Patents by Inventor Juraj George Fandli

Juraj George Fandli has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11647050
    Abstract: A policy management server manages a segmentation policy and policy constraints. The segmentation policy comprises a set of segmentation rules that each permit connections between specified groups of workloads that provide or consume network-based services. The policy constraints comprise a set of constraint rules that determine compliance of the segmentation rules. A workflow process may be initiated to resolve non-compliant rules by enabling an administrator to approve or deny the rule. In a large enterprise managing significant numbers of workloads, the policy constraints may be employed to ensure that overly permissive segmentation rules are not being created. This facilitates creation of a robust and narrowly tailored segmentation policy that reduces exposure of the enterprise to network-based security threats.
    Type: Grant
    Filed: November 19, 2020
    Date of Patent: May 9, 2023
    Assignee: Illumio, Inc.
    Inventors: Juraj George Fandli, Russell Stuart Goodwin, Ronald Isaacson, Roy Nobuo Nakashima
  • Patent number: 11575588
    Abstract: A traffic control and monitoring module includes a firewall operating in a container namespace that is configured to control and monitor traffic to and from a container in the container namespace. The traffic control and monitoring module reports detected traffic to a traffic flow reporting module operating in a host namespace of the host operating system. The traffic control and monitoring module obtains traffic flows associated with a plurality of containers in different container namespaces and reports the traffic flows to a segmentation policy. Based on the reported traffic flows, the segmentation server may update a segmentation policy to improve network security.
    Type: Grant
    Filed: February 24, 2021
    Date of Patent: February 7, 2023
    Assignee: Illumio, Inc.
    Inventors: Thomas Michael McCormick, Juraj George Fandli
  • Patent number: 11444920
    Abstract: A policy management server enables selective enforcement of a segmentation policy. The policy management server manages a segmentation policy that specifies a set of segmentation rules specifying permitted communications between workloads. The policy management server separately manages an enforcement policy that controls whether or not the segmentation policy is enforced for different services provided by the workloads. For services that are enforced, the policy management server distributes instructions to distributed enforcement modules that configure traffic filters to block traffic pertaining to enforced services that does not meet the segmentation rules. For non-enforced services, the policy management server obtains traffic data from the distributed enforcement modules without enforcing the segmentation policy to enable an administrator to build and/or test the segmentation policy.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: September 13, 2022
    Assignee: Illumio, Inc.
    Inventors: Juraj George Fandli, Yair Harel, Ronald Isaacson, Russell Stuart Goodwin, Roy Nobuo Nakashima, Nathanael John Iversen
  • Patent number: 11425007
    Abstract: In a segmented network environment, a traffic flow graph provides visibility into the connections between workloads or groups of workloads under management of a segmentation policy. Squelching rules may be applied to hide traffic in the traffic flow graph that meets specified criteria. The squelching rules may be label-based rules that enable configuration of squelching rules that apply to a group of workloads and enable configurations to be rapidly updated as workloads are added or dropped from the network or as their configurations change. Additionally, squelching rules may be applied based on characteristics of the traffic data or based on an identity of an administrator viewing the traffic flow graph.
    Type: Grant
    Filed: January 21, 2020
    Date of Patent: August 23, 2022
    Assignee: Illumio, Inc.
    Inventors: Mukesh Gupta, Joy Anne Scott, Juraj George Fandli, Joel E. Vanderkwaak, Ramnath Duggirala
  • Publication number: 20220159038
    Abstract: A policy management server manages a segmentation policy and policy constraints. The segmentation policy comprises a set of segmentation rules that each permit connections between specified groups of workloads that provide or consume network-based services. The policy constraints comprise a set of constraint rules that determine compliance of the segmentation rules. A workflow process may be initiated to resolve non-compliant rules by enabling an administrator to approve or deny the rule. In a large enterprise managing significant numbers of workloads, the policy constraints may be employed to ensure that overly permissive segmentation rules are not being created. This facilitates creation of a robust and narrowly tailored segmentation policy that reduces exposure of the enterprise to network-based security threats.
    Type: Application
    Filed: November 19, 2020
    Publication date: May 19, 2022
    Inventors: Juraj George Fandli, Russell Stuart Goodwin, Ronald Isaacson, Roy Nobuo Nakashima
  • Patent number: 11171991
    Abstract: In a segmented network environment, a segmentation server assigns labels to workloads to enable the segmentation server to implement a segmentation policy based on label-based rules. A first set of labels associated with one or more label dimensions may be assigned in a secure manner by automatically assigning the labels based on a pairing profile. A second set of labels associated with different label dimensions may be assigned automatically based on workload attributes. An administrator can manage which label dimensions are assigned in a secure way based on the pairing profile and which labels are assigned in an adaptable way based on workload attributes, thereby enabling the administrator to flexibly manage the tradeoff between adaptability and security.
    Type: Grant
    Filed: February 28, 2019
    Date of Patent: November 9, 2021
    Assignee: Illumio, Inc.
    Inventors: Mukesh Gupta, Juraj George Fandli
  • Patent number: 11095611
    Abstract: A segmentation server generates and distributes management instructions for enforcing a segmentation policy. The segmentation server discovers a network configuration of workloads including an identification of workloads that are behind network address translation modules. The segmentation server generates management instructions for enforcing the rules in a manner dependent on the detected network configuration. Furthermore, the segmentation server monitors traffic flows and generates a traffic flow graph in a manner dependent on the detected network configuration.
    Type: Grant
    Filed: October 1, 2018
    Date of Patent: August 17, 2021
    Assignee: Illumio, Inc.
    Inventor: Juraj George Fandli
  • Publication number: 20210243158
    Abstract: A policy management server enables selective enforcement of a segmentation policy. The policy management server manages a segmentation policy that specifies a set of segmentation rules specifying permitted communications between workloads. The policy management server separately manages an enforcement policy that controls whether or not the segmentation policy is enforced for different services provided by the workloads. For services that are enforced, the policy management server distributes instructions to distributed enforcement modules that configure traffic filters to block traffic pertaining to enforced services that does not meet the segmentation rules. For non-enforced services, the policy management server obtains traffic data from the distributed enforcement modules without enforcing the segmentation policy to enable an administrator to build and/or test the segmentation policy.
    Type: Application
    Filed: January 30, 2020
    Publication date: August 5, 2021
    Inventors: Juraj George Fandli, Yair Harel, Ronald Isaacson, Russell Stuart Goodwin, Roy Nobuo Nakashima, Nathanael John Iversen
  • Publication number: 20210226865
    Abstract: In a segmented network environment, a traffic flow graph provides visibility into the connections between workloads or groups of workloads under management of a segmentation policy. Squelching rules may be applied to hide traffic in the traffic flow graph that meets specified criteria. The squelching rules may be label-based rules that enable configuration of squelching rules that apply to a group of workloads and enable configurations to be rapidly updated as workloads are added or dropped from the network or as their configurations change. Additionally, squelching rules may be applied based on characteristics of the traffic data or based on an identity of an administrator viewing the traffic flow graph.
    Type: Application
    Filed: January 21, 2020
    Publication date: July 22, 2021
    Inventors: Mukesh Gupta, Joy Anne Scott, Juraj George Fandli, Joel E. Vanderkwaak, Ramnath Duggirala
  • Publication number: 20210184950
    Abstract: A traffic control and monitoring module includes a firewall operating in a container namespace that is configured to control and monitor traffic to and from a container in the container namespace. The traffic control and monitoring module reports detected traffic to a traffic flow reporting module operating in a host namespace of the host operating system. The traffic control and monitoring module obtains traffic flows associated with a plurality of containers in different container namespaces and reports the traffic flows to a segmentation policy. Based on the reported traffic flows, the segmentation server may update a segmentation policy to improve network security.
    Type: Application
    Filed: February 24, 2021
    Publication date: June 17, 2021
    Inventors: Thomas Michael McCormick, Juraj George Fandli
  • Patent number: 11012310
    Abstract: A container orchestration server stores pairing keys in association with container profiles. A container orchestration agent executing on an operating system instance instantiates a new container according to a particular container profile in response to an instruction from the container orchestration server and stores the pairing key as metadata associated with the container. An enforcement module detects the instantiation of the container and obtains the corresponding pairing key from the container orchestration agent. The enforcement module transmits the pairing key to a segmentation server for validation. If the segmentation server validates the key, the segmentation server determines a label set corresponding to the container profile associated with the pairing key and generates management instructions for the container based on the label set.
    Type: Grant
    Filed: June 5, 2018
    Date of Patent: May 18, 2021
    Assignee: ILLUMIO, INC.
    Inventors: Juraj George Fandli, Mukesh Gupta
  • Patent number: 10958545
    Abstract: A traffic control and monitoring module includes a firewall operating in a container namespace that is configured to control and monitor traffic to and from a container in the container namespace. The traffic control and monitoring module reports detected traffic to a traffic flow reporting module operating in a host namespace of the host operating system. The traffic control and monitoring module obtains traffic flows associated with a plurality of containers in different container namespaces and reports the traffic flows to a segmentation policy. Based on the reported traffic flows, the segmentation server may update a segmentation policy to improve network security.
    Type: Grant
    Filed: August 27, 2018
    Date of Patent: March 23, 2021
    Assignee: Illumio, Inc.
    Inventors: Thomas Michael McCormick, Juraj George Fandli
  • Patent number: 10805166
    Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure a traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: October 13, 2020
    Assignee: Illumio, Inc.
    Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
  • Publication number: 20200280586
    Abstract: In a segmented network environment, a segmentation server assigns labels to workloads to enable the segmentation server to implement a segmentation policy based on label-based rules. A first set of labels associated with one or more label dimensions may be assigned in a secure manner by automatically assigning the labels based on a pairing profile. A second set of labels associated with different label dimensions may be assigned automatically based on workload attributes. An administrator can manage which label dimensions are assigned in a secure way based on the pairing profile and which labels are assigned in an adaptable way based on workload attributes, thereby enabling the administrator to flexibly manage the tradeoff between adaptability and security.
    Type: Application
    Filed: February 28, 2019
    Publication date: September 3, 2020
    Inventors: Mukesh Gupta, Juraj George Fandli
  • Publication number: 20200106741
    Abstract: A segmentation server generates and distributes management instructions for enforcing a segmentation policy. The segmentation server discovers a network configuration of workloads including an identification of workloads that are behind network address translation modules. The segmentation server generates management instructions for enforcing the rules in a manner dependent on the detected network configuration. Furthermore, the segmentation server monitors traffic flows and generates a traffic flow graph in a manner dependent on the detected network configuration.
    Type: Application
    Filed: October 1, 2018
    Publication date: April 2, 2020
    Inventor: Juraj George Fandli
  • Publication number: 20200067801
    Abstract: A traffic control and monitoring module includes a firewall operating in a container namespace that is configured to control and monitor traffic to and from a container in the container namespace. The traffic control and monitoring module reports detected traffic to a traffic flow reporting module operating in a host namespace of the host operating system. The traffic control and monitoring module obtains traffic flows associated with a plurality of containers in different container namespaces and reports the traffic flows to a segmentation policy. Based on the reported traffic flows, the segmentation server may update a segmentation policy to improve network security.
    Type: Application
    Filed: August 27, 2018
    Publication date: February 27, 2020
    Inventors: Thomas Michael McCormick, Juraj George Fandli
  • Publication number: 20200021491
    Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure a traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
    Type: Application
    Filed: September 24, 2019
    Publication date: January 16, 2020
    Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
  • Publication number: 20190372848
    Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure a traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
    Type: Application
    Filed: May 31, 2018
    Publication date: December 5, 2019
    Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
  • Publication number: 20190372850
    Abstract: A container orchestration server stores pairing keys in association with container profiles. A container orchestration agent executing on an operating system instance instantiates a new container according to a particular container profile in response to an instruction from the container orchestration server and stores the pairing key as metadata associated with the container. An enforcement module detects the instantiation of the container and obtains the corresponding pairing key from the container orchestration agent. The enforcement module transmits the pairing key to a segmentation server for validation. If the segmentation server validates the key, the segmentation server determines a label set corresponding to the container profile associated with the pairing key and generates management instructions for the container based on the label set.
    Type: Application
    Filed: June 5, 2018
    Publication date: December 5, 2019
    Inventors: Juraj George Fandli, Mukesh Gupta
  • Patent number: 10476745
    Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure a traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: November 12, 2019
    Assignee: Illumio, Inc.
    Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli