Title of invention: Providing a virtual security appliance architecture to a virtual cloud infrastructure
Abstract: A method in an embodiment includes detecting a change for a virtual machine in a virtual server of a virtual network infrastructure, determining whether a virtual security appliance is configured in the virtual server, and sending a request to create the virtual security appliance in the virtual server. The method further includes allowing the virtual machine to initiate when the virtual security appliance is created in the virtual machine. The virtual security appliance performs security inspections on network packets sent from the virtual machine. In more specific embodiments, the method further includes creating an intercept mechanism in the virtual server to intercept the network packets from the virtual machine. In further embodiments, one or more security policies identify one or more virtual security appliances to process the network packets from the virtual machine.
Publication number: US9571507(B2)  Publication date: 2017.02.14
Application number: US201213656730  Filing date: 2012.10.21
Applicant: McAfee, Inc.  Inventors: Cooper Geoffrey Howard; Nedbal Manuel; Nadkarni Hemang Satish
Classification: G06F9/455; H04L29/06; G06F21/60; G06F21/50  Main classification: G06F9/455
Agency: Patent Capital Group  Agent: Patent Capital Group
Independent claim: 1. A method for providing a virtual security appliance (VSA) architecture in a virtual network infrastructure, the method comprising: detecting a change for a guest virtual machine (VM) in the virtual network infrastructure, wherein the change comprises moving the guest VM from a first virtual server to a second virtual server of the virtual network infrastructure; determining a policy of one or more security policies requires a security control for the guest VM; determining whether there is an already present VSA configured as a VM capable of applying the required security control to the guest VM running in the second virtual server, wherein the applying comprises performing security inspections on network packets of a packet stream associated with the guest VM; upon determining there is not the already present VSA running in the second virtual server, performing a process comprising: initiating the guest VM in the second virtual server and sending a request to create a new VSA capable of applying the required security control in the second virtual server, wherein the initiating comprises running the guest VM in the second virtual server and routing the packet stream associated with the guest VM through an existing VSA capable of applying the required security control running on another virtual server of the virtual network infrastructure; creating the new VSA on the second virtual server and running the new VSA, wherein the creating is based at least in part on the request and is performed at least partially concurrently with the running of the guest VM; and routing, when the new VSA is running on the second server, the packet stream through the new VSA instead of the existing VSA; and upon determining there is the already present VSA running in the second virtual server, running the guest VM in the second virtual server and routing the packet stream associated with the guest VM through the already present VSA.
Address: Santa Clara CA US