Patents by Inventor Michael Freed

Michael Freed has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7664855
    Abstract: Techniques are described for mitigating adverse effects of port scanning within a network device. For example, an apparatus, such as a router, responds to all network connection request packets received from a client for all ports on an attached server as if all of the server's ports are open. Once a network connection is established between the router and the client, a network connection request is transmitted to the server for a requested port. Using the router to establish a full network connection with the client eliminates an unscrupulous client from sending numerous decoy network connection request messages in an effort to hide the identity of the client. By responding to all network connection requests by establishing a TCP full connection before a network connection request is forwarded to a server, a client receives no useful information regarding the state of a port on the server before providing a valid and detectable IP address. Stealth port scanning is rendered ineffective.
    Type: Grant
    Filed: May 5, 2004
    Date of Patent: February 16, 2010
    Assignee: Juniper Networks, Inc.
    Inventors: Michael Freed, Robert M. Krohn
  • Patent number: 7546635
    Abstract: A network device receives control plane packets and data plane packets from a network. The network device includes a forwarding component that forwards the data plane packets in accordance with routing information maintained by a routing component. The forwarding component directs the control plane packets to a firewall component that processes the control plane packets to apply firewall services and detect network attacks. After processing, the firewall component loops the control plane packets back to the forwarding components for forwarding to the routing component. The firewall component may be a security service card.
    Type: Grant
    Filed: August 11, 2004
    Date of Patent: June 9, 2009
    Assignee: Juniper Networks, Inc.
    Inventors: Robert M. Krohn, Sankar Ramamoorthi, Michael Freed, Keith Holleman
  • Publication number: 20080114887
    Abstract: A network content service apparatus includes a set of compute elements adapted to perform a set of network services; and a switching fabric coupling compute elements in said set of compute elements. The set of network services includes firewall protection, Network Address Translation, Internet Protocol forwarding, bandwidth management, Secure Sockets Layer operations, Web caching, Web switching, and virtual private networking. Code operable on the compute elements enables the network services, and the compute elements are provided on blades which further include at least one input/output port.
    Type: Application
    Filed: November 7, 2007
    Publication date: May 15, 2008
    Applicant: Juniper Networks, Inc.
    Inventors: Mark Bryers, Elango Ganesan, Frederick Gruner, David Hass, Robert Hathaway, Ramesh Panwar, Ricardo Ramirez, Abbas Rashid, Mark Vilas, Nazar Zaidi, Yen Lee, Chau Nguyen, John Phillips, Yuhong Zhou, Gregory Spurrier, Sankar Ramanoorthi, Michael Freed
  • Patent number: 7363353
    Abstract: An architecture for controlling a multiprocessing system to provide at least one network service to subscriber data packets transmitted in the system using a plurality of compute elements, comprising a management compute element including service set-up information for at least one service and at least one processing compute element applying said at least one network service to said data packets and communicating service set-up information with the management compute element in order to perform service specific operations on data packets. In a further embodiment, a method of controlling a processing system including a plurality of processors is disclosed.
    Type: Grant
    Filed: July 8, 2002
    Date of Patent: April 22, 2008
    Assignee: Juniper Networks, Inc.
    Inventors: Elango Ganesan, Ramesh Panwar, Yen Lee, Chau Anh Ngoc Nguyen, John Phillips, Yuhong Andy Zhou, Gregory G Spurrier, Sankar Ramanoorthi, Michael Freed, Mark Bryers, Nazar Zaidi
  • Patent number: 7305492
    Abstract: A network content service apparatus includes a set of compute elements adapted to perform a set of network services; and a switching fabric coupling compute elements in said set of compute elements. The set of network services includes firewall protection, Network Address Translation, Internet Protocol forwarding, bandwidth management, Secure Sockets Layer operations, Web caching, Web switching, and virtual private networking. Code operable on the compute elements enables the network services, and the compute elements are provided on blades which further include at least one input/output port.
    Type: Grant
    Filed: July 8, 2002
    Date of Patent: December 4, 2007
    Assignee: Juniper Networks, Inc.
    Inventors: Mark Bryers, Elango Ganesan, Frederick Gruner, David Hass, Robert Hathaway, Ramesh Panwar, Ricardo Ramirez, Abbas Rashid, Mark Vilas, Nazar Zaidi, Yen Lee, Chau Anh Ngoc Nguyen, John Phillips, Yuhong Andy Zhou, Gregory G. Spurrier, Sankar Ramanoorthi, Michael Freed
  • Patent number: 7275093
    Abstract: Methods and a device for changing the message size broadcast over a network and furthermore preventing fragmentation in networks are provided. The device intercepts a message transported across a network, wherein the message is sent from a data source to a data receiver and changes the message size. In addition, the device may use the methods to change the message size of data transmitted over a network thus reducing fragmentation. As a result, network devices such as classifiers preferably avoid re-assembling fragments. More specifically by reducing re-assembling, network devices like a classifier can react more quickly to applications requiring information found in both of an IP and TCP/UDP header.
    Type: Grant
    Filed: April 26, 2000
    Date of Patent: September 25, 2007
    Assignee: 3 Com Corporation
    Inventors: Michael Freed, Satish Amara
  • Patent number: 7228412
    Abstract: A method for enabling secure communication between a client on an open network and a server apparatus on a secure network. The method is generally performed on an intermediary apparatus coupled to the secure network and the open network. The method includes the steps of negotiating a secure communications session with the client apparatus via the open network; negotiating an open communications session with the server via the secure network; receiving encrypted packet application data having a length greater than a packet length via multiple data packets; decrypting the encrypted packet application data in each data packet; forwarding decrypted, unauthenticated application data to the server via the secure network; and authenticating the decrypted packet data on receipt of a final packet of the segment.
    Type: Grant
    Filed: July 6, 2001
    Date of Patent: June 5, 2007
    Assignee: Juniper Networks, Inc.
    Inventors: Michael Freed, Elango Gannesan, Arun Moorthy
  • Publication number: 20070023226
    Abstract: A tapered-head bolt for use in attaching axle shafts to hub assemblies in heavy-duty, powered, non-steering (full-floating) axles. Use of the tapered-head bolt eliminates the deficiencies and complexity associated with the current use of studs, cone-nuts, cone-washers, and/or lock nuts.
    Type: Application
    Filed: July 26, 2005
    Publication date: February 1, 2007
    Inventors: Suheal Hawash, Henry Gallmeyer, Gregg Monteith, Michael Freed, Gregory Voglewede, Gregory Mettler, Roy Tope, Terry Simpson
  • Patent number: 7149892
    Abstract: A method for secure communications between a client and one of a plurality of servers performed on an intermediary device coupled to the client and said plurality of servers. In one aspect, the method comprises: establishing an open communications session between the intermediary device and the client via an open network; negotiating a secure communications session with the client; establishing an open communications session with said one of said plurality of servers via a secure network; receiving encrypted data from the client via the secure communications session; decrypting encrypted application data; forwarding decrypted application data to the server via the secure network; receiving application data from the server via the secure network; encrypting the application data; and sending encrypted application data to the client.
    Type: Grant
    Filed: July 6, 2001
    Date of Patent: December 12, 2006
    Assignee: Juniper Networks, Inc.
    Inventors: Michael Freed, Elango Gannesan
  • Patent number: 7088678
    Abstract: A system and methods are shown for traffic shaping and congestion avoidance in a computer network such as a data-over-cable network. A headend of the data-over-cable system includes a traffic shaper configured to calculate a packet arrival rate from a cable modem and a traffic conditioner configured to calculate an average queue size on an output interface to an external network. For example, the traffic shaper compares the packet arrival rate to three packet arrival thresholds including a committed rate threshold, a control rate threshold and a peak rate threshold. If the calculated packet arrival rate falls between the committed threshold and control rate threshold, the traffic shaper applies a link layer mechanism, such as a MAP bandwidth allocation mechanism, to lower the transmission rate from the cable modem.
    Type: Grant
    Filed: August 27, 2001
    Date of Patent: August 8, 2006
    Assignee: 3Com Corporation
    Inventors: Michael Freed, Satish Amara, Michael Borella
  • Patent number: 7073055
    Abstract: A system and methods for providing distributed and dynamic network services to remote access users. One of the methods includes providing a first certificate for requesting dynamic network services by a user network entity, and at least one second certificate for requesting static network services by the user network entity. According to one method, a user of the user network entity may generate a first message to request dynamic network services from a network service provider entity. For example, the first message may include the first certificate, a digital signature generated with a private encryption key associated with the first certificate and a list of network services that the user wishes to set up dynamically.
    Type: Grant
    Filed: February 22, 2001
    Date of Patent: July 4, 2006
    Assignee: 3Com Corporation
    Inventors: Michael Freed, Satish Amara, Boby Joseph
  • Patent number: 7068654
    Abstract: A system and method for transmitting information between a source host and a destination host. A source host generates a message and forwards the message via a label switched path to the destination host so that when a central routing module receives the message, the message includes a label. A central routing module establishes a local master mapping table including a plurality of physical addresses, and each of the plurality of physical addresses is associated with a unique identifier such as a label. When a switch egress module receives the message with the label, the switch egress module determines a physical address associated with the label, maps the physical address to the message, and forwards the message to the destination host associated with the label.
    Type: Grant
    Filed: April 18, 2001
    Date of Patent: June 27, 2006
    Assignee: 3Com Corporation
    Inventors: Boby Joseph, Satish Amara, Michael Freed
  • Patent number: 7039053
    Abstract: A method for determining the validity of an n-dimensional policy table in a router. The router may include a processor, a memory (e.g. ROM, flash memory, non-volatile memory, hard disk, etc.), and two or more policy rules stored in the memory. Each policy rule may have one or more dimensions (or parameters), designated generally by the symbol n. In accord with the method, the processor may make a determination whether any particular policy rule in the table intersects any subsequent policy rule in the table in every dimension n. If no rules in the table intersect in every dimension n, then the policy table is valid, and the router may operate normally.
    Type: Grant
    Filed: February 28, 2001
    Date of Patent: May 2, 2006
    Assignee: 3Com Corporation
    Inventors: Michael Freed, Michael S. Borella, Satish Amara
  • Publication number: 20060055205
    Abstract: A mounting system for securing brake hoses and electrical cables located to the rearward of a mobile vehicle cab. The mobile vehicle's cab is engaged to a chassis. The chassis has exhaust stanchions rearward of the cab relative to vehicle forward movement. The exhaust stanchions are supported by braces. Attached to these braces, or integrated into them, are mounting points for interchangeable brackets. One carries a “glad hand” and electrical connector hanger, and the other carries a hose tender.
    Type: Application
    Filed: September 14, 2004
    Publication date: March 16, 2006
    Inventors: Richard Arnold, Darrell Bowman, Anthony Buchman, Michael Freed, Robert Haverstick
  • Patent number: 6996062
    Abstract: A method and apparatus for avoiding network congestion. An exemplary packet forwarding device may apply policy rules to incoming packets to assign relative drop probabilities to the packets based on the priority of the packets. In times of network congestion, packets may be selectively dropped according to their associated drop probability.
    Type: Grant
    Filed: February 28, 2001
    Date of Patent: February 7, 2006
    Assignee: 3COM Corporation
    Inventors: Michael Freed, Satish Kumar Amara
  • Patent number: 6965992
    Abstract: A method and system for network security includes a first network device having a first set of key material with a base key and a key extension, and a second network device also having the first set of key material and a second set of key material with a second base key. The second network device is capable of communicating with the first network device using security determined by the first set of key material. The method and system for network security may further include a third network device having the second set of key material. The third network device is capable of communicating with the second network device using security determined by the second set of key material. For the present method and system, security determined by the first set of key material is stronger than security determined by the second set of key material.
    Type: Grant
    Filed: February 24, 2000
    Date of Patent: November 15, 2005
    Assignee: 3Com Corporation
    Inventors: Boby Joseph, Michael Freed, Michael S. Borella
  • Patent number: 6674743
    Abstract: A packet-forwarding device for providing policy-based services has at least a first interface, a second interface, and a packet forwarder for forwarding external packets between the first and second interfaces. The packet-forwarding device also runs internal applications that may be remotely accessed. The first and second interfaces transmit and receive internal and external packets, the internal packets being those packets generated or received by the internal applications during remote access, and the external packets being those packets destined for devices other than the packet-forwarding device. The packet forwarder forwards external packets between the first and second interfaces. An internal interface forwards internal packets between the internal applications and the first and second interfaces, and a policy engine logically connected to the internal interface applies a policy to the internal packets.
    Type: Grant
    Filed: December 30, 1999
    Date of Patent: January 6, 2004
    Assignee: 3Com Corporation
    Inventors: Satish Amara, Michael Freed
  • Publication number: 20030126233
    Abstract: A network content service apparatus includes a set of compute elements adapted to perform a set of network services; and a switching fabric coupling compute elements in said set of compute elements. The set of network services includes firewall protection, Network Address Translation, Internet Protocol forwarding, bandwidth management, Secure Sockets Layer operations, Web caching, Web switching, and virtual private networking. Code operable on the compute elements enables the network services, and the compute elements are provided on blades which further include at least one input/output port.
    Type: Application
    Filed: July 8, 2002
    Publication date: July 3, 2003
    Inventors: Mark Bryers, Elango Ganesan, Frederick Gruner, David Hass, Robert Hathaway, Ramesh Panwar, Ricardo Ramirez, Abbas Rashid, Mark Vilas, Nazar Zaidi, Yen Lee, Chau Anh Ngoc Nguyen, John Phillips, Yuhong Andy Zhou, Gregory G. Spurrier, Sankar Ramanoorthi, Michael Freed
  • Publication number: 20030069973
    Abstract: An architecture for controlling a multiprocessing system to provide at least one network service to subscriber data packets transmitted in the system using a plurality of compute elements, comprising a management compute element including service set-up information for at least one service and at least one processing compute element applying said at least one network service to said data packets and communicating service set-up information with the management compute element in order to perform service specific operations on data packets. In a further embodiment, a method of controlling a processing system including a plurality of processors is disclosed.
    Type: Application
    Filed: July 8, 2002
    Publication date: April 10, 2003
    Inventors: Elango Ganesan, Ramesh Penwar, Yen Lee, Chau Am Nguyen, John Phillips, Andy Yuhong Zhou, Greg G. Spurrier, Sankar Ramanoorthi, Michael Freed, Mark Bryers, Nazar Zaidi
  • Publication number: 20030014628
    Abstract: A method for secure communications between a client and one of a plurality of servers performed on an intermediary device coupled to the client and said plurality of servers. In one aspect, the method comprises: establishing an open communications session between the intermediary device and the client via an open network; negotiating a secure communications session with the client; establishing an open communications session with said one of said plurality of servers via a secure network; receiving encrypted data from the client via the secure communications session; decrypting encrypted application data; forwarding decrypted application data to the server via the secure network; receiving application data from the server via the secure network; encrypting the application data; and sending encrypted application data to the client.
    Type: Application
    Filed: July 6, 2001
    Publication date: January 16, 2003
    Inventors: Michael Freed, Elango Ganesen