Patents by Inventor Juraj George Fandli
Juraj George Fandli has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11647050
Abstract: A policy management server manages a segmentation policy and policy constraints. The segmentation policy comprises a set of segmentation rules that each permit connections between specified groups of workloads that provide or consume network-based services. The policy constraints comprise a set of constraint rules that determine compliance of the segmentation rules. A workflow process may be initiated to resolve non-compliant rules by enabling an administrator to approve or deny the rule. In a large enterprise managing significant numbers of workloads, the policy constraints may be employed to ensure that overly permissive segmentation rules are not being created. This facilitates creation of a robust and narrowly tailored segmentation policy that reduces exposure of the enterprise to network-based security threats.
Type: Grant
Filed: November 19, 2020
Date of Patent: May 9, 2023
Assignee: Illumio, Inc.
Inventors: Juraj George Fandli, Russell Stuart Goodwin, Ronald Isaacson, Roy Nobuo Nakashima
-
Patent number: 11575588
Abstract: A traffic control and monitoring module includes a firewall operating in a container namespace that is configured to control and monitor traffic to and from a container in the container namespace. The traffic control and monitoring module reports detected traffic to a traffic flow reporting module operating in a host namespace of the host operating system. The traffic flow reporting module obtains traffic flows associated with a plurality of containers in different container namespaces and reports the traffic flows to a segmentation server. Based on the reported traffic flows, the segmentation server may update a segmentation policy to improve network security.
Type: Grant
Filed: February 24, 2021
Date of Patent: February 7, 2023
Assignee: Illumio, Inc.
Inventors: Thomas Michael McCormick, Juraj George Fandli
-
Patent number: 11444920
Abstract: A policy management server enables selective enforcement of a segmentation policy. The policy management server manages a segmentation policy that specifies a set of segmentation rules specifying permitted communications between workloads. The policy management server separately manages an enforcement policy that controls whether or not the segmentation policy is enforced for different services provided by the workloads. For services that are enforced, the policy management server distributes instructions to distributed enforcement modules that configure traffic filters to block traffic pertaining to enforced services that does not meet the segmentation rules. For non-enforced services, the policy management server obtains traffic data from the distributed enforcement modules without enforcing the segmentation policy to enable an administrator to build and/or test the segmentation policy.
Type: Grant
Filed: January 30, 2020
Date of Patent: September 13, 2022
Assignee: Illumio, Inc.
Inventors: Juraj George Fandli, Yair Harel, Ronald Isaacson, Russell Stuart Goodwin, Roy Nobuo Nakashima, Nathanael John Iversen
-
Patent number: 11425007
Abstract: In a segmented network environment, a traffic flow graph provides visibility into the connections between workloads or groups of workloads under management of a segmentation policy. Squelching rules may be applied to hide traffic in the traffic flow graph that meets specified criteria. The squelching rules may be label-based rules that apply to groups of workloads, so that the configuration is updated automatically as workloads are added to or dropped from the network or as their configurations change. Additionally, squelching rules may be applied based on characteristics of the traffic data or based on the identity of the administrator viewing the traffic flow graph.
Type: Grant
Filed: January 21, 2020
Date of Patent: August 23, 2022
Assignee: Illumio, Inc.
Inventors: Mukesh Gupta, Joy Anne Scott, Juraj George Fandli, Joel E. Vanderkwaak, Ramnath Duggirala
-
Publication number: 20220159038
Abstract: A policy management server manages a segmentation policy and policy constraints. The segmentation policy comprises a set of segmentation rules that each permit connections between specified groups of workloads that provide or consume network-based services. The policy constraints comprise a set of constraint rules that determine compliance of the segmentation rules. A workflow process may be initiated to resolve non-compliant rules by enabling an administrator to approve or deny the rule. In a large enterprise managing significant numbers of workloads, the policy constraints may be employed to ensure that overly permissive segmentation rules are not being created. This facilitates creation of a robust and narrowly tailored segmentation policy that reduces exposure of the enterprise to network-based security threats.
Type: Application
Filed: November 19, 2020
Publication date: May 19, 2022
Inventors: Juraj George Fandli, Russell Stuart Goodwin, Ronald Isaacson, Roy Nobuo Nakashima
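The two entries above (patent 11647050 and its published application 20220159038) describe constraint rules that decide whether a segmentation rule is compliant and an approve/deny workflow for the rules that are not. The following is an added illustration written for this page, not Illumio's code: label dimensions, conjunctive label selectors, the constraint format and the approval workflow are all assumptions. The key point it demonstrates is that a constraint has to be checked against what a rule *could* permit, so a rule whose provider side is not pinned to an environment overlaps a "no dev to prod" constraint even though the rule never mentions prod.

```python
"""Constraint checking for label-based segmentation rules (added example, not
Illumio's code). Label dimensions, selector semantics, the constraint format and
the approve/deny workflow are assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Labels = Dict[str, str]        # conjunctive selector, e.g. {"role": "web", "env": "prod"}
Service = Tuple[str, int]      # (protocol, port)
ANY_SERVICE: Service = ("any", 0)


@dataclass
class Rule:
    """Permits consumers -> providers on one service. An empty selector means every workload."""
    name: str
    consumers: Labels
    providers: Labels
    service: Service = ANY_SERVICE


@dataclass
class Constraint:
    """Forbids any rule that could permit a connection inside this scope."""
    name: str
    consumers: Labels
    providers: Labels
    service: Service = ANY_SERVICE


def selectors_overlap(a: Labels, b: Labels) -> bool:
    """Two conjunctive selectors can match a common workload unless they pin the
    same dimension to different values. Unpinned dimensions match anything, so a
    selector over {"role": "db"} overlaps a constraint scope of {"env": "prod"}."""
    return all(a[d] == b[d] for d in a.keys() & b.keys())


def services_overlap(a: Service, b: Service) -> bool:
    return ANY_SERVICE in (a, b) or a == b


def violations(rule: Rule, constraints: List[Constraint]) -> List[str]:
    """Names of the constraints a rule could violate; an empty list means compliant."""
    found = [
        c.name for c in constraints
        if selectors_overlap(rule.consumers, c.consumers)
        and selectors_overlap(rule.providers, c.providers)
        and services_overlap(rule.service, c.service)
    ]
    # Breadth check: every workload -> every workload on every service is never acceptable.
    if not rule.consumers and not rule.providers and rule.service == ANY_SERVICE:
        found.append("overly-broad")
    return found


@dataclass
class PolicyStore:
    constraints: List[Constraint]
    active: Dict[str, Rule] = field(default_factory=dict)
    drafts: Dict[str, Rule] = field(default_factory=dict)
    pending: Dict[str, List[str]] = field(default_factory=dict)   # rule name -> violated constraints

    def submit(self, rule: Rule) -> str:
        """Compliant rules go live; non-compliant ones enter the approval workflow."""
        found = violations(rule, self.constraints)
        if found:
            self.drafts[rule.name] = rule
            self.pending[rule.name] = found
            return "pending_approval"
        self.active[rule.name] = rule
        return "active"

    def resolve(self, name: str, approve: bool) -> str:
        """Administrator decision on a pending rule."""
        rule = self.drafts.pop(name)
        self.pending.pop(name)
        if approve:
            self.active[name] = rule
            return "active"
        return "denied"


# Constructed constraint set for the demo.
CONSTRAINTS = [
    Constraint("no-dev-to-prod", consumers={"env": "dev"}, providers={"env": "prod"}),
    Constraint("no-ssh-from-web-tier", consumers={"role": "web"}, providers={}, service=("tcp", 22)),
]


def demo() -> Dict[str, object]:
    store = PolicyStore(CONSTRAINTS)
    results: Dict[str, object] = {
        "web-to-db": store.submit(Rule("web-to-db", {"role": "web", "env": "prod"},
                                       {"role": "db", "env": "prod"}, ("tcp", 5432))),
        # Consumers pinned to dev, providers not pinned to an env: could reach prod databases.
        "dev-to-any-db": store.submit(Rule("dev-to-any-db", {"env": "dev"}, {"role": "db"}, ("tcp", 5432))),
        "allow-all": store.submit(Rule("allow-all", {}, {})),
    }
    results["pending"] = dict(store.pending)
    results["after-deny"] = store.resolve("allow-all", approve=False)
    results["after-approve"] = store.resolve("dev-to-any-db", approve=True)
    results["active"] = sorted(store.active)
    return results


if __name__ == "__main__":
    print(demo())
```

The overlap test is deliberately conservative: it reports a rule as non-compliant whenever the rule and the constraint scope could both match some workload, which is what makes an unscoped provider side trip a scoped constraint. A looser check that compared selectors for equality would let `dev-to-any-db` through.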
-
Patent number: 11171991
Abstract: In a segmented network environment, a segmentation server assigns labels to workloads to enable the segmentation server to implement a segmentation policy based on label-based rules. A first set of labels associated with one or more label dimensions may be assigned in a secure manner by automatically assigning the labels based on a pairing profile. A second set of labels associated with different label dimensions may be assigned automatically based on workload attributes. An administrator can manage which label dimensions are assigned in a secure way based on the pairing profile and which labels are assigned in an adaptable way based on workload attributes, thereby enabling the administrator to flexibly manage the tradeoff between adaptability and security.
Type: Grant
Filed: February 28, 2019
Date of Patent: November 9, 2021
Assignee: Illumio, Inc.
Inventors: Mukesh Gupta, Juraj George Fandli
-
Patent number: 11095611
Abstract: A segmentation server generates and distributes management instructions for enforcing a segmentation policy. The segmentation server discovers a network configuration of workloads including an identification of workloads that are behind network address translation modules. The segmentation server generates management instructions for enforcing the rules in a manner dependent on the detected network configuration. Furthermore, the segmentation server monitors traffic flows and generates a traffic flow graph in a manner dependent on the detected network configuration.
Type: Grant
Filed: October 1, 2018
Date of Patent: August 17, 2021
Assignee: Illumio, Inc.
Inventor: Juraj George Fandli
-
Publication number: 20210243158
Abstract: A policy management server enables selective enforcement of a segmentation policy. The policy management server manages a segmentation policy that specifies a set of segmentation rules specifying permitted communications between workloads. The policy management server separately manages an enforcement policy that controls whether or not the segmentation policy is enforced for different services provided by the workloads. For services that are enforced, the policy management server distributes instructions to distributed enforcement modules that configure traffic filters to block traffic pertaining to enforced services that does not meet the segmentation rules. For non-enforced services, the policy management server obtains traffic data from the distributed enforcement modules without enforcing the segmentation policy to enable an administrator to build and/or test the segmentation policy.
Type: Application
Filed: January 30, 2020
Publication date: August 5, 2021
Inventors: Juraj George Fandli, Yair Harel, Ronald Isaacson, Russell Stuart Goodwin, Roy Nobuo Nakashima, Nathanael John Iversen
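Patent 11444920 and application 20210243158 above separate the segmentation policy (which flows are permitted) from an enforcement policy (for which services a non-permitted flow is actually dropped). The block below is an added illustration for this page and not Illumio's code; the flow record shape, the per-service enforcement set and the three outcomes `allowed`, `blocked` and `potentially_blocked` are assumptions. It shows how an enforcement module can report, for a service still in test mode, the flows that the draft policy would have blocked, and how the same rules produce a drop default for enforced services and a log-only default for the rest.

```python
"""Selective enforcement of a segmentation policy (added example, not Illumio's
code). The flow record format, the enforcement-policy shape and the decision
outcomes are assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Labels = Dict[str, str]
Service = Tuple[str, int]


@dataclass
class Rule:
    """Permits traffic from workloads matching `consumers` to workloads matching
    `providers` on `service`."""
    consumers: Labels
    providers: Labels
    service: Service


@dataclass
class Flow:
    """One observed connection, with the labels of both endpoints already resolved."""
    src: Labels
    dst: Labels
    service: Service


def selects(selector: Labels, labels: Labels) -> bool:
    """A selector matches a workload when every pinned dimension agrees."""
    return all(labels.get(d) == v for d, v in selector.items())


def permitted(flow: Flow, rules: List[Rule]) -> bool:
    return any(
        r.service == flow.service
        and selects(r.consumers, flow.src)
        and selects(r.providers, flow.dst)
        for r in rules
    )


def decide(flow: Flow, rules: List[Rule], enforced: Set[Service]) -> str:
    """The segmentation policy says whether the flow is permitted; the separate
    enforcement policy says whether a non-permitted flow is really dropped.
    Non-enforced services are still reported so the administrator can see what
    the draft policy would block before turning enforcement on."""
    if permitted(flow, rules):
        return "allowed"
    return "blocked" if flow.service in enforced else "potentially_blocked"


def filter_config(workload: Labels, rules: List[Rule], enforced: Set[Service]) -> Dict[Service, dict]:
    """Per-service traffic-filter configuration for one provider workload: the
    consumer selectors allowed in, plus the default action for everything else.
    Enforced services get a drop default even when no rule applies to this workload."""
    config: Dict[Service, dict] = {}
    for r in rules:
        if selects(r.providers, workload):
            config.setdefault(r.service, {"allow": [], "default": None})["allow"].append(r.consumers)
    for svc in enforced:
        config.setdefault(svc, {"allow": [], "default": None})
    for svc, entry in config.items():
        entry["default"] = "drop" if svc in enforced else "log"
    return config


def summarize(flows: List[Flow], rules: List[Rule], enforced: Set[Service]) -> Dict[str, int]:
    return dict(Counter(decide(f, rules, enforced) for f in flows))


# Constructed workloads, rules and sample flows for the demo.
WEB = {"role": "web", "env": "prod"}
APP_PROD = {"role": "app", "env": "prod"}
APP_DEV = {"role": "app", "env": "dev"}
DB = {"role": "db", "env": "prod"}
MON = {"role": "monitor", "env": "prod"}

RULES = [
    Rule({"role": "web", "env": "prod"}, {"role": "db", "env": "prod"}, ("tcp", 5432)),
    Rule({"role": "web"}, {"role": "app"}, ("tcp", 8080)),
]
ENFORCED: Set[Service] = {("tcp", 5432)}   # database traffic enforced; everything else in test mode

FLOWS = [
    Flow(WEB, DB, ("tcp", 5432)),        # permitted by rule -> allowed
    Flow(APP_DEV, DB, ("tcp", 5432)),    # not permitted, enforced service -> blocked
    Flow(MON, DB, ("tcp", 9100)),        # not permitted, not enforced -> reported only
    Flow(WEB, APP_PROD, ("tcp", 8080)),  # permitted -> allowed
]


def demo() -> Dict[str, object]:
    return {
        "summary": summarize(FLOWS, RULES, ENFORCED),
        "db_filter": filter_config(DB, RULES, ENFORCED),
        "app_filter": filter_config(APP_PROD, RULES, ENFORCED),
    }


if __name__ == "__main__":
    print(demo())
```

The `potentially_blocked` count is the number an administrator watches while building the policy: when it reaches zero for a service, switching that service to enforced will not break anything that is currently working.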
-
Publication number: 20210226865
Abstract: In a segmented network environment, a traffic flow graph provides visibility into the connections between workloads or groups of workloads under management of a segmentation policy. Squelching rules may be applied to hide traffic in the traffic flow graph that meets specified criteria. The squelching rules may be label-based rules that apply to groups of workloads, so that the configuration is updated automatically as workloads are added to or dropped from the network or as their configurations change. Additionally, squelching rules may be applied based on characteristics of the traffic data or based on the identity of the administrator viewing the traffic flow graph.
Type: Application
Filed: January 21, 2020
Publication date: July 22, 2021
Inventors: Mukesh Gupta, Joy Anne Scott, Juraj George Fandli, Joel E. Vanderkwaak, Ramnath Duggirala
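Patent 11425007 and application 20210226865 above describe squelching rules that hide traffic from the flow graph by label, by traffic characteristics, or depending on who is viewing it. The block below is an added illustration for this page, not Illumio's code; the flow record fields, the squelch-rule shape, the group dimensions used to aggregate edges and the viewer names are assumptions. It shows the three kinds of criteria acting on one constructed flow set, and why label-based matching matters: the monitor host `mon-9` is "new" and never appears in any rule, yet its traffic is squelched because its labels match.

```python
"""Label-based squelching of a traffic flow graph (added example, not Illumio's
code). Flow records, squelch-rule fields and the viewer model are assumptions
for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Labels = Dict[str, str]


@dataclass
class Flow:
    src_host: str
    src: Labels
    dst_host: str
    dst: Labels
    port: int
    bytes: int


@dataclass
class Squelch:
    """Hide traffic that matches every given criterion. Selectors are label-based,
    so a newly paired workload with matching labels is hidden without editing the rule."""
    name: str
    src: Labels = field(default_factory=dict)
    dst: Labels = field(default_factory=dict)
    ports: Optional[Set[int]] = None        # traffic characteristic
    max_bytes: Optional[int] = None         # traffic characteristic: hide chatter at or below this size
    viewers: Optional[Set[str]] = None      # None = applies to every administrator


def selects(selector: Labels, labels: Labels) -> bool:
    return all(labels.get(d) == v for d, v in selector.items())


def squelched(flow: Flow, rule: Squelch, viewer: str) -> bool:
    if rule.viewers is not None and viewer not in rule.viewers:
        return False
    if not (selects(rule.src, flow.src) and selects(rule.dst, flow.dst)):
        return False
    if rule.ports is not None and flow.port not in rule.ports:
        return False
    if rule.max_bytes is not None and flow.bytes > rule.max_bytes:
        return False
    return True


def group_key(labels: Labels, dims: Tuple[str, ...]) -> str:
    """Collapse a workload to the label group it belongs to, e.g. 'web/prod'."""
    return "/".join(labels.get(d, "*") for d in dims)


def flow_graph(flows: List[Flow], rules: List[Squelch], viewer: str,
               dims: Tuple[str, ...] = ("role", "env")) -> Dict[Tuple[str, str, int], int]:
    """Edges between label groups (bytes summed) after squelching for this viewer."""
    edges: Dict[Tuple[str, str, int], int] = defaultdict(int)
    for f in flows:
        if any(squelched(f, r, viewer) for r in rules):
            continue
        edges[(group_key(f.src, dims), group_key(f.dst, dims), f.port)] += f.bytes
    return dict(edges)


# Constructed flows standing in for reported traffic data.
WEB = {"role": "web", "env": "prod"}
DB = {"role": "db", "env": "prod"}
MON = {"role": "monitor", "env": "prod"}
PAY_APP = {"role": "app", "env": "prod", "app": "payments"}
PAY_DB = {"role": "db", "env": "prod", "app": "payments"}
DNS = {"role": "dns", "env": "prod"}

FLOWS = [
    Flow("web-1", WEB, "db-1", DB, 5432, 120_000),
    Flow("web-2", WEB, "db-1", DB, 5432, 80_000),
    Flow("mon-1", MON, "db-1", DB, 9100, 2_000),
    Flow("mon-1", MON, "web-1", WEB, 9100, 1_500),
    Flow("mon-9", MON, "web-2", WEB, 9100, 1_700),   # monitor added later; no rule names it
    Flow("pay-1", PAY_APP, "db-2", PAY_DB, 5432, 50_000),
    Flow("web-1", WEB, "dns-1", DNS, 53, 300),
]

RULES = [
    Squelch("hide-monitoring", src={"role": "monitor"}, ports={9100}),
    Squelch("hide-small-dns", dst={"role": "dns"}, max_bytes=1_000),
    # Payments traffic is hidden from the network-operations view only.
    Squelch("payments-need-to-know", dst={"app": "payments"}, viewers={"netops"}),
]


if __name__ == "__main__":
    for viewer in ("netops", "payments-lead"):
        print(viewer, flow_graph(FLOWS, RULES, viewer))
```

Squelching is a presentation filter over reported flows, not an enforcement decision: the hidden flows are still collected and still evaluated against the segmentation policy; they are just not drawn for that viewer.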
-
Publication number: 20210184950
Abstract: A traffic control and monitoring module includes a firewall operating in a container namespace that is configured to control and monitor traffic to and from a container in the container namespace. The traffic control and monitoring module reports detected traffic to a traffic flow reporting module operating in a host namespace of the host operating system. The traffic flow reporting module obtains traffic flows associated with a plurality of containers in different container namespaces and reports the traffic flows to a segmentation server. Based on the reported traffic flows, the segmentation server may update a segmentation policy to improve network security.
Type: Application
Filed: February 24, 2021
Publication date: June 17, 2021
Inventors: Thomas Michael McCormick, Juraj George Fandli
-
Patent number: 11012310
Abstract: A container orchestration server stores pairing keys in association with container profiles. A container orchestration agent executing on an operating system instance instantiates a new container according to a particular container profile in response to an instruction from the container orchestration server and stores the pairing key as metadata associated with the container. An enforcement module detects the instantiation of the container and obtains the corresponding pairing key from the container orchestration agent. The enforcement module transmits the pairing key to a segmentation server for validation. If the segmentation server validates the key, the segmentation server determines a label set corresponding to the container profile associated with the pairing key and generates management instructions for the container based on the label set.
Type: Grant
Filed: June 5, 2018
Date of Patent: May 18, 2021
Assignee: Illumio, Inc.
Inventors: Juraj George Fandli, Mukesh Gupta
-
Patent number: 10958545
Abstract: A traffic control and monitoring module includes a firewall operating in a container namespace that is configured to control and monitor traffic to and from a container in the container namespace. The traffic control and monitoring module reports detected traffic to a traffic flow reporting module operating in a host namespace of the host operating system. The traffic flow reporting module obtains traffic flows associated with a plurality of containers in different container namespaces and reports the traffic flows to a segmentation server. Based on the reported traffic flows, the segmentation server may update a segmentation policy to improve network security.
Type: Grant
Filed: August 27, 2018
Date of Patent: March 23, 2021
Assignee: Illumio, Inc.
Inventors: Thomas Michael McCormick, Juraj George Fandli
-
Patent number: 10805166
Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure the traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
Type: Grant
Filed: September 24, 2019
Date of Patent: October 13, 2020
Assignee: Illumio, Inc.
Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
-
Publication number: 20200280586
Abstract: In a segmented network environment, a segmentation server assigns labels to workloads to enable the segmentation server to implement a segmentation policy based on label-based rules. A first set of labels associated with one or more label dimensions may be assigned in a secure manner by automatically assigning the labels based on a pairing profile. A second set of labels associated with different label dimensions may be assigned automatically based on workload attributes. An administrator can manage which label dimensions are assigned in a secure way based on the pairing profile and which labels are assigned in an adaptable way based on workload attributes, thereby enabling the administrator to flexibly manage the tradeoff between adaptability and security.
Type: Application
Filed: February 28, 2019
Publication date: September 3, 2020
Inventors: Mukesh Gupta, Juraj George Fandli
-
Publication number: 20200106741
Abstract: A segmentation server generates and distributes management instructions for enforcing a segmentation policy. The segmentation server discovers a network configuration of workloads including an identification of workloads that are behind network address translation modules. The segmentation server generates management instructions for enforcing the rules in a manner dependent on the detected network configuration. Furthermore, the segmentation server monitors traffic flows and generates a traffic flow graph in a manner dependent on the detected network configuration.
Type: Application
Filed: October 1, 2018
Publication date: April 2, 2020
Inventor: Juraj George Fandli
-
Publication number: 20200067801
Abstract: A traffic control and monitoring module includes a firewall operating in a container namespace that is configured to control and monitor traffic to and from a container in the container namespace. The traffic control and monitoring module reports detected traffic to a traffic flow reporting module operating in a host namespace of the host operating system. The traffic flow reporting module obtains traffic flows associated with a plurality of containers in different container namespaces and reports the traffic flows to a segmentation server. Based on the reported traffic flows, the segmentation server may update a segmentation policy to improve network security.
Type: Application
Filed: August 27, 2018
Publication date: February 27, 2020
Inventors: Thomas Michael McCormick, Juraj George Fandli
-
Publication number: 20200021491
Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure the traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
Type: Application
Filed: September 24, 2019
Publication date: January 16, 2020
Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
-
Publication number: 20190372848
Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure the traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
Type: Application
Filed: May 31, 2018
Publication date: December 5, 2019
Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
-
Publication number: 20190372850
Abstract: A container orchestration server stores pairing keys in association with container profiles. A container orchestration agent executing on an operating system instance instantiates a new container according to a particular container profile in response to an instruction from the container orchestration server and stores the pairing key as metadata associated with the container. An enforcement module detects the instantiation of the container and obtains the corresponding pairing key from the container orchestration agent. The enforcement module transmits the pairing key to a segmentation server for validation. If the segmentation server validates the key, the segmentation server determines a label set corresponding to the container profile associated with the pairing key and generates management instructions for the container based on the label set.
Type: Application
Filed: June 5, 2018
Publication date: December 5, 2019
Inventors: Juraj George Fandli, Mukesh Gupta
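Two pairs of entries above fit together: the pairing-key entries (patent 11012310 and application 20190372850), where the segmentation server validates a key and derives a label set from the associated profile, and the label-assignment entries (patent 11171991 and application 20200280586), where some label dimensions are fixed securely by the pairing profile and others are filled adaptively from workload attributes. The block below is an added illustration for this page and not Illumio's code; the profile fields, the storage of key digests rather than keys, the attribute format and the reported "rejected dimensions" are assumptions. The failure mode it handles is a container whose reported attributes claim `env=dev` while its pairing profile fixes `env=prod`: the fixed dimension wins and the attempt is reported rather than silently honoured.

```python
"""Pairing-key validation and split label assignment for containers (added
example, not Illumio's code). Profile fields, key storage and the attribute
mapping are assumptions for illustration."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Labels = Dict[str, str]


@dataclass
class PairingProfile:
    """Dimensions in `fixed_labels` are the secure ones, set by the profile alone;
    `adaptive_dims` may be filled from attributes the agent reports for the container."""
    name: str
    fixed_labels: Labels
    adaptive_dims: Set[str]


def fingerprint(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


@dataclass
class SegmentationServer:
    profiles: Dict[str, PairingProfile]
    key_index: Dict[str, str] = field(default_factory=dict)   # sha256(key) -> profile name

    def issue_key(self, profile: str) -> str:
        """Create a pairing key for the orchestration server to store with a container
        profile. The segmentation server keeps only the digest."""
        key = secrets.token_urlsafe(32)
        self.key_index[fingerprint(key)] = profile
        return key

    def validate(self, key: str) -> Optional[PairingProfile]:
        """Constant-time comparison of digests; None if the key is unknown."""
        digest = fingerprint(key)
        for stored, profile in self.key_index.items():
            if secrets.compare_digest(stored, digest):
                return self.profiles[profile]
        return None

    def assign_labels(self, key: str, attributes: Labels) -> Tuple[Optional[Labels], Set[str]]:
        """Returns (label set, rejected dimensions). Attributes may only fill the
        profile's adaptive dimensions; a reported value for a fixed dimension is
        ignored and the dimension name returned so it can be logged."""
        profile = self.validate(key)
        if profile is None:
            return None, set()
        labels = dict(profile.fixed_labels)
        rejected: Set[str] = set()
        for dim, value in attributes.items():
            if dim in profile.adaptive_dims:
                labels[dim] = value
            else:
                rejected.add(dim)
        return labels, rejected


def demo() -> Dict[str, object]:
    server = SegmentationServer({
        "prod-db": PairingProfile("prod-db", {"role": "db", "env": "prod"}, {"app", "loc"}),
    })
    key = server.issue_key("prod-db")      # handed to the container orchestration server
    # Constructed attributes the enforcement module reads back from the orchestration agent.
    attrs = {"app": "shop", "loc": "us-west", "env": "dev"}
    labels, rejected = server.assign_labels(key, attrs)
    bad_labels, _ = server.assign_labels("not-a-real-key", attrs)
    return {"labels": labels, "rejected": rejected, "invalid": bad_labels}


if __name__ == "__main__":
    print(demo())
```

Which dimensions go into `fixed_labels` and which into `adaptive_dims` is the adaptability-versus-security knob the label-assignment entries describe: the more dimensions a profile fixes, the less a compromised or misconfigured orchestration layer can influence which rules apply to the container.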
-
Patent number: 10476745
Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure the traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
Type: Grant
Filed: May 31, 2018
Date of Patent: November 12, 2019
Assignee: Illumio, Inc.
Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli