Patents by Inventor Jaushin Lee

Jaushin Lee has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10986133
    Abstract: A controller connects to endpoints. Profiles specify valid flows between groups of endpoints. Endpoints are provisioned according to the profiles. Provisioning includes the controller generating static routing tables. A static routing table includes an IP subnet that an endpoint will be allowed to connect to. The static routing table is programmed into a network kernel table of an OS at the endpoint. The network kernel table includes other routing information not provided by the controller. A copy is made of the network kernel table, maintained at the endpoint, and another copy is sent to the controller. The table in the OS is periodically compared with the copy of the table to detect tampering of the table in the OS. Upon detection of tampering, the tampered table in the OS is replaced with the copy of the table maintained at the endpoint and an alert is issued to the controller.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: April 20, 2021
    Assignee: Zentera Systems, Inc.
    Inventors: Jaushin Lee, Wei-Chin Chu, Quan Li, Hung Chuen Jason Lee
  • Patent number: 10523514
    Abstract: A secure virtual network platform connects two or more subnets in different or separate network domains. The secure virtual network can use the under layer physical networks in various domains as an IP forwarding fabric without changing any existing firewalls, security settings, or network topology. A first type of connection across the virtual network involves connecting server groups. A second type of connection across the virtual network involves connecting a server group to a physical network. A third type of connection across the virtual network involves connecting a physical network to another physical network.
    Type: Grant
    Filed: July 3, 2017
    Date of Patent: December 31, 2019
    Assignee: Zentera Systems, Inc.
    Inventor: Jaushin Lee
  • Patent number: 10484334
    Abstract: An application profile is provided to manage security of an application deployed across two or more cloud computing networks. A user can define in the application profile first and second server groups, a cloud chamber as including the first and second server groups, and a computing flow to the cloud chamber. A firewall rule is generated based on the computing flow. The firewall rule is distributed to the first server group of the cloud chamber. A copy of the firewall rule is distributed to the second server group of the cloud chamber. The first server group is in a first cloud computing network that is provided by a first cloud provider. The second server group is in a second cloud computing network that is provided by a second cloud provider, different from the first cloud provider.
    Type: Grant
    Filed: April 13, 2017
    Date of Patent: November 19, 2019
    Assignee: Zentera Systems, Inc.
    Inventors: Jaushin Lee, Hung Chuen Jason Lee
  • Patent number: 10382401
    Abstract: A system and technique for securing communications between endpoints in a local area network (LAN) includes receiving, at a first endpoint in the LAN, a request from an application to connect to a second endpoint in the LAN. Approval from a controller to establish a Secure Socket Layer (SSL) tunnel to the second endpoint is requested. Upon receiving approval from the controller, the first endpoint receives from the controller a session identifier for the SSL tunnel. The controller also distributes a copy of the session identifier to the second endpoint. After receipt of the session identifier at the first endpoint, the session identifier is forwarded from the first endpoint to the second endpoint for security authorization, and the SSL tunnel is established. The SSL tunnel extends from the first endpoint in the LAN to the second endpoint in the LAN.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: August 13, 2019
    Assignee: Zentera Systems, Inc.
    Inventors: Jaushin Lee, Wei-Chin Chu, Quan Li, Hung Chuen Jason Lee
  • Patent number: 10348767
    Abstract: Cloud endpoints are secured using agents and a controller connected to the agents. A whitelist identifies components and processes of an authorized multi-tiered application for the cloud. An application profile for the application specifies valid computing flows between components of a tier and components of another tier, where components of the tier are executed at an endpoint and the other components of the other tier are executed at another endpoint. Endpoints are provisioned with static routing tables identifying at least one subnet destination. A request is received at a first endpoint to connect to a second endpoint. If the second endpoint falls within the at least one subnet destination, the controller performs one or more further security checks including checking the application profile flow, whitelist, and endpoint quarantine list. A network kernel table at an endpoint that includes the static routing table may be periodically checked to detect tampering.
    Type: Grant
    Filed: February 24, 2017
    Date of Patent: July 9, 2019
    Assignee: Zentera Systems, Inc.
    Inventors: Jaushin Lee, Wei-Chin Chu, Quan Li, Hung Chuen Jason Lee
  • Publication number: 20170302535
    Abstract: A secure virtual network platform connects two or more subnets in different or separate network domains. The secure virtual network can use the under layer physical networks in various domains as an IP forwarding fabric without changing any existing firewalls, security settings, or network topology. A first type of connection across the virtual network involves connecting server groups. A second type of connection across the virtual network involves connecting a server group to a physical network. A third type of connection across the virtual network involves connecting a physical network to another physical network.
    Type: Application
    Filed: July 3, 2017
    Publication date: October 19, 2017
    Inventor: Jaushin Lee
  • Patent number: 9712624
    Abstract: Clusters of virtual network switches (VNS) and controllers are provided. The controller cluster is connected to the VNS cluster which is between first and second network domains. A request is received at a first end point in the first network domain to connect to a second end point in the second network domain. If the connection should be through a virtual network connecting the network domains, a virtual network connection is established as allowed by a controller of the controller cluster. The establishment includes initiating first outbound traffic from the first end point to a VNS of the VNS cluster and initiating second outbound traffic from the second end point to the VNS. The VNS places a payload from the first outbound traffic into a reply to the second outbound traffic.
    Type: Grant
    Filed: November 9, 2016
    Date of Patent: July 18, 2017
    Assignee: Zentera Systems, Inc.
    Inventor: Jaushin Lee
  • Patent number: 9699034
    Abstract: A secure virtual network platform connects two or more subnets in different or separate network domains. The secure virtual network can use the under layer physical networks in various domains as an IP forwarding fabric without changing any existing firewalls, security settings, or network topology. A first type of connection across the virtual network involves connecting server groups. A second type of connection across the virtual network involves connecting a server group to a physical network. A third type of connection across the virtual network involves connecting a physical network to another physical network.
    Type: Grant
    Filed: July 23, 2014
    Date of Patent: July 4, 2017
    Assignee: Zentera Systems, Inc.
    Inventor: Jaushin Lee
  • Patent number: 9634990
    Abstract: An application profile specifies server groups, components, and computing flows among the server groups and components. Each computing flow may be identified as malicious or not malicious. Firewall rules are generated based on the computing flows. The firewall rules are distributed to a server group. According to the firewall rules distributed to the server group, data that is malicious is directed to another server for quarantine.
    Type: Grant
    Filed: August 4, 2015
    Date of Patent: April 25, 2017
    Assignee: Zentera Systems, Inc.
    Inventor: Jaushin Lee
  • Patent number: 9596315
    Abstract: A data transfer profile defines the transfer of data among different domains. The data transfer profile is processed to generate data transfer rules. Subsets of the rules are distributed to the different domains. A rule can specify a folder in a particular domain in which files stored in the folder will be transferred to another domain.
    Type: Grant
    Filed: May 29, 2014
    Date of Patent: March 14, 2017
    Assignee: Zentera Systems, Inc.
    Inventors: Jaushin Lee, Junwei Wu, Wei-Chin Chu
  • Publication number: 20170064005
    Abstract: Clusters of virtual network switches (VNS) and controllers are provided. The controller cluster is connected to the VNS cluster which is between first and second network domains. A request is received at a first end point in the first network domain to connect to a second end point in the second network domain. If the connection should be through a virtual network connecting the network domains, a virtual network connection is established as allowed by a controller of the controller cluster. The establishment includes initiating first outbound traffic from the first end point to a VNS of the VNS cluster and initiating second outbound traffic from the second end point to the VNS.
    Type: Application
    Filed: November 9, 2016
    Publication date: March 2, 2017
    Inventor: Jaushin Lee
  • Patent number: 9525564
    Abstract: A secure virtual network platform connects two or more different or separate network domains. When a data packet is received at an end point in one network domain, a determination is made as to whether the data packet should be forwarded outside the virtual network platform, or transmitted via the virtual network to a destination in another network domain connected by the virtual network platform.
    Type: Grant
    Filed: February 21, 2014
    Date of Patent: December 20, 2016
    Assignee: Zentera Systems, Inc.
    Inventor: Jaushin Lee
  • Patent number: 9344516
    Abstract: A file system monitoring layer is positioned between a virtual file system (VFS) encryption layer and a lower level file system layer. The file system monitoring layer stores a list of applications that are allowed to access encrypted files stored in the lower level file system. The monitoring layer receives from the VFS encryption layer a request by an application to access an encrypted file. If the application is not listed on the list, the VFS encryption layer is instructed to provide the application a denial of service. If the application is listed, the VFS encryption layer is instructed to decrypt the encrypted file for the application.
    Type: Grant
    Filed: May 29, 2014
    Date of Patent: May 17, 2016
    Assignee: Zentera Systems, Inc.
    Inventors: Jaushin Lee, Junwei Wu, Wei-Chin Chu
  • Publication number: 20150341318
    Abstract: An application profile specifies server groups, components, and computing flows among the server groups and components. Each computing flow may be identified as malicious or not malicious. Firewall rules are generated based on the computing flows. The firewall rules are distributed to a server group. According to the firewall rules distributed to the server group, data that is malicious is directed to another server for quarantine.
    Type: Application
    Filed: August 4, 2015
    Publication date: November 26, 2015
    Inventor: Jaushin Lee
  • Patent number: 9130901
    Abstract: User input including an application profile is received. The profile specifies a first server group, a second server group, and computing flows between the first and second server groups. User input identifying at least the first server group to include in a cloud chamber is received. Internet Protocol (IP) addresses assigned to virtual machines provisioned into the first and second server groups are obtained. Based on the computing flows specified in the application profile and the IP addresses assigned to the virtual machines, a set of firewall rules are generated for each virtual machine in the cloud chamber.
    Type: Grant
    Filed: February 25, 2014
    Date of Patent: September 8, 2015
    Assignee: Zentera Systems, Inc.
    Inventor: Jaushin Lee
  • Publication number: 20140359283
    Abstract: A file system monitoring layer is positioned between a virtual file system (VFS) encryption layer and a lower level file system layer. The file system monitoring layer stores a list of applications that are allowed to access encrypted files stored in the lower level file system. The monitoring layer receives from the VFS encryption layer a request by an application to access an encrypted file. If the application is not listed on the list, the VFS encryption layer is instructed to provide the application a denial of service. If the application is listed, the VFS encryption layer is instructed to decrypt the encrypted file for the application.
    Type: Application
    Filed: May 29, 2014
    Publication date: December 4, 2014
    Applicant: Zentera Systems, Inc.
    Inventors: Jaushin Lee, Junwei Wu, Wei-Chin Chu
  • Publication number: 20140359047
    Abstract: A data transfer profile defines the transfer of data among different domains. The data transfer profile is processed to generate data transfer rules. Subsets of the rules are distributed to the different domains. A rule can specify a folder in a particular domain in which files stored in the folder will be transferred to another domain.
    Type: Application
    Filed: May 29, 2014
    Publication date: December 4, 2014
    Applicant: Zentera Systems, Inc.
    Inventors: Jaushin Lee, Junwei Wu, Wei-Chin Chu
  • Publication number: 20140337500
    Abstract: A secure virtual network platform connects two or more subnets in different or separate network domains. The secure virtual network can use the under layer physical networks in various domains as an IP forwarding fabric without changing any existing firewalls, security settings, or network topology. A first type of connection across the virtual network involves connecting server groups. A second type of connection across the virtual network involves connecting a server group to a physical network. A third type of connection across the virtual network involves connecting a physical network to another physical network.
    Type: Application
    Filed: July 23, 2014
    Publication date: November 13, 2014
    Inventor: Jaushin Lee
  • Publication number: 20140244851
    Abstract: A secure virtual network platform connects two or more different or separate network domains. When a data packet is received at an end point in one network domain, a determination is made as to whether the data packet should be forwarded outside the virtual network platform, or transmitted via the virtual network to a destination in another network domain connected by the virtual network platform.
    Type: Application
    Filed: February 21, 2014
    Publication date: August 28, 2014
    Inventor: Jaushin Lee
  • Publication number: 20140245423
    Abstract: User input including an application profile is received. The profile specifies a first server group, a second server group, and computing flows between the first and second server groups. User input identifying at least the first server group to include in a cloud chamber is received. Internet Protocol (IP) addresses assigned to virtual machines provisioned into the first and second server groups are obtained. Based on the computing flows specified in the application profile and the IP addresses assigned to the virtual machines, a set of firewall rules are generated for each virtual machine in the cloud chamber.
    Type: Application
    Filed: February 25, 2014
    Publication date: August 28, 2014
    Applicant: Zentera Systems, Inc.
    Inventor: Jaushin Lee