for hierarchical entities |
- 2018
  - 2018-01-18 US US15/873,896 patent/US20190222610A1/en not_active Abandoned
- 2020
  - 2020-04-14 US US16/848,769 patent/US11381603B2/en active Active
Patent Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090235324A1 (en) * | 2008-03-17 | 2009-09-17 | International Business Machines Corporation | Method for discovering a security policy |
US20140373091A1 (en) * | 2013-04-10 | 2014-12-18 | Illumio, Inc. | Distributed Network Security Using a Logical Multi-Dimensional Label-Based Policy Model |
US20160277308A1 (en) * | 2015-03-19 | 2016-09-22 | International Business Machines Corporation | Dynamic management of computing platform resources |
US20170364698A1 (en) * | 2015-06-02 | 2017-12-21 | ALTR Solutions, Inc. | Fragmenting data for the purposes of persistent storage across multiple immutable data structures |
US20160359872A1 (en) * | 2015-06-05 | 2016-12-08 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US20190220298A1 (en) * | 2016-04-01 | 2019-07-18 | Alcatel Lucent | A method and system for scaling resources, and a computer program product |
US20170293534A1 (en) * | 2016-04-11 | 2017-10-12 | International Business Machines Corporation | Assigning storage locations based on a graph structure of a workload |
US20170374101A1 (en) * | 2016-06-24 | 2017-12-28 | Varmour Networks, Inc. | Security Policy Generation for Virtualization, Bare-Metal Server, and Cloud Computing Environments |
US20180234459A1 (en) * | 2017-01-23 | 2018-08-16 | Lisun Joao Kung | Automated Enforcement of Security Policies in Cloud and Hybrid Infrastructure Environments |
US20190065278A1 (en) * | 2017-08-31 | 2019-02-28 | Cisco Technology, Inc. | Tenant-specific policy generation and enforcement within containers |
US20190158541A1 (en) * | 2017-11-21 | 2019-05-23 | Juniper Networks, Inc. | Scalable policy management for virtual networks |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20230198837A1 (en) * | 2018-02-20 | 2023-06-22 | Huawei Technologies Co., Ltd. | Stitching enterprise virtual private networks (vpns) with cloud virtual private clouds (vpcs) |
US20210126920A1 (en) * | 2018-06-22 | 2021-04-29 | One-Simple U.S., LLC | Systems and methods for deploying and managing secure limited-administration server systems |
US11528278B2 (en) * | 2018-06-22 | 2022-12-13 | One-Simple U.S., LLC | Systems and methods for deploying and managing secure limited-administration server systems |
US20230370471A1 (en) * | 2018-06-22 | 2023-11-16 | One-Simple U.S., LLC | Systems and methods for deploying and managing secure limited-administration server systems |
US11870784B2 (en) * | 2018-06-22 | 2024-01-09 | One-Simple U.S., Inc. | Systems and methods for deploying and managing secure limited-administration server systems |
US10785115B2 (en) * | 2018-10-26 | 2020-09-22 | Illumio, Inc. | Allocating enforcement of a segmentation policy between host and network devices |
US11425007B2 (en) * | 2020-01-21 | 2022-08-23 | Illumio, Inc. | Label-based rules for squelching visible traffic in a segmented network environment |
Also Published As
Publication number | Publication date |
---|---|
US20200389498A1 (en) | 2020-12-10 |
US11381603B2 (en) | 2022-07-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11381603B2 (en) | | User-based visibility and control of a segmentation policy |
US11665191B2 (en) | | Generating vulnerability exposure scores in a segmented computing environment |
CN110214311B (en) | | Differential segmentation of virtual computing elements |
US11665192B2 (en) | | Generating a segmentation policy based on vulnerabilities |
US11095611B2 (en) | | Traffic visibility and segmentation policy enforcement for workloads in different address spaces |
US10805166B2 (en) | | Infrastructure-agnostic network-level visibility and policy enforcement for containers |
US11223643B2 (en) | | Managing a segmentation policy based on attack pattern detection |
US11425007B2 (en) | | Label-based rules for squelching visible traffic in a segmented network environment |
JP2020528609A (en) | | Intrusion detection and mitigation in data processing |
US11516242B2 (en) | | Virtual patching in a label-based segmented network environment |
US11303605B2 (en) | | Domain name based visibility and policy enforcement in a segmented network environment |
US11012310B2 (en) | | Managing containers based on pairing keys in a segmented network environment |
US11575588B2 (en) | | Monitoring traffic flows of containers in a segmented network environment |
US20190123905A1 (en) | | Enforcing a Segmentation Policy Using Cryptographic Proof of Identity |
US11063982B2 (en) | | Object scope definition for enterprise security management tool |
US20190089773A1 (en) | | Segmentation server cluster for managing a segmentation policy |
US11425139B2 (en) | | Enforcing label-based rules on a per-user basis in a distributed network management system |
US10785115B2 (en) | | Allocating enforcement of a segmentation policy between host and network devices |
US20210234900A1 (en) | | Managing a segmentation policy for workloads in a secure enclave |
US20200280586A1 (en) | | Automatically Assigning Labels To Workloads While Maintaining Security Boundaries |
Vijaya Bharati et al. | | Data storage security in cloud using a functional encryption algorithm |
US11743142B1 (en) | | Segmentation using infrastructure policy feedback |
US11444920B2 (en) | | Selective enforcement of a segmentation policy |
US11647050B2 (en) | | Constraint rules for constraining creation of a segmentation policy |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | AS | Assignment | Owner name: ILLUMIO, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KIRNER, PAUL J.;BALASUBRAMANIAM, DHANALAKSHMI;FORD, SETH BRUCE;AND OTHERS;SIGNING DATES FROM 20180109 TO 20180116;REEL/FRAME:044660/0278 |
| | STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |