Abstract: Software for managing access control functions in a network. The software includes a host that receives access control commands or information and calls one or more methods. The methods perform access control functions and communicate access control results or messages to be transmitted. The host may be installed in a network peer seeking access to the network or in a server controlling access to the network. When installed in a peer, the host receives commands and exchanges information with a supplicant. When installed in an access control server, the host receives commands and exchanges information with an authenticator. The host has a flexible architecture that enables multiple features, such as allowing the same methods to be used for authentication by multiple supplicants, providing ready integration of third party access control software, simplifying network maintenance by facilitating upgrades of authenticator software and enabling access control functions other than peer authentication.

Abstract: Software for managing access control functions in a network. The software includes a host that receives access control commands or information and calls one or more methods. The methods perform access control functions and communicate access control results or messages to be transmitted. The host may be installed in a network peer seeking access to the network or in a server controlling access to the network. When installed in a peer, the host receives commands and exchanges information with a supplicant. When installed in an access control server, the host receives commands and exchanges information with an authenticator. The host has a flexible architecture that enables multiple features, such as allowing the same methods to be used for authentication by multiple supplicants, providing ready integration of third party access control software, simplifying network maintenance by facilitating upgrades of authenticator software and enabling access control functions other than peer authentication.

Abstract: Software for managing access control functions in a network. The software includes a host that receives access control commands or information and calls one or more methods. The methods perform access control functions and communicate access control results or messages to be transmitted. The host may be installed in a network peer seeking access to the network or in a server controlling access to the network. When installed in a peer, the host receives commands and exchanges information with a supplicant. When installed in an access control server, the host receives commands and exchanges information with an authenticator. The host has a flexible architecture that enables multiple features, such as allowing the same methods to be used for authentication by multiple supplicants, providing ready integration of third party access control software, simplifying network maintenance by facilitating upgrades of authenticator software and enabling access control functions other than peer authentication.

Abstract: A library operating system is employed in conjunction with an application in a virtual environment to facilitate dynamic application migration. An application executing in a virtual environment with a library operating system on a first machine can be suspended, and application state can be captured. Subsequently, the state can be restored and execution resumed on the first machine or a second machine.

Abstract: A method and system are provided for adding, removing, and managing a plurality of network policy filters in a network device. Filters are installed in a framework and designated as active or disabled. Each filter has a priority. When a new filter is to be installed into the framework, it is compared to installed filters to determine if a conflict exists. If no conflict exists, the new filter is added as an active filter. If a conflict exists, a higher priority conflicting filter is added as active and a lower priority filter is added as inactive.

Abstract: Software for managing access control functions in a network. The software includes a host that receives access control commands or information and calls one or more methods. The methods perform access control functions and communicate access control results or messages to be transmitted. The host may be installed in a network peer seeking access to the network or in a server controlling access to the network. When installed in a peer, the host receives commands and exchanges information with a supplicant. When installed in an access control server, the host receives commands and exchanges information with an authenticator. The host has a flexible architecture that enables multiple features, such as allowing the same methods to be used for authentication by multiple supplicants, providing ready integration of third party access control software, simplifying network maintenance by facilitating upgrades of authenticator software and enabling access control functions other than peer authentication.

Abstract: Software for managing access control functions in a network. The software includes a host that receives access control commands or information and calls one or more methods. The methods perform access control functions and communicate access control results or messages to be transmitted. The host may be installed in a network peer seeking access to the network or in a server controlling access to the network. When installed in a peer, the host receives commands and exchanges information with a supplicant. When installed in an access control server, the host receives commands and exchanges information with an authenticator. The host has a flexible architecture that enables multiple features, such as allowing the same methods to be used for authentication by multiple supplicants, providing ready integration of third party access control software, simplifying network maintenance by facilitating upgrades of authenticator software and enabling access control functions other than peer authentication.

Abstract: A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes including a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode thereby minimizing the plurality of messages that need to be exchanged between the initiator and the responder.

Abstract: A library operating system is employed in conjunction with an application in a virtual environment to facilitate dynamic application migration. An application executing in a virtual environment with a library operating system on a first machine can be suspended, and application state can be captured. Subsequently, the state can be restored and execution resumed on the first machine or a second machine.

Abstract: Consumer computers that are not properly configured for safe access to a web service are protected from damage by controlling access to web services based on the health of the client computer. A client health web service receives health information from the client computer, determines the health status of the consumer computer, and issues a token to the consumer computer indicating its health status. The consumer computer can provide this token to other web services, which in turn may provide access to the consumer computer based on the health status indicated in the token. The client health web service may be operated as a web service specifically to determine the health of consumer computers or may have other functions, including providing access to the Internet. Also, the health information may be proxied to another device, such as a gateway device, that manages interactions with the client health web service.

Abstract: A unified architecture for enabling remote access to a network is provided. The network may comprise, as examples, a virtual private network (VPN) and/or a peer-to-peer network. In one embodiment, the architecture includes components installed on a client device/node and a gateway/supernode. Components implemented on the client device may facilitate access in a manner similar to that of a traditional VPN, while components on the gateway may facilitate access in a manner similar to an application proxy. Communication between the client device and gateway may occur, as an example, via a Secure Sockets Layer (SSL) communication protocol.

Abstract: A network state platform for managing a network having a number of network nodes is disclosed. A user provides a policy layer a high level instruction indicative of the desired network performance. The policy layer parses the high level instruction to generate a number of configuration instructions for the network nodes. The network nodes provide data logs of their activity to a data layer that collates the logs into a single entry that is stored, and can be accessed by an observation layer. External applications interface with the observation layer to access the stored data and use this information to generate requests to change portions of the network configuration. These requests are provided to a control layer that converts the requests from the applications to a high level instruction that is then provided to the policy layer to implement.

Abstract: A method is provided for use in a computer system including a client and a health registration authority. The health registration authority is configured to accept requests for assertions, and the client has a health state described by at least one health claim. The method may include an act of including an indication of the at least one health claim of the client in a request for an assertion. A second method is provided for use in a computer system comprising a client, an assertion authority, and a plurality of health policies. The method can include an act of including an indication of at least one health policy that the health claim of the client satisfies in an assertion.

Abstract: A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes including a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode thereby minimizing the plurality of messages that need to be exchanged between the initiator and the responder.

Abstract: A network state platform for managing a network having a number of network nodes is disclosed. A user provides a policy layer a high level instruction indicative of the desired network performance. The policy layer parses the high level instruction to generate a number of configuration instructions for the network nodes. The network nodes provide data logs of their activity to a data layer that collates the logs into a single entry that is stored, and can be accessed by an observation layer. External applications interface with the observation layer to access the stored data and use this information to generate requests to change portions of the network configuration. These requests are provided to a control layer that converts the requests from the applications to a high level instruction that is then provided to the policy layer to implement.

Abstract: A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes including a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode thereby minimizing the plurality of messages that need to be exchanged between the initiator and the responder.

Abstract: A method and system are provided for implementing a firewall architecture in a network device. The firewall architecture includes a plurality of network layers, a first firewall engine, and one or more callout modules. The layers send packets and packet information to the first firewall engine, maintain and pass packet context to subsequent layers, and process the packets. The first firewall engine compares the packet information to one or more installed filters and returns an action to the layers indicating how to treat the packet. The callouts provide additional functionality such as intrusion detection, logging, and parental control features.

Abstract: A method and system are provided for adding, removing, and managing a plurality of network policy filters in a network device. Filters are installed in a framework and designated as active or disabled. Each filter has a priority. When a new filter is to be installed into the framework, it is compared to installed filters to determine if a conflict exists. If no conflict exists, the new filter is added as an active filter. If a conflict exists, a higher priority conflicting filter is added as active and a lower priority filter is added as inactive.

Abstract: Consumer computers that are not properly configured for safe access to a web service are protected from damage by controlling access to web services based on the health of the client computer. A client health web service receives health information from the client computer, determines the health status of the consumer computer, and issues a token to the consumer computer indicating its health status. The consumer computer can provide this token to other web services, which in turn may provide access to the consumer computer based on the health status indicated in the token. The client health web service may be operated as a web service specifically to determine the health of consumer computers or may have other functions, including providing access to the Internet. Also, the health information may be proxied to another device, such as a gateway device, that manages interactions with the client health web service.

Abstract: A method and system are provided for adding, removing, and managing a plurality of network policy filters in a network device. Filters are installed in a framework and designated as active or disabled. Each filter has a priority. When a new filter is to be installed into the framework, it is compared to installed filters to determine if a conflict exists. If no conflict exists, the new filter is added as an active filter. If a conflict exists, a higher priority conflicting filter is added as active and a lower priority filter is added as inactive.