Abstract: A device may receive, from a first device, a port control protocol (PCP) request that includes a customer side translator (CLAT) prefix and one or more private internet protocol version X (IPvX) addresses. The PCP request may be received via an internet protocol version Y (IPvY) network. The device may store the CLAT prefix and the one or more private IPvX addresses using a data structure. The device may receive a packet that includes a private IPvX of the one or more private IPvX addresses and a private IPvY address that includes the CLAT prefix and a second instance of the private IPvX address. The device may use an application layer gateway (ALG). The device may translate the private IPvX address to a public IPvX address using the CLAT prefix. The device may provide the packet that includes the public IPvX address to a second device that supports IPvX.

Abstract: The present disclosure envisages enforcing micro-segmentation policies on a user computer that intermittently migrates between a secured enterprise network and an unsecured network, for instance, a public network. The present disclosure envisages switching between appropriate micro-segmentation policies, in-line with the change in the current location of the user device, the change triggered by the user device migrating from the enterprise network to an unsecured network or vice-versa.

Abstract: A device may receive, from a first device, a port control protocol (PCP) request that includes a customer side translator (CLAT) prefix and one or more private internet protocol version X (IPvX) addresses. The PCP request may be received via an internet protocol version Y (IPvY) network. The device may store the CLAT prefix and the one or more private IPvX addresses using a data structure. The device may receive a packet that includes a private IPvX of the one or more private IPvX addresses and a private IPvY address that includes the CLAT prefix and a second instance of the private IPvX address. The device may use an application layer gateway (ALG). The device may translate the private IPvX address to a public IPvX address using the CLAT prefix. The device may provide the packet that includes the public IPvX address to a second device that supports IPvX.

Abstract: A computer-implemented method and a system provide a complete traceability of changes incurred in a security policy corresponding to a resource. A policy tracing engine (PTE) monitors and determines events of interest occurring at the resource. The PTE determines administrator-initiated intent-based changes and dynamic event-based changes incurred in the security policy and assigns a unique policy identifier (UPI) to the security policy. The UPI is a combination of unique identifiers assigned to the intent-based change and the event-based change. The PTE recomputes and stores the security policy and the UP in a policy database. The PTE receives network access information including the UPI from the corresponding resource deployed with the security policy. The PTE generates a traceability report that provides a complete traceability of each policy action performed in a networked environment to a source of each change incurred in the security policy as identified by the UPI.

Abstract: A method and a system for automatically managing security policies at multiple resources are provided. A policy management engine receives and deploys a security policy configured for each resource with one or more configuration parameters on a security component of each resource. The policy management engine determines modifications made to the security policy at a corresponding resource and automatically corrects the security policy at the corresponding resource. The policy management engine generates and renders a notification including the security policy, the modifications, and detailed information of the modifications and the automatic correction of the security policy to an administrator device. The detailed information includes a description, a type, a timestamp, number of instances, etc.

Abstract: A hostname based access configuration system (HNACS) is provided for configuring a host-based firewall to implement firewall policies referencing hostnames. The HNACS defines a hostname based firewall policy (HNFP) referencing a host server using a corresponding hostname instead of an internet protocol (IP) address. The HNACS incorporates the HNFP onto the host-based firewall but renders the HNFP non-implementable on the computing device until a domain name system (DNS) query is generated. If the DNS query includes the hostname in the HNFP, the HNACS determines a mapping between the hostname specified in the DNS query and an IP address corresponding to the hostname (obtained via a DNS response corresponding to the DNS query). Based on the mapping, the HNFP is transformed via an implicit replacement of the hostname in the HNFP with the IP address of the host server, thereby rendering the HNFP executable on the host-based firewall.

Abstract: A computer-implemented method and a system provide a complete traceability of changes incurred in a security policy corresponding to a resource. A policy tracing engine (PTE) monitors and determines events of interest occurring at the resource. The PTE determines administrator-initiated intent-based changes and dynamic event-based changes incurred in the security policy and assigns a unique policy identifier (UPI) to the security policy. The UPI is a combination of unique identifiers assigned to the intent-based change and the event-based change. The PTE recomputes and stores the security policy and the UP in a policy database. The PTE receives network access information including the UPI from the corresponding resource deployed with the security policy. The PTE generates a traceability report that provides a complete traceability of each policy action performed in a networked environment to a source of each change incurred in the security policy as identified by the UPI.

Abstract: A method and a system for automatically managing security policies at multiple resources are provided. A policy management engine receives and deploys a security policy configured for each resource with one or more configuration parameters on a security component of each resource. The policy management engine determines modifications made to the security policy at a corresponding resource and automatically corrects the security policy at the corresponding resource. The policy management engine generates and renders a notification including the security policy, the modifications, and detailed information of the modifications and the automatic correction of the security policy to an administrator device. The detailed information includes a description, a type, a timestamp, number of instances, etc.

Abstract: The present disclosure envisages enforcing micro-segmentation policies on a user computer that intermittently migrates between a secured enterprise network and an unsecured network, for instance, a public network. The present disclosure envisages switching between appropriate micro-segmentation policies, in-line with the change in the current location of the user device, the change triggered by the user device migrating from the enterprise network to an unsecured network or vice-versa.

Abstract: A hostname based access configuration system (HNACS) is provided for configuring a host-based firewall to implement firewall policies referencing hostnames. The HNACS defines a hostname based firewall policy (HNFP) referencing a host server using a corresponding hostname instead of an internet protocol (IP) address. The HNACS incorporates the HNFP onto the host-based firewall but renders the HNFP non-implementable on the computing device until a domain name system (DNS) query is generated. If the DNS query includes the hostname in the HNFP, the HNACS determines a mapping between the hostname specified in the DNS query and an IP address corresponding to the hostname (obtained via a DNS response corresponding to the DNS query). Based on the mapping, the HNFP is transformed via an implicit replacement of the hostname in the HNFP with the IP address of the host server, thereby rendering the HNFP executable on the host-based firewall.

Abstract: A device may receive, from a first device, a port control protocol (PCP) request that includes a customer side translator (CLAT) prefix and one or more private internet protocol version X (IPvX) addresses. The PCP request may be received via an internet protocol version Y (IPvY) network. The device may store the CLAT prefix and the one or more private IPvX addresses using a data structure. The device may receive a packet that includes a private IPvX of the one or more private IPvX addresses and a private IPvY address that includes the CLAT prefix and a second instance of the private IPvX address. The device may use an application layer gateway (ALG). The device may translate the private IPvX address to a public IPvX address using the CLAT prefix. The device may provide the packet that includes the public IPvX address to a second device that supports IPvX.

Abstract: A device may receive, from a first device, a port control protocol (PCP) request that includes a customer side translator (CLAT) prefix and one or more private internet protocol version X (IPvX) addresses. The PCP request may be received via an internet protocol version Y (IPvY) network. The device may store the CLAT prefix and the one or more private IPvX addresses using a data structure. The device may receive a packet that includes a private IPvX of the one or more private IPvX addresses and a private IPvY address that includes the CLAT prefix and a second instance of the private IPvX address. The device may use an application layer gateway (ALG). The device may translate the private IPvX address to a public IPvX address using the CLAT prefix. The device may provide the packet that includes the public IPvX address to a second device that supports IPvX.

Abstract: A device may receive, from a first device, a port control protocol (PCP) request that includes a customer side translator (CLAT) prefix and one or more private internet protocol version X (IPvX) addresses. The PCP request may be received via an internet protocol version Y (IPvY) network. The device may store the CLAT prefix and the one or more private IPvX addresses using a data structure. The device may receive a packet that includes a private IPvX of the one or more private IPvX addresses and a private IPvY address that includes the CLAT prefix and a second instance of the private IPvX address. The device may use an application layer gateway (ALG). The device may translate the private IPvX address to a public IPvX address using the CLAT prefix. The device may provide the packet that includes the public IPvX address to a second device that supports IPvX.