Patents by Inventor Douglas Dillon

Douglas Dillon has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20170155590
    Abstract: An approach is provided whereby multiple broadband connections operate together to provide a highly available secure private networking solution. Data packets of a communications flow are received by a networking device, for transmission to a remote destination node, over a wide area data communications network. A service classification is determined for the data flow. A sequence number is generated for each data packet, where the sequence numbers indicate an order by which the data packets are received. An indication of the service classification and the sequence number is added to each data packet. For each data packet, a transport policy is determined that indicates one or more VPN tunnels through which the data packet is to be transmitted, where the determination of the VPN tunnels is based on the service classification, and wherein each VPN tunnel is carried over a respective WAN transport of the wide area data network.
    Type: Application
    Filed: February 10, 2017
    Publication date: June 1, 2017
    Inventors: Douglas DILLON, Gaurav SABHARWAL
  • Patent number: 9634945
    Abstract: A system architecture and methods for data traffic flow classification are provided. An initial traffic class is assigned to a data flow as a current traffic classification, where the initial traffic class is based on static traffic classification method(s) applied with respect to an initial packet of the data flow. A predetermined number of further packets of the data flow, subsequent to the initial packet, are analyzed based on predetermined factor(s), and a traffic class based on the analysis of the further packets is determined. The traffic class based on the analysis of the further packets is assigned as the current traffic classification of the data flow. Data indicating a traffic class for the data flow (based on a dynamic traffic classification method) is received, and the traffic class based on the dynamic traffic classification method is assigned as the current traffic classification of the data flow.
    Type: Grant
    Filed: August 30, 2012
    Date of Patent: April 25, 2017
    Assignee: Hughes Network Systems, LLC
    Inventors: Patrick Stevens, Robert Torres, Douglas Dillon, Greg Presbury
  • Publication number: 20170041440
    Abstract: An approach for multi-stream data compression comprises receiving packets of a data stream, wherein the packets comprise respective packets of source data streams compressed on an aggregate basis and in a successive order. A one of the packets is decompressed, and a determination is made whether the packet has been received in a proper order of succession compared to the successive order of compression. When it is determined that the packet has been received in the proper order, the packet is stored at a next location in a decompressor cache. When it is determined that the packet has not been received in the proper order, the packet is stored at a location in the decompressor cache, allowing for subsequent storage of one or more further packets in the proper order of succession, wherein the further packets were processed via the compression process before, but were received after, the one packet.
    Type: Application
    Filed: October 25, 2016
    Publication date: February 9, 2017
    Inventors: Udaya BHASKAR, Douglas DILLON
  • Patent number: 9479383
    Abstract: An approach for multi-stream data compression comprises receiving packets of a data stream, wherein the packets comprise respective packets of source data streams compressed on an aggregate basis and in a successive order. A one of the packets is decompressed, and a determination is made whether the packet has been received in a proper order of succession compared to the successive order of compression. When it is determined that the packet has been received in the proper order, the packet is stored at a next location in a decompressor cache. When it is determined that the packet has not been received in the proper order, the packet is stored at a location in the decompressor cache, allowing for subsequent storage of one or more further packets in the proper order of succession, wherein the further packets were processed via the compression process before, but were received after, the one packet.
    Type: Grant
    Filed: March 16, 2014
    Date of Patent: October 25, 2016
    Assignee: Hughes Network Systems, LLC
    Inventors: Udaya Bhaskar, Douglas Dillon
  • Publication number: 20160156562
    Abstract: Approaches for managing characteristics for inbound data communications between a first network site and a remote network site of a WAN are provided. The inbound communications are received by the first network site via a series of links of the WAN. Protocol overhead factors are determined based on overhead associated with network protocols applied to the data communications over the links. Link throughput limits are determined for the inbound data communications, wherein the throughput limits are determined based on the protocol overhead factors. The throughput limits are transmitted to the second network site for transmission of the inbound data communications from the second network site. The inbound data communications are received by a first device of the first network site via the first link, wherein the first link is between the first device and a second device serving as an exit point from a public portion of the WAN.
    Type: Application
    Filed: January 19, 2016
    Publication date: June 2, 2016
    Inventors: Shanti Swarup VEDULA, Douglas DILLON, Jeffrey BIBER
  • Publication number: 20150143505
    Abstract: An approach for providing secure communication services is disclosed. A secure data tunnel from a source node to a destination node is established via a plurality of secure segments across a data communications network. A data path is established via the secure data tunnel, where the data path supports a performance enhancing mechanism that improves performance of data communications over the data path. The performance enhancing mechanism multiplexes data packet flows from the source node for transmission over the data path, and performs one or more of connection startup latency reduction, acknowledgment message spoofing, window sizing adjustment, compression and selective retransmission.
    Type: Application
    Filed: January 26, 2015
    Publication date: May 21, 2015
    Inventors: John BORDER, Douglas DILLON, Peter PARDEE
  • Patent number: 8976798
    Abstract: An approach for providing secure communication services is disclosed. A secure (e.g., a Virtual Private Network (VPN)) tunnel is established from a source node over an access network, such as a satellite network, to a destination node, wherein the nodes are external to the network. A connection that supports a mechanism for enhancing performance of the network is established for a portion of the secure tunnel that traverses the network.
    Type: Grant
    Filed: January 28, 2003
    Date of Patent: March 10, 2015
    Assignee: Hughes Network Systems, LLC
    Inventors: John Border, Douglas Dillon, Peter Pardee
  • Publication number: 20140325083
    Abstract: The present invention provides a system and method to identify unique browsers (Agents) communicating to the client. Every new browser communicating through the client is assigned a unique Agent ID that is stored in the browser's cookie cache. When the browser sends a request, the cookie may have the Agent ID to identify the browser to the client. If the cookie with the Agent ID is not present, then the client will return a re-direction response to a common URL with the domain having the cookie with the Agent ID to identify the unique browser. Another re-direction takes place back to the browser to make the request with the original URL, but this time has the cookie with the Agent ID to identify the unique browser.
    Type: Application
    Filed: June 20, 2014
    Publication date: October 30, 2014
    Inventors: Richard NELSON, Douglas DILLON
  • Publication number: 20140223030
    Abstract: An approach for multi-stream data compression comprises receiving packets of a data stream, wherein the packets comprise respective packets of source data streams compressed on an aggregate basis and in a successive order. A one of the packets is decompressed, and a determination is made whether the packet has been received in a proper order of succession compared to the successive order of compression. When it is determined that the packet has been received in the proper order, the packet is stored at a next location in a decompressor cache. When it is determined that the packet has not been received in the proper order, the packet is stored at a location in the decompressor cache, allowing for subsequent storage of one or more further packets in the proper order of succession, wherein the further packets were processed via the compression process before, but were received after, the one packet.
    Type: Application
    Filed: March 16, 2014
    Publication date: August 7, 2014
    Applicant: Hughes Network Systems, LLC
    Inventors: Udaya BHASKAR, Douglas DILLON
  • Publication number: 20140064080
    Abstract: A system architecture and methods for data traffic flow classification are provided. An initial traffic class is assigned to a data flow as a current traffic classification, where the initial traffic class is based on static traffic classification method(s) applied with respect to an initial packet of the data flow. A predetermined number of further packets of the data flow, subsequent to the initial packet, are analyzed based on predetermined factor(s), and a traffic class based on the analysis of the further packets is determined. The traffic class based on the analysis of the further packets is assigned as the current traffic classification of the data flow. Data indicating a traffic class for the data flow (based on a dynamic traffic classification method) is received, and the traffic class based on the dynamic traffic classification method is assigned as the current traffic classification of the data flow.
    Type: Application
    Filed: August 30, 2012
    Publication date: March 6, 2014
    Inventors: Patrick Stevens, Robert Torres, Douglas Dillon, Greg Presbury
  • Publication number: 20130339532
    Abstract: The present invention provides a system and method to identify unique browsers (Agents) communicating to the client. Every new browser communicating through the client is assigned a unique Agent ID that is stored in the browser's cookie cache. When the browser sends a request, the cookie may have the Agent ID to identify the browser to the client. If the cookie with the Agent ID is not present, then the client will return a re-direction response to a common URL with the domain having the cookie with the Agent ID to identify the unique browser. Another re-direction takes place back to the browser to make the request with the original URL, but this time has the cookie with the Agent ID to identify the unique browser.
    Type: Application
    Filed: June 18, 2012
    Publication date: December 19, 2013
    Inventors: Richard Nelson, Douglas Dillon
  • Publication number: 20130322255
    Abstract: Systems and methods are provided for quality of service over broadband networks. A network device performs a probe transaction over a tunnel of a broadband network. Based on the probe transaction, parameters are determined reflecting tunnel performance, and, based on the parameters, target transmit and receive rates are determined for data communications over the tunnel. Based on the target transmit and receive rates, data communications to and from a first node of the network are regulated. When the tunnel comprises a peered tunnel, the regulation of received data communications comprises performing a set rate transaction with a peer second node of the network (the set rate transaction establishes a rate for data transmitted over the tunnel by the peer second node to the first node). When the tunnel comprises a peerless tunnel, the regulation of received data communications comprises shaping data traffic received by the first node over the tunnel.
    Type: Application
    Filed: August 8, 2013
    Publication date: December 5, 2013
    Inventor: Douglas DILLON
  • Patent number: 8140687
    Abstract: An approach is provided for graceful shutdown and startup of spoofing when a handover procedure is performed. A handover of a performance enhancing proxy (PEP) session associated with a transport connection is detected. A shutdown procedure is initiated to stop spoofing of the transport connection in response to the detected handover. The shutdown procedure avoids teardown of the transport connection during the handover from a first link to a second link of a communication system.
    Type: Grant
    Filed: July 24, 2009
    Date of Patent: March 20, 2012
    Assignee: Hughes Network Systems, LLC
    Inventors: Satyajit Roy, Douglas Dillon
  • Patent number: 8131823
    Abstract: A communication system for retrieving content stored in a content server (e.g., web server) is disclosed. The system includes a client that is configured to transmit a message requesting content specifying an object from a content server. The system also includes a plurality of proxy servers that include a downstream proxy server and an upstream proxy server. The downstream proxy server is configured to communicate with the client. The upstream proxy server is configured to retrieve the content from the content server and to forward information associated with the object over a data network to the downstream proxy server prior to the client transmitting another message requesting the object. The above arrangement has particular application to a wide area network, such as a satellite network.
    Type: Grant
    Filed: November 28, 2001
    Date of Patent: March 6, 2012
    Assignee: Hughes Network Systems, LLC
    Inventors: John Border, Douglas Dillon, Matthew Butehorn
  • Patent number: 7979571
    Abstract: An approach is provided for shaping traffic of a communication system. Resource usage of a network element of the communication system is determined. The usage is compared with thresholds that are established according to loading of the communication system; these thresholds correspond to various transmission states that limit usage of the resources of the communication system (e.g., bandwidth). Further, based on the comparison, the resource usage of the network element is controlled according to a particular transmission state, thereby ensuring fair access. This approach has particular applicability to shared capacity systems, such as a satellite communication system.
    Type: Grant
    Filed: December 13, 2002
    Date of Patent: July 12, 2011
    Assignee: Hughes Network Systems, LLC
    Inventors: Douglas Dillon, Roderick Ragland, Charles Hatfield, Ashwin Jaiswal
  • Publication number: 20100121957
    Abstract: An approach is provided for graceful shutdown and startup of spoofing when a handover procedure is performed. A handover of a performance enhancing proxy (PEP) session associated with a transport connection is detected. A shutdown procedure is initiated to stop spoofing of the transport connection in response to the detected handover. The shutdown procedure avoids teardown of the transport connection during the handover from a first link to a second link of a communication system.
    Type: Application
    Filed: July 24, 2009
    Publication date: May 13, 2010
    Applicant: Hughes Network Systems, LLC
    Inventors: Satyajit ROY, Douglas Dillon
  • Patent number: 7643416
    Abstract: An approach for adaptively providing network performance enhancing functions in a secure environment, such as a virtual private network, is disclosed. Traffic, for example, Internet Protocol (IP) packets, is received for transport over an access network (e.g., satellite network). Next, characteristics (e.g., latency) of the access network are determined. A connection (which supports the performance enhancing functions) is selectively established based on the determined characteristics for transporting the received packets over the access network. An encrypted tunnel is provided over the established connection to transmit the received packets.
    Type: Grant
    Filed: March 12, 2008
    Date of Patent: January 5, 2010
    Assignee: Hughes Network Systems, Inc.
    Inventors: Peter Pardee, John Border, Nigel Bartlett, Douglas Dillon
  • Patent number: 7596802
    Abstract: A communication system having a proxy architecture is disclosed. The system includes a platform that provides performance enhancing functions. The platform includes a spoofing apparatus that routes the information within the communication system. The spoofing apparatus receives spoofing selection and spoofing parameters from the platform and maintains the current parameters in one or more spoofing profiles. The spoofing apparatus routes packets of information throughout the communication system based on the spoofing selection and/or spoofing profile. The spoofing apparatus may also compensate for maximum segment size mismatches during the routing of information. This compensation may include dynamically resizing data segments or disabling three-way handshake spoofing. The above arrangement has particular applicability to a bandwidth constrained communication system, such as a satellite network.
    Type: Grant
    Filed: July 13, 2001
    Date of Patent: September 29, 2009
    Assignee: Hughes Electronics Corporation
    Inventors: John Border, Douglas Dillon
  • Patent number: 7398552
    Abstract: An approach for supporting security in a communications network is disclosed. A network device includes a security peer that establishes a secure tunnel over a data network (e.g., satellite network) for transport of encrypted traffic. The device also includes a performance peer for establishing a connection supported by the secure tunnel. The performance peer includes a plurality of modules for providing respective performance enhancing functions to minimize performance impact of latency of the network.
    Type: Grant
    Filed: January 28, 2003
    Date of Patent: July 8, 2008
    Assignee: Hughes Network Systems, LLC
    Inventors: Peter Pardee, Douglas Dillon, John Border, Nigel Bartlett
  • Publication number: 20080151917
    Abstract: An approach for adaptively providing network performance enhancing functions in a secure environment, such as a virtual private network, is disclosed. Traffic, for example, Internet Protocol (IP) packets, is received for transport over an access network (e.g., satellite network). Next, characteristics (e.g., latency) of the access network are determined. A connection (which supports the performance enhancing functions) is selectively established based on the determined characteristics for transporting the received packets over the access network. An encrypted tunnel is provided over the established connection to transmit the received packets.
    Type: Application
    Filed: March 12, 2008
    Publication date: June 26, 2008
    Applicant: HUGHES NETWORK SYSTEMS
    Inventors: Nigel BARTLETT, John BORDER, Douglas DILLON, Peter PARDEE