Abstract: A context-aware distributed firewall scheme is provided. A firewall engine tasked to provide firewall protection for a set of network addresses applies a reduced set of firewall rules that are relevant to the set of addresses associated with the machine. A hypervisor implements a search structure that allows each virtual machine's filter to quickly identify relevant rules from all of the received rules. The search structure is constructed as a binary prefix tree, each node corresponding to an IP CIDR (Classless Inter-Domain Routing) block. A query for relevant rules traverses nodes of the search structure according to a queried IP address and collect all rules that are associated with the traversed nodes.

Abstract: A novel method for distributing firewall configuration of a software defined data center is provided. The network manager of the data center receives update requests from tenants of the data center and correspondingly generates update fragments and delivers the generated update fragment to local control planes controlling the enforcing devices. Each local control plane in turn integrates the update fragments it receives into its firewall rules table. For each rule and/or section thusly integrated, the local control plane uses the rule or the section's assigned priority number to establish ordering in the firewall rules table of the local control plane.

Abstract: A context-aware distributed firewall scheme is provided. A firewall engine tasked to provide firewall protection for a set of network addresses applies a reduced set of firewall rules that are relevant to the set of addresses associated with the machine. A hypervisor implements a search structure that allows each virtual machine's filter to quickly identify relevant rules from all of the received rules. The search structure is constructed as a binary prefix tree, each node corresponding to an IP CIDR (Classless Inter-Domain Routing) block. A query for relevant rules traverses nodes of the search structure according to a queried IP address and collect all rules that are associated with the traversed nodes.

Abstract: Some embodiments provide novel methods for processing remote-device data messages in a network based on data-message attributes from a remote device management (RDM) system. For instance, the method of some embodiments identifies a set of RDM attributes associated with a data message, and then performs one or more service operations based on identified RDM attribute set.

Abstract: A context-aware distributed firewall scheme is provided. A firewall engine tasked to provide firewall protection for a set of network addresses applies a reduced set of firewall rules that are relevant to the set of addresses associated with the machine. A hypervisor implements a search structure that allows each virtual machine's filter to quickly identify relevant rules from all of the received rules. The search structure is constructed as a binary prefix tree, each node corresponding to an IP CIDR (Classless Inter-Domain Routing) block. A query for relevant rules traverses nodes of the search structure according to a queried IP address and collect all rules that are associated with the traversed nodes.