Patents by Inventor Paul James Kirner
Paul James Kirner has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20200136910
  Abstract: A segmentation server configures enforcement of a segmentation policy by allocating enforcement of management instructions between network devices and hosts. The segmentation policy comprises rules that control communications between workloads. For a particular workload, the segmentation server generates management instructions for controlling communications to and from the particular workload in accordance with the rules. The segmentation server determines an allocation of management instructions between enforcement on a host on which the particular workload executes and enforcement on a network device upstream from the workload. The segmentation server sends configuration information to at least one of the host and the network device in accordance with the allocation to enable enforcement of the management instructions.
  Type: Application
  Filed: October 26, 2018
  Publication date: April 30, 2020
  Inventors: Rupesh Kumar Mishra, Paul James Kirner, Matthew Kirby Glenn
- Publication number: 20200076769
  Abstract: An enforcement module operating on a server or on a network midpoint device obtains a management instruction controlling communications of a target workload. The enforcement module configures a firewall of a network midpoint device upstream from the target workload to enforce the management instruction. The configuration mechanism may be dependent on the particular capabilities and characteristics of the network midpoint device.
  Type: Application
  Filed: August 28, 2018
  Publication date: March 5, 2020
  Inventors: Rupesh Kumar Mishra, Paul James Kirner
- Publication number: 20200021491
  Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
  Type: Application
  Filed: September 24, 2019
  Publication date: January 16, 2020
  Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
- Publication number: 20190372848
  Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
  Type: Application
  Filed: May 31, 2018
  Publication date: December 5, 2019
  Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
- Patent number: 10476745
  Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
  Type: Grant
  Filed: May 31, 2018
  Date of Patent: November 12, 2019
  Assignee: Illumio, Inc.
  Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
- Publication number: 20190258804
  Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.
  Type: Application
  Filed: February 22, 2018
  Publication date: August 22, 2019
  Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
- Publication number: 20190258525
  Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.
  Type: Application
  Filed: February 22, 2018
  Publication date: August 22, 2019
  Inventors: Matthew Kirby Glenn, Paul James Kirner, Seth Bruce Ford, Mukesh Gupta, Joy Anne Scott, Nathaniel Jurist Gleicher
- Publication number: 20190089773
  Abstract: A segmentation system includes a cluster of segmentation servers that interoperate to obtain and manage a segmentation policy for controlling communications between workloads in an administrative domain. The cluster of segmentation servers includes a leader segmentation server and at least one member segmentation server. The leader segmentation server controls policy generation and distributes the segmentation policy to the member segmentation servers. The segmentation servers are each optionally paired with a respective set of workloads. The segmentation servers each distribute descriptions of their respective paired workloads to the other segmentation servers. Each segmentation server processes the segmentation policy to generate management instructions for controlling communications to and from their respective paired workloads and distributes the management instructions to the operating system instances executing the workloads to enforce the segmentation policy.
  Type: Application
  Filed: August 27, 2018
  Publication date: March 21, 2019
  Inventors: Antonio Pedro Alexandre Rainha Dias, Joel E. Vanderkwaak, Bryan Patrick Pelham, Mukesh Gupta, Juraj George Fandli, Charles Zou Liu, Thukalan V. Verghese, Paul James Kirner
- Patent number: 9479538
  Abstract: An endpoint integrity system controls access to resources of a protected network for endpoint devices attempting to access the protected network. The system may include a number of evaluation modules that communicate with an endpoint device. The evaluation modules generate policy results for the endpoint device, in which each of the policy results assume one of three or more states, called a multi-state policy result. The multi-state policy results are combined to produce a combined Boolean policy result.
  Type: Grant
  Filed: January 31, 2014
  Date of Patent: October 25, 2016
  Assignee: Juniper Networks, Inc.
  Inventors: Roger Chickering, Stephen R. Hanna, Paul Funk, Panagiotis Kougiouris, Paul James Kirner
- Publication number: 20140150053
  Abstract: An endpoint integrity system controls access to resources of a protected network for endpoint devices attempting to access the protected network. The system may include a number of evaluation modules that communicate with an endpoint device. The evaluation modules generate policy results for the endpoint device, in which each of the policy results assume one of three or more states, called a multi-state policy result. The multi-state policy results are combined to produce a combined Boolean policy result.
  Type: Application
  Filed: January 31, 2014
  Publication date: May 29, 2014
  Applicant: JUNIPER NETWORKS, INC.
  Inventors: Roger CHICKERING, Stephen R. HANNA, Paul FUNK, Panagiotis KOUGIOURIS, Paul James KIRNER
- Patent number: 8661505
  Abstract: A module may include interface logic to receive information identifying a state related to a client device via logic related to a controlled environment, and to send a valid policy result to a host device, where the valid policy result is related to the state. The module may include processing logic to process policy content according to a resource policy, where the processing is based on the information, and to produce the valid policy result based on the processing using the resource policy, where the valid policy result is adapted for use by the host device when implementing the network policy with respect to a destination device when the client device attempts to communicate with the destination device.
  Type: Grant
  Filed: December 27, 2012
  Date of Patent: February 25, 2014
  Assignee: Juniper Networks, Inc.
  Inventors: Panagiotis Kougiouris, Roger Chickering, Paul James Kirner, Stephen R. Hanna
- Patent number: 8644167
  Abstract: An endpoint integrity system controls access to resources of a protected network for endpoint devices attempting to access the protected network. The system may include a number of evaluation modules that communicate with an endpoint device. The evaluation modules generate policy results for the endpoint device, in which each of the policy results assume one of three or more states, called a multi-state policy result. The multi-state policy results are combined to produce a combined Boolean policy result.
  Type: Grant
  Filed: January 14, 2013
  Date of Patent: February 4, 2014
  Assignee: Juniper Networks, Inc.
  Inventors: Roger Allen Chickering, Stephen Hanna, Paul Funk, Panagiotis Kougiouris, Paul James Kirner
- Patent number: 8369224
  Abstract: An endpoint integrity system controls access to resources of a protected network for endpoint devices attempting to access the protected network. The system may include a number of evaluation modules that communicate with an endpoint device. The evaluation modules generate policy results for the endpoint device, in which each of the policy results assume one of three or more states, called a multi-state policy result. The multi-state policy results are combined to produce a combined Boolean policy result.
  Type: Grant
  Filed: September 8, 2006
  Date of Patent: February 5, 2013
  Assignee: Juniper Networks, Inc.
  Inventors: Roger Chickering, Stephen R. Hanna, Paul Funk, Panagiotis Kouriouris, Paul James Kirner
- Patent number: 8352998
  Abstract: A module may include interface logic to receive information identifying a state related to a client device via logic related to a controlled environment, and to send a valid policy result to a host device, where the valid policy result is related to the state. The module may include processing logic to process policy content according to a resource policy, where the processing is based on the information, and to produce the valid policy result based on the processing using the resource policy, where the valid policy result is adapted for use by the host device when implementing the network policy with respect to a destination device when the client device attempts to communicate with the destination device.
  Type: Grant
  Filed: August 17, 2006
  Date of Patent: January 8, 2013
  Assignee: Juniper Networks, Inc.
  Inventors: Panagiotis Kougiouris, Roger Chickering, Paul James Kirner, Stephen R. Hanna