Abstract: The invention relates to a computer-implemented system and method for efficiently configuring the security rules for application firewalls in a cloud-based infrastructure, the cloud-based infrastructure containing at least one of a virtual machine comprising an application, a Domain Name System (DNS) Agent, and a firewall. The method may comprise requesting, by the application, network address information via a DNS server for a fully qualified domain name (FQDN); intercepting, by the DNS Agent, data packets containing the DNS Server query response; decoding, by the DNS Agent, the DNS query response, and identifying the network address information; and updating a security rule of the firewall, by the DNS Agent, based on the decoded network address information. The method may be implemented to update the security rules of application firewalls across an organization's cloud-based infrastructure.

Abstract: Embodiments of the present disclosure provide for configuring and managing mesh nodes during occasional failure of mesh nodes or addition of new mesh nodes. The disclosed system first determines whether a mesh node is a mesh portal or a mesh point. If it is a mesh portal, the mesh node will advertise its capacity as a mesh portal to other mesh nodes in the network. If it is a mesh point, the mesh node attempts to automatically recover connection to the wireless mesh network if it identifies a unique wireless network based on its associated network identifier. If more than one network identifiers are discovered, the mesh node delays establishing connection to the wireless mesh network until a selection is received.

Abstract: The invention relates to a computer-implemented system and method for efficiently configuring the security rules for application firewalls in a cloud-based infrastructure, the cloud-based infrastructure containing at least one of a virtual machine comprising an application, a Domain Name System (DNS) Agent, and a firewall. The method may comprise requesting, by the application, network address information via a DNS server for a fully qualified domain name (FQDN); intercepting, by the DNS Agent, data packets containing the DNS Server query response; decoding, by the DNS Agent, the DNS query response, and identifying the network address information; and updating a security rule of the firewall, by the DNS Agent, based on the decoded network address information. The method may be implemented to update the security rules of application firewalls across an organization's cloud-based infrastructure.

Abstract: A network device may detect packets being transmitted on a network to obtain detected packets, identify Internet Protocol (IP) addresses corresponding to the detected packets, and identify candidate IP subnets that do not include any IP address in the IP addresses corresponding to the detected packets. A particular IP subnet may be selected from the set of candidate IP subnets for allocation to a set of target devices. A network device may identify a set of candidate Internet Protocol (IP) subnets, select a particular IP subnet from the set of candidate IP subnets, and transmit, to other network devices, an advertisement including an intent to use the particular IP subnet. Responsive to determining that none of the other network devices are using the particular IP subnet, the network device may select the particular IP subnet for allocating to a set of target devices.

Abstract: Provisioning remote access points for use in a telecommunication network. A remote access point contains identity information established during manufacturing; this identity information may be in the nature of a digital certificate. The identity information is stored in the remote access point, and may be stored in a Trusted Platform Module if present. When the remote access node is powered up in unprovisioned state, outside the manufacturing environment, it attempts to establish an internet connection via a first wired interface, and queries a user for information representing the TCP/IP address of its controller via a second wired interface. Once an internet connection is present, and a TCP/IP address has been provided, the remote access point attempts to connect to the controller at that address. Once a connection is established, controller and access point exchange and verify each other's identities.

Abstract: A network device may detect packets being transmitted on a network to obtain detected packets, identify Internet Protocol (IP) addresses corresponding to the detected packets, and identify candidate IP subnets that do not include any IP address in the IP addresses corresponding to the detected packets. A particular IP subnet may be selected from the set of candidate IP subnets for allocation to a set of target devices. A network device may identify a set of candidate Internet Protocol (IP) subnets, select a particular IP subnet from the set of candidate IP subnets, and transmit, to other network devices, an advertisement including an intent to use the particular IP subnet. Responsive to determining that none of the other network devices are using the particular IP subnet, the network device may select the particular IP subnet for allocating to a set of target devices.

Abstract: A network device may detect packets being transmitted on a network to obtain detected packets, identify Internet Protocol (IP) addresses corresponding to the detected packets, and identify candidate IP subnets that do not include any IP address in the IP addresses corresponding to the detected packets. A particular IP subnet may be selected from the set of candidate IP subnets for allocation to a set of target devices. A network device may identify a set of candidate Internet Protocol (IP) subnets, select a particular IP subnet from the set of candidate IP subnets, and transmit, to other network devices, an advertisement including an intent to use the particular IP subnet. Responsive to determining that none of the other network devices are using the particular IP subnet, the network device may select the particular IP subnet for allocating to a set of target devices.

Abstract: The present disclosure relates to a network device that detects a deauthentication and/or disassociation attack in a wireless local area network (WLAN). In example implementations, the network device selects a random Media Access Control (MAC) address that is unused in the WLAN. The network device then transmits a request using the selected MAC address over a shared wireless communication channel. Next, the network device transmits a response using a MAC address corresponding to the network device over the shared wireless communication channel. Subsequently, the network device receives a disconnection request using the selected MAC address over the shared wireless communication channel. In response to receiving the disconnection request, the network device can detect an attacker device in the WLAN.

Abstract: The present disclosure discloses a system and method for classifying an application session for forwarding or refrain from forwarding to a client. Generally, classifying an application session includes: receiving a first request from a client device at a first network device; transmitting, by the first network device, a second request to obtain classification information corresponding to the first request; forwarding, by the first network device, the first request from the client device prior to receiving the classification information corresponding to the first request; receiving, by the first network device, the classification information corresponding to the first request; receiving, by the first network device, a first response corresponding to the forwarded first request; and based on the classification information, forwarding or refraining from forwarding the first response to the client device.

Abstract: The present disclosure discloses a method and network device for providing VLAN mismatch detection in networks. Specifically, a network device monitors a plurality of packets received by a first device from a second device to identify a first set of VLAN identifiers indicated by at least one of the plurality of packets. The network device receives from a third device at least one packet tagged with a particular VLAN identifier, whereas the at least one packet to be forwarded by the first device to the second device. The network device then determines whether the particular VLAN identifier is included in the first set of VLAN identifiers indicated by at least one of the plurality of packets received by the first device from the second device. If the particular VLAN identifier is not included in the first set of VLAN identifiers, the network device presents a notification.

Abstract: Embodiments of the present disclosure provide for configuring and managing mesh nodes during occasional failure of mesh nodes or addition of new mesh nodes. The disclosed system first determines whether a mesh node is a mesh portal or a mesh point. If it is a mesh portal, the mesh node will advertise its capacity as a mesh portal to other mesh nodes in the network. If it is a mesh point, the mesh node attempts to automatically recover connection to the wireless mesh network if it identifies a unique wireless network based on its associated network identifier. If more than one network identifiers are discovered, the mesh node delays establishing connection to the wireless mesh network until a selection is received.

Abstract: Zero touch configuration support for a universal serial bus (USB) modem is described herein. For example, as described herein, an identifier of a modem connected to an access point may be determined. Location information corresponding to the access point may also be determined. Based on the identifier of the modem and the location information, the access point may select a particular configuration, for the modem, where the particular configuration is suitable for a geographical location associated with the location information.

Abstract: The present disclosure discloses a method and network device for providing VLAN mismatch detection in networks. Specifically, a network device monitors a plurality of packets received by a first device from a second device to identify a first set of VLAN identifiers indicated by at least one of the plurality of packets. The network device receives from a third device at least one packet tagged with a particular VLAN identifier, whereas the at least one packet to be forwarded by the first device to the second device. The network device then determines whether the particular VLAN identifier is included in the first set of VLAN identifiers indicated by at least one of the plurality of packets received by the first device from the second device. If the particular VLAN identifier is not included in the first set of VLAN identifiers, the network device presents a notification.

Abstract: Embodiments of the present disclosure provide for configuring and managing mesh nodes during occasional failure of mesh nodes or addition of new mesh nodes. The disclosed system first determines whether a mesh node is a mesh portal or a mesh point. If it is a mesh portal, the mesh node will advertise its capacity as a mesh portal to other mesh nodes in the network. If it is a mesh point, the mesh node attempts to automatically recover connection to the wireless mesh network if it identifies a unique wireless network based on its associated network identifier. If more than one network identifiers are discovered, the mesh node delays establishing connection to the wireless mesh network until a selection is received.

Abstract: The present disclosure discloses a network device and/or method for centralized configuration with dynamic distributed address management. The disclosed network device receives, at a first network node, a range of sub network addresses and a specified size for a sub network. The disclosed network device then divides the range of sub network addresses into a plurality of sub-ranges of sub network addresses based on the specified size. Further, the network device allocates the plurality of sub-ranges of sub network addresses to a plurality of sub networks, and transmits an allocated sub-range of sub network addresses to a corresponding sub network at a second network node through an established secure communication channel. Moreover, the network device can retrieve a profile template that includes the range of sub network addresses and the specified size of the sub network; and create a profile based on the profile template.

Abstract: The present disclosure discloses a method and system for partitioning WLAN in order to separate network traffic from different WLANs. Specifically, a network device receives a packet from a client connected to a first network device on an access network. The network device then determines that the received packet is associated with a VLAN that is pre-configured on the first network device based on the access network to which the client is connected. Furthermore, the network device transmits the packet to a MAC layer switching device, which is not configured with the VLAN that is pre-configured on the network device. The packet includes one of a DHCP discovery message, an ARP request message, a unicast message, a multicast message, and a broadcast message. The unicast message will be transmitted to the second network device on the pre-configured VLAN prior to being transmitted to another network device outside the pre-configured VLAN.

Abstract: The present disclosure relates to a network device that detects a deauthentication and/or disassociation attack in a wireless local area network (WLAN). In example implementations, the network device selects a random Media Access Control (MAC) address that is unused in the WLAN. The network device then transmits a request using the selected MAC address over a shared wireless communication channel. Next, the network device transmits a response using a MAC address corresponding to the network device over the shared wireless communication channel. Subsequently, the network device receives a disconnection request using the selected MAC address over the shared wireless communication channel. In response to receiving the disconnection request, the network device can detect an attacker device in the WLAN.

Abstract: The present disclosure discloses a method and system for partitioning WLAN in order to separate network traffic from different WLANs. Specifically, a network device receives a packet from a client connected to a first network device on an access network. The network device then determines that the received packet is associated with a VLAN that is pre-configured on the first network device based on the access network to which the client is connected. Furthermore, the network device transmits the packet to a MAC layer switching device, which is not configured with the VLAN that is pre-configured on the network device. The packet includes one of a DHCP discovery message, an ARP request message, a unicast message, a multicast message, and a broadcast message. The unicast message will be transmitted to the second network device on the pre-configured VLAN prior to being transmitted to another network device outside the pre-configured VLAN.

Abstract: According to one embodiment of the disclosure, a non-transitory computer readable medium (CRM) comprising instructions, which when executed by one or more hardware processors, causes performance of operations comprising: listening, by a first digital device in a group of digital devices, for any advertisement for a particular service; responsive to the first digital device not receiving any advertisement for the particular service for a predetermined period of time: transmitting, by the first digital device, a first advertisement for the particular service; and providing, by the first digital device, the particular service.

Abstract: The present disclosure discloses a method and a network device for efficient mobile client device roaming in a wireless local area network with multiple access points. Specifically, a network device determines a first received signal strength value for a first set of signals transmitted between a client device and a first access point during a first time period; and, determines a second received signal strength value for a second set of signals transmitted between a client device and the access point during a second time period. Based on the first and the second signal strength values, the network device computes a change in signal strength value corresponding to wireless communication between the client device and the first access point. Based on the change in signal strength value, the network device selects the access point from a plurality of access points for providing network access to the client device.