Title: Virtual security boundary for physical or virtual network devices
Abstract: A method and apparatus is disclosed herein for using a virtual security boundary. In one embodiment, the method comprises receiving information from a virtual machine after the virtual machine has been moved from a first physical location in a network to a second physical location in the network, where the information identifies the virtual machine as one previously assigned to a security boundary; determining that access to the virtual machine at the first physical location was permitted by the security gateway; assigning the virtual machine at the second physical location to the security boundary, and applying a security policy associated with the security boundary to communications between the network and the virtual machine at the second physical location.
Publication number: US8813169(B2) Publication date: 2014.08.19
Application number: US201113288872 Filing date: 2011.11.03
Applicant: Varmour Networks, Inc. Inventors: Shieh Choung-Yaw Michael; Lian Jia-Jyi Roger
Classification: G06F17/00; H04L29/06 Main classification: G06F17/00
Agency: Blakely, Sokoloff, Taylor & Zafman LLP Agent: Blakely, Sokoloff, Taylor & Zafman LLP
Main claim: 1. A method for use by a security gateway in a network topology in which the security gateway interfaces one or more virtual machines running on one or more network devices to a network, the method comprising: receiving, by the security gateway, information from a first virtual machine after the first virtual machine has been moved from a first physical location in a network to a second physical location in the network, the information identifying the first virtual machine as one previously assigned to a virtual security boundary, wherein the virtual security boundary comprises a security policy that defines permissible communications exchanged between the first virtual machine and network devices via the security gateway, and the security gateway enforces the security policy on network communication between the network devices and the first virtual machine to create the virtual security boundary regardless of a physical location where the first virtual machine is hosted, wherein the security gateway establishes the virtual security boundary according to the security policy for a first set of one or more virtual machines to block the first set of one or more virtual machines from accessing a second virtual security boundary, except when a configuration of the security policy allows the first set of one or more virtual machines to access to the second virtual security boundary; determining, by the security gateway, that access to the first virtual machine at the first physical location was permitted by the security gateway; assigning the first virtual machine at the second physical location to the virtual security boundary; and applying, by the security gateway, the security policy associated with the virtual security boundary to network communication exchanged between the network devices and the first virtual machine at the second physical location via the security gateway to limit communications between the first virtual machine and the network devices over the network to the permissible communications defined in the security policy, wherein a second virtual machine at the first location is identified in the security policy, and the security policy is applied by the security gateway to network communications exchanged between the network devices and the second virtual machine via the security gateway to enforce the same virtual security boundary to electronic communications exchanged by different virtual machines at different physical locations.
Address: Santa Clara CA US
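The claim above describes a gateway that keeps a boundary policy attached to a virtual machine's identity rather than to the host it runs on. The following Python model is an added illustration written for this page; it is not code from the patent or from Varmour, and the class names, the boundary names ("web", "db", "isolated"), the host names and the access log are all constructed for the example. It walks the claimed steps in order: the gateway receives the migrated VM's claim of boundary membership, checks that the VM really was assigned to that boundary and that access to it at the old location had been permitted, re-assigns it at the new location, and then applies the same policy so that cross-boundary traffic stays blocked unless the policy allows it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VMInfo:
    """Information a migrated VM reports to the gateway (constructed for this example)."""
    vm_id: str
    location: str            # physical host the VM now runs on
    claimed_boundary: str    # boundary the VM says it was previously assigned to


class SecurityGateway:
    """Hypothetical gateway: policy follows the VM identity, not the physical host."""

    def __init__(self):
        self.policy = {}          # boundary -> set of other boundaries it may reach
        self.assignment = {}      # vm_id -> boundary the VM is assigned to
        self.location = {}        # vm_id -> current physical location
        self.permitted_log = set()  # (vm_id, location) pairs where gateway permitted access

    def define_boundary(self, name, may_reach=()):
        # A boundary may always talk to itself; anything else needs an explicit allow.
        self.policy[name] = set(may_reach)

    def assign(self, vm_id, location, boundary):
        if boundary not in self.policy:
            raise KeyError(f"unknown boundary {boundary!r}")
        self.assignment[vm_id] = boundary
        self.location[vm_id] = location

    def permitted(self, src_vm, dst_vm):
        """Enforce the boundary policy on a communication, independent of location."""
        src_b = self.assignment.get(src_vm)
        dst_b = self.assignment.get(dst_vm)
        if src_b is None or dst_b is None:
            return False                      # unknown VMs get nothing
        allowed = src_b == dst_b or dst_b in self.policy[src_b]
        if allowed:
            # Record that access involving each endpoint was permitted at its
            # current location; migration later checks this record.
            self.permitted_log.add((src_vm, self.location[src_vm]))
            self.permitted_log.add((dst_vm, self.location[dst_vm]))
        return allowed

    def handle_migration(self, info, previous_location):
        """Re-attach a moved VM to its boundary only if its claim checks out."""
        # Step 1: the reported information must match a prior assignment.
        if self.assignment.get(info.vm_id) != info.claimed_boundary:
            return False
        if self.location.get(info.vm_id) != previous_location:
            return False
        # Step 2: access to the VM at the first location must have been permitted.
        if (info.vm_id, previous_location) not in self.permitted_log:
            return False
        # Step 3: assign the VM at the second location; the policy carries over
        # unchanged, so step 4 (enforcement) is just permitted() as before.
        self.location[info.vm_id] = info.location
        return True


def demo():
    gw = SecurityGateway()
    gw.define_boundary("web", may_reach={"db"})
    gw.define_boundary("db")
    gw.define_boundary("isolated")
    gw.assign("web1", "host-A", "web")
    gw.assign("db1", "host-C", "db")
    gw.assign("iso1", "host-E", "isolated")

    before = (gw.permitted("web1", "db1"), gw.permitted("db1", "web1"))
    moved = gw.handle_migration(VMInfo("web1", "host-B", "web"), "host-A")
    after = (gw.permitted("web1", "db1"), gw.permitted("db1", "web1"))
    # A VM the gateway never assigned cannot join a boundary by claiming it.
    rogue = gw.handle_migration(VMInfo("rogue", "host-B", "web"), "host-A")
    # iso1 was assigned but never had permitted access, so the check in step 2 fails.
    never_permitted = gw.handle_migration(VMInfo("iso1", "host-F", "isolated"), "host-E")
    return {"before": before, "moved": moved, "after": after,
            "rogue": rogue, "never_permitted": never_permitted,
            "web1_location": gw.location["web1"]}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the pair of results before and after migration: web1 reaching db1 is allowed and db1 initiating to web1 is blocked both at host-A and at host-B, because the decision is keyed on the boundary assignment, not the host. The two rejected migrations show why a gateway should not accept a boundary claim on its own: a VM it never assigned, or one for which it never permitted access at the claimed prior location, is left outside the boundary.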