Patents by Inventor Paul James Kirner
Paul James Kirner has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11909766Abstract: A policy management server manages a segmentation policy and automatically configures an enclave protection device consistently with the segmentation policy so that that the segmentation policy can be enforced with respect to workloads within a secure enclave protected by the enclave protection device. The policy management server identifies protected workloads that are members of a secure enclave and external workloads that are external to the secure enclave. The policy management server identifies cross-boundary rules of the segmentation policy affecting traffic between the protected workloads and external workloads. The policy management server generates and distributes a configuration of the enclave protection device to enable enforcement of the cross-boundary rules pertaining to traffic passing through the enclave protection device.Type: GrantFiled: January 28, 2020Date of Patent: February 20, 2024Assignee: Illumio, Inc.Inventors: George Jeffrey Francis, Matthew Kirby Glenn, Jalandip Lepcha, Paul James Kirner
-
Publication number: 20230308488Abstract: A segmentation server updates enforcement of a segmentation policy based on detection of core services. The segmentation server obtains characteristics of workloads and identifies workloads that provide core services using port matching, supervised learning based classification, semi supervised learning based classification, or a combination thereof. The segmentations server applies labels to workloads identified as core service providers indicative of the detection. Rules of the segmentation are distributed to enforcement modules based on the label sets of associated workloads to enable the enforcement modules to enforce the segmentation policy. Detection of core services reduces the likelihood of administrator inadvertently enforcing a policy that blocks essential core services.Type: ApplicationFiled: May 31, 2023Publication date: September 28, 2023Inventors: Paul James Kirner, Pallavi Tyagi
-
Patent number: 11706258Abstract: A segmentation server updates enforcement of a segmentation policy based on detection of core services. The segmentation server obtains characteristics of workloads and identifies workloads that provide core services using port matching, supervised learning based classification, semi supervised learning based classification, or a combination thereof. The segmentations server applies labels to workloads identified as core service providers indicative of the detection. Rules of the segmentation are distributed to enforcement modules based on the label sets of associated workloads to enable the enforcement modules to enforce the segmentation policy. Detection of core services reduces the likelihood of administrator inadvertently enforcing a policy that blocks essential core services.Type: GrantFiled: September 8, 2020Date of Patent: July 18, 2023Assignee: Illumio, Inc.Inventors: Paul James Kirner, Pallavi Tyagi
-
Patent number: 11665191Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.Type: GrantFiled: June 21, 2021Date of Patent: May 30, 2023Assignee: Illumio, Inc.Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
-
Patent number: 11665192Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.Type: GrantFiled: June 21, 2021Date of Patent: May 30, 2023Assignee: Illumio, Inc.Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
-
Patent number: 11356483Abstract: A policy management server manages a segmentation policy for segmenting a network and a deception policy for implementing deception services. The policy management server distributes segmentation rules and deception rules to distributed enforcement modules that configure respective traffic filters to enforce the policies. The deception rule may be enforced directly by the traffic filter acting as a deception service, or the traffic filter may act as a proxy to an external deception service. The deception service can behave similarly to a real service to obtain information about the malicious actor that is reported to the policy management server to enable the policy management server to take a remedial action. Furthermore, the policy management server may automatically generate the deception policy based on the segmentation policy such that connection requests that are not allowed by the segmentation policy are automatically sent to a deception service.Type: GrantFiled: November 13, 2019Date of Patent: June 7, 2022Assignee: Illumio, Inc.Inventors: Rupesh Kumar Mishra, Paul James Kirner, Rushabh Sanghvi
-
Patent number: 11303605Abstract: An enforcement module receives a DNS-based rule of a segmentation policy that controls access of a managed workload to workloads in a DNS domain in which the IP addresses of the workloads associated with a domain name are resolved by a DNS server. When the managed workload makes a connection request to the workload associated with the domain name, the enforcement module snoops on a DNS response from the DNS server to learn the IP address of the workload associated with the domain name. If a domain name of the DNS domain is in a whitelist of domain names permitted by the DNS-based rule, the enforcement module adds the learned IP address to a whitelist of IP addresses and configures a firewall associated with the managed workload to permit connections to the IP addresses in the whitelist.Type: GrantFiled: January 15, 2019Date of Patent: April 12, 2022Assignee: Illumio, Inc.Inventors: Jaehong Park, Mukesh Gupta, Paul James Kirner, Anish Vinodkumar Desai, Daniel Richard Cook
-
Publication number: 20210314346Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.Type: ApplicationFiled: June 21, 2021Publication date: October 7, 2021Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
-
Publication number: 20210314345Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.Type: ApplicationFiled: June 21, 2021Publication date: October 7, 2021Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
-
Publication number: 20210234900Abstract: A policy management server manages a segmentation policy and automatically configures an enclave protection device consistently with the segmentation policy so that that the segmentation policy can be enforced with respect to workloads within a secure enclave protected by the enclave protection device. The policy management server identifies protected workloads that are members of a secure enclave and external workloads that are external to the secure enclave. The policy management server identifies cross-boundary rules of the segmentation policy affecting traffic between the protected workloads and external workloads. The policy management server generates and distributes a configuration of the enclave protection device to enable enforcement of the cross-boundary rules pertaining to traffic passing through the enclave protection device.Type: ApplicationFiled: January 28, 2020Publication date: July 29, 2021Inventors: George Jeffrey Francis, Matthew Kirby Glenn, Jalandip Lepcha, Paul James Kirner
-
Patent number: 11075937Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.Type: GrantFiled: February 22, 2018Date of Patent: July 27, 2021Assignee: Illumio, Inc.Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
-
Patent number: 11075936Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.Type: GrantFiled: February 22, 2018Date of Patent: July 27, 2021Assignee: Illumio, Inc.Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
-
Publication number: 20210144181Abstract: A policy management server manages a segmentation policy for segmenting a network and a deception policy for implementing deception services. The policy management server distributes segmentation rules and deception rules to distributed enforcement modules that configure respective traffic filters to enforce the policies. The deception rule may be enforced directly by the traffic filter acting as a deception service, or the traffic filter may act as a proxy to an external deception service. The deception service can behave similarly to a real service to obtain information about the malicious actor that is reported to the policy management server to enable the policy management server to take a remedial action. Furthermore, the policy management server may automatically generate the deception policy based on the segmentation policy such that connection requests that are not allowed by the segmentation policy are automatically sent to a deception service.Type: ApplicationFiled: November 13, 2019Publication date: May 13, 2021Inventors: Rupesh Kumar Mishra, Paul James Kirner, Rushabh Sanghvi
-
Patent number: 10965648Abstract: An enforcement module operating on a server or on a network midpoint device obtains a management instruction controlling communications of a target workload. The enforcement module configures a firewall of a network midpoint device upstream from the target workload to enforce the management instruction. The configuration mechanism may be dependent on the particular capabilities and characteristics of the network midpoint device.Type: GrantFiled: August 28, 2018Date of Patent: March 30, 2021Assignee: Illumio, Inc.Inventors: Rupesh Kumar Mishra, Paul James Kirner
-
Publication number: 20210084074Abstract: A segmentation server updates enforcement of a segmentation policy based on detection of core services. The segmentation server obtains characteristics of workloads and identifies workloads that provide core services using port matching, supervised learning based classification, semi supervised learning based classification, or a combination thereof. The segmentations server applies labels to workloads identified as core service providers indicative of the detection. Rules of the segmentation are distributed to enforcement modules based on the label sets of associated workloads to enable the enforcement modules to enforce the segmentation policy. Detection of core services reduces the likelihood of administrator inadvertently enforcing a policy that blocks essential core services.Type: ApplicationFiled: September 8, 2020Publication date: March 18, 2021Inventors: Paul James Kirner, Pallavi Tyagi
-
Patent number: 10805166Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.Type: GrantFiled: September 24, 2019Date of Patent: October 13, 2020Assignee: Illumio, Inc.Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
-
Patent number: 10785115Abstract: A segmentation server configures enforcement of a segmentation policy by allocating enforcement of management instructions between network devices and hosts. The segmentation policy comprises rules that control communications between workloads. For a particular workload, the segmentation server generates management instructions for controlling communications to and from the particular workload in accordance with the rules. The segmentation server determines an allocation of management instructions between enforcement on a host on which the particular workload executes and enforcement on a network device upstream from the workload. The segmentation server sends configuration information to at least one of the host and the network device in accordance with the allocation to enable enforcement of the management instructions.Type: GrantFiled: October 26, 2018Date of Patent: September 22, 2020Assignee: Illumio, Inc.Inventors: Rupesh Kumar Mishra, Paul James Kirner, Matthew Kirby Glenn
-
Publication number: 20200228486Abstract: An enforcement module receives a DNS-based rule of a segmentation policy that controls access of a managed workload to workloads in a DNS domain in which the IP addresses of the workloads associated with a domain name are resolved by a DNS server. When the managed workload makes a connection request to the workload associated with the domain name, the enforcement module snoops on a DNS response from the DNS server to learn the IP address of the workload associated with the domain name. If a domain name of the DNS domain is in a whitelist of domain names permitted by the DNS-based rule, the enforcement module adds the learned IP address to a whitelist of IP addresses and configures a firewall associated with the managed workload to permit connections to the IP addresses in the whitelist.Type: ApplicationFiled: January 15, 2019Publication date: July 16, 2020Inventors: Jaehong Park, Mukesh Gupta, Paul James Kirner, Anish Vinodkumar Desai, Daniel Richard Cook
-
Publication number: 20200136910Abstract: A segmentation server configures enforcement of a segmentation policy by allocating enforcement of management instructions between network devices and hosts. The segmentation policy comprises rules that control communications between workloads. For a particular workload, the segmentation server generates management instructions for controlling communications to and from the particular workload in accordance with the rules. The segmentation server determines an allocation of management instructions between enforcement on a host on which the particular workload executes and enforcement on a network device upstream from the workload. The segmentation server sends configuration information to at least one of the host and the network device in accordance with the allocation to enable enforcement of the management instructions.Type: ApplicationFiled: October 26, 2018Publication date: April 30, 2020Inventors: Rupesh Kumar Mishra, Paul James Kirner, Matthew Kirby Glenn
-
Publication number: 20200076769Abstract: An enforcement module operating on a server or on a network midpoint device obtains a management instruction controlling communications of a target workload. The enforcement module configures a firewall of a network midpoint device upstream from the target workload to enforce the management instruction. The configuration mechanism may be dependent on the particular capabilities and characteristics of the network midpoint device.Type: ApplicationFiled: August 28, 2018Publication date: March 5, 2020Inventors: Rupesh Kumar Mishra, Paul James Kirner