Patents by Inventor Makan Pourzandi

Makan Pourzandi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20150139238
    Abstract: Systems and methods for ensuring multi-tenant isolation in a data center are provided. A switch, or virtualized switch, can be used to de-multiplex incoming traffic between a number of data center tenants and to direct traffic to the appropriate virtual slice for an identified tenant. The switch can store tenant identifying information received from a master controller and packet forwarding rules received from at least one tenant controller. The packet handling rules are associated with a specific tenant and can be used to forward traffic to its destination.
    Type: Application
    Filed: November 18, 2014
    Publication date: May 21, 2015
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Makan POURZANDI, Mohamed Fekih Ahmed, Mohamed Cheriet, Chamseddine Talhi
  • Publication number: 20150058966
    Abstract: This disclosure provides example details for apparatuses and methods that manage virtual firewalls in a wireless communication network that includes a Core Network, CN, and an associated Radio Access Network, RAN. The virtual firewalls process traffic for respective wireless devices supported by the network. For example, the virtual firewall associated with a given wireless device is maintained in the RAN at the RAN node supporting the device, and is migrated from that RAN node in response to detecting a handover event involving the device. Advantageously, migration may be “horizontal,” where the associated virtual firewall is moved between nodes in the RAN, or may be “vertical,” where the associated virtual firewall is moved from the RAN to the CN.
    Type: Application
    Filed: August 23, 2013
    Publication date: February 26, 2015
    Applicant: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Makan Pourzandi, Zhongwen Zhu
  • Patent number: 8908521
    Abstract: A load balancer in a communication network tracks active network flows using a Bloom filter and takes a snapshot of the Bloom filter at the time of a scaling event. The load balancer uses the Bloom filter snapshot to differentiate packets belonging to pre-existing network flows from packets belonging to new network flows. Packets belonging to pre-existing network flows continue to be distributed according to a mapping function in use prior to the scaling event. Packets belonging to new network flows are distributed according to a new mapping function.
    Type: Grant
    Filed: April 4, 2012
    Date of Patent: December 9, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Eric Dyke, Geoffrey Lefebvre, Jon Maloy, Makan Pourzandi, Catherine Truchan
  • Patent number: 8887246
    Abstract: A method for preserving privacy during authorization in pervasive environments is described. The method includes an authorization phase in which the user is provided with a reusable credential associated with verifiable constraints, and an operation phase where the service provider verifies the reusable credential before authorizing the user. Third parties cannot link plural uses of the credential to each other, and the service provider cannot link plural uses of said credential to each other.
    Type: Grant
    Filed: June 22, 2010
    Date of Patent: November 11, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Mats Naslund, Tereza Cristina Carvalho, Cristina Dominicini, Makan Pourzandi, Rony Sakuragui, Marcos Antonio Simplicio Junior
  • Publication number: 20140164619
    Abstract: A system and method for managing a hybrid firewall solution, employing both hardware and software firewall components, for a cloud computing data center is provided. A virtual application is hosted by a first plurality of application virtual machines and a second plurality of firewall virtual machines provides firewalling services for traffic associated with the virtual application. A cloud management entity determines that the virtual application requires an increased number of application virtual machines. A security profile for the virtual application is verified to determine if an increased number of firewall virtual machines is required by the increased number of application virtual machines. The cloud management entity can instantiate additional application virtual machines and firewall virtual machines as required.
    Type: Application
    Filed: December 11, 2012
    Publication date: June 12, 2014
    Inventors: Zhongwen Zhu, Makan Pourzandi
  • Publication number: 20140101656
    Abstract: A cloud management device determines that a virtual machine should be migrated from a first host to a second host, the virtual machine being associated with a virtual service, such as a virtual firewall, in the first host. The cloud management device verifies if functionality corresponding to the virtual service is available in the second host. If the required functionality is not available, a new virtual service is instructed to be instantiated in the second host. State synchronization can be performed between the virtual services in the first and second hosts. The cloud management device instructs the virtual machine to be instantiated in the second host.
    Type: Application
    Filed: October 10, 2012
    Publication date: April 10, 2014
    Inventors: Zhongwen ZHU, Makan POURZANDI
  • Patent number: 8630415
    Abstract: A method and communication node for providing secure communications and services in a High Availability (HA) cluster. The communication node comprises an Operating System (OS) that detects an unavailability of a first service application process and switches a second service application process from the first state to the second state, the second service application being selected for taking over service currently provided from the first service application process, the first state and the second state each being associated to a set of rights in the cluster. The OS generates a private key for the second service application process based on its second state. The set of rights associated to the second state allows the OS to replace the first service application process with the second service application process for providing secure communications between the second service application and other service application processes in the HA cluster.
    Type: Grant
    Filed: January 25, 2008
    Date of Patent: January 14, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Makan Pourzandi, Frederic Rossi, Mats Näslund
  • Publication number: 20130332983
    Abstract: An efficient elastic enforcement layer (EEL) for realizing security policies is deployed in a cloud computing environment based on a split architecture framework. The split architecture network includes a controller coupled to switches. When the controller receives a packet originating from a source VM, it extracts an application identifier from the received packet that identifies an application running on the source VM. Based on the application identifier, the controller determines a chain of middlebox types. The controller further determines middlebox instances based on current availability of resources. The controller then adds a set of rules to the switches to cause the switches to forward the packet toward the destination VM via the middlebox instances.
    Type: Application
    Filed: June 12, 2012
    Publication date: December 12, 2013
    Applicant: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Tommy Koorevaar, Makan Pourzandi, Ying Zhang
  • Patent number: 8578506
    Abstract: A method of controlling access to content comprises receiving, at a domain gateway (3) of a domain (4), a request from a device (5) in the domain for access to the content. It is determined at the domain gateway whether the number of devices in the domain currently accessing the content is equal to a specified maximum number of devices that may simultaneously access the content. The maximum number of devices that may simultaneously access the content is independent of the number of devices in the domain. If the determination is that the number of devices in the domain currently accessing the content is less than the specified maximum number, the request is allowed; otherwise it is refused.
    Type: Grant
    Filed: October 6, 2008
    Date of Patent: November 5, 2013
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Mats Naslund, Tereza Cristina Melo de Brito Carvalho, Diego Sanchez Gallo, Makan Pourzandi, Marcos Antonio Simplicio Junior, Yeda Regina Venturini
  • Publication number: 20130265875
    Abstract: A load balancer in a communication network tracks active network flows using a Bloom filter and takes a snapshot of the Bloom filter at the time of a scaling event. The load balancer uses the Bloom filter snapshot to differentiate packets belonging to pre-existing network flows from packets belonging to new network flows. Packets belonging to pre-existing network flows continue to be distributed according to a mapping function in use prior to the scaling event. Packets belonging to new network flows are distributed according to a new mapping function.
    Type: Application
    Filed: April 4, 2012
    Publication date: October 10, 2013
    Applicant: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Eric Dyke, Geoffrey Lefebvre, Jon Maloy, Makan Pourzandi, Catherine Truchan
  • Patent number: 8515064
    Abstract: A method of key management in a communication network that includes a plurality of groups, each group including one or several members authorized to have access to key-protected services, is provided by an apparatus. The method includes determining when a member starts a switching action from one service to another. A time dependent quantity starting from the switching action is determined. The method includes determining that the member is a member of a switching group when the quantity is less than a threshold value, and, when the quantity is larger than the threshold, determining that the member has decided to join a new group and changing the appropriate access key(s).
    Type: Grant
    Filed: October 30, 2008
    Date of Patent: August 20, 2013
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Tereza Cristina Melo de Brito Carvalho, Vlad Constantin Coroama, Mats Näslund, Makan Pourzandi, Marcos Antonio Simplicio, Jr., Yeda Regina Venturini
  • Patent number: 8452957
    Abstract: A mobile node, a gateway node and methods are provided for securely storing content in a remote node. The mobile node, or a gateway node of a network providing access to the mobile node, applies a content key to the content prior to sending the content for storage in the remote node. The content key is generated at the mobile node, based on a random value obtained from an authentication server, or directly at the authentication server if applied by the gateway node. The content key is not preserved in the mobile node or in the gateway node, for security purposes. When the mobile node or the gateway node fetches the content again from the remote node, the same content key is generated again for decrypting the content. The remote node does not have access to the content key and can therefore not read or modify the content.
    Type: Grant
    Filed: April 27, 2010
    Date of Patent: May 28, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Makan Pourzandi, Mats Naslund
  • Publication number: 20130117824
    Abstract: A method for preserving privacy during authorisation in pervasive environments is described. The method includes an authorisation phase in which the user is provided with a reusable credential associated with verifiable constraints, and an operation phase where the service provider verifies the reusable credential before authorising the user. Third parties cannot link plural uses of the credential to each other, and the service provider cannot link plural uses of said credential to each other.
    Type: Application
    Filed: June 22, 2010
    Publication date: May 9, 2013
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Mats Naslund, Tereza Cristina Carvalho, Cristina Dominicini, Makan Pourzandi, Rony Sakuragui, Marcos Antonio Simplicio Junior
  • Publication number: 20130097296
    Abstract: A virtual machine (VM) system is provided. The system includes a target physical server (PS) that has a resource configuration. The system includes a source PS that runs a virtual machine (VM). The source PS is in communication with the target PS. The source PS includes a memory that stores a migration policy file. The migration policy file includes at least one trust criteria in which the at least one trust criteria indicates a minimum resource configuration. The source PS includes a receiver that receives target PS resource configuration and a processor in communication with the memory and receiver. The processor determines whether the target PS resource configuration meets the at least one trust criteria. The processor initiates VM migration to the target PS based at least in part on whether the target PS resource configuration meets the at least one trust criteria.
    Type: Application
    Filed: October 18, 2011
    Publication date: April 18, 2013
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Christian Gehrmann, Mats Näslund, Makan Pourzandi
  • Patent number: 8385551
    Abstract: A system and method for managing trusted platform module (TPM) keys utilized in a cluster of computing nodes. A cluster-level management unit communicates with a local TPM agent in each node in the cluster. The cluster-level management unit has access to a database of protection groups, wherein each protection group comprises one active node which creates a TPM key and at least one standby node which stores a backup copy of the TPM key for the active node. The local TPM agent in the active node automatically initiates a migration process for automatically migrating the backup copy of the TPM key to the at least one standby node. The system maintains coherency of the TPM keys by also deleting the backup copy of the TPM key in the standby node when the key is deleted by the active node.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: February 26, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Makan Pourzandi, András Méhes
  • Publication number: 20120324572
    Abstract: Methods of managing network traffic in a distributed computing environment include segmenting a plurality of virtual hosts into sub-groups. A first security agent monitors first communications of virtual hosts within a first sub-group of virtual hosts, and a second security agent monitors second communications of virtual hosts within a second sub-group of virtual hosts. Information regarding the first communications and the second communications is collected from the security agents and analyzed to detect a denial of service attack. A defense mechanism is initiated in response to detecting the denial of service attack.
    Type: Application
    Filed: June 16, 2011
    Publication date: December 20, 2012
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: David Gordon, Makan Pourzandi
  • Publication number: 20120163178
    Abstract: Methods and devices performing management of traffic on a single network device using plural congestion avoidance algorithms are provided. A traffic management method includes (i) separating incoming traffic into sub-streams of traffic based on at least one characteristic, (ii) managing virtual queues corresponding to the sub-streams of traffic, using congestion avoidance algorithms configured to each operate on one sub-stream of traffic to avoid congestion within a capacity allocated to that one of the at least two sub-streams of traffic, and (iii) dynamically reallocating a total capacity of traffic through the single network device to the virtual queues, the capacity reallocated to a virtual queue depending on the proportion of the incoming traffic, historical or current, in the sub-stream of traffic to which the virtual queue corresponds.
    Type: Application
    Filed: December 23, 2010
    Publication date: June 28, 2012
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: David GORDON, Makan POURZANDI
  • Publication number: 20110264906
    Abstract: A mobile node, a gateway node and methods are provided for securely storing content in a remote node. The mobile node, or a gateway node of a network providing access to the mobile node, applies a content key to the content prior to sending the content for storage in the remote node. The content key is generated at the mobile node, based on a random value obtained from an authentication server, or directly at the authentication server if applied by the gateway node. The content key is not preserved in the mobile node or in the gateway node, for security purposes. When the mobile node or the gateway node fetches the content again from the remote node, the same content key is generated again for decrypting the content. The remote node does not have access to the content key and can therefore not read or modify the content.
    Type: Application
    Filed: April 27, 2010
    Publication date: October 27, 2011
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Makan Pourzandi, Mats Naslund
  • Publication number: 20110211693
    Abstract: The present invention relates to a method of key management and to an apparatus (200) of a communication network (100) comprising a plurality of groups (141, 142, 143), each group (141) including one or several members (132A, 132B, 132C) authorized to have access to key-protected services provided by the apparatus. According to the method, it is determined when a member (132A) starts a switching action from one service to another, and a time dependent quantity starting from the switching action is determined. The method further comprises determining that the member (132A) is a member of a switching group (150) when the quantity is less than a threshold value, and, when the quantity is larger than the threshold, determining that the member (132A) has decided to join a new group (142) and changing the appropriate access key(s).
    Type: Application
    Filed: October 30, 2008
    Publication date: September 1, 2011
    Inventors: Tereza Cristina Melo de Brito Carvalho, Vlad Constantin Coroama, Mats Näslund, Makan Pourzandi, Marcos Antonio Simplicio Junior, Yeda Regina Venturini
  • Publication number: 20110191859
    Abstract: A method of controlling access to content comprises receiving, at a domain gateway (3) of a domain (4), a request from a device (5) in the domain for access to the content. It is determined at the domain gateway whether the number of devices in the domain currently accessing the content is equal to a specified maximum number of devices that may simultaneously access the content. The maximum number of devices that may simultaneously access the content is independent of the number of devices in the domain. If the determination is that the number of devices in the domain currently accessing the content is less than the specified maximum number, the request is allowed; otherwise it is refused.
    Type: Application
    Filed: October 6, 2008
    Publication date: August 4, 2011
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Mats Naslund, Tereza Cristina Melo de Brito Carvalho, Diego Sanchez Gallo, Makan Pourzandi, Marcos Antonio Simplicio Junior, Yeda Regina Venturini