Patents by Inventor Daniel Richard Cook
Daniel Richard Cook has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20230353540Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.Type: ApplicationFiled: July 6, 2023Publication date: November 2, 2023Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Patent number: 11736443Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.Type: GrantFiled: April 26, 2022Date of Patent: August 22, 2023Assignee: Illumio, Inc.Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Patent number: 11451514Abstract: An enforcement module receives management instructions from a segmentation server for enforcing a segmentation policy. The management instructions include one or more rules specifying one or more groups of workloads that a workload executing on the operating system instance is permitted to communicate with according to certain communication constraints, and membership information specifying workload identifiers for workloads in each of the groups. An optimization module processes the management instructions to reduce the number of rules and the number of workload groups to which the rules apply, thereby simplifying the firewall configuration. The enforcement module then configures a firewall according to the optimized rules to enforce the segmentation policy. The optimization process beneficially improves performance of the firewall and thereby enables more efficient enforcement of the segmentation policy utilizing fewer computing resources.Type: GrantFiled: January 3, 2019Date of Patent: September 20, 2022Assignee: Illumio, Inc.Inventors: Daniel Richard Cook, Anish Vinodkumar Desai
-
Publication number: 20220255899Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.Type: ApplicationFiled: April 26, 2022Publication date: August 11, 2022Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Patent number: 11336620Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.Type: GrantFiled: December 18, 2018Date of Patent: May 17, 2022Assignee: Illumio, Inc.Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Patent number: 11303605Abstract: An enforcement module receives a DNS-based rule of a segmentation policy that controls access of a managed workload to workloads in a DNS domain in which the IP addresses of the workloads associated with a domain name are resolved by a DNS server. When the managed workload makes a connection request to the workload associated with the domain name, the enforcement module snoops on a DNS response from the DNS server to learn the IP address of the workload associated with the domain name. If a domain name of the DNS domain is in a whitelist of domain names permitted by the DNS-based rule, the enforcement module adds the learned IP address to a whitelist of IP addresses and configures a firewall associated with the managed workload to permit connections to the IP addresses in the whitelist.Type: GrantFiled: January 15, 2019Date of Patent: April 12, 2022Assignee: Illumio, Inc.Inventors: Jaehong Park, Mukesh Gupta, Paul James Kirner, Anish Vinodkumar Desai, Daniel Richard Cook
-
Patent number: 10805166Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.Type: GrantFiled: September 24, 2019Date of Patent: October 13, 2020Assignee: Illumio, Inc.Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
-
Publication number: 20200228486Abstract: An enforcement module receives a DNS-based rule of a segmentation policy that controls access of a managed workload to workloads in a DNS domain in which the IP addresses of the workloads associated with a domain name are resolved by a DNS server. When the managed workload makes a connection request to the workload associated with the domain name, the enforcement module snoops on a DNS response from the DNS server to learn the IP address of the workload associated with the domain name. If a domain name of the DNS domain is in a whitelist of domain names permitted by the DNS-based rule, the enforcement module adds the learned IP address to a whitelist of IP addresses and configures a firewall associated with the managed workload to permit connections to the IP addresses in the whitelist.Type: ApplicationFiled: January 15, 2019Publication date: July 16, 2020Inventors: Jaehong Park, Mukesh Gupta, Paul James Kirner, Anish Vinodkumar Desai, Daniel Richard Cook
-
Publication number: 20200220845Abstract: An enforcement module receives management instructions from a segmentation server for enforcing a segmentation policy. The management instructions include one or more rules specifying one or more groups of workloads that a workload executing on the operating system instance is permitted to communicate with according to certain communication constraints, and membership information specifying workload identifiers for workloads in each of the groups. An optimization module processes the management instructions to reduce the number of rules and the number of workload groups to which the rules apply, thereby simplifying the firewall configuration. The enforcement module then configures a firewall according to the optimized rules to enforce the segmentation policy. The optimization process beneficially improves performance of the firewall and thereby enables more efficient enforcement of the segmentation policy utilizing fewer computing resources.Type: ApplicationFiled: January 3, 2019Publication date: July 9, 2020Inventors: Daniel Richard Cook, Anish Vinodkumar Desai
-
Publication number: 20200195611Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.Type: ApplicationFiled: December 18, 2018Publication date: June 18, 2020Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Publication number: 20200021491Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.Type: ApplicationFiled: September 24, 2019Publication date: January 16, 2020Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
-
Publication number: 20190372848Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.Type: ApplicationFiled: May 31, 2018Publication date: December 5, 2019Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
-
Patent number: 10476745Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.Type: GrantFiled: May 31, 2018Date of Patent: November 12, 2019Assignee: Illumio, Inc.Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
-
Patent number: 9237796Abstract: The assistive apparatus for hand held vessels or items is a device worn on the hand to facilitate the holding of anything of weight and to reduce the need for gripping strength. The device is a length of flexible material with at least two loops; one at either end; such that the loops are worn over the thumb and the pinky or one or more other fingers. The flexible material hangs like a hammock and allows the weight of an object, such as a glass or tool, to rest on the skeletal structure of the hand rather than depending upon the mechanical gripping force exerted by fingers. The device has application to help individuals suffering from a weakened grip from an ailment, such as arthritis, or that are in professions that require holding heavy objects for extend periods of time.Type: GrantFiled: February 26, 2014Date of Patent: January 19, 2016Inventors: Theresa Rose Finch, Peter Denis Finch, Daniel Richard Cook