Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.

Abstract: Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of plurality of microservices is bounded by one of the plurality of logical security boundaries.

Abstract: Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.

Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.

Abstract: Methods, systems, and media for a security system are provided herein. Exemplary methods may include: acquiring a firewall security policy from a policy compiler; receiving network traffic originating from a source machine and directed to a destination machine; analyzing the network traffic using the firewall security policy; forwarding or dropping each of the network traffic according to the security policy; and redirecting one or more network packets of the network traffic according to the security policy.

Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.

Abstract: Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.

Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.

Abstract: Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.

Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.

Abstract: Systems for providing scanning within distributed services are provided herein. In some embodiments, a system includes a plurality of segmented environments that each includes an enforcement point that has an active probe device, and a plurality of workloads that each implements at least one service. The system also has a data center server coupled with the plurality of segmented environments over a network. The data center server has a security controller configured to provide a security policy to each of the plurality of segmented environments and an active probe controller configured to cause the active probe device of the plurality of segmented environments to execute a scan.

Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.

Abstract: Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of plurality of microservices is bounded by one of the plurality of logical security boundaries.

Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.

Abstract: A network system includes a security gateway that receives information from a virtual machine after the virtual machine has migrated from a first network access device to a second network access device, where the information identifies the virtual machine as one associated with a privilege level. The security gateway determines that access to the virtual machine at the first network access device was permitted by the privilege level and assigns the virtual machine at the second network access device to the privilege level. The security gateway then applies a set of rules associated with the privilege level to communications between the network and the virtual machine at the second network access device.

Abstract: Context aware microservice networks and contextual security policies for microservice networks are provided herein. In some embodiments, a system includes a plurality of microservices, each of the plurality of microservices having a plurality of distributed microservice components. At least a portion of the distributed microservice components execute on different physical or virtual servers in a data center or a cloud. The system also includes a plurality of logical security boundaries, with each of the plurality of logical security boundaries being created by a plurality of enforcement points positioned in association with the plurality of distributed microservice components. Each of plurality of microservices is bounded by one of the plurality of logical security boundaries.

Abstract: Methods, systems, and media for a security system are provided herein. Exemplary methods may include: acquiring a firewall security policy from a policy compiler; receiving network traffic originating from a source machine and directed to a destination machine; analyzing the network traffic using the firewall security policy; forwarding or dropping each of the network traffic according to the security policy; and redirecting one or more network packets of the network traffic according to the security policy.

Abstract: Systems and methods for delivering security functions to a distributed network are described herein. An exemplary method may include: processing a data packet received from a switch, the data packet directed to the at least one network asset; selectively forwarding the data packet using the processing and a rule set; inspecting the forwarded packet; directing the enforcement point to at least one of forward the data packet to the at least one network asset and drop the data packet, using the inspection and the rule set; accumulating data associated with at least one of the data packet, the processing, and the inspection; analyzing the at least one of the data packet, the processing, and the inspection; and initiating compilation of a high-level security policy by the compiler using the analysis to produce an updated rule set.

Abstract: Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.

Abstract: Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.