9270594

Apparatus and Method for Applying Network Policy at Virtual Interfaces

Published: February 23, 2016
Assignee: not available in USPTO data we have

Patent Claims
25 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A network system comprising: a network device being communicatively coupled with a switch, the network device including, a first operating system interface, a first virtualization adapter, and an input output port, the first virtualization adapter being configured to receive a first frame from the first operating system interface and to tag the first frame to indicate an association between the first frame and the first operating system interface, and to configure the first frame to be transmitted, with a second frame associated with a second operating system interface, via the input output port, and the switch being configured to receive the first frame and examine a tag, and to enforce a network policy upon the first frame, based on the tag.

2. The system of claim 1, wherein the network device further comprises: a first operating system being configured to generate first data, wherein the first operating system interface is configured to receive the first data and to translate the first data into the first frame.

3. The system of claim 1, wherein the switch includes a second virtualization adapter to append a further tag to the first frame to indicate one or more operating system interfaces permitted to receive the first frame under the network policy, and wherein the first virtualization adapter is to, receive the frame from the switch, inspect the further tag, and based on the further tag, direct the first frame to the one or more operating system interfaces.

4. The system of claim 2, wherein the network device includes a plurality of virtual machines, each being configured to communicate frames with the switch via separate operating system interfaces, the virtualization adapter and the input output port.

5. A method comprising: receiving, at a network node, a frame including a first operating system indicator identifying an operating system interface from which the frame was sent; examining, at the network node, the first operating system indicator to identify a network policy associated with the operating system interface; and enforcing, using at least one processor, the network policy on the frame.

6. The method of claim 5, wherein the operating system interface is a virtual interface corresponding to an operating system virtualized on a computer.

7. The method of claim 6, wherein the operating system is associated with a plurality of operating system interfaces.

8. The method of claim 5, further comprising: accessing a storage module including a plurality of operating system indicators and a plurality of network policies, each of the plurality of operating system indicators being associated with at least one network policy; and identifying the at least one network policy corresponding to the first operating system indicator.

9. The method of claim 5, further comprising: accessing a header within the frame identifying a source input/output port from which the frame was received; and enforcing the network policy based on an identity of the source input/output port.

10. The method of claim 5, wherein the enforcing of the network policy includes at least one of enforcing access rights of a network device communicating with the network node, regulating a scope of privileges of a network device communicating with the network node, preventing a denial of service attack of the network node or enforcing a firewall policy at the network node.

11. The method of claim 8, wherein the enforcing of the network policy includes allowing or denying transmission of the frame to a destination input output port based on the network policy.

12. The method of claim 8, wherein the frame includes a direction indicating whether the frame is inbound to the network node or outbound from the network node, and wherein the identifying of the at least one network policy includes referencing a table entry containing a list of operating system interfaces permitted to receive the frame.

13. An apparatus comprising: a first network device to receive a frame from a second network device; a virtualization module to identify an operating system interface from which the frame was received; and a policy enforcement module to enforce a network policy upon the frame based on an identity of the operating system interface.

14. The apparatus of claim 13 wherein the virtualization module is further to access a header within the frame to identify a source input output port from which the frame was received, and the policy enforcement module is to enforce the network policy further based on an identity of the source input output port.

15. The apparatus of claim 13, wherein the policy enforcement module is to access a storage module to reference the network policy.

16. The apparatus of claim 15, wherein the policy enforcement module is configured to enforce at least one of access rights, a scope of privileges, a denial of service attack prevention policy or a firewall policy.

17. The apparatus of claim 14, further comprising: an input output port to transmit the frame to a destination network address if the network policy permits.

18. A method comprising: receiving a first frame from a first operating system interface; appending the first frame with an indicator associating the first frame with the first operating system interface; and configuring the first frame to be transmitted over a physical input output port with a second frame associated with a second operating system interface.

19. The method of claim 18 wherein the associating of the first frame with the first operating system interface includes indicating that the first frame was received from the first operating system interface.

20. The method of claim 18, further comprising: receiving data expressed in a first communication protocol from an operating system; and translating the data into the first frame expressed in a second communication protocol.

21. An apparatus comprising: a first operating system interface; and a virtualization module to, receive a first frame from the first operating system interface, append an indicator to the first frame to indicate an association between the first frame and the first operating system interface, and configure the first frame to be transmitted over an input output port, with a second frame associated with a second operating system interface.

22. The apparatus of claim 21, wherein the virtualization module is to append the indicator to indicate that the first frame was received from the first operating system interface.

23. The apparatus of claim 22, wherein the first operating system interface is configured to receive data expressed in a first communication protocol from an operating system, and is to translate the data into the first frame expressed in a second communication protocol.

24. A non-transitory machine-readable medium containing instructions which, when executed by a processing system, cause the processing system to perform a method, the method comprising: receiving a frame including at least one operating system indicator identifying an operating system interface from which the frame was sent; examining the operating system indicator to identify a network policy associated with the operating system interface; and enforcing the network policy on the frame at a network device.

25. A network system comprising: means for receiving a first frame from a first operating system interface; means for appending the first frame with an operating system indicator associating the first frame with the first operating system interface; means for configuring the first frame to be transmitted over a physical input output port with a second frame associated with a second operating system interface; means for receiving the first frame from the first input output port; means for examining the operating system indicator to identify a network policy associated with the first operating system interface; and means for enforcing the network policy on the first frame.
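The mechanism the claims describe, as an added simulation that is not the patent's or any vendor's implementation: a host-side virtualization adapter tags each frame with an operating system interface indicator (here `vif_id`) and multiplexes frames from several interfaces onto one physical port (claims 18 and 21); the switch looks the indicator up in a policy table, also checks the physical source port it arrived on (claim 9), and allows or denies the frame, applying destination and rate-limit rules (claims 10 and 11); an allowed frame is returned with a "further tag" naming the interfaces permitted to receive it, which the adapter uses for delivery (claims 3 and 12). The `Policy` fields, the `Direction` values, the port names and the MAC addresses are constructed for the example and are assumptions, not values from the patent.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Direction(Enum):
    OUTBOUND = "outbound"   # leaving the OS interface toward the switch
    INBOUND = "inbound"     # coming from the switch toward the OS interface


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: bytes
    vif_id: Optional[int] = None          # operating system indicator (the tag)
    direction: Optional[Direction] = None
    receivers: Tuple[int, ...] = ()       # "further tag": vifs allowed to receive it


@dataclass
class Policy:
    allowed_src_ports: Set[str]            # physical ports this vif may appear on
    allowed_dst_macs: Optional[Set[str]]   # None means any destination is permitted
    frame_budget: int                      # frames accepted before rate limiting kicks in
    permitted_receivers: Set[int]          # vifs that may receive frames from this vif


class VirtualizationAdapter:
    """Host side: tags each frame with its vif id and queues it on one physical port."""

    def __init__(self, port_name: str) -> None:
        self.port_name = port_name
        self.tx_queue: List[Frame] = []

    def send(self, vif_id: int, frame: Frame) -> Frame:
        # Append the indicator so the switch can tell which OS interface sent the frame.
        tagged = replace(frame, vif_id=vif_id, direction=Direction.OUTBOUND)
        self.tx_queue.append(tagged)
        return tagged

    def flush(self) -> List[Frame]:
        # Everything queued by every vif leaves over the same physical port.
        queued, self.tx_queue = self.tx_queue, []
        return queued

    @staticmethod
    def dispatch(frame: Frame) -> Tuple[int, ...]:
        """Deliver an inbound frame only to the vifs named in the further tag."""
        return frame.receivers if frame.direction is Direction.INBOUND else ()


class PolicySwitch:
    """Switch side: looks up the policy by vif id and allows or denies each frame."""

    def __init__(self, policies: Dict[int, Policy]) -> None:
        self.policies = policies
        self.counts: Dict[int, int] = {}   # frames seen per vif, for the rate limit

    def enforce(self, frame: Frame, src_port: str) -> Tuple[bool, str, Optional[Frame]]:
        if frame.vif_id is None:
            return False, "untagged frame", None
        policy = self.policies.get(frame.vif_id)
        if policy is None:
            return False, f"no policy for vif {frame.vif_id}", None
        if src_port not in policy.allowed_src_ports:
            return False, f"vif {frame.vif_id} not permitted on port {src_port}", None
        if policy.allowed_dst_macs is not None and frame.dst_mac not in policy.allowed_dst_macs:
            return False, f"destination {frame.dst_mac} denied for vif {frame.vif_id}", None
        self.counts[frame.vif_id] = self.counts.get(frame.vif_id, 0) + 1
        if self.counts[frame.vif_id] > policy.frame_budget:
            return False, f"rate limit exceeded for vif {frame.vif_id}", None
        # Allowed: turn the frame around with the list of interfaces that may receive it.
        forwarded = replace(frame, direction=Direction.INBOUND,
                            receivers=tuple(sorted(policy.permitted_receivers)))
        return True, "allowed", forwarded


# Constructed policy table: vif 1 is a web VM allowed to talk anywhere but rate limited,
# vif 2 is a database VM that may only send to the web VM's MAC.
POLICIES: Dict[int, Policy] = {
    1: Policy({"eth0"}, None, 3, {2}),
    2: Policy({"eth0"}, {"aa:bb:cc:00:00:01"}, 100, {1}),
}


def run_demo() -> List[Tuple[int, bool, str]]:
    adapter = VirtualizationAdapter("eth0")
    switch = PolicySwitch(POLICIES)
    web = Frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", b"GET /")
    db = Frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", b"rows")
    db_leak = Frame("aa:bb:cc:00:00:02", "aa:bb:cc:ff:ff:ff", b"rows")   # off-policy destination
    adapter.send(1, web)
    adapter.send(2, db)
    adapter.send(2, db_leak)
    results = []
    for frame in adapter.flush():
        ok, reason, _ = switch.enforce(frame, adapter.port_name)
        results.append((frame.vif_id, ok, reason))
    return results


if __name__ == "__main__":
    for vif, ok, reason in run_demo():
        print(f"vif {vif}: {'ALLOW' if ok else 'DENY'} ({reason})")
```

The point of keying policy on the interface indicator rather than on the physical port is visible in the demo: both VMs share `eth0`, yet the database VM's frame to an off-policy destination is dropped while the web VM's frame on the same port passes. The source-port check is what stops a tag from being honoured if it shows up on a port where that interface was never provisioned.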

Patent Metadata

Filing Date

Unknown

Publication Date

February 23, 2016

Inventors

James Paul Rivers
Chaitanya Kodeboyina
Ravi Kumar Gadde


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “APPARATUS AND METHOD FOR APPLYING NETWORK POLICY AT VIRTUAL INTERFACES” (9270594). https://patentable.app/patents/9270594
