Abstract: Systems and methods for managing traffic in a hybrid environment include monitoring traffic load of a local network to determine whether the traffic load exceeds or is likely to exceed a maximum traffic load, where the maximum traffic load is a traffic load for which a service can be provided by the local network, based on a license. An excess traffic load is determined if the traffic load exceeds or is likely to exceed the maximum traffic load. One or more external networks which have a capacity to provide the service to the excess traffic load are determined, to which the excess traffic load is migrated. The local network includes one or more service instances for providing the service for up to the maximum traffic load, and the service to the excess traffic load is provided by one or more additional service instances in the one or more external networks.

Abstract: Techniques for providing consistent monitoring and analytics for security insights for network and security functions for a security service are disclosed. In some embodiments, a system/process/computer program product for providing consistent monitoring and analytics for security insights for network and security functions for a security service includes receiving a flow at a software-defined wide area network (SD-WAN) device; inspecting the flow to determine whether the flow is associated with a split tunnel; and monitoring the flow at the SD-WAN device to collect security information associated with the flow for reporting to a security service.

Abstract: Systems and methods provide for provisioning a dynamic intent-based firewall. A network controller can generate a master route table for network segments reachable from edge network devices managed by the controller. The controller can receive zone definition information mapping the network segments into zones and Zone-based Firewall (ZFW) policies to apply to traffic between a source and destination zone specified by each ZFW policy. The controller can evaluate a ZFW policy to determine first edge network devices that can reach first network segments mapped to the source zone specified by the ZFW policy, second edge network devices that can reach second network segments mapped to the destination zone specified by the ZFW policy, and routing information (from the route table) between the first network segments, the first and second edge network devices, and the second network segments. The controller can transmit the routing information to the edge network devices.

Abstract: In one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication network to route traffic for the particular application according to the adjusted mapping between the application and the one or more overlays for the communication network.

Abstract: An enterprise controller of an enterprise network sends to a service gateway of a service provider network a request for network slice information about network slices provisioned on a data plane of the service provider network. Responsive to the sending, the enterprise controller receives from the service gateway the network slice information including identifiers of and properties associated with the network slices. Responsive to receiving a request for the network slice information from a network device at a border of a forwarding plane of the enterprise network, the enterprise controller sends the network slice information to the network device to cause the network device to perform configuring network traffic in the forwarding plane with identifiers of ones of the network slices that match the network traffic, and to perform forwarding the network traffic configured with the identifiers to the data plane of the service provider network.

Abstract: Certain embodiments disclose systems and methods for creating a user private network (UPN) based on 11ay technology. Methods of the present disclosure include creating a personal basic service set (PBSS) having a service device and one or more 11ay devices, the service device configured to wirelessly communicate with the one or more 11ay devices in the PBSS, creating a UPN having an access point located in communicative proximity with the service device, and associating at least one 11ay device of the one or more 11ay devices with the UPN, wherein the at least one 11ay device is configured to establish a wireless connection with the one or more 11ay devices using the service device when within a coverage area of the PBSS, and to establish a wireless connection with the one or more 11ay devices using the access point when outside the coverage area of the PBSS.

Abstract: Systems, methods, and computer-readable media for an integrated Wi-Fi Access Point and cellular network Radio Unit (RU) include a communication system interfacing with a wired network for communicating Wi-Fi traffic and cellular network traffic, the communication system integrating a Wi-Fi Access Point (AP) with a cellular network Radio Unit (RU). The Wi-Fi traffic and cellular network traffic can be processed in the communication system. The communication system can interface with at least one programmable Radio Frequency (RF) front end configured for wireless communication over one or more frequency bands for Wi-Fi traffic and one or more frequency bands for cellular network traffic (e.g., 5G, LTE, Wi-Fi).

Abstract: Systems and methods for managing traffic in a hybrid environment include monitoring traffic load of a local network to determine whether the traffic load exceeds or is likely to exceed a maximum traffic load, where the maximum traffic load is a traffic load for which a service can be provided by the local network, based on a license. An excess traffic load is determined if the traffic load exceeds or is likely to exceed the maximum traffic load. One or more external networks which have a capacity to provide the service to the excess traffic load are determined, to which the excess traffic load is migrated. The local network includes one or more service instances for providing the service for up to the maximum traffic load, and the service to the excess traffic load is provided by one or more additional service instances in the one or more external networks.

Abstract: Techniques for providing consistent monitoring and analytics for security insights for network and security functions for a security service are disclosed. In some embodiments, a system/process/computer program product for providing consistent monitoring and analytics for security insights for network and security functions for a security service includes receiving a flow at a software-defined wide area network (SD-WAN) device; inspecting the flow to determine whether the flow is associated with a split tunnel; and monitoring the flow at the SD-WAN device to collect security information associated with the flow for reporting to a security service.

Abstract: Systems, methods, and computer-readable media for an integrated Wi-Fi Access Point and cellular network Radio Unit (RU) include a communication system interfacing with a wired network for communicating Wi-Fi traffic and cellular network traffic, the communication system integrating a Wi-Fi Access Point (AP) with a cellular network Radio Unit (RU). The Wi-Fi traffic and cellular network traffic can be processed in the communication system. The communication system can interface with at least one programmable Radio Frequency (RF) front end configured for wireless communication over one or more frequency bands for Wi-Fi traffic and one or more frequency bands for cellular network traffic (e.g., 5G, LTE, Wi-Fi).

Abstract: Techniques are described to provide open access in a neutral host environment. In one example, a method includes obtaining, by a mobility management node of a neutral host network, a network connectivity request from a user equipment, wherein the network connectivity request comprises an indication of a preferred service provider to which the user equipment is to be connected; determining, by the mobility management node, that the preferred service provider provides non-subscription-based network connectivity for the neutral host network; based on determining that the preferred service provider provides non-subscription-based network connectivity for the neutral host network, establishing secure communications for the user equipment, wherein the secure communications are established for the user equipment without authenticating an identity of user equipment; and providing network connectivity between the user equipment and the preferred service provider upon establishing the secure communications.

Abstract: Techniques for providing flow meta data exchanges between network and security functions for a security service are disclosed. In some embodiments, a system/process/computer program product for providing flow meta data exchanges between network and security functions for a security service includes receiving a flow at a network gateway of a security service from a software-defined wide area network (SD-WAN) device; inspecting the flow to determine meta information associated with the flow; and communicating the meta information associated with the flow to the SD-WAN device.

Abstract: Systems, methods, and computer-readable media for interconnecting SDWANs through segment routing. A first SDWAN and a second SDWAN of a SDWAN fabric can be identified. A segment routing domain that interconnects the first SDWAN and the second SDWAN can be formed across a WAN underlay of the SDWAN fabric. Data transmission between the first SDWAN and the second SDWAN can be controlled by performing segment routing through the segment routing domain formed between the first SDWAN and the second SDWAN.

Abstract: Systems and methods are provided for providing, by a user equipment, a short message service (SMS) message to initiate Wi-Fi onboarding to a mobile network, receiving, by the user equipment, a binary SMS message including a request for a certificate signing request by a server, generating, by the user equipment, the certificate signing request based on the request for the certificate signing request of the binary SMS message, providing, by the user equipment, the certificate signing request to the mobile network, and receiving, by the user equipment, a binary SMS message including Wi-Fi login data based on the certificate signing request provided to the mobile network.

Abstract: Technologies for systems, methods and computer-readable storage media for reducing the time to complete authentication during inter-technology handovers by reusing security context between 5G and Wi-Fi. Assuming, that the administrative domain for Wi-Fi and 5G match (and belongs to an enterprise for instance), using an already established security context in one technology to do fast authentication in the other technology during handover. Specifically, if UE is on Wi-Fi and handing over to 5G, use its Wi-Fi security context to do fast security setup in 5G, which includes a corresponding method for use when the UE goes from 5G to Wi-Fi.

Abstract: An enterprise controller of an enterprise network sends to a service gateway of a service provider network a request for network slice information about network slices provisioned on a data plane of the service provider network. Responsive to the sending, the enterprise controller receives from the service gateway the network slice information including identifiers of and properties associated with the network slices. Responsive to receiving a request for the network slice information from a network device at a border of a forwarding plane of the enterprise network, the enterprise controller sends the network slice information to the network device to cause the network device to perform configuring network traffic in the forwarding plane with identifiers of ones of the network slices that match the network traffic, and to perform forwarding the network traffic configured with the identifiers to the data plane of the service provider network.

Abstract: Cloud delivered access may be provided. A network device may provide a client device with a pre-authentication virtual network and a pre-authentication address. Next, a policy may be received in response to the client device authenticating. The client device may then be moved to a post-authentication virtual network based on the policy. A post-authentication address may then be obtained for the client device in response to moving the client device to a post-authentication virtual network. Traffic for the client device may then be translated to the post-authentication address.

Abstract: A mapping system, under administrative control of a Wide Area Network (WAN) controller, can track each host, authorized to access a plurality of Local Area Networks (LANs), in one or more mapping databases including a first network address representing an identifier and a second network addressing representing a locator for each host. The mapping system can receive a request for resolution of a first identifier of a host not presently connected to the network. The mapping system can determine the mapping databases exclude a mapping for the first identifier. The mapping system can update the mapping databases with a first mapping including the first identifier and a first locator corresponding to a honeypot network device. The mapping system can transmit, to one or more LANs of the plurality of LANs, routing information to route traffic destined for the first identifier to the honeypot network device.

Abstract: Systems and methods are provided for receiving, at an enterprise network, first authentication data of a citizens broadband radio service (CBRS)-enabled device, receiving, at the enterprise network, second authentication data of the CBRS-enabled device, the first authentication data of the CBRS-enabled device being a different type of authentication data than the second authentication data of the CBRS-enabled device, determining a class of the CBRS-enabled device based on the first authentication data and the second authentication data of the CBRS-enabled device, determining a network segment for the CBRS-enabled device based on the class of the CBRS-enabled device, and providing access to the CBRS-enabled device based on the determining of the network segment for the CBRS-enabled device.

Abstract: Techniques for providing network traffic security in a virtualized environment are described. A threat aware controller uses a threat feed provided by a threat intelligence service to establish a threat detection engine on virtual switches. The threat aware controller and threat detection engine work together to detect any anomalous or malicious behavior of network traffic on the virtual switch and established virtual network functions to quickly detect, verify, and isolate network threats.