Patents by Inventor Thomas Michael McCormick
Thomas Michael McCormick has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20230353540
Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
Type: Application
Filed: July 6, 2023
Publication date: November 2, 2023
Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Patent number: 11736443
Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
Type: Grant
Filed: April 26, 2022
Date of Patent: August 22, 2023
Assignee: Illumio, Inc.
Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Patent number: 11575588
Abstract: A traffic control and monitoring module includes a firewall operating in a container namespace that is configured to control and monitor traffic to and from a container in the container namespace. The traffic control and monitoring module reports detected traffic to a traffic flow reporting module operating in a host namespace of the host operating system. The traffic control and monitoring module obtains traffic flows associated with a plurality of containers in different container namespaces and reports the traffic flows to a segmentation policy. Based on the reported traffic flows, the segmentation server may update a segmentation policy to improve network security.
Type: Grant
Filed: February 24, 2021
Date of Patent: February 7, 2023
Assignee: Illumio, Inc.
Inventors: Thomas Michael McCormick, Juraj George Fandli
-
Publication number: 20220255899
Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
Type: Application
Filed: April 26, 2022
Publication date: August 11, 2022
Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Patent number: 11336620
Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
Type: Grant
Filed: December 18, 2018
Date of Patent: May 17, 2022
Assignee: Illumio, Inc.
Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Publication number: 20210184950
Abstract: A traffic control and monitoring module includes a firewall operating in a container namespace that is configured to control and monitor traffic to and from a container in the container namespace. The traffic control and monitoring module reports detected traffic to a traffic flow reporting module operating in a host namespace of the host operating system. The traffic control and monitoring module obtains traffic flows associated with a plurality of containers in different container namespaces and reports the traffic flows to a segmentation policy. Based on the reported traffic flows, the segmentation server may update a segmentation policy to improve network security.
Type: Application
Filed: February 24, 2021
Publication date: June 17, 2021
Inventors: Thomas Michael McCormick, Juraj George Fandli
-
Patent number: 10958545
Abstract: A traffic control and monitoring module includes a firewall operating in a container namespace that is configured to control and monitor traffic to and from a container in the container namespace. The traffic control and monitoring module reports detected traffic to a traffic flow reporting module operating in a host namespace of the host operating system. The traffic control and monitoring module obtains traffic flows associated with a plurality of containers in different container namespaces and reports the traffic flows to a segmentation policy. Based on the reported traffic flows, the segmentation server may update a segmentation policy to improve network security.
Type: Grant
Filed: August 27, 2018
Date of Patent: March 23, 2021
Assignee: Illumio, Inc.
Inventors: Thomas Michael McCormick, Juraj George Fandli
-
Patent number: 10805166
Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
Type: Grant
Filed: September 24, 2019
Date of Patent: October 13, 2020
Assignee: Illumio, Inc.
Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
-
Publication number: 20200195611
Abstract: A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
Type: Application
Filed: December 18, 2018
Publication date: June 18, 2020
Inventors: Daniel Richard Cook, Anish Vinodkumar Desai, Thomas Michael McCormick
-
Publication number: 20200067801
Abstract: A traffic control and monitoring module includes a firewall operating in a container namespace that is configured to control and monitor traffic to and from a container in the container namespace. The traffic control and monitoring module reports detected traffic to a traffic flow reporting module operating in a host namespace of the host operating system. The traffic control and monitoring module obtains traffic flows associated with a plurality of containers in different container namespaces and reports the traffic flows to a segmentation policy. Based on the reported traffic flows, the segmentation server may update a segmentation policy to improve network security.
Type: Application
Filed: August 27, 2018
Publication date: February 27, 2020
Inventors: Thomas Michael McCormick, Juraj George Fandli
-
Publication number: 20200021491
Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
Type: Application
Filed: September 24, 2019
Publication date: January 16, 2020
Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
-
Publication number: 20190372848
Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
Type: Application
Filed: May 31, 2018
Publication date: December 5, 2019
Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli
-
Patent number: 10476745
Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.
Type: Grant
Filed: May 31, 2018
Date of Patent: November 12, 2019
Assignee: Illumio, Inc.
Inventors: Thomas Michael McCormick, Daniel Richard Cook, Rupesh Kumar Mishra, Matthew Kirby Glenn, Paul James Kirner, Mukesh Gupta, Juraj George Fandli