US 12,149,504 B2
Firewall drift monitoring and detection
Benjamin Wu, New York, NY (US); Sridhar M. Seetharaman, New York, NY (US); and Yaroslav Denega, New York, NY (US)
Assigned to THE BANK OF NEW YORK MELLON, New York, NY (US)
Filed by THE BANK OF NEW YORK MELLON, New York, NY (US)
Filed on Dec. 29, 2023, as Appl. No. 18/399,786.
Application 18/399,786 is a continuation of application No. 17/531,315, filed on Nov. 19, 2021, granted, now 11,936,621.
Prior Publication US 2024/0137341 A1, Apr. 25, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/0263 (2013.01) [H04L 63/0236 (2013.01); H04L 63/20 (2013.01)] 20 Claims
1. A non-transitory computer-readable medium storing computer program instructions that, when executed by a computer system, effectuate operations comprising:
obtaining, with a computing system, a first set of firewall rules of a first firewall for a first instance of a distributed application, the first set of firewall rules specifying whether respective pairs of network sockets of a first set of network sockets are authorized to communicate with one another via network traffic, the first instance of the distributed application comprising a first set of instances of a plurality of processes executing on a first plurality of computers, and wherein each network socket of the first set of network sockets comprises an IP address and a port number of a port specifying one of the first set of instances associated with the network traffic;
obtaining, with the computer system, a second set of firewall rules of a second firewall for a second instance of the distributed application, the second set of firewall rules specifying whether respective pairs of network sockets of a second set of network sockets are authorized to communicate with one another via network traffic, the second instance of the distributed application comprising a second set of instances of the plurality of processes executing on a second plurality of computers, and wherein each network socket of the second set of network sockets comprises an IP address and a port number of a port specifying one of the second set of instances associated with the network traffic;
obtaining, with the computer system, a mapping of a plurality of network sockets from amongst the first set of network sockets and the second set of network sockets to identifiers of processes among the plurality of processes, the mapping indicating which processes of the plurality of processes have respective instances from amongst the first set of instances and the second set of instances bound to which network sockets of the plurality of network sockets;
determining, with the computer system, based on the mapping, whether the first set of firewall rules prohibit different processes from the plurality of processes from communicating with one another than the second set of firewall rules, the determination comprising:
translating network sockets included within the first set of firewall rules and the second set of firewall rules into identifiers of processes from the plurality of processes to obtain a translated first set of rules and a translated second set of rules; and
comparing the translated first set of rules and the translated second set of rules; and
using the translated first set of firewall rules or the translated second set of firewall rules to determine whether the first set of firewall rules prohibit different programs from communicating with one another than the second set of firewall rules; and
storing, with the computer system, a result of the determination in memory.
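The steps of claim 1 (obtain two socket-level rule sets, obtain a socket-to-process mapping, translate both rule sets into process identifiers, compare them, record the result) as a runnable Python example. This is added illustration, not code from the patent or its assignee; the process names, IP addresses, ports and rules are constructed, and the handling of sockets missing from the mapping is an assumption about how a practitioner would want such gaps surfaced.

```python
"""Added example, not code from the patent: translate socket-level firewall
rules of two instances of a distributed application into process-level rules,
then diff them to detect drift, following the steps of claim 1.
All names, addresses and rules below are constructed for illustration."""
from dataclasses import dataclass

Socket = tuple[str, int]  # (IP address, port number), as in the claim


@dataclass(frozen=True)
class SocketRule:
    src: Socket
    dst: Socket
    allowed: bool


@dataclass(frozen=True)
class ProcessRule:
    src_process: str
    dst_process: str
    allowed: bool


def translate(rules, mapping):
    """Translate each rule's sockets into process identifiers via the
    socket-to-process mapping. A rule touching a socket absent from the
    mapping cannot be translated; such sockets are returned separately
    instead of being silently dropped (assumption: an unmapped socket is
    itself a finding worth reporting)."""
    translated, unmapped = set(), set()
    for rule in rules:
        missing = {s for s in (rule.src, rule.dst) if s not in mapping}
        if missing:
            unmapped |= missing
            continue
        translated.add(ProcessRule(mapping[rule.src], mapping[rule.dst], rule.allowed))
    return translated, unmapped


def prohibited_pairs(translated):
    """Process pairs that a translated rule set denies."""
    return {(r.src_process, r.dst_process) for r in translated if not r.allowed}


def detect_drift(first_rules, second_rules, mapping):
    """Compare the two translated rule sets: do they prohibit different
    process pairs from communicating, and which rules differ at all?"""
    first, unmapped_first = translate(first_rules, mapping)
    second, unmapped_second = translate(second_rules, mapping)
    return {
        "prohibits_differently": prohibited_pairs(first) != prohibited_pairs(second),
        "only_in_first": first - second,
        "only_in_second": second - first,
        "unmapped_sockets": unmapped_first | unmapped_second,
    }


# Constructed sample: the same three processes deployed at different addresses
# in two instances (for example primary and disaster-recovery environments).
def sample_mapping():
    return {
        ("10.1.0.10", 8080): "web", ("10.1.0.20", 9000): "api", ("10.1.0.30", 5432): "db",
        ("10.2.0.10", 8080): "web", ("10.2.0.20", 9000): "api", ("10.2.0.30", 5432): "db",
    }


def sample_rules():
    first = {
        SocketRule(("10.1.0.10", 8080), ("10.1.0.20", 9000), True),
        SocketRule(("10.1.0.20", 9000), ("10.1.0.30", 5432), True),
        SocketRule(("10.1.0.10", 8080), ("10.1.0.30", 5432), False),
    }
    second = {
        SocketRule(("10.2.0.10", 8080), ("10.2.0.20", 9000), True),
        SocketRule(("10.2.0.20", 9000), ("10.2.0.30", 5432), True),
        SocketRule(("10.2.0.10", 8080), ("10.2.0.30", 5432), True),  # web->db opened: drift
        SocketRule(("10.2.0.99", 22), ("10.2.0.30", 5432), True),    # source socket not in mapping
    }
    return first, second


def run_sample():
    first, second = sample_rules()
    return detect_drift(first, second, sample_mapping())


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Comparing the rule sets at the socket level would flag every rule as different, because the two instances use different IP addresses; translating to process identifiers first is what makes the single real difference (the web process being allowed to reach the database directly in the second instance) visible.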