Patents Assigned to VARMOUR NETWORKS, INC.
  • Patent number: 9621595
    Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.
    Type: Grant
    Filed: May 10, 2016
    Date of Patent: April 11, 2017
    Assignee: vArmour Networks, Inc.
    Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
  • Patent number: 9621568
    Abstract: A method and apparatus for distributed threat detection in a computer network is described. The method may include receiving, by a threat detection system of a first computer network, a request for a service from a threat sensor of a second computer network, the service requested of the threat sensor within the second computer network from a network element of the second computer network. The method may also include emulating the service identified in the request to generate a response to the request, and sending the response to the threat sensor for forwarding to the network element within the second computer network. Furthermore, the method may include analyzing one or more communications between the threat detection system and the network element during emulation of the service requested by the network element to determine whether the network element is a threat to the second network.
    Type: Grant
    Filed: September 8, 2014
    Date of Patent: April 11, 2017
    Assignee: VARMOUR NETWORKS, INC.
    Inventor: Choung-Yaw Michael Shieh
  • Patent number: 9609026
    Abstract: Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.
    Type: Grant
    Filed: July 25, 2016
    Date of Patent: March 28, 2017
    Assignee: vArmour Networks, Inc.
    Inventors: Colin Ross, Choung-Yaw Shieh, Jia-Jyi Lian, Meng Xu, Yi Sun
  • Patent number: 9609083
    Abstract: A network gateway device includes an ingress interface, an egress interface, and a load balancing module coupled to the ingress and egress interfaces. The load balancing module is configured to receive a packet from the ingress interface and to determine a set of a plurality of processes corresponding to a connection session associated with the packet based on a policy. For each of the identified processes, the load balancing module is to identify a service processing module executed by a virtual machine that is capable of handling the identified process, and to send the packet to the identified service processing module to perform the identified process on the packet. The packet is then transmitted to the egress interface of the gateway device to be forwarded to a destination.
    Type: Grant
    Filed: October 7, 2015
    Date of Patent: March 28, 2017
    Assignee: vArmour Networks, Inc.
    Inventor: Choung-Yaw Shieh
  • Patent number: 9560081
    Abstract: Methods and systems for microsegmentation of data networks are provided herein. Exemplary methods include: receiving a high-level declarative policy; getting metadata associated with a plurality of containers from an orchestration layer; determining a low-level firewall rule set using the high-level declarative policy and the metadata; and configuring by a plurality of enforcement points a respective virtual switch of a plurality of virtual switches to process packets in accordance with the low-level firewall ruleset, the virtual switches being collectively communicatively coupled to the plurality of containers, such that network communications between a first group of containers and a second group of containers of the plurality of containers are not permitted, and communications between containers of the first group of containers are permitted.
    Type: Grant
    Filed: June 24, 2016
    Date of Patent: January 31, 2017
    Assignee: vArmour Networks, Inc.
    Inventor: Marc Woolward
  • Patent number: 9529995
    Abstract: A method and apparatus are disclosed herein for performing auto discovery of virtual machines. In one embodiment, the method includes: monitoring, using an interface of the device, one or more packets being sent from one or more virtual machines; determining, using a processor of the device, whether one of the monitored packets includes a discovery packet from one virtual machine of the one or more virtual machines, wherein the discovery packet includes an address of a destination location; and sending, using the interface of the device, a reply packet to the one virtual machine using an address in the discovery packet identified in the monitored packets, the reply packet including an Internet Protocol (IP) address of the device.
    Type: Grant
    Filed: November 8, 2011
    Date of Patent: December 27, 2016
    Assignee: VARMOUR NETWORKS, INC.
    Inventor: Choung-Yaw Michael Shieh
  • Patent number: 9525697
    Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.
    Type: Grant
    Filed: April 2, 2015
    Date of Patent: December 20, 2016
    Assignee: vArmour Networks, Inc.
    Inventors: Marc Woolward, Choung-Yaw Shieh, Jia-Jyi Lian
  • Patent number: 9521115
    Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include: receiving metadata about a deployed container from a container orchestration layer; determining an application or service associated with the container from the received metadata; retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the container; and generating a high-level declarative security policy associated with the container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the container can communicate.
    Type: Grant
    Filed: March 24, 2016
    Date of Patent: December 13, 2016
    Assignee: vArmour Networks, Inc.
    Inventor: Marc Woolward
  • Patent number: 9483317
    Abstract: Systems and methods for using a plurality of processing cores for packet processing in a virtualized network environment are described herein. An example system can comprise a scheduler operable to initiate a processing core of the plurality of processing cores. The processing core is operable to process a plurality of data packets. Based on the determination that the processing core exceeds a threshold processing capacity associated with the processing core, the scheduler sequentially initiates at least one subsequent processing core. The at least one subsequent processing core has a corresponding threshold processing capacity and is operable to process data packets of the plurality of data packets in excess of threshold processing capacities associated with preceding processing cores. Thus, the threshold processing capacities associated with the preceding processing cores are not exceeded.
    Type: Grant
    Filed: August 17, 2015
    Date of Patent: November 1, 2016
    Assignee: vArmour Networks, Inc.
    Inventors: Choung-Yaw Shieh, Marc Woolward, Yi Sun
  • Patent number: 9467476
    Abstract: Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of the plurality of microservices is bounded by one of the plurality of logical security boundaries.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: October 11, 2016
    Assignee: vArmour Networks, Inc.
    Inventors: Choung-Yaw Shieh, Jia-Jyi Lian, Yi Sun, Meng Xu
  • Patent number: 9438634
    Abstract: Systems for providing vulnerability scanning within distributed microservices are provided herein. In some embodiments, a system includes a plurality of microsegmented environments that each includes a hypervisor, an enforcement point that has an active probe device, and a plurality of virtual machines that each implements at least one microservice. The system also has a cloud data center server coupled with the plurality of microsegmented environments over a network. The cloud data center server has a security controller configured to provide a security policy to each of the plurality of microsegmented environments and an active probe controller configured to cause the active probe device of the plurality of microsegmented environments to execute a vulnerability scan.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: September 6, 2016
    Assignee: vArmour Networks, Inc.
    Inventors: Colin Ross, Choung-Yaw Michael Shieh, Jia-Jyi Roger Lian, Meng Xu, Yi Sun
  • Patent number: 9419941
    Abstract: A method and apparatus is disclosed herein for distributed zone-based security. In one embodiment, the method comprises: determining an ingress security zone associated with an ingress of a first network device based on a first key and a media access control (MAC) address of a source of a packet; determining an egress security zone of a second network device based on a MAC address of a destination for the packet and a second key; performing a policy lookup based on the ingress security zone and the egress security zone to identify a policy to apply to the packet; and applying the policy to the packet.
    Type: Grant
    Filed: March 22, 2013
    Date of Patent: August 16, 2016
    Assignee: VARMOUR NETWORKS, INC.
    Inventors: Yi Sun, Meng Xu, Lee Cheung, Hsisheng Wang, Chuong-Yaw Michael Shieh
  • Patent number: 9380027
    Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: June 28, 2016
    Assignee: vArmour Networks, Inc.
    Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
  • Patent number: 9294442
    Abstract: Methods, systems, and media for a security system are provided herein. Exemplary methods may include: acquiring a firewall security policy from a policy compiler; receiving network traffic originating from a source machine and directed to a destination machine; analyzing the network traffic using the firewall security policy; forwarding or dropping each of the network traffic according to the security policy; accumulating the network traffic and metadata associated with the network traffic; and initiating an update to the firewall security policy by the policy compiler using at least one of the accumulated network traffic and metadata.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: March 22, 2016
    Assignee: vArmour Networks, Inc.
    Inventors: Jia-Jyi Lian, Anthony Paterra, Marc Woolward
  • Patent number: 9294302
    Abstract: A method and apparatus are disclosed herein for IP packet tunneling in a network. In one embodiment, the method comprises: receiving, at a first network device, a first IP packet of an IP connection; creating a second IP packet by replacing information in a field of the first IP packet with a session ID identifying the IP connection; and forwarding, by the first network device, the second IP packet to a second network device in a distributed network environment.
    Type: Grant
    Filed: March 20, 2013
    Date of Patent: March 22, 2016
    Assignee: VARMOUR NETWORKS, INC.
    Inventors: Yi Sun, Meng Xu, Choung-Yaw Michael Shieh
  • Patent number: 9258275
    Abstract: A method and apparatus for dynamic security insertion into virtualized networks is described. The method may include receiving, at a network device from a second network device, a data packet and application data extracted from the data packet. The method may also include generating a routing decision for a network connection associated with the data packet based, at least in part, on the application data. Furthermore, the method may include transmitting the routing decision for the data packet to the second device for the second device to route the data based on the routing decision.
    Type: Grant
    Filed: April 11, 2013
    Date of Patent: February 9, 2016
    Assignee: VARMOUR NETWORKS, INC.
    Inventors: Yi Sun, Meng Xu, Jia-Jyi Roger Lian, Choung-Yaw Michael Shieh
  • Patent number: 9191327
    Abstract: A network gateway device includes an ingress interface, an egress interface, and a load balancing module coupled to the ingress and egress interfaces. The load balancing module is configured to receive a packet from the ingress interface and to determine a set of a plurality of processes corresponding to a connection session associated with the packet based on a policy. For each of the identified processes, the load balancing module is to identify a service processing module executed by a virtual machine that is capable of handling the identified process, and to send the packet to the identified service processing module to perform the identified process on the packet. The packet is then transmitted to the egress interface of the gateway device to be forwarded to a destination.
    Type: Grant
    Filed: January 31, 2012
    Date of Patent: November 17, 2015
    Assignee: VARMOUR NETWORKS, INC.
    Inventor: Choung-Yaw Michael Shieh
  • Patent number: 8984114
    Abstract: A method and apparatus are disclosed herein for migrating session information between security gateways. In one embodiment, the method comprises: receiving, at a first security gateway, session information associated with a session corresponding to a network connection, the session information having been transferred from a second security gateway, the first and second security gateways being separate physical devices; and thereafter performing security processing for the session at the first security gateway.
    Type: Grant
    Filed: October 4, 2012
    Date of Patent: March 17, 2015
    Assignee: Varmour Networks, Inc.
    Inventors: Choung-Yaw Michael Shieh, Meng Xu, Yi Sun
  • Patent number: 8955093
    Abstract: A network system includes a security device and a network access device. The network access device is to receive a packet from a source node destined to a destination node, and to examine a data structure maintained by the network access device to determine whether the data structure stores a data member having a predetermined value, the data member indicating whether the packet should undergo security processing. If the data member matches the predetermined value, the packet is transmitted to a security device associated with the network access device to allow the security device to perform content inspection, and in response to a response received from the security device, the packet is routed to the destination node dependent upon the response. Otherwise, the packet is routed to the destination node without forwarding the packet to the security device.
    Type: Grant
    Filed: April 10, 2013
    Date of Patent: February 10, 2015
    Assignee: Varmour Networks, Inc.
    Inventors: Choung-Yaw Michael Shieh, Meng Xu, Yi Sun, Jia-Jyi Roger Lian
  • Patent number: 8813169
    Abstract: A method and apparatus is disclosed herein for using a virtual security boundary. In one embodiment, the method comprises receiving information from a virtual machine after the virtual machine has been moved from a first physical location in a network to a second physical location in the network, where the information identifies the virtual machine as one previously assigned to a security boundary; determining that access to the virtual machine at the first physical location was permitted by the security gateway; assigning the virtual machine at the second physical location to the security boundary, and applying a security policy associated with the security boundary to communications between the network and the virtual machine at the second physical location.
    Type: Grant
    Filed: November 3, 2011
    Date of Patent: August 19, 2014
    Assignee: Varmour Networks, Inc.
    Inventors: Choung-Yaw Michael Shieh, Jia-Jyi Roger Lian
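Several of the abstracts above (9621595, 9560081, 9521115, 9380027) describe the same pipeline: a label-based declarative policy plus workload metadata from an orchestration layer or other system of record is compiled into an address-level firewall rule set, which enforcement points then apply to packets. The example below is added illustration code written for this page; it is not vArmour's implementation and does not reproduce any claim language. The inventory, the policy, the `Rule` type and the function names are all assumptions made for the demonstration.

```python
"""Compile a label-based declarative policy into an address-level rule set,
evaluate packets against it, and diff two compilations so an enforcement
point only receives the rules that changed (added example, not vArmour code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed orchestration metadata standing in for the "external system of
# record": each workload carries a concrete address and a set of labels.
INVENTORY = [
    {"name": "web-1", "ip": "10.0.1.10", "labels": {"app": "web", "env": "prod"}},
    {"name": "web-2", "ip": "10.0.1.11", "labels": {"app": "web", "env": "prod"}},
    {"name": "db-1",  "ip": "10.0.2.20", "labels": {"app": "db",  "env": "prod"}},
    {"name": "web-3", "ip": "10.0.9.30", "labels": {"app": "web", "env": "dev"}},
]

# Declarative policy: label selectors, never addresses. The compiler appends
# a default deny, so anything the policy does not mention is dropped.
DECLARATIVE_POLICY = [
    # prod web tier may reach the prod database on its service port only
    {"from": {"app": "web", "env": "prod"}, "to": {"app": "db", "env": "prod"},
     "proto": "tcp", "port": 5432, "action": "allow"},
    # members of the web group may talk to each other on anything
    {"from": {"app": "web"}, "to": {"app": "web"},
     "proto": "any", "port": None, "action": "allow"},
]


@dataclass(frozen=True)
class Rule:
    """One low-level rule; frozen so rules can be set-differenced."""
    src: str                # concrete IP, or "*" for the default rule
    dst: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None means any destination port
    action: str             # allow | deny | log | redirect


def _select(inventory, selector) -> List[str]:
    """Return the addresses of workloads whose labels satisfy every key/value."""
    return [w["ip"] for w in inventory
            if all(w["labels"].get(k) == v for k, v in selector.items())]


def compile_ruleset(policy, inventory) -> List[Rule]:
    """Expand each label-based statement into concrete src/dst pairs (ordered,
    first match wins) and terminate the list with an explicit default deny."""
    rules: List[Rule] = []
    for stmt in policy:
        for s in _select(inventory, stmt["from"]):
            for d in _select(inventory, stmt["to"]):
                if s == d:
                    continue  # a workload talking to itself never crosses an enforcement point
                rules.append(Rule(s, d, stmt["proto"], stmt["port"], stmt["action"]))
    rules.append(Rule("*", "*", "any", None, "deny"))
    return rules


def _matches(r: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (r.src in ("*", src) and r.dst in ("*", dst)
            and r.proto in ("any", proto)
            and (r.dport is None or r.dport == dport))


def evaluate(ruleset: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """What an enforcement point does per packet: first-match lookup."""
    for r in ruleset:
        if _matches(r, src, dst, proto, dport):
            return r.action
    raise RuntimeError("ruleset has no default rule")  # compile_ruleset always adds one


def diff_rulesets(old: List[Rule], new: List[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Rules to push and rules to withdraw when the inventory changes,
    preserving the order of the new compilation."""
    old_set, new_set = set(old), set(new)
    added = [r for r in new if r not in old_set]
    removed = [r for r in old if r not in new_set]
    return added, removed


if __name__ == "__main__":
    rs = compile_ruleset(DECLARATIVE_POLICY, INVENTORY)
    for r in rs:
        print(r)
    print(evaluate(rs, "10.0.1.10", "10.0.2.20", "tcp", 5432))  # prod web -> db: allow
    print(evaluate(rs, "10.0.9.30", "10.0.2.20", "tcp", 5432))  # dev web -> db: deny
    # A new prod web container appears in the orchestrator; only the delta is provisioned.
    grown = INVENTORY + [{"name": "web-4", "ip": "10.0.1.12",
                          "labels": {"app": "web", "env": "prod"}}]
    added, removed = diff_rulesets(rs, compile_ruleset(DECLARATIVE_POLICY, grown))
    print(len(added), "rules added,", len(removed), "removed")
```

Two things worth noticing when running it: the dev web container (`env: dev`) is denied the database even though it shares `app: web`, because the first statement selects on both labels, while intra-group traffic is still permitted across environments because the second statement selects on `app` alone; and when a workload is added, the compiled set changes by exactly the pairs that involve the new address, which is the delta an enforcement point needs provisioned. The `log` and `redirect` actions named in the abstracts are accepted by the `Rule` type but, in this toy, are terminal first-match actions like `allow` and `deny`.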