Patents by Inventor Michael Fine

Michael Fine has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7546458
    Abstract: An access point in a wireless communication system can be configured to include multiple virtual LANs (VLANs) based on security levels, thereby allowing secure traffic to be isolated from insecure traffic. Configuring the access point can include assigning a security level to each VLAN and setting a security association for each station associated with the access point. Based on this security association, each station can be assigned to an appropriate VLAN.
    Type: Grant
    Filed: October 18, 2002
    Date of Patent: June 9, 2009
    Assignee: Atheros Communications, Inc.
    Inventors: Aman Singla, Andrew M. Davidson, Michael Fine, Kevin Hayes
  • Publication number: 20090125486
    Abstract: A three-tier employment model provides flexibility when modeling even moderately complex relationships, such as where an employee has multiple job tasks or assignments for an employer. In such an example, a top level can store information for each employee defining the type of relationship that exists between the employee and the employer, such as where the employee works for multiple entities of the employer. A middle level can capture employment terms and conditions that are associated with the relationship(s), as well as one or many work assignments, such as salary information for each assignment. A bottom level can store the actual details of the work to be performed. A three-tier approach thus provides significant flexibility in modeling the employment of a person for an enterprise, and allows companies and enterprises to easily record the reality of their complex work relationships.
    Type: Application
    Filed: November 11, 2008
    Publication date: May 14, 2009
    Applicant: Oracle International Corporation
    Inventors: Irene Gonzalez, Roderic Michael Fine, John Neil Thuringer, Adrian Hunter, Jon MacGoy, Neil Bristow, Daniel Matlin
  • Publication number: 20090049196
    Abstract: A method and system for the assignment of security group information using a proxy is disclosed. The method includes receiving an address of a network device at a first network device, receiving a security group of the network device at the first network device and associating the address information and the security group information with one another at the first network device. The first network device is coupled to a second network device. The address is represented by address information, which is received from the second network device. The security group is identified using the security group information, which indicates the network device is a member of the security group. The address information and the security group information are associated with one another by storing the address information and the security group information at the first network device.
    Type: Application
    Filed: August 13, 2007
    Publication date: February 19, 2009
    Inventors: Michael R. Smith, Awais B. Nemat, Michael Fine
  • Publication number: 20080163340
    Abstract: A method and apparatus for integrating various network access control frameworks under the control of a single policy decision point (PDP). The apparatus supports pluggable protocol terminators to interface to any number of access protocols or backend support services. The apparatus contains Trust and Identity Mediators to mediate between the protocol terminators and a canonical policy subsystem, translating attributes between framework representations, and a canonical representation using extensible data-driven dictionaries.
    Type: Application
    Filed: December 28, 2007
    Publication date: July 3, 2008
    Applicant: AVENDA SYSTEMS, INC.
    Inventors: Santhosh Cheeniyil, Krishna Prabhakar, Michael Fine
  • Patent number: 7200145
    Abstract: The invention uses a layer 2 switch (L2 switch), or bridge, to separate user's message traffic by use of Virtual Local Area Networks (VLANs) defined within the switch. Three new types of ports are defined, “promiscuous” ports, “isolated” ports, and “community” ports. Three types of VLANs internal to the switch are defined, “primary” VLANs, “isolated” VLANs and “community” VLANs. The promiscuous ports are connected to layer 3 or layer 4 devices. Isolated ports and community ports are connected to individual user's servers, etc., and maintain traffic for each user separate from other users. The primary VLAN connects to all promiscuous ports, to all isolated ports, and to all community ports. The primary VLAN is a one way connection from promiscuous ports to isolated or community ports. An isolated VLAN connects to all promiscuous ports and to all isolated ports. The isolated VLAN is a one way connection from an isolated port to the promiscuous ports.
    Type: Grant
    Filed: May 5, 2004
    Date of Patent: April 3, 2007
    Assignee: Cisco Technology, Inc.
    Inventors: Thomas J. Edsall, Marco Foschiano, Michael Fine, Thomas Nosella
  • Publication number: 20060259759
    Abstract: A method of securely extending a protected network through secure relay of AAA information, when an isolated device lacks Layer 3 connectivity to an AAA infrastructure of the protected network, comprises receiving a first authentication message, from an isolated first network device, wherein the first authentication message is encapsulated in a first Layer 2 message, wherein the first authentication message seeks to authenticate a second network device using an authentication server, and wherein the second network device and the authentication server are within a protected network; extracting the first authentication message from the first Layer 2 message; forming a packet that includes the first authentication message; sending the packet with the extracted authentication message over a Layer 3 link to the authentication server, without modifying the extracted authentication message.
    Type: Application
    Filed: May 16, 2005
    Publication date: November 16, 2006
    Inventors: Fabio Maino, Michael Fine, Irene Kuffel, Wilson Kok
  • Publication number: 20060212928
    Abstract: A method and an apparatus are disclosed for securing authentication, authorization and accounting (AAA) protocol messages. An encryption key, a device identifier value, and verification data are received and stored at a network device. The verification data comprises in part a copy of the encryption key and the device identifier value, and has been encrypted using a private key of a server. A shared secret is generated by applying a computational function to the encryption key and the device identifier value. Based on the shared secret, a first message integrity check value for a message is generated. The message, the first integrity check value, and the verification data are sent to the server. The server decrypts the verification data using the private key, extracts the encryption key and the device identifier value, and generates the same shared secret by applying the same computational function to the extracted encryption key and device identifier value.
    Type: Application
    Filed: March 17, 2005
    Publication date: September 21, 2006
    Inventors: Fabio Maino, Michael Fine, Irene Kuffel, Arthur Zavalkovsky
  • Publication number: 20060200670
    Abstract: Various systems and methods are disclosed for disseminating security server contact information in a network. For example, one method (e.g., performed by a security server) involves determining that a network device is a secure network device, in response to participating in a security exchange with the network device; and then sending a server list to the network device. The server list includes the network address of at least one security server. Another method (e.g., performed by a network device) involves initiating an authentication exchange; receiving a server list, which includes the network address of a security server, as part of the authentication exchange; and communicating with the security server by sending a packet to the network address included in the server list.
    Type: Application
    Filed: March 1, 2005
    Publication date: September 7, 2006
    Inventors: Irene Kuffel, Wilson Kok, Michael Fine, Fabio Maino, Jed Lau
  • Publication number: 20060112425
    Abstract: A method and system for including security information with a packet is disclosed. A packet is detected as it exits a first network and enters a second network. The first network is configured to support a network security technique, and the second network is not configured to support the network security technique. Network security information associated with the network security technique is included with the packet. A network device is configured to include network security information in overhead of a packet. A method for identifying a first network device in a network is also disclosed. Identification information of the first network is communicated to a second network device.
    Type: Application
    Filed: November 23, 2004
    Publication date: May 25, 2006
    Inventors: Michael Smith, Padmanabha Nallur, Wilson Kok, Michael Fine
  • Publication number: 20060112426
    Abstract: A method and system for including security information with a packet is disclosed. A packet is detected as it exits a first network and enters a second network. The first network is configured to support a network security technique, and the second network is not configured to support the network security technique. Network security information associated with the network security technique is included with the packet. A network device is configured to include network security information in overhead of a packet. A method for identifying a first network device in a network is also disclosed. Identification information of the first network is communicated to a second network device.
    Type: Application
    Filed: November 30, 2004
    Publication date: May 25, 2006
    Inventors: Michael Smith, Padmanabha Nallur, Wilson Kok, Michael Fine
  • Patent number: 6870812
    Abstract: A method and apparatus for implementing Quality of Service (QoS) policy in a data communications network. A content addressable memory (CAM) contains flow information for each active flow of packets passing through a given node of a data communications network. The CAM has associated with each entry a packet counter, a byte counter, a token bucket, and a contract value. Each flow is assigned one of a plurality of output queues and optionally at least one output threshold value. An access control list CAM (ACLCAM) contains masked flow information. The ACLCAM provides an index to internal token bucket counters and preconfigured contract values of an aggregate flow table which becomes affected by the packet statistics. In this way, flows are aggregated for assignment of output queues and thresholds, possible dropping, and possible modification of packets.
    Type: Grant
    Filed: March 18, 2003
    Date of Patent: March 22, 2005
    Assignee: Cisco Technology, Inc.
    Inventors: Raymond J. Kloth, Thomas J. Edsall, Michael Fine, Dinesh G. Dutt
  • Patent number: 6868065
    Abstract: A method and apparatus for implementing Quality of Service (QoS) policy in a data communications network. An active flow content addressable memory (CAM) contains entries of flow information for each active flow of packets passing through a given node of the data communications network. The CAM has associated with each entry a packet counter, a byte counter, a token bucket, and a contract value. Each flow is assigned one of a plurality of output queues and optionally at least one output threshold value. A token bucket algorithm is employed on each flow to determine whether packets from that flow exceed the contract value. Such packets may be dropped or optimally modified to reflect an alternate output queue and/or alternate threshold before being sent to the selected output queue for transmission from the node.
    Type: Grant
    Filed: March 18, 2003
    Date of Patent: March 15, 2005
    Assignee: Cisco Technology, Inc.
    Inventors: Raymond J. Kloth, Thomas J. Edsall, Michael Fine, Dinesh G. Dutt
  • Patent number: 6813250
    Abstract: A shared spanning tree protocol (SSTP) creates a plurality of spanning trees (i.e., loop-free paths) which are shared among one or more virtual local area network (VLAN) designations for data transmission within a computer network. Each shared spanning tree includes and is defined by a primary VLAN and may be associated with one or more secondary VLANs. In order to associate VLAN designation(s) with a single shared spanning tree, network devices exchange novel shared spanning tree protocol data units (SST-PDUs). Each SST-PDU corresponds to a given primary VLAN and preferably includes one or more fields which list the secondary VLAN designations associated with the given primary VLAN. The association of VLAN designations to shared spanning trees, moreover, preferably depends on which path traffic is to follow as well as the anticipated load characteristics of the various VLANs. The association of VLAN designations to shared spanning trees thus provides a degree of load balancing within the network.
    Type: Grant
    Filed: December 22, 2000
    Date of Patent: November 2, 2004
    Assignee: Cisco Technology, Inc.
    Inventors: Michael Fine, Silvano Gai, Keith McCloghrie
  • Patent number: 6798746
    Abstract: A content addressable memory (CAM or L3 Table) contains flow information for each active flow of packets passing through a given node of a data communications network. The CAM has associated with each entry (corresponding to each active flow) a packet counter, a byte counter, a token bucket and a contract value. Each flow is assigned one of a plurality of output queues and optionally at least one output threshold value. A token bucket algorithm is employed on each flow to determine whether packets from that flow exceed the contract value. Such packets may be dropped or optimally modified to reflect an alternate output queue and/or alternate threshold before being sent to the selected output queue for transmission from the node. In another aspect an access control list CAM (ACLCAM) contains masked flow information. The ACLCAM provides an index to internal token bucket counters and preconfigured contract values of an aggregate flow table which becomes affected by the packet statistics.
    Type: Grant
    Filed: May 28, 2002
    Date of Patent: September 28, 2004
    Assignee: Cisco Technology, Inc.
    Inventors: Raymond J. Kloth, Thomas J. Edsall, Michael Fine, Dinesh G. Dutt
  • Patent number: 6741592
    Abstract: The invention uses a layer 2 switch (L2 switch), or bridge, to separate user's message traffic by use of Virtual Local Area Networks (VLANs) defined within the switch. Three new types of ports are defined, “promiscuous” ports, “isolated” ports, and “community” ports. Three types of VLANs internal to the switch are defined, “primary” VLANs, “isolated” VLANs and “community” VLANs. The promiscuous ports are connected to layer 3 or layer 4 devices. Isolated ports and community ports are connected to individual user's servers, etc., and maintain traffic for each user separate from other users. The primary VLAN connects to all promiscuous ports, to all isolated ports, and to all community ports. The primary VLAN is a one way connection from promiscuous ports to isolated or community ports. An isolated VLAN connects to all promiscuous ports and to all isolated ports.
    Type: Grant
    Filed: May 22, 2000
    Date of Patent: May 25, 2004
    Assignee: Cisco Technology, Inc.
    Inventors: Thomas J. Edsall, Marco Foschiano, Michael Fine, Thomas Nosella
  • Patent number: 6643260
    Abstract: A content addressable memory (CAM or L3 Table) contains flow information for each active flow of packets passing through a given node of a data communications network. The CAM has associated with each entry (corresponding to each active flow) a packet counter, a byte counter, a token bucket and a contract value. Each flow is assigned one of a plurality of output queues and optionally at least one output threshold value. A token bucket algorithm is employed on each flow to determine whether packets from that flow exceed the contract value. Such packets may be dropped or optimally modified to reflect an alternate output queue and/or alternate threshold before being sent to the selected output queue for transmission from the node. In another aspect an access control list CAM (ACLCAM) contains masked flow information. The ACLCAM provides an index to internal token bucket counters and preconfigured contract values of an aggregate flow table which becomes affected by the packet statistics.
    Type: Grant
    Filed: December 18, 1998
    Date of Patent: November 4, 2003
    Assignee: Cisco Technology, Inc.
    Inventors: Raymond J. Kloth, Thomas J. Edsall, Michael Fine, Dinesh G. Dutt
  • Patent number: 6389088
    Abstract: There is disclosed a bit sync search and frame sync search system operative with a digital data signal as transmitted by a digital radio transmitter. The bit search is implemented by detecting a predetermined phasing signal which is incorporated in the digital signal and which has a repetitive bit pattern of ones and zeroes. The phasing signal is first detected by providing an in-phase and quadrature component signal and correlating those signals to provide an output signal indicative of the bit pattern in the phasing signal. After the phasing signal has been provided and an oscillator associated with a receiving apparatus is compensated according to the detected phasing signal, a tracking mode is entered, whereby a frame signal is captured and the system generates histograms of data bit transitions for producing an error signal indicative of the difference of the transmitted clock rate and the sampling portion of a received bit.
    Type: Grant
    Filed: February 22, 2000
    Date of Patent: May 14, 2002
    Assignee: ITT Manufacturing Enterprises, Inc.
    Inventors: Gary Vincent Blois, Joseph Michael Fine, Marvin A. Epstein
  • Publication number: 20020043260
    Abstract: Apparatus, systems and methods are provided for the warming of materials. In an embodiment, the heat for warming the materials is provided by an activatable heating substance, such as a supercooled salt solution. In an embodiment, an apparatus maintains fluid at a preselected temperature for prolonged durations. In an embodiment, an apparatus may be sterilized for deployment in a sterile surgical field. In an embodiment, an apparatus may be reused. In an embodiment, an apparatus is adapted for easy pouring of contents.
    Type: Application
    Filed: July 19, 2001
    Publication date: April 18, 2002
    Inventors: James H. Layer, Kenneth Solovay, Thomas Jacobs, Michael Fine, Gregory M. Smith
  • Patent number: 6298061
    Abstract: A port aggregation protocol (PAGP) dynamically aggregates redundant links between two neighboring devices in a computer network through the exchange of aggregation protocol data unit (AGPDU) frames between the two devices. Each AGPDU frame contains a unique identifier corresponding to the device sourcing the frame and a port number corresponding to the port through which the frame is forwarded. The exchange of AGPDU frames and the information contained therein allows the neighboring devices to identify those ports corresponding to the redundant links. Each device then dynamically aggregates its ports corresponding to the redundant links into a logical aggregation port (agport) which appears as a single, high-bandwidth port or interface to other processes executing on the device.
    Type: Grant
    Filed: September 19, 2000
    Date of Patent: October 2, 2001
    Assignee: Cisco Technology, Inc.
    Inventors: Hon Wah Chin, Michael Fine, Norman W. Finn, Richard J. Hausman
  • Patent number: 6275933
    Abstract: In order to boot a portable computer, a smart key is required to be inserted into a PCMCIA card of the portable computer. Firmware in the PCMCIA card verifies that a smart key has been inserted. The portable computer will boot only when two conditions are met. The first condition is that the smart key, the PCMCIA card, and the portable computer all contemporaneously have the matching codes stored therein. The second condition is that the first condition is met and that a new randomly generated and encrypted code is successfully stored in each of the smart key, the PCMCIA card, and the portable computer. Until these two conditions are met, the portable computer will not boot. Once booted, access to certain coded files on the portable computer is denied if respective matching codes in the coded files are not also contained in the smart key. Also, the portable computer will not exit an idle, sleep, or power conservation mode until the two conditions are met.
    Type: Grant
    Filed: April 30, 1999
    Date of Patent: August 14, 2001
    Assignee: 3Com Corporation
    Inventors: Michael Fine, Randy Rollins