Abstract: In a segmented network environment, a segmentation server assigns labels to workloads to enable the segmentation server to implement a segmentation policy based on label-based rules. A first set of labels associated with one or more label dimensions may be assigned in a secure manner by automatically assigning the labels based on a pairing profile. A second set of labels associated with different label dimensions may be assigned automatically based on workload attributes. An administrator can manage which label dimensions are assigned in a secure way based on the pairing profile and which labels are assigned in an adaptable way based on workload attributes, thereby enabling the administrator to flexibly manage the tradeoff between adaptability and security.

Abstract: A segmentation server defines a segmentation policy and distributes the segmentation policy to be enforced by a plurality of operating system (OS) instances. The segmentation policy includes rules controlling which workloads executing on the OS instances can communicate with other workloads and controlling how the workloads may communicate. When a connection between two OS instances is requested, each OS instance provides an identity and a cryptographic proof of the identity. The OS instances each authenticate the identity received from the other OS instance, and once authenticated, determines based on the authenticated identities if the rules permit the communication. If the rules permit the communication, the OS instances obtain session parameters that enable the OS instances to validate integrity of the messages communicated between the workloads and optionally encrypt the messages.

Abstract: A segmentation server generates and distributes management instructions for enforcing a segmentation policy. The segmentation server discovers a network configuration of workloads including an identification of workloads that are behind network address translation modules. The segmentation server generates management instructions for enforcing the rules in a manner dependent on the detected network configuration. Furthermore, the segmentation server monitors traffic flows and generates a traffic flow graph in a manner dependent on the detected network configuration.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: A container orchestration server stores pairing keys in association with container profiles. A container orchestration agent executing on an operating system instance instantiates a new container according to a particular container profile in response to an instruction from the container orchestration server and stores the pairing key as metadata associated with the container. An enforcement module detects the instantiation of the container and obtains the corresponding pairing key from the container orchestration agent. The enforcement module transmits the pairing key to a segmentation server for validation. If the segmentation server validates the key, the segmentation server determines a label set corresponding to the container profile associated with the pairing key and generates management instructions for the container based on the label set.

Abstract: An enforcement module operating on a server or on a network midpoint device obtains a management instruction controlling communications of a target workload. The enforcement module configures a firewall of a network midpoint device upstream from the target workload to enforce the management instruction. The configuration mechanism may be dependent on the particular capabilities and characteristics of the network midpoint device.

Abstract: A traffic control and monitoring module includes a firewall operating in a container namespace that is configured to control and monitor traffic to and from a container in the container namespace. The traffic control and monitoring module reports detected traffic to a traffic flow reporting module operating in a host namespace of the host operating system. The traffic control and monitoring module obtains traffic flows associated with a plurality of containers in different container namespaces and reports the traffic flows to a segmentation policy. Based on the reported traffic flows, the segmentation server may update a segmentation policy to improve network security.

Abstract: A change to a state of a particular managed server within an administrative domain is processed. The administrative domain includes a plurality of managed servers that use management instructions to configure management modules so that the configured management modules implement an administrative domain-wide management policy that comprises a set of one or more rules. A first description of the particular managed server is modified to indicate the particular managed server's changed state, thereby specifying a second description of the particular managed server. The unmodified first description is compared to the second description, thereby specifying a description change. A determination is made, based on the description change, regarding whether to update management instructions previously sent to the particular managed server.

Abstract: Management instructions for a particular managed server within an administrative domain are generated according to an administrative domain-wide management policy that comprises a set of one or more rules. The administrative domain includes a plurality of managed servers. A determination is made regarding which rules within the set of rules are relevant to the particular managed server. Function-level instructions are generated based on the rules that were determined to be relevant. A determination is made regarding which managed servers within the plurality of managed servers are relevant to the particular managed server. The function-level instructions and information regarding the managed servers that were determined to be relevant are sent to the particular managed server.

Abstract: Management instructions for a particular managed server within an administrative domain are generated according to an administrative domain-wide management policy that comprises a set of one or more rules. The administrative domain includes a plurality of managed servers. A determination is made regarding which rules within the set of rules are relevant to the particular managed server. Function-level instructions are generated based on the rules that were determined to be relevant. A determination is made regarding which managed servers within the plurality of managed servers are relevant to the particular managed server. The function-level instructions and information regarding the managed servers that were determined to be relevant are sent to the particular managed server.

Abstract: A global manager computer generates management instructions for a particular managed server within an administrative domain according to a set of rules. A global manager computer identifies a traffic midpoint device through which the provider managed server provides a service to a user device. The global manager determines a relevant rule from the set of rules that is applicable to communication between the provider managed server and the user device and generates a backend rule that is applicable to communication between the provider managed server and the traffic midpoint device. The global managed generates a backend function-level instruction including a reference to an actor-set authorized to communicate with the provider managed server to use the service. The global manager sends the backend function-level instruction to the provider managed server to configure the provider managed server to enforce the backend rule on communication with the actor-set including the traffic midpoint device.

Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.

Abstract: A segmentation server configures enforcement of a segmentation policy by allocating enforcement of management instructions between network devices and hosts. The segmentation policy comprises rules that control communications between workloads. For a particular workload, the segmentation server generates management instructions for controlling communications to and from the particular workload in accordance with the rules. The segmentation server determines an allocation of management instructions between enforcement on a host on which the particular workload executes and enforcement on a network device upstream from the workload. The segmentation server sends configuration information to at least one of the host and the network device in accordance with the allocation to enable enforcement of the management instructions.

Abstract: A system performs hierarchical navigation through network flow data. A user interface is configured to display network flow data and allow hierarchical navigation across the network flow data. The user interface comprises a plurality of axes and lines connecting data points between axes. Data points along an axis represent values of an attribute aggregated along a set of dimensions. The system receives requests for expanding data points along a particular dimension or collapsing the data points along the particular dimension. The system reconfigures the user interface according to the received request and sends the reconfigured user interface for display via the client device. The user interface provides better visibility into the network flow data, thereby allowing security analysts to spot communication patterns associated with security issues and navigate through various dimensions to further analyze a suspect communication pattern.

Abstract: A managed server (MS) within an administrative domain is quarantined. The administrative domain includes multiple MSs that use management instructions to configure management modules so that the configured management modules implement an administrative domain-wide management policy that comprises a set of one or more rules. The quarantined MS is isolated from other MSs. A description of the MS is modified to indicate that the MS is quarantined, thereby specifying a description of the quarantined MS. Cached actor-sets are updated to indicate the quarantined MS's changed state, thereby specifying updated actor-sets. A determination is made regarding which updated actor-sets are relevant to an other MS, thereby specifying currently-relevant updated actor-sets. A determination is made regarding whether the currently-relevant updated actor-sets differ from actor-sets previously sent to the other MS.

Abstract: Management instructions for a managed servers are updated according to a set of rules included in management policy. A global manager computer receives information describing a change in a bound service executed by the particular managed server. The global manager generates an updated description of the particular managed server is generated by modifying an initial description of the particular managed server according to the received information describing the change in the bound service. The global manager determines currently relevant rules for the particular managed server. If the currently-relevant rules differ from previously-relevant rules, the global manager determines a rule is that should be added. The global manager generates a function-level instruction including a reference to an authorized actor-set of actors permitted to communicate with the bound service. The global manager configures the particular managed server to enforce the function-level instruction.

Abstract: A system enforces administrative domain wide policies specified using labels that describe characteristics of servers or services. A label comprises a label value describing a characteristic of one or more computing devices for a label dimension. The system infers label values for devices using features describing characteristics of the computing devices, for example, hardware characteristics, software characteristics, or connectivity characteristics. The system obtains communication information indicating the destination, source, volume, and duration of network traffic between computing devices. The system identifies providers of services and consumers of services based on the communication information. The system generates rules for regulating communications between computing devices and enforces the rules.

Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.

Abstract: Management instructions for a particular managed server within an administrative domain are generated according to an administrative domain-wide management policy that comprises a set of one or more rules. A bound service executed by the particular managed server is identified. The bound service has different high-level characteristics from other services executed by the particular managed server. Relevant rules within the set of rules are determined that are relevant to the bound service. A set of relevant managed servers that are relevant to the bound service are selected by identifying managed servers of the plurality that are referenced by the relevant rules. Function-level instructions are generated that regulate communication between the bound service and the set of relevant managed servers based on the relevant rules. The function-level instructions are sent to the particular managed server for use in configuring a management module to implement the administrative domain-wide management policy.