Abstract: A computer program product, system, and computer implemented method for application-level redirect trapping and creation of NAT mapping to work with routing infrastructure for private connectivity in cloud and customer networks. The approach disclosed herein generally comprises a method of leveraging a reverse connection endpoint and IP address mapping controller to capture redirection messages from a private cloud or network (e.g., a service consumer network or a service consumer hybrid cloud). This allows at least the IP address mapping controller to manage a cloud networking infrastructure to provide for a service provider network (e.g., a public cloud) to support applications that overcome the isolation requirements of a private cloud or network to perform useful work. For example, without saddling the private cloud or network user with a heavy pre-configuration burden, the approach disclosed herein supports redirection to dynamically determined IP addresses at the private cloud or network.

Abstract: A computer program product, system, and computer implemented method for application-level redirect trapping and creation of NAT mapping to work with routing infrastructure for private connectivity in cloud and customer networks. The approach disclosed herein generally comprises a method of leveraging a reverse connection endpoint and IP address mapping controller to capture redirection messages from a private cloud or network (e.g., a service consumer network or a service consumer hybrid cloud). This allows at least the IP address mapping controller to manage a cloud networking infrastructure to provide for a service provider network (e.g., a public cloud) to support applications that overcome the isolation requirements of a private cloud or network to perform useful work. For example, without saddling the private cloud or network user with a heavy pre-configuration burden, the approach disclosed herein supports redirection to dynamically determined IP addresses at the private cloud or network.

Abstract: Embodiments establish a pool of tunnel connections using a secure protocol. A pool of tunnels can be initiated from endpoint connection managers to cloud connection managers, where a request is received from the endpoint connection managers by the cloud connection managers. A request from a cloud client to communicate with a secure computing device using a first of the endpoint connection managers is received at a first of the cloud connection managers. One of the pool of tunnels that is connected to the first endpoint connection manager is identified. The identified tunnel is configured to connect the cloud client and the first endpoint connection manager.

Abstract: Embodiments establish a pool of tunnel connections using a secure protocol. A pool of tunnels can be initiated from endpoint connection managers to cloud connection managers, where a request is received from the endpoint connection managers by the cloud connection managers. A request from a cloud client to communicate with a secure computing device using a first of the endpoint connection managers is received at a first of the cloud connection managers. One of the pool of tunnels that is connected to the first endpoint connection manager is identified. The identified tunnel is configured to connect the cloud client and the first endpoint connection manager.

Abstract: Described is an improved approach to ensure high availability for established sessions (e.g., application layer sessions) over network connections that negotiates and renegotiates encryption keys (e.g., TLS/SSL) at clean boundaries to ensure in-transit data are properly handled during migration of an application (e.g., a reverse proxy server instance). Connected TCP sessions may be handed off to another application (e.g., from existing proxy server to new/upgraded proxy server) and after establishing a new TLS session with a new encryption key, data transfer may be resumed between a client and a server using the new/upgraded application in a client-server architecture.

Abstract: A process or thread is implemented to issue a command which executes without use of a processor that issues the command, retain control of the processor to check whether the issued command has completed, and when the issued command has not completed repeat the checking without relinquishing the processor, until a limiting condition is satisfied. The limiting condition may be determined specifically for a current execution of the command, based on one or more factors, such as durations of executions of the command after start of the process or thread and/or an indicator of delay in a current execution of the command. When the limiting condition is satisfied, the processor is relinquished by the process or thread issuing a sleep command, after setting an interrupt. After the command completes, the limiting condition is determined anew based on the duration of the current execution, for use in a next execution.

Abstract: Described is an improved approach to ensure high availability for established sessions (e.g., application layer sessions) over network connections that negotiates and renegotiates encryption keys (e.g., TLS/SSL) at clean boundaries to ensure in-transit data are properly handled during migration of an application (e.g., a reverse proxy server instance). Connected TCP sessions may be handed off to another application (e.g., from existing proxy server to new/upgraded proxy server) and after establishing a new TLS session with a new encryption key, data transfer may be resumed between a client and a server using the new/upgraded application in a client-server architecture.

Abstract: A process or thread is implemented to issue a command which executes without use of a processor that issues the command, retain control of the processor to check whether the issued command has completed, and when the issued command has not completed repeat the checking without relinquishing the processor, until a limiting condition is satisfied. The limiting condition may be determined specifically for a current execution of the command, based on one or more factors, such as durations of executions of the command after start of the process or thread and/or an indicator of delay in a current execution of the command. When the limiting condition is satisfied, the processor is relinquished by the process or thread issuing a sleep command, after setting an interrupt. After the command completes, the limiting condition is determined anew based on the duration of the current execution, for use in a next execution.

Abstract: An integrated firewall provides security in a multi-tenant environment having a connection-based switched fabric directly connecting database servers which provide a plurality of database services with application servers hosting database service consumers each having a different database service consumer identity. The firewall functionality integrated into each database server provides access control by discarding communication packets which do not include a database service consumer identity and using the database service consumer identity in combination with an access control list to control access from the database service consumers to the database services. The access control includes address resolution access control, connection establishment access control, and data exchange access control based on said access control list.

Abstract: Systems, methods, and other embodiments are disclosed that are configured to generate a hierarchy of access rules in a protocol stack. Access rules corresponding to a first layer in a protocol stack are analyzed. The access rules determine, at the first layer, whether network sources are permitted access to a computing device. Dependent access rules are generated based at least in part on a combination of the access rules from the first layer. The dependent access rules are pushed down to a second layer in the protocol stack by implementing the dependent access rules at the second layer to determine, at the second layer, whether the network sources are permitted access to the computing device.

Abstract: An integrated firewall provides security in a multi-tenant environment having a connection-based switched fabric directly connecting database servers which provide a plurality of database services with application servers hosting database service consumers each having a different database service consumer identity. The firewall functionality integrated into each database server provides access control by discarding communication packets which do not include a database service consumer identity and using the database service consumer identity in combination with an access control list to control access from the database service consumers to the database services. The access control includes address resolution access control, connection establishment access control, and data exchange access control based on said access control list.

Abstract: A security solution provides secure communication in a multi-tenant environment which includes a connection-based fabric, storage cells holding data associated with different tenants, database servers which provide a plurality of database services using said data, application servers hosting database service consumers. The fabric is configured into partitions isolating the storage cells from the database service consumers. The application servers securely associate unique database service consumer identities with each database service consumer and all communications with the database servers. The database servers reject all communications from the application servers which do not include an identity and use an access control list to control access from the database service consumers to the database services using address resolution access control, connection establishment access control, and data exchange access control based on said access control list.

Abstract: An integrated firewall provides security in a multi-tenant environment having a connection-based switched fabric directly connecting database servers which provide a plurality of database services with application servers hosting database service consumers each having a different database service consumer identity. The firewall functionality integrated into each database server provides access control by discarding communication packets which do not include a database service consumer identity and using the database service consumer identity in combination with an access control list to control access from the database service consumers to the database services. The access control includes address resolution access control, connection establishment access control, and data exchange access control based on said access control list.

Abstract: Techniques and systems that allow receiving a data stream and a location value. The location value, in one embodiment, is indicative of a location in the data stream at which the data stream has been aborted. This value may be determined by a sending entity and sent to a receiving entity. In various embodiments, the receiving entity may compute the remaining amount of data to be received in the data stream, and then receive that amount of data. In some embodiments, a checkpoint value may be used in conjunction with the location value to indicate an abort location for a data stream. A checkpoint value may correspond to an amount of data between successive checkpoints in the data stream. In some embodiments, upon aborting a data stream, a receiving entity receives data until a next checkpoint in the data stream.

Abstract: Systems, methods, and other embodiments are disclosed that are configured to generate a hierarchy of access rules in a protocol stack. Access rules corresponding to a first layer in a protocol stack are analyzed. The access rules determine, at the first layer, whether network sources are permitted access to a computing device. Dependent access rules are generated based at least in part on a combination of the access rules from the first layer. The dependent access rules are pushed down to a second layer in the protocol stack by implementing the dependent access rules at the second layer to determine, at the second layer, whether the network sources are permitted access to the computing device.

Abstract: A security solution provides secure communication in a multi-tenant environment which includes a connection-based fabric, storage cells holding data associated with different tenants, database servers which provide a plurality of database services using said data, application servers hosting database service consumers. The fabric is configured into partitions isolating the storage cells from the database service consumers. The application servers securely associate unique database service consumer identities with each database service consumer and all communications with the database servers. The database servers reject all communications from the application servers which do not include an identity and use an access control list to control access from the database service consumers to the database services using address resolution access control, connection establishment access control, and data exchange access control based on said access control list.

Abstract: An integrated firewall provides security in a multi-tenant environment having a connection-based switched fabric directly connecting database servers which provide a plurality of database services with application servers hosting database service consumers each having a different database service consumer identity. The firewall functionality integrated into each database server provides access control by discarding communication packets which do not include a database service consumer identity and using the database service consumer identity in combination with an access control list to control access from the database service consumers to the database services. The access control includes address resolution access control, connection establishment access control, and data exchange access control based on said access control list.

Abstract: Systems and methods are described herein that include flow control mechanisms that provide a receiving device with the ability to reclaim buffers that have been previously advertised to a sending device. Data structures and communication methods are described that facilitate the communication of flow control messages between sending and receiving devices that allow an advertised window to be reduced, and buffers to be released, by a sending device in response to a flow control message from the receiving device.

Abstract: Systems and methods are described herein that include flow control mechanisms that provide a receiving device with the ability to reclaim buffers that have been previously advertised to a sending device. Data structures and communication methods are described that facilitate the communication of flow control messages between sending and receiving devices that allow an advertised window to be reduced, and buffers to be released, by a sending device in response to a flow control message from the receiving device.

Abstract: The techniques are provided automatically detecting when performing pre-transmission compression on data to be sent over a network connection will be preferable to sending the data uncompressed, and for automatically performing pre-transmission compression only when doing so is determined to be beneficial. The techniques involve performing compression on sample data. The time it takes to perform the compression on the sample data, along with the reduction in size achieved by the compression, are factors used to automatically determine whether compressing data before sending the data over a network connection will achieve better results that sending the data uncompressed. In some embodiments, multiple compression algorithm/compression level combinations are tested at different points in the transmission. At each point, the sending device may switch to the algorithm/level combination that is producing the best results on the current sample.