-
Publication number: US11700236B2
Publication date: 2023-07-11
Application number: US16652643
Filing date: 2020-02-27
Applicant: Juniper Networks, Inc.
Inventor: Prasad Miriyala , Aniket G. Daptari , Fei Chen , Pranavadatta D N , Kiran K N , Jeffrey S. Marshall , Prakash T. Seshadri
CPC classification number: H04L63/0263 , G06F9/45558 , H04L12/4679 , H04L41/0894 , H04L45/76 , G06F2009/45587 , G06F2009/45595
Abstract: Techniques are disclosed for redirecting network traffic of virtualized application workload to a host-based firewall. For example, a system comprises a software defined networking (SDN) controller of a multi-tenant virtualized data center configured to: receive a security policy expressed as one or more tags to redirect traffic of a virtualized application workload to a host-based firewall (HBF) of the multi-tenant virtualized data center; configure network connectivity to the HBF in accordance with the security policy; a security controller that manages the HBF configured to: obtain the one or more tags from the SDN controller; receive one or more firewall policies expressed in terms of the one or more tags, wherein each of the one or more firewall policies specifies a function of the HBF; and configure the function of the HBF in accordance with the one or more firewall policies.
-
Publication number: US20220385570A1
Publication date: 2022-12-01
Application number: US17305117
Filing date: 2021-06-30
Applicant: Juniper Networks, Inc.
Inventor: Prasad Miriyala , Wen Lin , Suresh Palguna Krishnan , SelvaKumar Sivaraj , Kumuthini Ratnasingham
IPC: H04L12/721 , H04L12/713 , H04L12/741 , H04L12/46
Abstract: A plurality of switches may be arranged according to a spine and leaf topology in which each spine switch is connected to all leaf switches. A leaf switch includes a memory configured to store a plurality of policies, each of the plurality of policies being associated with a respective source identifier value and a respective destination address; a network interface communicatively coupled to one of the spine switches; and a processor implemented in circuitry and configured to: receive a packet from the spine switch via the network interface, the packet being encapsulated with a Virtual Extensible Local Area Network (VXLAN) header; extract a source identifier value from the VXLAN header; determine a destination address for the packet; determine a policy of the plurality of policies to apply to the packet according to the source identifier value and the destination address; and apply the policy to the packet.
-
Publication number: US20220124077A1
Publication date: 2022-04-21
Application number: US17646632
Filing date: 2021-12-30
Applicant: Juniper Networks, Inc.
Inventor: Sanju C. Abraham , Kiran N. Kasim , Prasad Miriyala
IPC: H04L45/50 , H04L12/46 , H04L45/586 , H04L45/64 , H04L45/745 , H04L49/15
Abstract: In general, techniques are described for enhancing operations of virtual networks. In some examples, a network system includes a plurality of servers interconnected by a switch fabric comprising a plurality of switches interconnected to form a physical network. Each of the servers comprises an operating environment executing one or more virtual machines in communication via one or more virtual networks. The servers comprise a set of virtual routers configured to extend the virtual networks to the operating environments of the virtual machines. A virtual router of the set of virtual routers is configured to prepare tunnel packets by forwarding packets received from virtual machines to an IPSec kernel executing in a host operating network stack, receiving the ESP packets back from the IPSec kernel and forwarding the ESP packets across the virtual networks.
-
Publication number: US20210243163A1
Publication date: 2021-08-05
Application number: US17301279
Filing date: 2021-03-30
Applicant: Juniper Networks, Inc.
Inventor: Prasad Miriyala , Sundaresan Rajangam , Miraj Subhashbhai Kheni , Suresh B. Akula
IPC: H04L29/06 , H04L12/24 , H04L12/859
Abstract: Techniques are disclosed for generating intent-based policies and applying the policies to traffic of a computer network. In one example, a policy controller for the computer network receives traffic statistics for traffic flows among a plurality of application workloads executed by a first set of computing devices. The policy controller correlates the traffic statistics into session records for the plurality of application workloads. The policy controller generates, based on the session records for the application workloads, application firewall policies for the application workloads. Each of the application firewall policies defines whether traffic flows between application workloads are to be allowed or denied. The policy controller distributes the application firewall policies to a second set of one or more computing devices for application to traffic flows between instances of the application workloads.
-
Publication number: US10778724B1
Publication date: 2020-09-15
Application number: US16023978
Filing date: 2018-06-29
Applicant: Juniper Networks, Inc.
Inventor: Prasad Miriyala , Aniket G. Daptari
IPC: H04L29/06
Abstract: Techniques are disclosed for implementing scalable port range policies across a plurality of categories that support application workloads. In one example, a policy agent receives, from a centralized controller for a computer network, a plurality of policies. Each policy of the plurality of policies includes one or more policy rules, and each of the one or more policy rules specifies one or more tags specifying one or more dimensions for application workloads executed by the one or more computing devices and a corresponding port range. The policy agent assigns, based on a policy rule, a port range specified by the policy rule to objects of the one or more computing devices that belong to categories described by the one or more dimensions of the one or more tags of the policy rule. The categories support the application workloads and are assigned to the tags by a centralized controller.
-
Publication number: US20190158541A1
Publication date: 2019-05-23
Application number: US15819522
Filing date: 2017-11-21
Applicant: Juniper Networks, Inc.
Inventor: Prasad Miriyala , Anish Mehta
IPC: H04L29/06
CPC classification number: H04L63/205 , H04L63/0263 , H04L67/10
Abstract: Techniques are disclosed for implementing scalable policies across a plurality of categories that support application workloads. In one example, a policy controller assigns to the plurality of categories tags specifying one or more of a plurality of dimensions. The policy controller distributes a plurality of policies to policy agents for the plurality of categories. Each policy includes one or more policy rules, and each policy rule includes one or more tags specifying one or more of the plurality of dimensions. For each policy rule, the policy agents allow or deny a traffic flow between objects that belong to categories of the plurality of categories described by the one or more dimensions of a respective tag of the policy rule.
-
Publication number: US20190158537A1
Publication date: 2019-05-23
Application number: US16024412
Filing date: 2018-06-29
Applicant: Juniper Networks, Inc.
Inventor: Prasad Miriyala
CPC classification number: H04L63/20 , G06F9/5077 , G06F9/54 , G06F21/602 , G06F21/606 , H04L67/10
Abstract: Techniques are disclosed for implementing scalable policies across a plurality of categories that support application workloads. In one example, the policy is a security policy that indicates which types of virtualized application workloads are required to communicate with encryption and groups computing devices into zones that communicate via respective tunnels configured to carry encrypted communication. An orchestration engine selects a computing device based on the zones defined in the security policy to ensure that the virtualized application workloads requiring encrypted communication communicate via tunnels configured to carry encrypted communication.
-
Publication number: US20250023787A1
Publication date: 2025-01-16
Application number: US18893090
Filing date: 2024-09-23
Applicant: Juniper Networks, Inc.
Inventor: Prasad Miriyala , FNU Nadeem , Sayali Mane , Ankur Tandon , Sajeesh Mathew , Pranav Cherukupalli , Khushi Vaidya
IPC: H04L41/0894 , H04L41/0681
Abstract: In an example, a validation system comprises processing circuitry having access to a storage device and is configured to obtain flow records indicative of packet flows among workloads deployed to a cluster of one or more computing devices configured with a network policy, wherein each flow record of the flow records indicates a corresponding packet flow was allowed or denied by the cluster; receive an updated network policy; determine whether a corresponding packet flow for a flow record of the flow records has a discrepancy with the updated network policy; and in response to determining the corresponding packet flow for the flow record of the flow records has a discrepancy with the updated network policy, output an indication of an error.
-
Publication number: US12177069B2
Publication date: 2024-12-24
Application number: US18341186
Filing date: 2023-06-26
Applicant: Juniper Networks, Inc.
Inventor: Prasad Miriyala , Rosh Perumpully Ramadass , FNU Nadeem
IPC: H04L12/00 , G06F9/38 , G06F9/50 , G06F9/54 , H04L9/40 , H04L41/0803 , H04L41/0813 , H04L41/0866 , H04L41/40 , H04L45/42 , H04L69/00
Abstract: In an example, a method comprises obtaining, by a policy controller from a first SDN architecture system, flow metadata for packet flows exchanged among workloads of a distributed application deployed to the first SDN architecture system; identifying, using flow metadata for a packet flow of the packet flows, a source endpoint workload and a destination endpoint workload of the packet flow; generating a network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload of the packet flow; and adding the network policy rule to a configuration repository as configuration data for a second SDN architecture system to cause a deployment system to configure the second SDN architecture system with the network policy rule to allow packet flows from the source endpoint workload to the destination endpoint workload when the distributed application is deployed to the second SDN architecture system.
-
Publication number: US20240422167A1
Publication date: 2024-12-19
Application number: US18815417
Filing date: 2024-08-26
Applicant: Juniper Networks, Inc.
Inventor: Prasad Miriyala , Sajeesh Mathew , Akhilesh Pathodia , Tashi Garg
Abstract: A network controller for a software-defined networking (SDN) architecture system may receive a request to generate an access control policy for a role in a container orchestration system, where the request specifies a plurality of functions. The network controller may execute the plurality of functions and may log execution of the plurality of functions in an audit log. The network controller may parse the audit log to determine a plurality of resources of the container orchestration system accessed from executing the plurality of functions and, for each resource of the plurality of resources, a respective one or more types of operations performed on the respective resource. The network controller may create, based at least in part on the parsed audit log, the access control policy for the role that permits the role to perform, on each of the plurality of resources, the respective one or more types of operations.
-