Encryption System in a Virtualized Environment

Pending Publication Date: 2015-12-31
NICIRA

AI Technical Summary

Benefits of technology

[0012] The above-described hypervisor-based encryption scheme combines the best of in-guest encryption and network-based encryption. It avoids the overhead of key management of N-to-N GVMs, and it performs encryption based on fine-grained, context aware policies. As such, it provi

Problems solved by technology

Overlay networks provide the same service across the wide area network (WAN) on a public network for enterprises, and are susceptible to threats such as snooping, man in the middle attack (MITM), and forging.
The privacy guarantee of private datacenters is no longer assumed, and threats similar to those in the Internet prevail.
However, current approaches to encrypt network data fall short in terms of contextual information, isolation, granularity, or ease of management.
However, IPSec tunneling by the edge devices is oblivious to the application context and the user generating t



Embodiment Construction

[0035] In the following detailed description of the invention, numerous details, examples, and embodiments of the invention are set forth and described. However, it will be clear and apparent to one skilled in the art that the invention is not limited to the embodiments set forth and that the invention may be practiced without some of the specific details and examples discussed.

[0036] For a host computing device (the “host”) that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. Examples of GVMs include webservers, application servers, database servers, etc. In some cases, all the GVMs belong to one entity, e.g., an enterprise that operates a datacenter with multiple hosts. In other cases, the host executes in a multi-tenant environment (e.g., in a multi-tenant data center), and different groups of GVMs belong to different tenants. As used in this document, encryption refers to the ...


Abstract

For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host. When two different GVMs are part of two different logical overlay networks that are implemented on common network fabric, the method in some embodiments encrypts the data messages exchanged between the GVMs of one logical network differently than the data messages exchanged between the GVMs of another logical network. In some embodiments, the method can also encrypt different types of data messages from the same GVM differently. Also, in some embodiments, the method can dynamically enforce encryption rules in response to dynamically detected events, such as malware infections.
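The abstract describes a decision flow (receive a GVM's data message, match it against ordered encryption rules, encrypt with a per-network or per-message-type key or forward it in the clear, and let detected events such as a malware infection change the rules at run time). The following Python model is an added illustration written for this page; it is not code from the patent or from Nicira. All GVM names, logical network names, keys and rules are constructed sample values, and the cipher is a stand-in (HMAC-SHA256 keystream in counter mode plus an encrypt-then-MAC tag) for the authenticated cipher a real hypervisor data path would use.

```python
"""Rule-driven, hypervisor-side encryption of GVM data messages (added illustration)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DataMessage:
    src_gvm: str          # guest VM that sent the message
    logical_network: str  # logical overlay network the GVM belongs to
    dst_port: int         # stands in for "message type" (e.g. DB traffic vs. HTTP)
    payload: bytes


@dataclass(frozen=True)
class EncryptionRule:
    """Matches when every attribute that is not None equals the message's attribute."""
    key_id: str                          # key to encrypt with when the rule matches
    logical_network: Optional[str] = None
    src_gvm: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, msg: DataMessage) -> bool:
        return all(want is None or want == got for want, got in (
            (self.logical_network, msg.logical_network),
            (self.src_gvm, msg.src_gvm),
            (self.dst_port, msg.dst_port)))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode. A real data path would use AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HypervisorEncryptor:
    """Sits in the host's data path; first matching rule decides key (or clear forwarding)."""

    def __init__(self, keys: dict, rules: list):
        self.keys = dict(keys)     # key_id -> 32-byte key this host holds
        self.rules = list(rules)   # evaluated in order; first match wins

    def add_rule_first(self, rule: EncryptionRule) -> None:
        self.rules.insert(0, rule)  # dynamic rules take precedence over static policy

    def process(self, msg: DataMessage):
        """Returns (key_id, bytes to forward); key_id is None when forwarded unencrypted."""
        for rule in self.rules:
            if rule.matches(msg):
                return rule.key_id, self._seal(rule.key_id, msg.payload)
        return None, msg.payload

    def _seal(self, key_id: str, plaintext: bytes) -> bytes:
        key, kid = self.keys[key_id], key_id.encode()
        nonce = os.urandom(12)
        header = len(kid).to_bytes(1, "big") + kid + nonce  # receiver needs key_id + nonce
        ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        tag = hmac.new(key, header + ct, hashlib.sha256).digest()
        return header + ct + tag

    def unseal(self, wire: bytes) -> bytes:
        """Receiving host: only succeeds if it holds the key named in the header."""
        n = wire[0]
        if len(wire) < 13 + n + 32:
            raise ValueError("truncated message")
        key_id, nonce = wire[1:1 + n].decode(), wire[1 + n:13 + n]
        header, ct, tag = wire[:13 + n], wire[13 + n:-32], wire[-32:]
        key = self.keys[key_id]  # KeyError: this host is not in that network's key domain
        expected = hmac.new(key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        return _xor(ct, _keystream(key, nonce, len(ct)))


# Constructed sample keys and policy (not from the patent).
SAMPLE_KEYS = {
    "k-blue": b"\x01" * 32,        # logical network "blue"
    "k-red": b"\x02" * 32,         # logical network "red"
    "k-db": b"\x03" * 32,          # DB traffic from db1 gets its own key
    "k-quarantine": b"\x04" * 32,  # applied dynamically after an infection is detected
}
SAMPLE_RULES = [
    EncryptionRule("k-db", src_gvm="db1", dst_port=3306),  # message-type-specific rule first
    EncryptionRule("k-blue", logical_network="blue"),
    EncryptionRule("k-red", logical_network="red"),
]


def build_sample_encryptor() -> HypervisorEncryptor:
    return HypervisorEncryptor(SAMPLE_KEYS, SAMPLE_RULES)


def on_malware_detected(enc: HypervisorEncryptor, gvm: str) -> None:
    """Dynamic event: force everything the infected GVM sends onto the quarantine key."""
    enc.add_rule_first(EncryptionRule("k-quarantine", src_gvm=gvm))


if __name__ == "__main__":
    enc = build_sample_encryptor()
    for m in (DataMessage("web1", "blue", 80, b"hello"),
              DataMessage("db1", "blue", 3306, b"select 1"),
              DataMessage("mon1", "mgmt", 161, b"snmp")):
        kid, wire = enc.process(m)
        print(m.src_gvm, "->", kid or "forwarded unencrypted", len(wire), "bytes")
```

Two points the model makes visible: the rule order is the policy (the db1/3306 rule must precede the network-wide "blue" rule or it never fires), and a host that holds only the "red" key cannot unseal "blue" traffic, which is the isolation property the abstract claims between logical overlay networks sharing one fabric.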

Description

BACKGROUND

[0001] Enterprises (e.g., financial service providers, healthcare providers, critical infrastructure providers, etc.) store valuable data, and transfer it over networks. Information spreads across datacenters often through dedicated telco-provided networks. Overlay networks provide the same service across the wide area network (WAN) on a public network for enterprises, and are susceptible to threats such as snooping, man in the middle attack (MITM), and forging. As enterprises widely adopt cloud-based Software-Defined Data Center (SDDC) instead of dedicated datacenters, new challenges are introduced, and protecting the data flowing into, within, and out of the cloud becomes a necessity. The privacy guarantee of private datacenters is no longer assumed, and threats similar to those in the Internet prevail.

[0002] Cryptography protects data and communication channels from malicious parties, provides confidentiality to enterprise dataflow in the cloud, and provides control over ...


Application Information

IPC(8): H04L9/14, G06F9/455
CPC: G09C1/00, H04L63/123, G06F9/45558, G06F2009/45587, H04L63/1408, H04L63/1441, G06F21/6236, G06F21/568, G06F2221/034, G06F9/542, G06F21/56, H04L9/14, H04L2209/24, H04L63/0428, G06F21/602
Inventors: THOTA, KIRAN KUMAR; FEROZ, AZEEM; WIESE, JAMES CHRISTOPHER
Owner: NICIRA