Patents by Inventor Shadab Shah

Shadab Shah has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10951656
    Abstract: Methods, apparatus and articles of manufacture to use artificial intelligence to define encryption and security policies in a software defined data center are disclosed. Example apparatus include a language parser to parse a natural language statement into a policy statement that defines a distributed network encryption policy or a distributed network security policy. Example apparatus also include a comparator to compare the policy statement to a set of reference policy templates and a template configurer to select a first policy template from the set of reference policy templates in response to the comparator determining the first policy template corresponds to the policy statement. A policy distributor distributes a policy rule defined by the first policy template for enforcement at network nodes of a software defined data center. The policy rule is a distributed network encryption policy rule or a security policy rule.
    Type: Grant
    Filed: August 16, 2017
    Date of Patent: March 16, 2021
    Assignee: NICIRA, INC.
    Inventors: Gang Xu, Xinghua Hu, Yong Wang, Shadab Shah, Sharath Bhat, Yashika Narang
  • Patent number: 10944722
    Abstract: A novel method for managing firewall configuration of a software defined data center is provided. Such a firewall configuration is divided into multiple sections that each contains a set of firewall rules. Each tenant of the software defined data center has a corresponding set of sections in the firewall configuration. The method allows each tenant to independently access and update/manage its own corresponding set of sections. Multiple tenants or users are allowed to make changes to the firewall configuration simultaneously.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: March 9, 2021
    Assignee: NICIRA, INC.
    Inventors: Radha Popuri, Shadab Shah, James Joseph Stabile, Sameer Kurkure, Kaushal Bansal
  • Patent number: 10938726
    Abstract: For a network including multiple host machines that together implement at least one logical network including a firewall, some embodiments provide a method for collecting traffic flow data that includes identifiers for firewall rules applied to the traffic flow and a logical entity identifier. In some embodiments, the host machines receive traffic monitoring configuration data for a logical network. The traffic monitoring configuration data in some embodiments indicates a set of logical entities of the logical network for which to collect traffic flow data and a set of traffic flow data collectors associated with the set of logical entities. The indicated logical entities may be logical forwarding elements (logical switches, routers, etc.) or logical ports of logical forwarding elements.
    Type: Grant
    Filed: September 6, 2017
    Date of Patent: March 2, 2021
    Assignee: NICIRA, INC.
    Inventors: Russell Lu, Xin Qi, Shadab Shah, Sunitha Krishna, Yangyang Zhu, Subrahmanyam Manuguri, Raju Koganty
  • Publication number: 20200348983
    Abstract: Some embodiments provide a method for clustering a set of data compute nodes (DCNs), which communicate with each other more frequently, on one or more host machines. The method groups together guest DCNs (GDCNs) that (1) execute on different host machines and (2) exchange network data among themselves more frequently, in order to reduce interhost network traffic. The more frequently-communicating GDCNs can be a set of GDCNs that implement a distributed application, GDCNs of a particular tier in a multi-tier network architecture (e.g., a web tier in a three-tier architecture), GDCNs that are dedicated to a particular tenant in a hosting system, or any other set of GDCNs that exchange data among each other regularly for a particular purpose.
    Type: Application
    Filed: July 21, 2020
    Publication date: November 5, 2020
    Inventors: Xin Qi, Fenil Kavathia, Chidambareswaran Raman, Shadab Shah, Raju Koganty, Jingmin Zhou
  • Patent number: 10725833
    Abstract: Some embodiments provide a method for clustering a set of data compute nodes (DCNs), which communicate with each other more frequently, on one or more host machines. The method groups together guest DCNs (GDCNs) that (1) execute on different host machines and (2) exchange network data among themselves more frequently, in order to reduce interhost network traffic. The more frequently-communicating GDCNs can be a set of GDCNs that implement a distributed application, GDCNs of a particular tier in a multi-tier network architecture (e.g., a web tier in a three-tier architecture), GDCNs that are dedicated to a particular tenant in a hosting system, or any other set of GDCNs that exchange data among each other regularly for a particular purpose.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: July 28, 2020
    Assignee: NICIRA, INC.
    Inventors: Xin Qi, Fenil Kavathia, Chidambareswaran Raman, Shadab Shah, Raju Koganty, Jingmin Zhou
  • Patent number: 10630644
    Abstract: In a computer-implemented method for managing firewall flow records, firewall flow records of a virtual infrastructure including a distributed firewall are received, wherein the firewall flow records are captured according to firewall rules of the distributed firewall, and wherein the firewall flow records each include tuples and at least one field of network traffic data. Responsive to detecting a number of received firewall flow records exceeding a threshold value, it is determined whether the tuples are identical for any of the firewall flow records. Provided the tuples are not identical for any of the firewall flow records, the tuples for the firewall flow records are modified to generate modified firewall flow records. It is determined whether the tuples are identical for any of the modified firewall flow records.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: April 21, 2020
    Assignee: Nicira, Inc.
    Inventors: Shadab Shah, Kaushal Bansal, Uday Masurekar, Jerry Pereira, Sunitha Krishna
  • Patent number: 10608993
    Abstract: Some embodiments provide a central firewall management system that can be used to manage different firewall devices from a single management interface. This management interface provides a uniform interface for defining different firewall rule sets and deploying these rules sets on different firewall devices (e.g., port-linked firewall engines, firewall service VMs, network-perimeter firewall devices, etc.). Also, this interface allows the location and/or behavior of the firewall rule sets to be dynamically modified. The management interface in some embodiments also provides controls for filtering and debugging firewall rules.
    Type: Grant
    Filed: October 5, 2017
    Date of Patent: March 31, 2020
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar, Serge Maskalik, Shadab Shah, Aravind Srinivasan, Minjal Agarwal
  • Patent number: 10536383
    Abstract: The technology disclosed herein enables the enhancement of attributes used to identify network packet traffic exchanged with micro segmented guests. In a particular embodiment, a method provides receiving a plurality of attributes from a user. The plurality of attributes describes first network packet traffic that should be handled in a first manner. The method further provides processing network packet traffic to identify the first network packet traffic using the plurality of attributes. While processing the network packet traffic, the method provides identifying one or more additional attributes shared among the first network packet traffic and adding at least a portion of the one or more additional attributes to the plurality of attributes.
    Type: Grant
    Filed: September 19, 2017
    Date of Patent: January 14, 2020
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Sunitha Krishna, Jerry Pereira, Shadab Shah, Subrahmanyam Manuguri, Jayant Jain
  • Publication number: 20190207983
    Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced).
    Type: Application
    Filed: March 9, 2019
    Publication date: July 4, 2019
    Inventors: Kaushal Bansal, Uday Masurekar, Aravind Srinivasan, Shadab Shah, Serge Maskalik
  • Patent number: 10341299
    Abstract: In a computer-implemented method for collecting firewall flow records, firewall flow records are received from a plurality of data end nodes of a virtualized infrastructure comprising a distributed firewall according to a collection schedule, wherein the collection schedule defines which data end nodes of the plurality of data end nodes from which firewall flow records are collected, a frequency of collection of firewall flow records from the data end nodes, and an amount of firewall flow records collected from the data end nodes. Firewall flow records received at a firewall flow record collection queue are processed, such that the received firewall flow records are prepared for storage at a flow record data store.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: July 2, 2019
    Assignee: Nicira, Inc.
    Inventors: Kaushal Bansal, Medhavi Dhawan, Jerry Pereira, Shadab Shah, Sameer Kurkure
  • Patent number: 10264021
    Abstract: Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify for a particular firewall rule, a set of network nodes (also called a set of enforcement points) at which the particular firewall should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced). As the AppliedTo tuples of the firewall rules can refer to dynamically modifiable constructs, the application of the AppliedTo firewall rules (i.e., rules that are specified to include an AppliedTo tuple) can be dynamically adjusted for different locations within a network by dynamically adjusting the membership of these modifiable constructs.
    Type: Grant
    Filed: December 14, 2015
    Date of Patent: April 16, 2019
    Assignee: NICIRA, INC.
    Inventors: Kaushal Bansal, Uday Masurekar, Aravind Srinivasan, Shadab Shah, Serge Maskalik
  • Publication number: 20190097966
    Abstract: Systems and methods described herein provide a high availability DHCP server capable of serving multiple tenants in a data center. The DHCP server may use a different logical DHCP server instance for each tenant, and may be implemented as one process without the use of namespaces. A DHCP server is executed on a gateway virtual machine (VM) that is capable of hosting a plurality of logical DHCP servers. For each tenant in a data center, a logical network and a corresponding logical DHCP server instance are implemented. The DHCP server may service requests for DHCP services from VMs via their physical host by determining the tenant that the VM originates from and leasing a DHCP resource from that tenant's corresponding logical DHCP server instance.
    Type: Application
    Filed: September 28, 2017
    Publication date: March 28, 2019
    Inventors: Michael HU, Ansis ATTEKA, Dongping CHEN, Bo LIN, Yi ZENG, Shadab SHAH
  • Publication number: 20190089635
    Abstract: The technology disclosed herein enables the enhancement of attributes used to identify network packet traffic exchanged with micro segmented guests. In a particular embodiment, a method provides receiving a plurality of attributes from a user. The plurality of attributes describes first network packet traffic that should be handled in a first manner. The method further provides processing network packet traffic to identify the first network packet traffic using the plurality of attributes. While processing the network packet traffic, the method provides identifying one or more additional attributes shared among the first network packet traffic and adding at least a portion of the one or more additional attributes to the plurality of attributes.
    Type: Application
    Filed: September 19, 2017
    Publication date: March 21, 2019
    Inventors: Kaushal Bansal, Sunitha Krishna, Jerry Pereira, Shadab Shah, Subrahmanyam Manuguri, Jayant Jain
  • Publication number: 20190075056
    Abstract: For a network including multiple host machines that together implement at least one logical network including a firewall, some embodiments provide a method for collecting traffic flow data that includes identifiers for firewall rules applied to the traffic flow and a logical entity identifier. In some embodiments, the host machines receive traffic monitoring configuration data for a logical network. The traffic monitoring configuration data in some embodiments indicates a set of logical entities of the logical network for which to collect traffic flow data and a set of traffic flow data collectors associated with the set of logical entities. The indicated logical entities may be logical forwarding elements (logical switches, routers, etc.) or logical ports of logical forwarding elements.
    Type: Application
    Filed: September 6, 2017
    Publication date: March 7, 2019
    Inventors: Russell Lu, Xin Qi, Shadab Shah, Sunitha Krishna, Yangyang Zhu, Subrahmanyam Manuguri, Raju Koganty
  • Publication number: 20190058734
    Abstract: Methods, apparatus and articles of manufacture to use artificial intelligence to define encryption and security policies in a software defined data center are disclosed. Example apparatus include a language parser to parse a natural language statement into a policy statement that defines a distributed network encryption policy or a distributed network security policy. Example apparatus also include a comparator to compare the policy statement to a set of reference policy templates and a template configurer to select a first policy template from the set of reference policy templates in response to the comparator determining the first policy template corresponds to the policy statement. A policy distributor distributes a policy rule defined by the first policy template for enforcement at network nodes of a software defined data center. The policy rule is a distributed network encryption policy rule or a security policy rule.
    Type: Application
    Filed: August 16, 2017
    Publication date: February 21, 2019
    Inventors: Gang Xu, Xinghua Hu, Yong Wang, Shadab Shah, Sharath Bhat, Yashika Narang
  • Publication number: 20180183760
    Abstract: Network firewalls operate based on rules that define how a firewall should handle traffic passing through the firewall. At their most basic, firewall rules may indicate that certain network traffic should be denied from passing through a network firewall or indicate that certain network traffic should be allowed to pass through the network firewall. Manners of handling network traffic beyond simply allowing or denying the network traffic may also be defined by the rules. For instance, a rule may indicate that certain network traffic should be routed to a specific system. Thus, if an administrator of a network firewall determines that certain network traffic should be handled in a certain way by a network firewall, the administrator need only implement a firewall rule defining how that network traffic should be handled in the network firewall.
    Type: Application
    Filed: December 22, 2016
    Publication date: June 28, 2018
    Inventors: Sameer Kurkure, Subrahmanyam Manuguri, Anirban Sengupta, Aman Raj, Kaushal Bansal, Shadab Shah
  • Publication number: 20180176184
    Abstract: In a computer-implemented method for collecting firewall flow records, firewall flow records are received from a plurality of data end nodes of a virtualized infrastructure comprising a distributed firewall according to a collection schedule, wherein the collection schedule defines which data end nodes of the plurality of data end nodes from which firewall flow records are collected, a frequency of collection of firewall flow records from the data end nodes, and an amount of firewall flow records collected from the data end nodes. Firewall flow records received at a firewall flow record collection queue are processed, such that the received firewall flow records are prepared for storage at a flow record data store.
    Type: Application
    Filed: December 15, 2016
    Publication date: June 21, 2018
    Inventors: Kaushal BANSAL, Medhavi DHAWAN, Jerry PEREIRA, Shadab SHAH, Sameer KURKURE
  • Publication number: 20180176183
    Abstract: In a computer-implemented method for managing firewall flow records, firewall flow records of a virtual infrastructure including a distributed firewall are received, wherein the firewall flow records are captured according to firewall rules of the distributed firewall, and wherein the firewall flow records each include tuples and at least one field of network traffic data. Responsive to detecting a number of received firewall flow records exceeding a threshold value, it is determined whether the tuples are identical for any of the firewall flow records. Provided the tuples are not identical for any of the firewall flow records, the tuples for the firewall flow records are modified to generate modified firewall flow records. It is determined whether the tuples are identical for any of the modified firewall flow records.
    Type: Application
    Filed: December 15, 2016
    Publication date: June 21, 2018
    Inventors: Shadab SHAH, Kaushal BANSAL, Uday MASUREKAR, Jerry PEREIRA, Sunitha KRISHNA
  • Publication number: 20180121250
    Abstract: Some embodiments provide a method for clustering a set of data compute nodes (DCNs), which communicate with each other more frequently, on one or more host machines. The method groups together guest DCNs (GDCNs) that (1) execute on different host machines and (2) exchange network data among themselves more frequently, in order to reduce interhost network traffic. The more frequently-communicating GDCNs can be a set of GDCNs that implement a distributed application, GDCNs of a particular tier in a multi-tier network architecture (e.g., a web tier in a three-tier architecture), GDCNs that are dedicated to a particular tenant in a hosting system, or any other set of GDCNs that exchange data among each other regularly for a particular purpose.
    Type: Application
    Filed: October 27, 2017
    Publication date: May 3, 2018
    Inventors: Xin Qi, Fenil Kavathia, Chidambareswaran Raman, Shadab Shah, Raju Koganty, Jingmin Zhou
  • Publication number: 20180048623
    Abstract: Some embodiments provide a central firewall management system that can be used to manage different firewall devices from a single management interface. This management interface provides a uniform interface for defining different firewall rule sets and deploying these rules sets on different firewall devices (e.g., port-linked firewall engines, firewall service VMs, network-perimeter firewall devices, etc.). Also, this interface allows the location and/or behavior of the firewall rule sets to be dynamically modified. The management interface in some embodiments also provides controls for filtering and debugging firewall rules.
    Type: Application
    Filed: October 5, 2017
    Publication date: February 15, 2018
    Inventors: Kaushal Bansal, Uday Masurekar, Serge Maskalik, Shadab Shah, Aravind Srinivasan, Minjal Agarwal