Patents by Inventor Anish Vinodkumar Desai
Anish Vinodkumar Desai has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20230353540Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.Type: ApplicationFiled: July 6, 2023Publication date: November 2, 2023Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Patent number: 11736443Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.Type: GrantFiled: April 26, 2022Date of Patent: August 22, 2023Assignee: Illumio, Inc.Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Patent number: 11652637Abstract: A segmentation server defines a segmentation policy and distributes the segmentation policy to be enforced by a plurality of operating system (OS) instances. The segmentation policy includes rules controlling which workloads executing on the OS instances can communicate with other workloads and controlling how the workloads may communicate. When a connection between two OS instances is requested, each OS instance provides an identity and a cryptographic proof of the identity. The OS instances each authenticate the identity received from the other OS instance, and once authenticated, determines based on the authenticated identities if the rules permit the communication. If the rules permit the communication, the OS instances obtain session parameters that enable the OS instances to validate integrity of the messages communicated between the workloads and optionally encrypt the messages.Type: GrantFiled: August 10, 2021Date of Patent: May 16, 2023Assignee: Illumio, Inc.Inventors: Paul J. Kirner, Matthew K. Glenn, Mukesh Gupta, Anish Vinodkumar Desai
-
Patent number: 11451514Abstract: An enforcement module receives management instructions from a segmentation server for enforcing a segmentation policy. The management instructions include one or more rules specifying one or more groups of workloads that a workload executing on the operating system instance is permitted to communicate with according to certain communication constraints, and membership information specifying workload identifiers for workloads in each of the groups. An optimization module processes the management instructions to reduce the number of rules and the number of workload groups to which the rules apply, thereby simplifying the firewall configuration. The enforcement module then configures a firewall according to the optimized rules to enforce the segmentation policy. The optimization process beneficially improves performance of the firewall and thereby enables more efficient enforcement of the segmentation policy utilizing fewer computing resources.Type: GrantFiled: January 3, 2019Date of Patent: September 20, 2022Assignee: Illumio, Inc.Inventors: Daniel Richard Cook, Anish Vinodkumar Desai
-
Publication number: 20220255899Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.Type: ApplicationFiled: April 26, 2022Publication date: August 11, 2022Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Patent number: 11336620Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.Type: GrantFiled: December 18, 2018Date of Patent: May 17, 2022Assignee: Illumio, Inc.Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Patent number: 11303605Abstract: An enforcement module receives a DNS-based rule of a segmentation policy that controls access of a managed workload to workloads in a DNS domain in which the IP addresses of the workloads associated with a domain name are resolved by a DNS server. When the managed workload makes a connection request to the workload associated with the domain name, the enforcement module snoops on a DNS response from the DNS server to learn the IP address of the workload associated with the domain name. If a domain name of the DNS domain is in a whitelist of domain names permitted by the DNS-based rule, the enforcement module adds the learned IP address to a whitelist of IP addresses and configures a firewall associated with the managed workload to permit connections to the IP addresses in the whitelist.Type: GrantFiled: January 15, 2019Date of Patent: April 12, 2022Assignee: Illumio, Inc.Inventors: Jaehong Park, Mukesh Gupta, Paul James Kirner, Anish Vinodkumar Desai, Daniel Richard Cook
-
Publication number: 20220103361Abstract: A segmentation server defines a segmentation policy and distributes the segmentation policy to be enforced by a plurality of operating system (OS) instances. The segmentation policy includes rules controlling which workloads executing on the OS instances can communicate with other workloads and controlling how the workloads may communicate. When a connection between two OS instances is requested, each OS instance provides an identity and a cryptographic proof of the identity. The OS instances each authenticate the identity received from the other OS instance, and once authenticated, determines based on the authenticated identities if the rules permit the communication. If the rules permit the communication, the OS instances obtain session parameters that enable the OS instances to validate integrity of the messages communicated between the workloads and optionally encrypt the messages.Type: ApplicationFiled: August 10, 2021Publication date: March 31, 2022Inventors: Paul J. Kirner, Matthew K. Glenn, Mukesh Gupta, Anish Vinodkumar Desai
-
Patent number: 11121875Abstract: A segmentation server defines a segmentation policy and distributes the segmentation policy to be enforced by a plurality of operating system (OS) instances. The segmentation policy includes rules controlling which workloads executing on the OS instances can communicate with other workloads and controlling how the workloads may communicate. When a connection between two OS instances is requested, each OS instance provides an identity and a cryptographic proof of the identity. The OS instances each authenticate the identity received from the other OS instance, and once authenticated, determines based on the authenticated identities if the rules permit the communication. If the rules permit the communication, the OS instances obtain session parameters that enable the OS instances to validate integrity of the messages communicated between the workloads and optionally encrypt the messages.Type: GrantFiled: October 20, 2017Date of Patent: September 14, 2021Assignee: Illumio, Inc.Inventors: Paul J. Kirner, Matthew K. Glenn, Mukesh Gupta, Anish Vinodkumar Desai
-
Publication number: 20200228486Abstract: An enforcement module receives a DNS-based rule of a segmentation policy that controls access of a managed workload to workloads in a DNS domain in which the IP addresses of the workloads associated with a domain name are resolved by a DNS server. When the managed workload makes a connection request to the workload associated with the domain name, the enforcement module snoops on a DNS response from the DNS server to learn the IP address of the workload associated with the domain name. If a domain name of the DNS domain is in a whitelist of domain names permitted by the DNS-based rule, the enforcement module adds the learned IP address to a whitelist of IP addresses and configures a firewall associated with the managed workload to permit connections to the IP addresses in the whitelist.Type: ApplicationFiled: January 15, 2019Publication date: July 16, 2020Inventors: Jaehong Park, Mukesh Gupta, Paul James Kirner, Anish Vinodkumar Desai, Daniel Richard Cook
-
Publication number: 20200220845Abstract: An enforcement module receives management instructions from a segmentation server for enforcing a segmentation policy. The management instructions include one or more rules specifying one or more groups of workloads that a workload executing on the operating system instance is permitted to communicate with according to certain communication constraints, and membership information specifying workload identifiers for workloads in each of the groups. An optimization module processes the management instructions to reduce the number of rules and the number of workload groups to which the rules apply, thereby simplifying the firewall configuration. The enforcement module then configures a firewall according to the optimized rules to enforce the segmentation policy. The optimization process beneficially improves performance of the firewall and thereby enables more efficient enforcement of the segmentation policy utilizing fewer computing resources.Type: ApplicationFiled: January 3, 2019Publication date: July 9, 2020Inventors: Daniel Richard Cook, Anish Vinodkumar Desai
-
Publication number: 20200195611Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.Type: ApplicationFiled: December 18, 2018Publication date: June 18, 2020Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Publication number: 20190123905Abstract: A segmentation server defines a segmentation policy and distributes the segmentation policy to be enforced by a plurality of operating system (OS) instances. The segmentation policy includes rules controlling which workloads executing on the OS instances can communicate with other workloads and controlling how the workloads may communicate. When a connection between two OS instances is requested, each OS instance provides an identity and a cryptographic proof of the identity. The OS instances each authenticate the identity received from the other OS instance, and once authenticated, determines based on the authenticated identities if the rules permit the communication. If the rules permit the communication, the OS instances obtain session parameters that enable the OS instances to validate integrity of the messages communicated between the workloads and optionally encrypt the messages.Type: ApplicationFiled: October 20, 2017Publication date: April 25, 2019Inventors: Paul J. Kirner, Matthew K. Glenn, Mukesh Gupta, Anish Vinodkumar Desai