H04L63/0263

ARCHITECTURE FEATURES FOR A MEDIA-CENTRIC FIREWALL
20220368673 · 2022-11-17 ·

The embodiments herein describe a firewall for a media production system that provides flexible security between an on-premises production environment and remote media production applications and devices (e.g., cloud-based virtual production environments). As new media devices and applications (referred to generally as media nodes) are added at remote locations, the firewall is updated to permit the media nodes to communicate with the on-premises production environment. The embodiments herein describe an automatic (e.g., software-driven) process in which a network orchestrator detects a change in the media nodes and updates the rule set in the firewall accordingly.
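
The orchestrator step above (inventory changes in, rule-set changes out) as an added example; this is illustration code, not the patent's implementation. The node names, addresses, ports, the on-premises side and the "source too broad" threshold are all constructed assumptions. The point it adds to the abstract is that the reconciliation must remove rules for retired nodes as reliably as it adds rules for new ones, and must refuse to widen the perimeter on a sloppy node record.

```python
"""Added example (not from the patent): an orchestrator that turns an inventory of
remote media nodes into firewall rules and reconciles the firewall each time the
inventory changes. Node names, addresses, ports and the breadth threshold are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class MediaNode:
    name: str
    address: str      # remote address or CIDR the node sends from
    protocol: str     # "tcp" or "udp"
    port: int         # on-premises port the node needs to reach


@dataclass(frozen=True)
class Rule:
    src: str
    protocol: str
    dport: int

    def render(self) -> str:
        """Render as an iptables INPUT rule (one accept rule per node flow)."""
        return f"-A INPUT -s {self.src} -p {self.protocol} --dport {self.dport} -j ACCEPT"


def desired_rules(nodes: Iterable[MediaNode]) -> FrozenSet[Rule]:
    """Derive the rule set an inventory requires. Sources broader than the
    assumed /8 threshold are refused: an orchestrator must never admit the
    whole internet just because a node record was sloppy (0.0.0.0/0 is the
    real concern)."""
    rules = set()
    for node in nodes:
        net = ip_network(node.address, strict=False)
        if net.prefixlen < 8:
            raise ValueError(f"{node.name}: source {node.address} is too broad")
        if node.protocol not in ("tcp", "udp") or not 1 <= node.port <= 65535:
            raise ValueError(f"{node.name}: bad protocol/port")
        rules.add(Rule(str(net), node.protocol, node.port))
    return frozenset(rules)


def reconcile(current: FrozenSet[Rule], desired: FrozenSet[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Compute (to_add, to_remove). Removing stale rules matters as much as adding
    new ones: a retired node's address may later be handed to an untrusted tenant."""
    order = lambda r: (r.src, r.protocol, r.dport)
    to_add = sorted(desired - current, key=order)
    to_remove = sorted(current - desired, key=order)
    return to_add, to_remove


def apply_changes(current: FrozenSet[Rule], to_add: List[Rule], to_remove: List[Rule]) -> FrozenSet[Rule]:
    return (current - frozenset(to_remove)) | frozenset(to_add)


def on_inventory_change(current: FrozenSet[Rule], nodes: Iterable[MediaNode]):
    """Orchestrator entry point: called whenever a media node is added or removed.
    Returns the new rule set plus the two change lists, so the caller can log them."""
    desired = desired_rules(nodes)
    to_add, to_remove = reconcile(current, desired)
    return apply_changes(current, to_add, to_remove), to_add, to_remove
```

Running `on_inventory_change` twice with the same inventory yields empty change lists, which is the property that makes the orchestrator safe to trigger on every detected change rather than on a schedule.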

User interface for defining security groups

Some embodiments provide a method for defining security groups in a network. In a user interface, the method displays (i) a set of existing security groups and (ii) a set of recommended security groups based on monitored network flows in the network. Each existing security group and recommended security group includes at least one data compute node (DCN). The method provides a user interface tool for (i) accepting recommended security groups to be part of the set of existing security groups and (ii) adding DCNs from the recommended security groups to the existing security groups. Security rules are defined and implemented in the network for DCNs belonging to existing security groups.
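
The recommendation, acceptance and rule-derivation steps above as an added example; this is not the patent's code, and the grouping heuristic (cluster DCNs by the set of services they were contacted on), the DCN names and the flow sample are all assumptions. Beyond the abstract, it shows the gap a practitioner has to watch: flows that touch a DCN not yet in any existing group get no rule, so under default deny they break until the operator assigns that DCN.

```python
"""Added example (not from the patent): recommending security groups from monitored
flows and deriving group-to-group rules once groups are accepted. DCN names, the
flow sample and the grouping heuristic are assumptions for illustration."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Flow = Tuple[str, str, str, int]          # (src_dcn, dst_dcn, protocol, dst_port)
Group = FrozenSet[str]
Rule = Tuple[str, str, str, int]          # (src_group, dst_group, protocol, dst_port)

# Constructed sample of monitored flows (not real telemetry).
FLOWS: List[Flow] = [
    ("lb1", "web1", "tcp", 443), ("lb1", "web2", "tcp", 443),
    ("web1", "db1", "tcp", 5432), ("web2", "db1", "tcp", 5432),
]


def service_profiles(flows: List[Flow]) -> Dict[str, FrozenSet[Tuple[str, int]]]:
    """Map every DCN seen in the flows to the set of (protocol, port) it was contacted on."""
    served: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for src, dst, proto, port in flows:
        served.setdefault(src, set())          # client-only DCNs get an empty profile
        served[dst].add((proto, port))
    return {dcn: frozenset(s) for dcn, s in served.items()}


def recommend_groups(flows: List[Flow], existing: Dict[str, Group]) -> Dict[str, Group]:
    """One recommended group per distinct service profile, for DCNs not already grouped."""
    assigned = {dcn for members in existing.values() for dcn in members}
    by_profile: Dict[FrozenSet[Tuple[str, int]], Set[str]] = defaultdict(set)
    for dcn, profile in service_profiles(flows).items():
        if dcn not in assigned:
            by_profile[profile].add(dcn)
    recs: Dict[str, Group] = {}
    for profile, dcns in by_profile.items():
        label = "rec-" + ("-".join(f"{p}{port}" for p, port in sorted(profile)) or "no-inbound")
        recs[label] = frozenset(dcns)
    return recs


def accept_group(existing: Dict[str, Group], recs: Dict[str, Group],
                 rec_name: str, as_name: Optional[str] = None) -> None:
    """UI action (i): promote a recommended group to an existing group."""
    existing[as_name or rec_name] = recs.pop(rec_name)


def add_dcn_to_group(existing: Dict[str, Group], recs: Dict[str, Group], dcn: str, group: str) -> None:
    """UI action (ii): move one DCN out of its recommendation into an existing group."""
    for name, members in list(recs.items()):
        if dcn in members:
            recs[name] = members - {dcn}
            if not recs[name]:
                del recs[name]
    existing[group] = existing.get(group, frozenset()) | {dcn}


def derive_rules(flows: List[Flow], existing: Dict[str, Group]) -> Tuple[Set[Rule], List[Flow]]:
    """Group-to-group allow rules for flows whose endpoints are both in existing groups.
    Flows touching an unassigned DCN are returned separately: they get no rule."""
    group_of = {dcn: name for name, members in existing.items() for dcn in members}
    rules: Set[Rule] = set()
    uncovered: List[Flow] = []
    for flow in flows:
        src, dst, proto, port = flow
        if src in group_of and dst in group_of:
            rules.add((group_of[src], group_of[dst], proto, port))
        else:
            uncovered.append(flow)
    return rules, uncovered
```

The `uncovered` list is what the UI should surface next to the recommendations: it is the set of observed traffic the current groups cannot express.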

Migrating networking configurations
11588693 · 2023-02-21 ·

A method includes receiving, from an agent executing in a virtual machine, network information associated with the virtual machine, the virtual machine to be migrated to a container. The method further includes generating a container networking configuration based on the network information. The container networking configuration is to provide network access to processes migrated from the virtual machine to the container. The method further includes providing the container networking configuration to a container orchestration system. The container orchestration system is to use the container networking configuration to provide network access to the container.

Cloud infrastructure for isolation and run-time behavioral tuning through configuration externalization

Embodiments generally relate to a cloud computing infrastructure and method of operating the same including at least: receiving a configuration file from a configuration repository; receiving a request from a first device to configure an application rule set of one or more nodes based on the configuration file; transmitting the request to a receiver node selected from the one or more nodes; generating a notification alerting the one or more nodes that the request is stored on a database; distributing the configuration file to a subset of the one or more nodes based on receipt of an access request from the one or more nodes; and updating the application rule set of the subset of the one or more nodes based on the configuration file.

Secure master and secure guest endpoint security firewall

Disclosed embodiments relate to a security firewall having a security hierarchy including: secure master (SM); secure guest (SG); and non-secure (NS). There is one secure master and n secure guests. The firewall includes one secure region for the secure master and one secure region for secure guests. The SM region only allows access from the secure master, and the SG region allows accesses from any secure transaction. Finally, the non-secure region can be implemented in two ways. In a first option, non-secure regions may be accessed only by non-secure transactions. In a second option, non-secure regions may be accessed by any processing core; in this option, the access is downgraded to a non-secure access if the security identity is secure master or secure guest. If the two security levels are not needed, the secure master can unlock the SM region to allow any secure guest access to the SM region.
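
The access decision above (three identities, three regions, both non-secure-region options, the downgrade, and the unlock) as an added example in the form of a software model; it is not the patent's hardware and the enum names, the `(allowed, effective identity)` return convention and the `PermissionError` on a non-master unlock are assumptions. The model makes explicit what the abstract only implies: under option 2 the effective identity seen by the endpoint is always non-secure, and the unlock is itself a privileged operation.

```python
"""Added example (not from the patent): a software model of the SM/SG/NS access
decision, including both options for the non-secure region, the downgrade of
secure accesses to non-secure, and the secure master unlocking its region.
The enum names and the return convention are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Identity(Enum):
    SM = "secure master"
    SG = "secure guest"
    NS = "non-secure"


class Region(Enum):
    SM = "secure master region"
    SG = "secure guest region"
    NS = "non-secure region"


class NsOption(Enum):
    NS_ONLY = 1             # option 1: only non-secure transactions reach the NS region
    ANY_CORE_DOWNGRADE = 2  # option 2: any core, but secure identities are downgraded


@dataclass
class EndpointFirewall:
    ns_option: NsOption
    sm_region_unlocked: bool = False

    def check(self, identity: Identity, region: Region) -> Tuple[bool, Identity]:
        """Return (allowed, effective identity). The effective identity is what the
        endpoint sees; it differs from the requester only under the downgrade option."""
        if region is Region.SM:
            if identity is Identity.SM:
                return True, identity
            # Secure guests reach the SM region only after the master unlocks it.
            return (identity is Identity.SG and self.sm_region_unlocked), identity
        if region is Region.SG:
            # Any secure transaction: master or guest.
            return identity in (Identity.SM, Identity.SG), identity
        if self.ns_option is NsOption.NS_ONLY:
            return identity is Identity.NS, identity
        # Option 2: master and guests are admitted as non-secure, so nothing they
        # write there can be mistaken for secure-world data.
        return True, Identity.NS

    def unlock_sm_region(self, requester: Identity) -> None:
        """Collapse the two secure levels into one; only the secure master may do this."""
        if requester is not Identity.SM:
            raise PermissionError("only the secure master can unlock the SM region")
        self.sm_region_unlocked = True


def access_matrix(fw: EndpointFirewall) -> Dict[Tuple[Identity, Region], Tuple[bool, Identity]]:
    """Every (identity, region) pair with its decision, for reviewing a configuration."""
    return {(i, r): fw.check(i, r) for i in Identity for r in Region}
```

`access_matrix` is the table a reviewer would diff between two firewall configurations; the unlock shows up there as exactly one cell changing (SG to SM region).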

System and method for firewall protection of dynamically introduced routes

A new approach is proposed to support firewall protection of dynamically introduced routes in an internal communication network. Under the proposed approach, all routes dynamically introduced into the internal communication network via a dynamic routing service are dynamically learned and tagged by a route collection engine. A dynamic network object is created, which is a software component configured to store a plurality of single IP addresses and/or IP address ranges of the dynamically learned routes in a dynamic routing network. A firewall engine of the internal communication network is configured to create one or more firewall rules referencing the dynamic network object and apply various security measures/policies to network data packets routed on the dynamically learned routes in the dynamic routing network based on IP address matching with the dynamic network object.
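
The route collection engine, dynamic network object and object-referencing firewall rule described above as an added example; this is illustration code, not the patent's implementation, and the prefixes, the route tags and the first-match rule semantics are assumptions. It adds the caveat a practitioner needs: whatever the dynamic routing service hands the engine becomes allow-listed, so a default route (or any route from a peer that is not prefix-filtered) must never be learned into an object that an allow rule references.

```python
"""Added example (not from the patent): a route collection engine that learns and
tags dynamically introduced routes, stores them in dynamic network objects, and a
firewall engine whose rules reference those objects by name. Prefixes, tags and
the rule layout are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class DynamicNetworkObject:
    """Holds single addresses (/32, /128) and ranges learned for one route tag."""
    name: str
    prefixes: Set[Network] = field(default_factory=set)

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.prefixes)


class RouteCollectionEngine:
    def __init__(self) -> None:
        self.objects: Dict[str, DynamicNetworkObject] = {}

    def learn(self, prefix: str, tag: str) -> None:
        """Called for each route the dynamic routing service installs. The tag
        (e.g. the peer or protocol the route came from) selects the object."""
        net = ipaddress.ip_network(prefix, strict=False)
        if net.prefixlen == 0:
            # A default route would make the object match everything and turn
            # every allow rule that references it into an allow-all.
            raise ValueError("refusing to learn a default route into a dynamic object")
        self.objects.setdefault(tag, DynamicNetworkObject(tag)).prefixes.add(net)

    def withdraw(self, prefix: str, tag: str) -> None:
        """Called when the route is withdrawn; the rule stays, the match just shrinks."""
        net = ipaddress.ip_network(prefix, strict=False)
        if tag in self.objects:
            self.objects[tag].prefixes.discard(net)


@dataclass(frozen=True)
class FirewallRule:
    src_object: str   # dynamic network object name, or "any"
    dst_object: str
    action: str       # "allow" or "deny"


class FirewallEngine:
    def __init__(self, engine: RouteCollectionEngine, rules: List[FirewallRule]) -> None:
        self.engine = engine
        self.rules = rules

    def _matches(self, object_name: str, ip: str) -> bool:
        if object_name == "any":
            return True
        obj = self.engine.objects.get(object_name)
        return obj is not None and obj.contains(ip)   # unknown object matches nothing

    def decide(self, src_ip: str, dst_ip: str) -> str:
        """First matching rule wins; no match means deny."""
        for rule in self.rules:
            if self._matches(rule.src_object, src_ip) and self._matches(rule.dst_object, dst_ip):
                return rule.action
        return "deny"
```

Because rules reference the object by name, a withdrawal never leaves a dangling rule; a rule that names an object nothing has been learned into simply matches nothing, which is the fail-closed behaviour you want.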

Automatic configuration of logical routers on edge nodes

Some embodiments provide a method or tool for automatically configuring a logical router on one or more edge nodes of an edge cluster (e.g., in a hosting system such as a datacenter). The method of some embodiments configures the logical router on the edge nodes based on a configuration policy that dictates the selection method of the edge nodes. In some embodiments, an edge cluster includes several edge nodes (e.g., gateway machines), through which one or more logical networks connect to external networks (e.g., external logical and/or physical networks). In some embodiments, the configured logical router connects a logical network to an external network through the edge nodes.

Systems and methods for access control list (ACL) filtering

A filter for performing access control list (ACL) filtering may be used in place of highly complex and resource-intensive TCAMs for access control. In this regard, the filter may be configured to compare packet header information to action-priority pairs stored in ACL tables. Each action-priority pair indicates at least one action to be performed for implementing a desired rule and a priority for that action. An access control action from an action-priority pair matching the header information may be performed in order to implement a desired access control rule for the received packet. If multiple action-priority pairs from the same table match the header information, then the priorities of the matching action-priority pairs are compared to resolve the conflict. The circuitry of the filter is arranged such that exact-match searching can be performed on the ACL tables to reduce the complexity and cost of the filter.
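
The exact-match filter above as an added example; this is a software model for illustration, not the patent's circuitry. The header field names, the table layout, the sample policy and the "lower priority value wins" convention are assumptions. It also shows the price of exact match that the abstract leaves implicit: a table keys on a fixed set of fields, so the wildcard and range rules a TCAM would absorb must be expanded into separate keys, and a priority tie between contradictory actions is resolved fail-closed rather than by table order.

```python
"""Added example (not from the patent): an exact-match ACL filter built from tables
of action-priority pairs, with priority-based conflict resolution inside a table and
across tables. Field names, table layout and the 'lower value wins' priority
convention are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Header = Dict[str, object]                 # parsed packet header fields
ActionPriority = Tuple[str, int]           # ("permit" | "deny", priority; lower wins)


@dataclass
class AclTable:
    """One exact-match table. `fields` names the header fields that form the lookup
    key, so a table can only express rules on exactly those fields."""
    fields: Tuple[str, ...]
    entries: Dict[Tuple, List[ActionPriority]] = field(default_factory=dict)

    def add(self, key: Tuple, action: str, priority: int) -> None:
        if len(key) != len(self.fields):
            raise ValueError("key width must match the table's field list")
        self.entries.setdefault(key, []).append((action, priority))

    def lookup(self, header: Header) -> List[ActionPriority]:
        """Exact match: build the key from the header and look it up directly."""
        key = tuple(header[f] for f in self.fields)
        return self.entries.get(key, [])


def resolve(pairs: List[ActionPriority]) -> ActionPriority:
    """Pick the pair with the most urgent (lowest) priority. If pairs with different
    actions tie, fail closed rather than let insertion order decide."""
    top = min(p for _, p in pairs)
    actions = {a for a, p in pairs if p == top}
    return ("deny" if len(actions) > 1 else actions.pop(), top)


def filter_packet(tables: List[AclTable], header: Header, default: str = "deny") -> str:
    """Resolve within each table that matched, then across the table winners."""
    winners = [resolve(pairs) for t in tables if (pairs := t.lookup(header))]
    return resolve(winners)[0] if winners else default


def build_tables() -> List[AclTable]:
    """Constructed sample policy (not a real ACL)."""
    by_src_port = AclTable(("src", "dport"))
    by_src_port.add(("10.0.0.5", 22), "permit", 10)    # admin host may SSH
    by_src_port.add(("10.0.0.7", 22), "permit", 10)    # same for this host...
    by_src_port.add(("10.0.0.7", 22), "deny", 5)       # ...but a more urgent deny overrides it
    by_src_port.add(("10.0.0.9", 443), "permit", 1)
    by_dst = AclTable(("dst",))
    by_dst.add(("10.0.1.9",), "deny", 20)               # low-urgency deny for a sensitive host
    by_dst.add(("10.0.3.3",), "deny", 1)                # ties with the permit above: fail closed
    return [by_src_port, by_dst]
```

A packet whose key appears in no table falls through to the default; keep that default at deny, since with exact match there is no catch-all entry to express it otherwise.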

Testing and remediating compliance controls

Users of an endpoint remediation system can be assigned to different roles, from which they can request exceptions, approve exceptions, and/or enable remediation on endpoint devices. The compliance scanning and enforcing process can be automated, while allowing entities to request and/or approve certain exceptions. Therefore, security compliance for customers can be actively managed to provide visibility into the endpoint device compliance state at any time.