Abstract: A segmentation system includes a cluster of segmentation servers that interoperate to obtain and manage a segmentation policy for controlling communications between workloads in an administrative domain. The cluster of segmentation servers includes a leader segmentation server and at least one member segmentation server. The leader segmentation server controls policy generation and distributes the segmentation policy to the member segmentation servers. The segmentation servers are each optionally paired with a respective set of workloads. The segmentation servers each distribute descriptions of their respective paired workloads to the other segmentation servers. Each segmentation server processes the segmentation policy to generate management instructions for controlling communications to and from their respective paired workloads and distributes the management instructions to the operating system instances executing the workloads to enforce the segmentation policy.

Abstract: A segmentation server updates enforcement of a segmentation policy based on detection of core services. The segmentation server obtains characteristics of workloads and identifies workloads that provide core services using port matching, supervised learning based classification, semi supervised learning based classification, or a combination thereof. The segmentations server applies labels to workloads identified as core service providers indicative of the detection. Rules of the segmentation are distributed to enforcement modules based on the label sets of associated workloads to enable the enforcement modules to enforce the segmentation policy. Detection of core services reduces the likelihood of administrator inadvertently enforcing a policy that blocks essential core services.

Abstract: A computer-implemented method, system, and non-transitory computer-readable medium provide for detection and accounting for scanners in a network. A statistical approach is used to identify scanners in a network. The network traffic generated by identified scanners can be filtered out to give a cleaner, more detailed perspective of traffic flows between applications in the network.

Abstract: A policy management server manages a segmentation policy and automatically configures an enclave protection device consistently with the segmentation policy so that that the segmentation policy can be enforced with respect to workloads within a secure enclave protected by the enclave protection device. The policy management server identifies protected workloads that are members of a secure enclave and external workloads that are external to the secure enclave. The policy management server identifies cross-boundary rules of the segmentation policy affecting traffic between the protected workloads and external workloads. The policy management server generates and distributes a configuration of the enclave protection device to enable enforcement of the cross-boundary rules pertaining to traffic passing through the enclave protection device.

Abstract: A policy management server manages a segmentation policy and automatically configures an enclave protection device consistently with the segmentation policy so that that the segmentation policy can be enforced with respect to workloads within a secure enclave protected by the enclave protection device. The policy management server identifies protected workloads that are members of a secure enclave and external workloads that are external to the secure enclave. The policy management server identifies cross-boundary rules of the segmentation policy affecting traffic between the protected workloads and external workloads. The policy management server generates and distributes a configuration of the enclave protection device to enable enforcement of the cross-boundary rules pertaining to traffic passing through the enclave protection device.

Abstract: A segmentation server updates enforcement of a segmentation policy based on detection of core services. The segmentation server obtains characteristics of workloads and identifies workloads that provide core services using port matching, supervised learning based classification, semi supervised learning based classification, or a combination thereof. The segmentations server applies labels to workloads identified as core service providers indicative of the detection. Rules of the segmentation are distributed to enforcement modules based on the label sets of associated workloads to enable the enforcement modules to enforce the segmentation policy. Detection of core services reduces the likelihood of administrator inadvertently enforcing a policy that blocks essential core services.

Abstract: A segmentation server updates enforcement of a segmentation policy based on detection of core services. The segmentation server obtains characteristics of workloads and identifies workloads that provide core services using port matching, supervised learning based classification, semi supervised learning based classification, or a combination thereof. The segmentations server applies labels to workloads identified as core service providers indicative of the detection. Rules of the segmentation are distributed to enforcement modules based on the label sets of associated workloads to enable the enforcement modules to enforce the segmentation policy. Detection of core services reduces the likelihood of administrator inadvertently enforcing a policy that blocks essential core services.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: A policy management server manages a segmentation policy for segmenting a network and a deception policy for implementing deception services. The policy management server distributes segmentation rules and deception rules to distributed enforcement modules that configure respective traffic filters to enforce the policies. The deception rule may be enforced directly by the traffic filter acting as a deception service, or the traffic filter may act as a proxy to an external deception service. The deception service can behave similarly to a real service to obtain information about the malicious actor that is reported to the policy management server to enable the policy management server to take a remedial action. Furthermore, the policy management server may automatically generate the deception policy based on the segmentation policy such that connection requests that are not allowed by the segmentation policy are automatically sent to a deception service.

Abstract: An enforcement module receives a DNS-based rule of a segmentation policy that controls access of a managed workload to workloads in a DNS domain in which the IP addresses of the workloads associated with a domain name are resolved by a DNS server. When the managed workload makes a connection request to the workload associated with the domain name, the enforcement module snoops on a DNS response from the DNS server to learn the IP address of the workload associated with the domain name. If a domain name of the DNS domain is in a whitelist of domain names permitted by the DNS-based rule, the enforcement module adds the learned IP address to a whitelist of IP addresses and configures a firewall associated with the managed workload to permit connections to the IP addresses in the whitelist.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: A policy management server manages a segmentation policy and automatically configures an enclave protection device consistently with the segmentation policy so that that the segmentation policy can be enforced with respect to workloads within a secure enclave protected by the enclave protection device. The policy management server identifies protected workloads that are members of a secure enclave and external workloads that are external to the secure enclave. The policy management server identifies cross-boundary rules of the segmentation policy affecting traffic between the protected workloads and external workloads. The policy management server generates and distributes a configuration of the enclave protection device to enable enforcement of the cross-boundary rules pertaining to traffic passing through the enclave protection device.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: A policy management server manages a segmentation policy for segmenting a network and a deception policy for implementing deception services. The policy management server distributes segmentation rules and deception rules to distributed enforcement modules that configure respective traffic filters to enforce the policies. The deception rule may be enforced directly by the traffic filter acting as a deception service, or the traffic filter may act as a proxy to an external deception service. The deception service can behave similarly to a real service to obtain information about the malicious actor that is reported to the policy management server to enable the policy management server to take a remedial action. Furthermore, the policy management server may automatically generate the deception policy based on the segmentation policy such that connection requests that are not allowed by the segmentation policy are automatically sent to a deception service.

Abstract: An enforcement module operating on a server or on a network midpoint device obtains a management instruction controlling communications of a target workload. The enforcement module configures a firewall of a network midpoint device upstream from the target workload to enforce the management instruction. The configuration mechanism may be dependent on the particular capabilities and characteristics of the network midpoint device.

Abstract: A segmentation server updates enforcement of a segmentation policy based on detection of core services. The segmentation server obtains characteristics of workloads and identifies workloads that provide core services using port matching, supervised learning based classification, semi supervised learning based classification, or a combination thereof. The segmentations server applies labels to workloads identified as core service providers indicative of the detection. Rules of the segmentation are distributed to enforcement modules based on the label sets of associated workloads to enable the enforcement modules to enforce the segmentation policy. Detection of core services reduces the likelihood of administrator inadvertently enforcing a policy that blocks essential core services.

Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.