Patents by Inventor Paul James Kirner

Paul James Kirner has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11909766
    Abstract: A policy management server manages a segmentation policy and automatically configures an enclave protection device consistently with the segmentation policy so that the segmentation policy can be enforced with respect to workloads within a secure enclave protected by the enclave protection device. The policy management server identifies protected workloads that are members of a secure enclave and external workloads that are external to the secure enclave. The policy management server identifies cross-boundary rules of the segmentation policy affecting traffic between the protected workloads and external workloads. The policy management server generates and distributes a configuration of the enclave protection device to enable enforcement of the cross-boundary rules pertaining to traffic passing through the enclave protection device.
    Type: Grant
    Filed: January 28, 2020
    Date of Patent: February 20, 2024
    Assignee: Illumio, Inc.
    Inventors: George Jeffrey Francis, Matthew Kirby Glenn, Jalandip Lepcha, Paul James Kirner
  • Publication number: 20230308488
    Abstract: A segmentation server updates enforcement of a segmentation policy based on detection of core services. The segmentation server obtains characteristics of workloads and identifies workloads that provide core services using port matching, supervised learning based classification, semi-supervised learning based classification, or a combination thereof. The segmentation server applies labels to workloads identified as core service providers indicative of the detection. Rules of the segmentation policy are distributed to enforcement modules based on the label sets of associated workloads to enable the enforcement modules to enforce the segmentation policy. Detection of core services reduces the likelihood of an administrator inadvertently enforcing a policy that blocks essential core services.
    Type: Application
    Filed: May 31, 2023
    Publication date: September 28, 2023
    Inventors: Paul James Kirner, Pallavi Tyagi
  • Patent number: 11706258
    Abstract: A segmentation server updates enforcement of a segmentation policy based on detection of core services. The segmentation server obtains characteristics of workloads and identifies workloads that provide core services using port matching, supervised learning based classification, semi-supervised learning based classification, or a combination thereof. The segmentation server applies labels to workloads identified as core service providers indicative of the detection. Rules of the segmentation policy are distributed to enforcement modules based on the label sets of associated workloads to enable the enforcement modules to enforce the segmentation policy. Detection of core services reduces the likelihood of an administrator inadvertently enforcing a policy that blocks essential core services.
    Type: Grant
    Filed: September 8, 2020
    Date of Patent: July 18, 2023
    Assignee: Illumio, Inc.
    Inventors: Paul James Kirner, Pallavi Tyagi
  • Patent number: 11665191
    Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.
    Type: Grant
    Filed: June 21, 2021
    Date of Patent: May 30, 2023
    Assignee: Illumio, Inc.
    Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
  • Patent number: 11665192
    Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.
    Type: Grant
    Filed: June 21, 2021
    Date of Patent: May 30, 2023
    Assignee: Illumio, Inc.
    Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
  • Patent number: 11356483
    Abstract: A policy management server manages a segmentation policy for segmenting a network and a deception policy for implementing deception services. The policy management server distributes segmentation rules and deception rules to distributed enforcement modules that configure respective traffic filters to enforce the policies. The deception rule may be enforced directly by the traffic filter acting as a deception service, or the traffic filter may act as a proxy to an external deception service. The deception service can behave similarly to a real service to obtain information about the malicious actor that is reported to the policy management server to enable the policy management server to take a remedial action. Furthermore, the policy management server may automatically generate the deception policy based on the segmentation policy such that connection requests that are not allowed by the segmentation policy are automatically sent to a deception service.
    Type: Grant
    Filed: November 13, 2019
    Date of Patent: June 7, 2022
    Assignee: Illumio, Inc.
    Inventors: Rupesh Kumar Mishra, Paul James Kirner, Rushabh Sanghvi
  • Patent number: 11303605
    Abstract: An enforcement module receives a DNS-based rule of a segmentation policy that controls access of a managed workload to workloads in a DNS domain in which the IP addresses of the workloads associated with a domain name are resolved by a DNS server. When the managed workload makes a connection request to the workload associated with the domain name, the enforcement module snoops on a DNS response from the DNS server to learn the IP address of the workload associated with the domain name. If a domain name of the DNS domain is in a whitelist of domain names permitted by the DNS-based rule, the enforcement module adds the learned IP address to a whitelist of IP addresses and configures a firewall associated with the managed workload to permit connections to the IP addresses in the whitelist.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: April 12, 2022
    Assignee: Illumio, Inc.
    Inventors: Jaehong Park, Mukesh Gupta, Paul James Kirner, Anish Vinodkumar Desai, Daniel Richard Cook
  • Publication number: 20210314346
    Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.
    Type: Application
    Filed: June 21, 2021
    Publication date: October 7, 2021
    Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
  • Publication number: 20210314345
    Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.
    Type: Application
    Filed: June 21, 2021
    Publication date: October 7, 2021
    Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
  • Publication number: 20210234900
    Abstract: A policy management server manages a segmentation policy and automatically configures an enclave protection device consistently with the segmentation policy so that the segmentation policy can be enforced with respect to workloads within a secure enclave protected by the enclave protection device. The policy management server identifies protected workloads that are members of a secure enclave and external workloads that are external to the secure enclave. The policy management server identifies cross-boundary rules of the segmentation policy affecting traffic between the protected workloads and external workloads. The policy management server generates and distributes a configuration of the enclave protection device to enable enforcement of the cross-boundary rules pertaining to traffic passing through the enclave protection device.
    Type: Application
    Filed: January 28, 2020
    Publication date: July 29, 2021
    Inventors: George Jeffrey Francis, Matthew Kirby Glenn, Jalandip Lepcha, Paul James Kirner
  • Patent number: 11075937
    Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.
    Type: Grant
    Filed: February 22, 2018
    Date of Patent: July 27, 2021
    Assignee: Illumio, Inc.
    Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
  • Patent number: 11075936
    Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.
    Type: Grant
    Filed: February 22, 2018
    Date of Patent: July 27, 2021
    Assignee: Illumio, Inc.
    Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
  • Publication number: 20210144181
    Abstract: A policy management server manages a segmentation policy for segmenting a network and a deception policy for implementing deception services. The policy management server distributes segmentation rules and deception rules to distributed enforcement modules that configure respective traffic filters to enforce the policies. The deception rule may be enforced directly by the traffic filter acting as a deception service, or the traffic filter may act as a proxy to an external deception service. The deception service can behave similarly to a real service to obtain information about the malicious actor that is reported to the policy management server to enable the policy management server to take a remedial action. Furthermore, the policy management server may automatically generate the deception policy based on the segmentation policy such that connection requests that are not allowed by the segmentation policy are automatically sent to a deception service.
    Type: Application
    Filed: November 13, 2019
    Publication date: May 13, 2021
    Inventors: Rupesh Kumar Mishra, Paul James Kirner, Rushabh Sanghvi
  • Patent number: 10965648
    Abstract: An enforcement module operating on a server or on a network midpoint device obtains a management instruction controlling communications of a target workload. The enforcement module configures a firewall of a network midpoint device upstream from the target workload to enforce the management instruction. The configuration mechanism may be dependent on the particular capabilities and characteristics of the network midpoint device.
    Type: Grant
    Filed: August 28, 2018
    Date of Patent: March 30, 2021
    Assignee: Illumio, Inc.
    Inventors: Rupesh Kumar Mishra, Paul James Kirner
  • Publication number: 20210084074
    Abstract: A segmentation server updates enforcement of a segmentation policy based on detection of core services. The segmentation server obtains characteristics of workloads and identifies workloads that provide core services using port matching, supervised learning based classification, semi-supervised learning based classification, or a combination thereof. The segmentation server applies labels to workloads identified as core service providers indicative of the detection. Rules of the segmentation policy are distributed to enforcement modules based on the label sets of associated workloads to enable the enforcement modules to enforce the segmentation policy. Detection of core services reduces the likelihood of an administrator inadvertently enforcing a policy that blocks essential core services.
    Type: Application
    Filed: September 8, 2020
    Publication date: March 18, 2021
    Inventors: Paul James Kirner, Pallavi Tyagi
  • Patent number: 10805166
    Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure the traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
    Type: Grant
    Filed: September 24, 2019
    Date of Patent: October 13, 2020
    Assignee: Illumio, Inc.
    Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
  • Patent number: 10785115
    Abstract: A segmentation server configures enforcement of a segmentation policy by allocating enforcement of management instructions between network devices and hosts. The segmentation policy comprises rules that control communications between workloads. For a particular workload, the segmentation server generates management instructions for controlling communications to and from the particular workload in accordance with the rules. The segmentation server determines an allocation of management instructions between enforcement on a host on which the particular workload executes and enforcement on a network device upstream from the workload. The segmentation server sends configuration information to at least one of the host and the network device in accordance with the allocation to enable enforcement of the management instructions.
    Type: Grant
    Filed: October 26, 2018
    Date of Patent: September 22, 2020
    Assignee: Illumio, Inc.
    Inventors: Rupesh Kumar Mishra, Paul James Kirner, Matthew Kirby Glenn
  • Publication number: 20200228486
    Abstract: An enforcement module receives a DNS-based rule of a segmentation policy that controls access of a managed workload to workloads in a DNS domain in which the IP addresses of the workloads associated with a domain name are resolved by a DNS server. When the managed workload makes a connection request to the workload associated with the domain name, the enforcement module snoops on a DNS response from the DNS server to learn the IP address of the workload associated with the domain name. If a domain name of the DNS domain is in a whitelist of domain names permitted by the DNS-based rule, the enforcement module adds the learned IP address to a whitelist of IP addresses and configures a firewall associated with the managed workload to permit connections to the IP addresses in the whitelist.
    Type: Application
    Filed: January 15, 2019
    Publication date: July 16, 2020
    Inventors: Jaehong Park, Mukesh Gupta, Paul James Kirner, Anish Vinodkumar Desai, Daniel Richard Cook
  • Publication number: 20200136910
    Abstract: A segmentation server configures enforcement of a segmentation policy by allocating enforcement of management instructions between network devices and hosts. The segmentation policy comprises rules that control communications between workloads. For a particular workload, the segmentation server generates management instructions for controlling communications to and from the particular workload in accordance with the rules. The segmentation server determines an allocation of management instructions between enforcement on a host on which the particular workload executes and enforcement on a network device upstream from the workload. The segmentation server sends configuration information to at least one of the host and the network device in accordance with the allocation to enable enforcement of the management instructions.
    Type: Application
    Filed: October 26, 2018
    Publication date: April 30, 2020
    Inventors: Rupesh Kumar Mishra, Paul James Kirner, Matthew Kirby Glenn
  • Publication number: 20200076769
    Abstract: An enforcement module operating on a server or on a network midpoint device obtains a management instruction controlling communications of a target workload. The enforcement module configures a firewall of a network midpoint device upstream from the target workload to enforce the management instruction. The configuration mechanism may be dependent on the particular capabilities and characteristics of the network midpoint device.
    Type: Application
    Filed: August 28, 2018
    Publication date: March 5, 2020
    Inventors: Rupesh Kumar Mishra, Paul James Kirner