Abstract: A computing device (e.g., a policy management server) obtains a segmentation policy that includes a set of rules for controlling network traffic between workloads. The computing device also receives infrastructure feedback regarding configuration of third-party network infrastructure. The computing device uses the infrastructure feedback to identify a discrepancy between the segmentation policy and the configuration of the third-party network infrastructure and triggers a corrective action in response. The corrective action may include providing a notification or suggestive remedy for the discrepancy to the user or automatically remedying the discrepancy.

Abstract: A computing device (e.g., a policy management server) obtains a segmentation policy that includes a set of rules for controlling network traffic between workloads. The computing device also receives infrastructure feedback regarding configuration of third-party network infrastructure. The computing device uses the infrastructure feedback to identify a discrepancy between the segmentation policy and the configuration of the third-party network infrastructure and triggers a corrective action in response. The corrective action may include providing a notification or suggestive remedy for the discrepancy to the user or automatically remedying the discrepancy.

Abstract: A policy management server manages a segmentation policy for segmenting a network and a deception policy for implementing deception services. The policy management server distributes segmentation rules and deception rules to distributed enforcement modules that configure respective traffic filters to enforce the policies. The deception rule may be enforced directly by the traffic filter acting as a deception service, or the traffic filter may act as a proxy to an external deception service. The deception service can behave similarly to a real service to obtain information about the malicious actor that is reported to the policy management server to enable the policy management server to take a remedial action. Furthermore, the policy management server may automatically generate the deception policy based on the segmentation policy such that connection requests that are not allowed by the segmentation policy are automatically sent to a deception service.

Abstract: A policy management server detects attack patterns in traffic flows reported by distributed enforcement modules enforcing the segmentation policy. The policy management server generates a traffic flow graph representing traffic flows between workloads or groups of workloads. Traffic flows matching one or more traffic flow patterns may be tagged in the traffic flow graph. For example, if an attack pattern is present in a connection that is blocked under the segmentation policy, the policy management server may block updates to the segmentation policy that attempt to enable the connection or may alert an administrator prior to enabling the update. If an attack pattern is present in a connection that is allowed under the segmentation policy, the segmentation policy may be updated to block the connection, alert an administrator, redirect traffic to a deception service, or take other remedial action.

Abstract: A policy management server manages a segmentation policy for segmenting a network and a deception policy for implementing deception services. The policy management server distributes segmentation rules and deception rules to distributed enforcement modules that configure respective traffic filters to enforce the policies. The deception rule may be enforced directly by the traffic filter acting as a deception service, or the traffic filter may act as a proxy to an external deception service. The deception service can behave similarly to a real service to obtain information about the malicious actor that is reported to the policy management server to enable the policy management server to take a remedial action. Furthermore, the policy management server may automatically generate the deception policy based on the segmentation policy such that connection requests that are not allowed by the segmentation policy are automatically sent to a deception service.

Abstract: A policy management server detects attack patterns in traffic flows reported by distributed enforcement modules enforcing the segmentation policy. The policy management server generates a traffic flow graph representing traffic flows between workloads or groups of workloads. Traffic flows matching one or more traffic flow patterns may be tagged in the traffic flow graph. For example, if an attack pattern is present in a connection that is blocked under the segmentation policy, the policy management server may block updates to the segmentation policy that attempt to enable the connection or may alert an administrator prior to enabling the update. If an attack pattern is present in a connection that is allowed under the segmentation policy, the segmentation policy may be updated to block the connection, alert an administrator, redirect traffic to a deception service, or take other remedial action.