Abstract: A mechanism is provided in a network security subsystem in a virtual machine monitor for policy based load distribution among a plurality of packet processing units. Responsive to receiving a packet from a virtual machine, the network security subsystem compares the packet to rules in a load distribution policy in the network security subsystem. Responsive to the packet matching a rule in the load distribution policy, the network security subsystem identifies a packet processing unit list and an action in the matching rule. The network security subsystem distributes the packet to a selected packet processing unit from the packet processing unit list based on the action.

Abstract: A mechanism is provided in a network security subsystem in a virtual machine monitor for policy based load distribution among a plurality of packet processing units. Responsive to receiving a packet from a virtual machine, the network security subsystem compares the packet to rules in a load distribution policy in the network security subsystem. Responsive to the packet matching a rule in the load distribution policy, the network security subsystem identifies a packet processing unit list and an action in the matching rule. The network security subsystem distributes the packet to a selected packet processing unit from the packet processing unit list based on the action.

Abstract: A multiple inspection avoidance (MIA) technique is implemented in a virtualized environment. Preferably, the technique is implemented in a packet processing unit (PPU) and takes advantage of a protection scope determined in an automated manner. The protection scope may be MAC-based. The MIA technique ensures that the same packet is not inspected more than once by a same packet processing unit (PPU), and that the same packet is not inspected more than once by different PPUs. According to this disclosure, when a PPU implementing MIA receives a packet, it uses the protection scope to determine whether it needs to process the packet. Preferably, the determination of whether to process the packet depends on the source and destination addresses in the packet, whether those addresses are being protected by the PPU that receives the packet, the direction of the packet flow, and optionally one or more packet processing rules.

Abstract: An automated technique for constructing and updating protection scope is described. Preferably, the protection scope is MAC-address based. According to this technique, one or more packet processing units (PPUs) execute a MAC address learning algorithm to gather a list of MAC addresses. Packet processing units typically are one of: a kernel module residing on the hypervisor, a virtual appliance running a packet processing engine, and a software agent running on a virtual machine and that processes packet flows between and among associated virtual machines. Each of the one or more PPUs is provisioned to collect a set of MAC addresses; the PPUs exchange their lists, and the lists are then merged into a merged list from which a current protection scope is then generated. Each entry in the protection scope preferably contains information indicating which PPU is available to protect the MAC address associated with that entry.

Abstract: A multiple inspection avoidance (MIA) technique is implemented in a virtualized environment. Preferably, the technique is implemented in a packet processing unit (PPU) and takes advantage of a protection scope determined in an automated manner. The protection scope may be MAC-based. The MIA technique ensures that the same packet is not inspected more than once by a same packet processing unit (PPU), and that the same packet is not inspected more than once by different PPUs. According to this disclosure, when a PPU implementing MIA receives a packet, it uses the protection scope to determine whether it needs to process the packet. Preferably, the determination of whether to process the packet depends on the source and destination addresses in the packet, whether those addresses are being protected by the PPU that receives the packet, the direction of the packet flow, and optionally one or more packet processing rules.

Abstract: An automated technique for constructing and updating protection scope is described. Preferably, the protection scope is MAC-address based. According to this technique, one or more packet processing units (PPUs) execute a MAC address learning algorithm to gather a list of MAC addresses. Packet processing units typically are one of: a kernel module residing on the hypervisor, a virtual appliance running a packet processing engine, and a software agent running on a virtual machine and that processes packet flows between and among associated virtual machines. Each of the one or more PPUs is provisioned to collect a set of MAC addresses; the PPUs exchange their lists, and the lists are then merged into a merged list from which a current protection scope is then generated. Each entry in the protection scope preferably contains information indicating which PPU is available to protect the MAC address associated with that entry.