Patents by Inventor Paul J. Kirner
Paul J. Kirner has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11652637Abstract: A segmentation server defines a segmentation policy and distributes the segmentation policy to be enforced by a plurality of operating system (OS) instances. The segmentation policy includes rules controlling which workloads executing on the OS instances can communicate with other workloads and controlling how the workloads may communicate. When a connection between two OS instances is requested, each OS instance provides an identity and a cryptographic proof of the identity. The OS instances each authenticate the identity received from the other OS instance, and once authenticated, determines based on the authenticated identities if the rules permit the communication. If the rules permit the communication, the OS instances obtain session parameters that enable the OS instances to validate integrity of the messages communicated between the workloads and optionally encrypt the messages.Type: GrantFiled: August 10, 2021Date of Patent: May 16, 2023Assignee: Illumio, Inc.Inventors: Paul J. Kirner, Matthew K. Glenn, Mukesh Gupta, Anish Vinodkumar Desai
-
Patent number: 11503042Abstract: A managed server (MS) within an administrative domain is quarantined. The administrative domain includes multiple MSs that use management instructions to configure management modules so that the configured management modules implement an administrative domain-wide management policy that comprises a set of one or more rules. The quarantined MS is isolated from other MSs. A description of the MS is modified to indicate that the MS is quarantined, thereby specifying a description of the quarantined MS. Cached actor-sets are updated to indicate the quarantined MS's changed state, thereby specifying updated actor-sets. A determination is made regarding which updated actor-sets are relevant to an other MS, thereby specifying currently-relevant updated actor-sets. A determination is made regarding whether the currently-relevant updated actor-sets differ from actor-sets previously sent to the other MS.Type: GrantFiled: May 12, 2020Date of Patent: November 15, 2022Assignee: Illumio, Inc.Inventors: Paul J. Kirner, Daniel R. Cook, Juraj G. Fandli, Matthew K. Glenn, Mukesh Gupta, Andrew S. Rubin, Jerry B. Scott, Thukalan V. Verghese
-
Patent number: 11425139Abstract: State information is received from a server indicating an identity of a user logged into the server. An administrative domain wide policy is determined that specifies a relationship between user a group and services or servers accessible to users belonging to the user group. Relevant servers are sent updated management instructions corresponding to rules of the administrative domain wide policy. Such rules provide access to a service or server to users belonging to user groups related to the service. As a result, the servers allow communications that provide access to users based on the specified relationships.Type: GrantFiled: May 14, 2020Date of Patent: August 23, 2022Assignee: Illumio, Inc.Inventors: Anish V. Desai, Juraj G. Fandli, Matthew Glenn, Mukesh Gupta, Paul J. Kirner
-
Patent number: 11381603Abstract: A segmentation server enables user-based management of a segmentation policy. Administrators belonging to different user groups may have different limited visibility into traffic flows controlled by the segmentation policy and may be assigned different privileges with respect to viewing, creating, and modifying rules of the segmentation policy. Thus, the burden of administering the segmentation policy may be distributed between administrators associated with different user groups that each may have responsibility for a different segment.Type: GrantFiled: April 14, 2020Date of Patent: July 5, 2022Assignee: Illumio, Inc.Inventors: Paul J. Kirner, Dhanalakshmi Balasubramaniam, Seth Bruce Ford, Mukesh Gupta, Matthew K. Glenn
-
Publication number: 20220103361Abstract: A segmentation server defines a segmentation policy and distributes the segmentation policy to be enforced by a plurality of operating system (OS) instances. The segmentation policy includes rules controlling which workloads executing on the OS instances can communicate with other workloads and controlling how the workloads may communicate. When a connection between two OS instances is requested, each OS instance provides an identity and a cryptographic proof of the identity. The OS instances each authenticate the identity received from the other OS instance, and once authenticated, determines based on the authenticated identities if the rules permit the communication. If the rules permit the communication, the OS instances obtain session parameters that enable the OS instances to validate integrity of the messages communicated between the workloads and optionally encrypt the messages.Type: ApplicationFiled: August 10, 2021Publication date: March 31, 2022Inventors: Paul J. Kirner, Matthew K. Glenn, Mukesh Gupta, Anish Vinodkumar Desai
-
Patent number: 11121875Abstract: A segmentation server defines a segmentation policy and distributes the segmentation policy to be enforced by a plurality of operating system (OS) instances. The segmentation policy includes rules controlling which workloads executing on the OS instances can communicate with other workloads and controlling how the workloads may communicate. When a connection between two OS instances is requested, each OS instance provides an identity and a cryptographic proof of the identity. The OS instances each authenticate the identity received from the other OS instance, and once authenticated, determines based on the authenticated identities if the rules permit the communication. If the rules permit the communication, the OS instances obtain session parameters that enable the OS instances to validate integrity of the messages communicated between the workloads and optionally encrypt the messages.Type: GrantFiled: October 20, 2017Date of Patent: September 14, 2021Assignee: Illumio, Inc.Inventors: Paul J. Kirner, Matthew K. Glenn, Mukesh Gupta, Anish Vinodkumar Desai
-
Publication number: 20210051161Abstract: A managed server (MS) within an administrative domain is quarantined. The administrative domain includes multiple MSs that use management instructions to configure management modules so that the configured management modules implement an administrative domain-wide management policy that comprises a set of one or more rules. The quarantined MS is isolated from other MSs. A description of the MS is modified to indicate that the MS is quarantined, thereby specifying a description of the quarantined MS. Cached actor-sets are updated to indicate the quarantined MS's changed state, thereby specifying updated actor-sets. A determination is made regarding which updated actor-sets are relevant to an other MS, thereby specifying currently-relevant updated actor-sets. A determination is made regarding whether the currently-relevant updated actor-sets differ from actor-sets previously sent to the other MS.Type: ApplicationFiled: May 12, 2020Publication date: February 18, 2021Inventors: Paul J. Kirner, Daniel R. Cook, Juraj G. Fandli, Matthew K. Glenn, Mukesh Gupta, Andrew S. Rubin, Jerry B. Scott, Thukalan V. Verghese
-
Publication number: 20210051154Abstract: State information is received from a server indicating an identity of a user logged into the server. An administrative domain wide policy is determined that specifies a relationship between user a group and services or servers accessible to users belonging to the user group. Relevant servers are sent updated management instructions corresponding to rules of the administrative domain wide policy. Such rules provide access to a service or server to users belonging to user groups related to the service. As a result, the servers allow communications that provide access to users based on the specified relationships.Type: ApplicationFiled: May 14, 2020Publication date: February 18, 2021Inventors: Anish V. Desai, Juraj G. Fandli, Matthew Glenn, Mukesh Gupta, Paul J. Kirner
-
Patent number: 10924355Abstract: A change to a state of a particular managed server within an administrative domain is processed. The administrative domain includes a plurality of managed servers that use management instructions to configure management modules so that the configured management modules implement an administrative domain-wide management policy that comprises a set of one or more rules. A first description of the particular managed server is modified to indicate the particular managed server's changed state, thereby specifying a second description of the particular managed server. The unmodified first description is compared to the second description, thereby specifying a description change. A determination is made, based on the description change, regarding whether to update management instructions previously sent to the particular managed server.Type: GrantFiled: March 7, 2018Date of Patent: February 16, 2021Assignee: Illumio, Inc.Inventors: Paul J. Kirner, Daniel R. Cook, Juraj G. Fandli, Matthew K. Glenn, Mukesh Gupta, Andrew S. Rubin, Jerry B. Scott, Sehyo Chang, Alan B. Stokel
-
Patent number: 10917309Abstract: Management instructions for a particular managed server within an administrative domain are generated according to an administrative domain-wide management policy that comprises a set of one or more rules. The administrative domain includes a plurality of managed servers. A determination is made regarding which rules within the set of rules are relevant to the particular managed server. Function-level instructions are generated based on the rules that were determined to be relevant. A determination is made regarding which managed servers within the plurality of managed servers are relevant to the particular managed server. The function-level instructions and information regarding the managed servers that were determined to be relevant are sent to the particular managed server.Type: GrantFiled: May 16, 2017Date of Patent: February 9, 2021Assignee: Illumio, Inc.Inventors: Paul J. Kirner, Daniel R. Cook, Juraj G. Fandli, Matthew K. Glenn, Mukesh Gupta, Andrew S. Rubin, Jerry B. Scott, Sehyo Chang, Alan B. Stokol
-
Patent number: 10897403Abstract: Management instructions for a particular managed server within an administrative domain are generated according to an administrative domain-wide management policy that comprises a set of one or more rules. The administrative domain includes a plurality of managed servers. A determination is made regarding which rules within the set of rules are relevant to the particular managed server. Function-level instructions are generated based on the rules that were determined to be relevant. A determination is made regarding which managed servers within the plurality of managed servers are relevant to the particular managed server. The function-level instructions and information regarding the managed servers that were determined to be relevant are sent to the particular managed server.Type: GrantFiled: January 3, 2018Date of Patent: January 19, 2021Assignee: Illumio, Inc.Inventors: Paul J. Kirner, Daniel R. Cook, Juraj G. Fandli, Matthew K. Glenn, Mukesh Gupta, Andrew S. Rubin, Jerry B. Scott, Sehyo Chang, Alan B. Stokol
-
Publication number: 20200389498Abstract: A segmentation server enables user-based management of a segmentation policy. Administrators belonging to different user groups may have different limited visibility into traffic flows controlled by the segmentation policy and may be assigned different privileges with respect to viewing, creating, and modifying rules of the segmentation policy. Thus, the burden of administering the segmentation policy may be distributed between administrators associated with different user groups that each may have responsibility for a different segment.Type: ApplicationFiled: April 14, 2020Publication date: December 10, 2020Inventors: Paul J. Kirner, Dhanalakshmi Balasubramaniam, Seth Bruce Ford, Mukesh Gupta, Matthew K. Glenn
-
Patent number: 10819590Abstract: A global manager computer generates management instructions for a particular managed server within an administrative domain according to a set of rules. A global manager computer identifies a traffic midpoint device through which the provider managed server provides a service to a user device. The global manager determines a relevant rule from the set of rules that is applicable to communication between the provider managed server and the user device and generates a backend rule that is applicable to communication between the provider managed server and the traffic midpoint device. The global managed generates a backend function-level instruction including a reference to an actor-set authorized to communicate with the provider managed server to use the service. The global manager sends the backend function-level instruction to the provider managed server to configure the provider managed server to enforce the backend rule on communication with the actor-set including the traffic midpoint device.Type: GrantFiled: October 4, 2019Date of Patent: October 27, 2020Assignee: Illumio, Inc.Inventors: Paul J. Kirner, Hai Xiao, Juraj G. Fandli, Michael J. Carlton
-
Patent number: 10701090Abstract: A managed server (MS) within an administrative domain is quarantined. The administrative domain includes multiple MSs that use management instructions to configure management modules so that the configured management modules implement an administrative domain-wide management policy that comprises a set of one or more rules. The quarantined MS is isolated from other MSs. A description of the MS is modified to indicate that the MS is quarantined, thereby specifying a description of the quarantined MS. Cached actor-sets are updated to indicate the quarantined MS's changed state, thereby specifying updated actor-sets. A determination is made regarding which updated actor-sets are relevant to an other MS, thereby specifying currently-relevant updated actor-sets. A determination is made regarding whether the currently-relevant updated actor-sets differ from actor-sets previously sent to the other MS.Type: GrantFiled: December 14, 2017Date of Patent: June 30, 2020Assignee: Illumio, Inc.Inventors: Paul J. Kirner, Daniel R. Cook, Juraj G. Fandli, Matthew K. Glenn, Mukesh Gupta, Andrew S. Rubin, Jerry B. Scott, Thukalan V. Verghese
-
Patent number: 10693718Abstract: Management instructions for a managed servers are updated according to a set of rules included in management policy. A global manager computer receives information describing a change in a bound service executed by the particular managed server. The global manager generates an updated description of the particular managed server is generated by modifying an initial description of the particular managed server according to the received information describing the change in the bound service. The global manager determines currently relevant rules for the particular managed server. If the currently-relevant rules differ from previously-relevant rules, the global manager determines a rule is that should be added. The global manager generates a function-level instruction including a reference to an authorized actor-set of actors permitted to communicate with the bound service. The global manager configures the particular managed server to enforce the function-level instruction.Type: GrantFiled: March 11, 2019Date of Patent: June 23, 2020Assignee: Illumio, Inc.Inventors: Paul J. Kirner, Juraj G. Fandli, Antonio P. A. Rainha Dias
-
Patent number: 10608945Abstract: A system enforces administrative domain wide policies specified using labels that describe characteristics of servers or services. A label comprises a label value describing a characteristic of one or more computing devices for a label dimension. The system infers label values for devices using features describing characteristics of the computing devices, for example, hardware characteristics, software characteristics, or connectivity characteristics. The system obtains communication information indicating the destination, source, volume, and duration of network traffic between computing devices. The system identifies providers of services and consumers of services based on the communication information. The system generates rules for regulating communications between computing devices and enforces the rules.Type: GrantFiled: February 27, 2017Date of Patent: March 31, 2020Assignee: Illumio, Inc.Inventors: William R. Long, III, Michael J. Carlton, Mukesh Gupta, Paul J. Kirner
-
Publication number: 20200036607Abstract: A global manager computer generates management instructions for a particular managed server within an administrative domain according to a set of rules. A global manager computer identifies a traffic midpoint device through which the provider managed server provides a service to a user device. The global manager determines a relevant rule from the set of rules that is applicable to communication between the provider managed server and the user device and generates a backend rule that is applicable to communication between the provider managed server and the traffic midpoint device. The global managed generates a backend function-level instruction including a reference to an actor-set authorized to communicate with the provider managed server to use the service. The global manager sends the backend function-level instruction to the provider managed server to configure the provider managed server to enforce the backend rule on communication with the actor-set including the traffic midpoint device.Type: ApplicationFiled: October 4, 2019Publication date: January 30, 2020Inventors: Paul J. Kirner, Hai Xiao, Juraj G. Fandli, Michael J. Carlton
-
Patent number: 10476762Abstract: A global manager computer generates management instructions for a particular managed server within an administrative domain according to a set of rules. A global manager computer identifies a traffic midpoint device through which the provider managed server provides a service to a user device. The global manager determines a relevant rule from the set of rules that is applicable to communication between the provider managed server and the user device and generates a backend rule that is applicable to communication between the provider managed server and the traffic midpoint device. The global managed generates a backend function-level instruction including a reference to an actor-set authorized to communicate with the provider managed server to use the service. The global manager sends the backend function-level instruction to the provider managed server to configure the provider managed server to enforce the backend rule on communication with the actor-set including the traffic midpoint device.Type: GrantFiled: January 10, 2018Date of Patent: November 12, 2019Assignee: Ilumio, Inc.Inventors: Paul J. Kirner, Hai Xiao, Juraj G. Fandli, Michael J. Carlton
-
Publication number: 20190222610Abstract: A segmentation server enables user-based management of a segmentation policy. Administrators belonging to different user groups may have different limited visibility into traffic flows controlled by the segmentation policy and may be assigned different privileges with respect to viewing, creating, and modifying rules of the segmentation policy. Thus, the burden of administering the segmentation policy may be distributed between administrators associated with different user groups that each may have responsibility for a different segment.Type: ApplicationFiled: January 18, 2018Publication date: July 18, 2019Inventors: Paul J. Kirner, Dhanalakshmi Balasubramaniam, Seth Bruce Ford, Mukesh Gupta, Matthew K. Glenn
-
Publication number: 20190207815Abstract: Management instructions for a managed servers are updated according to a set of rules included in management policy. A global manager computer receives information describing a change in a bound service executed by the particular managed server. The global manager generates an updated description of the particular managed server is generated by modifying an initial description of the particular managed server according to the received information describing the change in the bound service. The global manager determines currently relevant rules for the particular managed server. If the currently-relevant rules differ from previously-relevant rules, the global manager determines a rule is that should be added. The global manager generates a function-level instruction including a reference to an authorized actor-set of actors permitted to communicate with the bound service. The global manager configures the particular managed server to enforce the function-level instruction.Type: ApplicationFiled: March 11, 2019Publication date: July 4, 2019Inventors: Paul J. Kirner, Juraj G. Fandli, Antonio P.A. Rainha Dias