In recent years it has become increasingly common for corporations and individuals to run computer programs on virtual machines on servers. Virtual machines are computers simulated in software by other computers. The physical computers on which the virtual machines run are also referred to as “hosts” or “host computers”. To the programs running on the virtual machines, there is little or no discernible difference between running on a virtual machine and running on a whole computer.
Virtual machines have several advantages. When a user wants to run multiple applications that each work best on a different operating system (e.g., Windows 95® or Windows XP®), the user can implement two virtual machines on a single computer: one virtual machine running the Windows 95 operating system and one virtual machine running the Windows XP® operating system.
Another advantage of using a virtual machine is that the operating system and application or applications running on the virtual machine may require only a fraction of the full resources of the physical computer on which the virtual machine is running. Thus, multiple virtual machines can run on the same physical computer, saving hardware costs.
Still another advantage is that virtual machines can be instantiated as needed, then shut down when no longer needed, freeing the resources of the physical computer to run other virtual machines. Therefore, a system with multiple virtual machines that are needed at different times saves more resources by running each virtual machine only when that virtual machine is needed.
One popular application of virtual machines is running them on a hosting system. A hosting system runs multiple physical computers (also referred to as “servers” or “host nodes”) that each run multiple virtual machines (also referred to as “hosting” the virtual machines). Some hosting systems can move virtual machines among the host nodes. For example, a hosting system may host four virtual machines on one host node while the four virtual machines have low resource requirements. Later, if the resource requirements of one of the virtual machines increase, the hosting system can move one of the virtual machines to another host node.
As virtual machines are intended to accurately simulate individual computers, they often have the same security vulnerabilities as individual computers. For example, virtual machines can be infected with computer worms and are exposed to other forms of unauthorized access. The problems of infected machines are magnified because some prior-art hosting systems do not protect virtual machines from unauthorized access by other virtual machines on the same host node. In such a hosting system, worm-infected virtual machines can infect other virtual machines on the same host node. When any of the infected virtual machines are moved to other host nodes, they may carry the infection with them. In time, the infection of one virtual machine in such a hosting system can result in an infection spreading to all the virtual machines on the hosting system.
In order to protect virtual machines from unauthorized access, and to protect the hosting system itself and individual host nodes from unauthorized access and infection, firewalls are implemented. A firewall is computer software running on a particular machine or stored on a computer-readable medium, hardware, or a combination of hardware and software. It checks incoming and/or outgoing packets of data against an existing list of characteristics, and that list determines whether each packet should be allowed to continue to its destination or should be blocked.
In systems hosting virtual machines, firewalls can be run on the hosting system itself and on individual virtual machines. The firewalls of prior-art hosting systems were not efficiently coordinated; accordingly there is a need in the art for a coordinated firewall for a hosting system.
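A minimal illustration of the two points above, written for this page and not taken from the patent: a firewall as a first-match list of packet characteristics, and a host node that either never sees or does inspect traffic between its own virtual machines. The addresses, rules and packets are constructed, and the stateless per-packet model is a simplification.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    """One entry of the firewall's list of characteristics; None means 'any'."""
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dport in (None, pkt.dport)
                and self.proto in (None, pkt.proto))

def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule decides; an unmatched packet gets the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

def host_node_verdict(node_vms, rules, pkt, inspect_inter_vm: bool) -> str:
    """A node that only filters traffic entering or leaving it never sees packets
    between two of its own VMs; a coordinated node applies the same rules to them."""
    same_node = pkt.src in node_vms and pkt.dst in node_vms
    if same_node and not inspect_inter_vm:
        return "allow"   # uninspected path a worm can use to reach a co-hosted VM
    return evaluate(rules, pkt)

# Constructed sample: four VMs (private addresses) on one host node, and a policy
# that admits HTTPS to the VMs and denies all other VM-to-VM traffic.
NODE_VMS = {"10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"}
RULES = [
    Rule("allow", dst="10.0.0.0/24", dport=443, proto="tcp"),
    Rule("deny", src="10.0.0.0/24", dst="10.0.0.0/24"),
]
WORM_PROBE = Packet("10.0.0.11", "10.0.0.12", 445)        # co-hosted VM to VM
CLIENT_HTTPS = Packet("203.0.113.5", "10.0.0.12", 443)    # external client
```

Running `host_node_verdict` on `WORM_PROBE` returns "allow" for the uncoordinated node and "deny" for the coordinated one, while `CLIENT_HTTPS` is allowed in both cases.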