Abstract: Example methods are provided for flow-based forwarding element configuration in a network environment. An example method may comprise obtaining a set of security policies associated with the group of workloads; and based on the set of security policies, identifying an allowed forwarding path between a destination and a first workload. The method may also comprise configuring a whitelist set of flow entries and sending configuration information to the flow-based forwarding element to cause the flow-based forwarding element to apply the whitelist set. The whitelist set may include a first flow entry specifying match fields and a first action to allow communication over the allowed forwarding path, but excludes a second flow entry specifying a second action to block communication over a forbidden forwarding path between the destination and the second workload. The match fields may include transport layer information and network layer information.

Abstract: Described herein are systems, methods, and software to enhance packet processing. In one implementation, a host computing element identifies a packet from a process executing on the host computing element. In response to identifying the packet, the host computing element determines whether the packet originates from a container namespace corresponding to a container on the host computing element or a host namespace corresponding to the host computing element. If the packet originates from a container namespace, the host computing element may determine supplemental information for the container associated with the container namespace, and process the packet based on the supplemental information.

Abstract: A management service can be used to manage enterprise applications. Management agents can be installed in each enterprise application, e.g., in each virtual machine of each enterprise application. The management agent can check each process created by its host virtual machine against a local whitelist. If the local whitelist indicates the process is safe, the process can be executed. Otherwise, an alert including a process description is sent to the management service. An alert analyzer of t he management service can check information of the management service itself as well as third-party information to determine whether or not the process is safe. In the event the alert analyzer determines a process that was the subject of an alert is, in fact, safe, an indication that the process is safe is added to the local whitelist.

Abstract: Described herein are systems, methods, and software to enhance packet processing. In one implementation, a host computing element identifies a packet from a process executing on the host computing element. In response to identifying the packet, the host computing element determines whether the packet originates from a container namespace corresponding to a container on the host computing element or a host namespace corresponding to the host computing element. If the packet originates from a container namespace, the host computing element may determine supplemental information for the container associated with the container namespace, and process the packet based on the supplemental information.

Abstract: Described herein are systems, methods, and software to enhance packet . In one implementation, a host computing element identifies a packet from a process executing on the host computing element. In response to identifying the packet, the host computing element determines whether the packet originates from a container namespace corresponding to a container on the host computing element or a host namespace corresponding to the host computing element. If the packet originates from a container namespace, the host computing element may determine supplemental information for the container associated with the container namespace, and process the packet based on the supplemental information.

Abstract: Techniques for detecting application updates in data centers are disclosed. In one example, process information and corresponding metadata associated with a first process event of an application running on a first application host may be received. Upon receiving, the metadata associated with the first process event may be compared with statistical metadata associated with a previous version of the application using the process information. Further, the first process event may be detected as associated with a valid upgrade of the application based on the comparison and an application in-guest unit running on the first application host may be notified that the first process event is associated with the valid upgrade based on the detection.

Abstract: The technology disclosed herein enables reduction of secure protocol overhead when transferring packets between guest elements on different hosts. In a particular embodiment, the method provides, in a first virtual network interface of a first guest element, receiving one or more first packets from a first guest element directed to a second guest element. In response to determining that the first packets will be encapsulated in a secure protocol having a first integrity check procedure provided for by the secure protocol, the method provides refraining to perform a transmit-side portion of a second integrity check procedure on the first packets as provided for by a transport protocol. The method further provides passing the first packets to a first host of the first virtual network interface in the transport protocol.

Abstract: A management service can be used to manage enterprise applications. Management agents can be installed in each enterprise application, e.g., in each virtual machine of each enterprise application. The management agent can check each process created by its host virtual machine against a local whitelist. If the local whitelist indicates the process is safe, the process can be executed. Otherwise, an alert including a process description is sent to the management service. An alert analyzer of t he management service can check information of the management service itself as well as third-party information to determine whether or not the process is safe. In the event the alert analyzer determines a process that was the subject of an alert is, in fact, safe, an indication that the process is safe is added to the local whitelist.

Abstract: Described herein are systems, methods, and software to enhance packet . In one implementation, a host computing element identifies a packet from a process executing on the host computing element. In response to identifying the packet, the host computing element determines whether the packet originates from a container namespace corresponding to a container on the host computing element or a host namespace corresponding to the host computing element. If the packet originates from a container namespace, the host computing element may determine supplemental information for the container associated with the container namespace, and process the packet based on the supplemental information.

Abstract: Example methods are provided for flow-based forwarding element configuration in a network environment. An example method may comprise obtaining a set of security policies associated with the group of workloads; and based on the set of security policies, identifying an allowed forwarding path between a destination and a first workload. The method may also comprise configuring a whitelist set of flow entries and sending configuration information to the flow-based forwarding element to cause the flow-based forwarding element to apply the whitelist set. The whitelist set may include a first flow entry specifying match fields and a first action to allow communication over the allowed forwarding path, but excludes a second flow entry specifying a second action to block communication over a forbidden forwarding path between the destination and the second workload. The match fields may include transport layer information and network layer information.

Abstract: The technology disclosed herein enables reduction of secure protocol overhead when transferring packets between guest elements on different hosts. In a particular embodiment, the method provides, in a first virtual network interface of a first guest element, receiving one or more first packets from a first guest element directed to a second guest element. In response to determining that the first packets will be encapsulated in a secure protocol having a first integrity check procedure provided for by the secure protocol, the method provides refraining to perform a transmit-side portion of a second integrity check procedure on the first packets as provided for by a transport protocol. The method further provides passing the first packets to a first host of the first virtual network interface in the transport protocol.