Patents by Inventor Ronald Becker Williams

Ronald Becker Williams has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10839082
    Abstract: A data model extends or supplements an entity/resource association to include a “quality” of that association, where the quality is defined by an ordered set of relative values/characteristics. In an example scenario, an entity/resource association is augmented to include a quality characteristic that is defined by a tuple that is preferably an ordered set of relative values. The number of values and their designations in the data model will depend on the nature of the underlying entity/resource association. When entity/resource associations are annotated to include relative quality values in this manner, much more useful comparisons of apparently similar entity/resource associations may be carried out.
    Type: Grant
    Filed: January 6, 2014
    Date of Patent: November 17, 2020
    Assignee: International Business Machines Corporation
    Inventor: Ronald Becker Williams
  • Patent number: 10680946
    Abstract: “Multi-tenant awareness” is added to a set of one or more packet processing devices in a Software Defined Network (SDN) having a controller. For each of one or more tenants, information in a table associates network protocol address attributes with an Internet Protocol (IP) address unique to the tenant. The table is associated with a multiple-layer translation layer being managed by the SDN controller. As a data packet traverses the translation layer, network protocol address attributes are translated according to values in the table to enable logical routing of the packet (to a given PPD). This translation occurs dynamically (or “on-the-fly”) as packets are “on route” to their destination. By implementing a multi-layer network address translation (NAT), one layer may be used to translate network protocol address source attributes, while a second layer may be used to translate network protocol address destination attributes.
    Type: Grant
    Filed: May 21, 2019
    Date of Patent: June 9, 2020
    Assignee: International Business Machines Corporation
    Inventors: Ronald Becker Williams, Cheng-Ta Lee, Lun-Pin Yuan
  • Publication number: 20190273681
    Abstract: “Multi-tenant awareness” is added to a set of one or more packet processing devices in a Software Defined Network (SDN) having a controller. For each of one or more tenants, information in a table associates network protocol address attributes with an Internet Protocol (IP) address unique to the tenant. The table is associated with a multiple-layer translation layer being managed by the SDN controller. As a data packet traverses the translation layer, network protocol address attributes are translated according to values in the table to enable logical routing of the packet (to a given PPD). This translation occurs dynamically (or “on-the-fly”) as packets are “on route” to their destination. By implementing a multi-layer network address translation (NAT), one layer may be used to translate network protocol address source attributes, while a second layer may be used to translate network protocol address destination attributes.
    Type: Application
    Filed: May 21, 2019
    Publication date: September 5, 2019
    Applicant: International Business Machines Corporation
    Inventors: Ronald Becker Williams, Cheng-Ta Lee, Lun-Pin Yuan
  • Patent number: 10298489
    Abstract: “Multi-tenant awareness” is added to a set of one or more packet processing devices in a Software Defined Network (SDN) having a controller. For each of one or more tenants, information in a table associates network protocol address attributes with an Internet Protocol (IP) address unique to the tenant. The table is associated with a multiple-layer translation layer being managed by the SDN controller. As a data packet traverses the translation layer, network protocol address attributes are translated according to values in the table to enable logical routing of the packet (to a given PPD). This translation occurs dynamically (or “on-the-fly”) as packets are “on route” to their destination. By implementing a multi-layer network address translation (NAT), one layer may be used to translate network protocol address source attributes, while a second layer may be used to translate network protocol address destination attributes.
    Type: Grant
    Filed: July 24, 2015
    Date of Patent: May 21, 2019
    Assignee: International Business Machines Corporation
    Inventors: Ronald Becker Williams, Cheng-Ta Lee, Lun-Pin Yuan
  • Patent number: 9961103
    Abstract: A network-based appliance includes a mechanism to intercept, decrypt and inspect secure network traffic flowing over SSL/TLS between a client and a server. The mechanism responds to detection of a session initiation request message from the client, the message being received following establishment of a TCP connection between the client and server. The mechanism responds by holding the session initiation request message, preferably by creating a fake socket to a local process, and then diverting the request message over that socket. The TCP connection is then terminated, and the mechanism initiates a new session in initiation request message, all while the original session initiation request message continues to be held. The server responds with its server certificate, which is then used by the mechanism to generate a new server certificate. The new server certificate is then returned to the requesting client as the response to the session initiation request message.
    Type: Grant
    Filed: October 28, 2014
    Date of Patent: May 1, 2018
    Assignee: International Business Machines Corporation
    Inventors: Ronald Becker Williams, Paul Coccoli, John William Court, Gregory Lyle Galloway, Matthew Joseph Kubilus, Steven Ashley Mazur, Joseph Karl Vossen
  • Patent number: 9942273
    Abstract: A method, apparatus and computer program product for automatically reconfiguring a policy of a multi-tenant service is disclosed. A first tenant specific policy for a first tenant of a plurality of tenants serviced by the multi-tenant service is provided. The multi-tenant service uses a second tenant specific policy different from the first tenant specific policy for a second tenant of the plurality of tenants. An event relevant to the first tenant specific policy is detected. The first tenant specific policy is reconfigured according to the detected event.
    Type: Grant
    Filed: December 9, 2015
    Date of Patent: April 10, 2018
    Assignee: International Business Machines Corporation
    Inventors: Cheng-Ta Lee, Ronald Becker Williams
  • Publication number: 20170171245
    Abstract: A method, apparatus and computer program product for automatically reconfiguring a policy of a multi-tenant service is disclosed. A first tenant specific policy for a first tenant of a plurality of tenants serviced by the multi-tenant service is provided. The multi-tenant service uses a second tenant specific policy different from the first tenant specific policy for a second tenant of the plurality of tenants. An event relevant to the first tenant specific policy is detected. The first tenant specific policy is reconfigured according to the detected event.
    Type: Application
    Filed: December 9, 2015
    Publication date: June 15, 2017
    Inventors: Cheng-Ta Lee, Ronald Becker Williams
  • Patent number: 9621592
    Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for purpose other than a data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policy to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.
    Type: Grant
    Filed: June 25, 2015
    Date of Patent: April 11, 2017
    Assignee: International Business Machines Corporation
    Inventors: Paul Anthony Ashley, Stefan Berger, Tian Cheng Liu, He Yuan Huang, Sreekanth Ramakrishna Iyer, Ashish Kundu, Nataraj Nagaratnam, Dimitrios Pendarakis, Ronald Becker Williams
  • Patent number: 9609023
    Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for purpose other than a data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policy to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.
    Type: Grant
    Filed: February 10, 2015
    Date of Patent: March 28, 2017
    Assignee: International Business Machines Corporation
    Inventors: Paul Anthony Ashley, Stefan Berger, Tian Cheng Liu, He Yuan Huang, Sreekanth Ramakrishna Iyer, Ashish Kundu, Nataraj Nagaratnam, Dimitrios Pendarakis, Ronald Becker Williams
  • Patent number: 9584477
    Abstract: An SDN controller associated with a switch maintains unique tenant/port association data, and pushes to the switch per-tenant policies. A per-tenant information processing port (IPP) on the switch enables traffic sent to or from a tenant to be distinguished from that of another tenant, even with respect to packet processing devices (PPDs) that share a particular switch. With the described approach, the properties of a non-overlay SDN are leveraged to support multi-tenancy in an efficient manner, preferably by associating a specific tenant with a specific port (on the virtual switch) once, rather than continuously parsing tenant data from the information flow. The technique enables the application of tenant-specific policy to tenant-specific network flows in a multi-tenant network.
    Type: Grant
    Filed: February 26, 2015
    Date of Patent: February 28, 2017
    Assignee: International Business Machines Corporation
    Inventors: Ronald Becker Williams, Cheng-Ta Lee
  • Publication number: 20170026283
    Abstract: “Multi-tenant awareness” is added to a set of one or more packet processing devices in a Software Defined Network (SDN) having a controller. For each of one or more tenants, information in a table associates network protocol address attributes with an Internet Protocol (IP) address unique to the tenant. The table is associated with a multiple-layer translation layer being managed by the SDN controller. As a data packet traverses the translation layer, network protocol address attributes are translated according to values in the table to enable logical routing of the packet (to a given PPD). This translation occurs dynamically (or “on-the-fly”) as packets are “on route” to their destination. By implementing a multi-layer network address translation (NAT), one layer may be used to translate network protocol address source attributes, while a second layer may be used to translate network protocol address destination attributes.
    Type: Application
    Filed: July 24, 2015
    Publication date: January 26, 2017
    Inventors: Ronald Becker Williams, Cheng-Ta Lee, Lun-Pin Yuan
  • Publication number: 20160255051
    Abstract: An SDN controller associated with a switch maintains unique tenant/port association data, and pushes to the switch per-tenant policies. A per-tenant information processing port (IPP) on the switch enables traffic sent to or from a tenant to be distinguished from that of another tenant, even with respect to packet processing devices (PPDs) that share a particular switch. With the described approach, the properties of a non-overlay SDN are leveraged to support multi-tenancy in an efficient manner, preferably by associating a specific tenant with a specific port (on the virtual switch) once, rather than continuously parsing tenant data from the information flow. The technique enables the application of tenant-specific policy to tenant-specific network flows in a multi-tenant network.
    Type: Application
    Filed: February 26, 2015
    Publication date: September 1, 2016
    Inventors: Ronald Becker Williams, Cheng-Ta Lee
  • Publication number: 20160234250
    Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for purpose other than a data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policy to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.
    Type: Application
    Filed: February 10, 2015
    Publication date: August 11, 2016
    Inventors: Paul Anthony Ashley, Stefan Berger, Tian Cheng Liu, He Yuan Huang, Sreekanth Ramakrishna Iyer, Ashish Kundu, Nataraj Nagaratnam, Dimitrios Pendarakis, Ronald Becker Williams
  • Publication number: 20160234224
    Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for purpose other than a data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policy to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.
    Type: Application
    Filed: June 25, 2015
    Publication date: August 11, 2016
    Inventors: Paul Anthony Ashley, Stefan Berger, Tian Cheng Liu, He Yuan Huang, Sreekanth Ramakrishna Iyer, Ashish Kundu, Nataraj Nagaratnam, Dimitrios Pendarakis, Ronald Becker Williams
  • Publication number: 20160119374
    Abstract: A network-based appliance includes a mechanism to intercept, decrypt and inspect secure network traffic flowing over SSL/TLS between a client and a server. The mechanism responds to detection of a session initiation request message from the client, the message being received following establishment of a TCP connection between the client and server. The mechanism responds by holding the session initiation request message, preferably by creating a fake socket to a local process, and then diverting the request message over that socket. The TCP connection is then terminated, and the mechanism initiates a new session in initiation request message, all while the original session initiation request message continues to be held. The server responds with its server certificate, which is then used by the mechanism to generate a new server certificate. The new server certificate is then returned to the requesting client as the response to the session initiation request message.
    Type: Application
    Filed: October 28, 2014
    Publication date: April 28, 2016
    Inventors: Ronald Becker Williams, Paul Coccoli, John William Court, Gregory Lyle Galloway, Matthew Joseph Kubilus, Steven Ashley Mazur, Joseph Karl Vossen
  • Publication number: 20150193524
    Abstract: A data model extends or supplements an entity/resource association to include a “quality” of that association, where the quality is defined by an ordered set of relative values/characteristics. In an example scenario, an entity/resource association is augmented to include a quality characteristic that is defined by a tuple that is preferably an ordered set of relative values. The number of values and their designations in the data model will depend on the nature of the underlying entity/resource association. When entity/resource associations are annotated to include relative quality values in this manner, much more useful comparisons of apparently similar entity/resource associations may be carried out.
    Type: Application
    Filed: January 6, 2014
    Publication date: July 9, 2015
    Applicant: International Business Machines Corporation
    Inventor: Ronald Becker Williams