Abstract: A communication network is operated by identifying at least one potential hijack autonomous system (AS) that can be used to generate a corrupt routing path from a source AS to a destination AS. For each of the at least one potential hijack AS the following operations are performed: identifying at least one regional AS that is configured to adopt the corrupt routing path from the source AS to the destination AS and determining a reflector AS set such that, for each reflector AS in the set, a source AS to reflector AS routing path and a reflector AS to destination AS routing path do not comprise any of the at least one regional AS. A reflector AS is then identified that is common among the at least one reflector AS set responsive to performing the identifying and determining operations for each, of the at least one potential hijack AS.

Abstract: A method for generating e-mail messages with increased security includes receiving an e-mail message at a control system. The e-mail message has recipients, a security level, control attributes, and e-mail message contents. Moreover, the method includes verifying the recipients at the control system, and storing the recipients, security level, control attributes, and e-mail message contents in the control system when each of the recipients is verified. Furthermore, the method includes generating modified e-mail messages from the e-mail message, transmitting each of the modified e-mail messages to a respective recipient, and capturing authentication data from one of the recipients when the one recipient indicates a desire to view the e-mail message contents with a communications device operated by the one recipient. When the one recipient is successfully authenticated, the method includes permitting the one recipient to view the e-mail message contents in accordance with the control attributes.

Abstract: A method provides subscriber-specific activation of network-based mobility management using an authentication server. According to the method, network-based mobility management is enforced, even if the mobile terminal supports terminal-based mobility management. This gives a network provider complete control over mobility management in his network, preventing configuration problems during the configuration of mobile terminals. In the method, after the successful authentication of a subscriber, the authentication server transmits an authentication confirmation message to an authentication client in an access network. The received authentication confirmation message contains an activation attribute for activating network-based mobility management, if the authentication server does not provide a common mobile key for terminal-based mobility management.

Abstract: A method and apparatus for network access control includes an apparatus for granting a computing device access to a network, the apparatus having a plurality of substantially similar access devices, wherein each access device comprises a status-determination module to determine an access status based at least in part on whether the computing device is compliant with an access policy, an access-grant module configured for receiving an access status corresponding to the computing device from one or more of the access devices, and granting the computing device access to the network according to at least one of the access status determined by the status-determination module or the received access status.

Abstract: Devices, systems and methods that route a communication link to a proper destination are disclosed. The method may include connecting the communication link to a first destination; requesting a response from the first destination; validating the response from the first destination; and disconnecting the communication link to the first destination if the response from the first destination is not valid. The method may also include connecting the communication link to a second destination; requesting a response from the second destination; and disconnecting the communication link to the second destination if the response from the second destination is not valid. The devices, systems and methods may provide hunt group, call center and conference call features as discussed later herein.

Abstract: Systems, methods and apparatus are provided through which in some aspects a method to provide secure communications between a plurality of computers over a public network includes establishing a connection over the public network between the plurality of computers by mimicking hypertext transport protocol (HTTP) enterprise tunnel (HET) server protocol and changing the connection to a multiplexing protocol.

Abstract: Apparatus, methods and software that implement cross-connected, server-based, IP-connected, point-to-point connectivity between remotely located firewall-protected devices. The apparatus, methods, and software allow user computers to communicate with remotely located firewall-protected devices that without the necessity to configure the firewalls. The apparatus methods, and software are implemented using a relay server that runs software that implements communication between an arbitrary number of firewall-protected devices and an arbitrary number of firewall-protected user computers that are remotely-located from the devices.

Abstract: A system and method whereby an unregistered, anonymous user at an organization's website makes a submission/inquiry and is able to access a secure response containing private information without pre-registering or establishing an account with the organization. A response to the user is made via an unsecured e-mail notification that provides the user with an HTTPS link to an authentication page. The user then enters his/her user identification, for example, the user email address and password which was associated with the original submission/inquiry. Once the email address and password is authenticated, the secure response message is displayed on the user's web browser in SSL. Each response is provided on a per-submission basis.

Abstract: A data security manager in a multi-nodal environment enforces processing constraints stored as security relationships that control how different pieces of a multi-nodal application (called execution units) are allowed to execute to insure data security. The security manager preferably checks the security relationships for security violations when new execution units start execution, when data moves to or from an execution unit, and when an execution unit requests external services. Where the security manager determines there is a security violation based on the security relationships, the security manager may move, delay or kill an execution unit to maintain data security.

Abstract: At an extended function server side, user information is received, and a user authentication process is executed. When the authenticity is established, an extended function table is read out, and an extended function list is generated in correspondence with users, based on the extended function table. Then, determination is made as to whether there is an extended function list set in correspondence with a user. When there is an extended function list set in correspondence with a user, the extended function list is transmitted. At the MFP side, the extended function list transmitted from the extended function server is received. Then, the received extended function list is registered.

Abstract: Approaches for combining different information to be transmitted into different slices of a data packet and/or encrypting the slices using different cryptographic schemes for secure transmission of the information are disclosed. In some implementations, first information and second information may be received. A first data slice representing a portion of the first information may be generated based on a first cryptographic scheme. A second data slice representing a portion of the second information may be generated based on a second cryptographic scheme different than the first cryptographic scheme. A first header may be generated such that the first header may specify the first cryptographic scheme for the first data slice and the second cryptographic scheme for the second data slice. A first data packet may be generated such that the first data packet may include the first header, the first data slice, and the second data slice.

Abstract: According to some embodiments of the invention, a method for network protection is provided. The method includes receiving with a network security software a request from an entity to stop at least a portion of unauthorized network traffic from being transmitted through a firewall. The entity lacks control over the firewall and the network security software is operable to control the firewall. The method also includes using the network security software to automatically determine that the entity is an authorized entity authorized to make the request. The method also includes initiating a block of the unauthorized network traffic at the firewall in response to the automatic determination.

Abstract: Disclosed herein are systems, methods, and computer-readable storage media for a honeypot addressing cyber threats enabled by convergence of data and communication services in an enterprise network. Suspicious incoming VoIP calls from the Internet to the enterprise network are intercepted and directed to a VoIP honeypot that acts as a network decoy and responds automatically during call sessions for the suspicious incoming VOIP calls while tracing the suspicious incoming VOIP calls. Suspicious outgoing VoIP calls from the enterprise network to the Internet are also intercepted and directed to the VoIP honeypot. Moreover, an unsolicited VoIP call is redirected to the VoIP honeypot when the unsolicited VoIP call has been received by a user agent in the enterprise network and a human user of the user agent confirms that the unsolicited VoIP call was unsolicited.

Abstract: Systems and methods for stateless system management are described. Examples include a method wherein a user sends the management system a request to act upon a managed system. The management system determines whether the user is authorized for the requested action. Upon authorization, the management system looks up an automation principal, which is a security principal native to the managed system. The management system retrieves connecting credentials for the automation principal, and connects to the managed system using the retrieved credentials. Once the managed system is connected, the management system performs the requested action on the managed system, and sends the result back to the user.

Abstract: Techniques presented herein provide approaches for managing rack servers. In one embodiment, a message is received from a management controller of a rack server and via a switch port, where the message requests a lease for a network address under a first protocol. Upon determining that the management controller is a supported device, the switch port is configured to allow network traffic under at least a second protocol.

Abstract: In one embodiment, the methods and apparatuses to assign a routing address to a wireless computer that is in a different logical network from the routing addresses of other wireless computers within the same physical wireless network; and to prevent a wireless computer from learning the routing address of another wireless computer within the same physical wireless network.

Abstract: Methods, systems, and computer readable media for accelerating stateless IPsec traffic generation by performing ESP rehashing of ESP packets are disclosed. A first ESP packet is generated by encrypting a portion of the packet and adding ESP headers and trailers to the encrypted portion, hashing the encrypted portion and the ESP header to compute a first ESP integrity check value (ICV), and adding the ESP ICV as a trailer to the ESP packet. At least one second ESP packet is generated by modifying parameters in the first ESP packet. The first and second ESP packets are transmitted to a device under test.

Abstract: The system and method described herein may provide unified transport and security protocols. In particular, the unified transport and security protocols may include a Secure Frame Layer transport and security protocol that includes stages for initially configuring a requester device and a responder device, identifying the requester device and the responder device to one another, and authenticating message frames communicated between the requester device and the responder device. Additionally, the unified transport and security protocols may further include a Secure Persistent User Datagram Protocol that includes modes for processing message frames received at the requester device and the responder device, recovering the requester device in response to packet loss, retransmitting lost packets sent between the requester device and the responder device, and updating location information for the requester device to restore a communications session between the requester device and the responder device.

Abstract: Various embodiments of systems and methods for providing a secure communication are described herein. A client application generates a Distributed Ruby (DRb) request based on a request received from a user. The obtained DRb request is wrapped to obtain an HTTPS request, which includes the DRb request and one or more authentication information. The generated HTTPS request is forwarded to an HTTPS server, which verifies the HTTPS request based on the authentication information. The HTTPS request is then unwrapped to obtain the DRb request, which is executed by a DRb server to obtain a result of execution of the DRb request.

Abstract: An electronic device, system and method for automatically managing wireless connections with a plurality of other devices are provided. The electronic device may be a security token access device and may be adapted to wirelessly pair and optionally securely pair with other devices. Connection information, which may comprise security information, is maintained at the electronic device for each connected device. When a connected device becomes stale, the electronic device implements one or more steps to manage the stale device's connection.

Abstract: Information useful for authenticating an entity is sent over a back channel during the authentication of an entity to a RESTful service. The delivery of the entity-related information is triggered by the validation of a service ticket received by the authentication component of the RESTful service.

Abstract: A device within the network receives a domain name service (DNS) request for an address of a first resource outside the network, the first resource associated with a security policy of the network. An address of a second resource within the network is returned to the device within the network in response the DNS request, the second resource address having previously been associated with the first resource address. A first encrypted connection is established between the device and the second resource, and a second encrypted connection is established between the second resource and the first resource, to facilitate encrypted communication traffic between the device and the first resource. The encrypted communication traffic passing between the device and the first resource is selectively decrypted and inspected depending on the address of the first resource.

Abstract: Systems, methods, and other embodiments associated with flexible supplicant access control are described. One example method includes collecting a network information associated with a network to which an endpoint is to be communicatively coupled. The network information comprises a network identification and information to facilitate the evaluation of network threats. The example method may also include classifying the network based, at least in part, on the network information, to assign a variable level access parameter (VLAP) to the network based on the policy locally configured on the endpoint or centrally managed by the administrator. The VLAP may establish three or more access levels for the network at the endpoint. The example method may also include communicating the network identification and the network VLAP to a second endpoint, a security agent, a security application, and so on.

Abstract: A method is described in example embodiments below that include receiving a content tag associated with transferring a file over a network connection. A session descriptor may also be received. The session descriptor and the content tag may be correlated with a network policy, which may be applied to the network connection. In some embodiments, the content tag may be received with the session descriptor. The file may be tainted by another file in some embodiments, and the content tag may be associated with other file.

Abstract: A device that implements a method for performing integrated caching in a data communication network. The device is configured to receive a packet from a client over the data communication network, wherein the packet includes a request for an object. At the operating system/kernel level of the device, one or more of decryption processing of the packet, authentication and/or authorization of the client, and decompression of the request occurs prior to and integrated with caching operations. The caching operations include determining if the object resides within a cache, serving the request from the cache in response to a determination that the object is stored within the cache, and sending the request to a server in response to a determination that the object is not stored within the cache.

Abstract: A method for balancing load among firewall security devices in a network is disclosed. Firewall security devices are arranged in multiple clusters. A switching device is configured with the firewall security devices by communicating control messages and heartbeat signals. Information regarding the configured firewall security devices is then included in a load balancing table. A load balancing function is configured for enabling the distribution of data traffic received by the switching device. A received data packet by the switching device is forwarded to one of the firewall security devices in a cluster based on the load balancing function, the load balancing table and the address contained in the data packet.

Abstract: The invention provides methods, devices (102, 110, 124, 136) and communication systems (100) for establishing end-to-end secure connections and for securely communicating data packets. Such a communication system (100) comprises a first device (124, 136), an intermediate device (110) and a second device (102). The first device (124, 136) communications via a first network (120), which is based on a first transport protocol and a first transport security protocol with the intermediate device (110). The second device (102) communications via a second network, which is based on a second transport protocol and a second transport security protocol with the intermediate device (110). The intermediate device (110) modifies packets received via first network to packets suitable for communication via the second network, and vice versa. The first device (124, 136) is able to reconstruct a header of a received packet as if the packet was sent via the second network (108) and its transport and security protocols.

Abstract: To isolate a terminal from a network immediately after a quarantine agent is uninstalled therefrom, a policy readout unit reads out a policy from a policy database and a policy check unit determines whether or not a terminal satisfies the policy that was read out. If it is determined that the terminal satisfies the read out policy, a quarantine server control unit instructs a bridge to destroy a packet with no VLAN tag among the packets sent from the terminal while controlling a quarantine agent to send a packet with a VLAN tag when sending the packet from the terminal.

Abstract: A data control system allows non-point of sale devices (135, 155) on the LAN to receive data from an external network (160) when established conditions are met. The data control system may allow the data to be sent to a non-point of sale device (135, 155) only if the data has not been received via a secure connection reserved for point of sale devices (125, 145). The secure connection is, for example, a virtual private network connection. The data control system may also allow the data to be sent to a non-point of sale device (135, 155) only if the data is associated with a communication session initiated by the non-point of sale device (135, 155). The data control system may also allow the data to be sent to the non-point of sale device (135, 155) only if it is not received from a restricted source. The restricted source may be, for example, a payment host (170), a secure host (180) or any unidentified source.

Abstract: A persistent connection is used for real-time or near real-time data transfer from a push platform on a network to a mobile station. To establish and maintain the persistent connection between the mobile station and push platform on the network, various protocols are defined over a packet connection between the mobile station and push platform. The real-time or near real-time data is pushed or sent by the push platform to the mobile station, as the data becomes available from a data source. In particular, heartbeat messages are used to determine whether or not the persistent connection is alive and available for real-time or near real-time data transfer. When the persistent connection is lost, the mobile station uses a retry connection scheme based on the number of connection attempts made by the mobile station for establishing a new persistent connection to the push platform.

Abstract: End-to-end authentication capability based on public-key certificates is combined with the Session Initiation Protocol (SIP) to allow a SIP node that receives a SIP request message to authenticate the sender of request. The SIP request message is sent with a digital signature generated with a private key of the sender and may include a certificate of the sender. The SIP request message my also be encrypted with a public key of the recipient. After receiving the SIP request, the receiving SIP node obtains a certificate of the sender and authenticates the sender based on the digital signature. The digital signature may be included in an Authorization header of the SIP request, or in a multipart message body constructed according to the S/MIME standard.

Abstract: As provided herein, when using an untrusted network connection, a secure online environment can be created for a remote machine by connecting to a trusted computer with a trusted network connection. A proxy server is installed on a first computing device and shared encryption keys are generated for the first device and a portable storage device. A connection is initiated between a second computing device (e.g., remote device), connected to an untrusted network, and the first computing device, comprising initiating a proxy server protocol from the portable storage device (e.g., attached to the second device), using the second computing device. A secure connection between the first and second devices is created using the encryption keys.

Abstract: A data generating is device capable of preventing unauthorized extraction of plaintext content between decryption processing and digital watermark embedment processing. A content reproducing device obtains restoration information and, in accordance with the restoration information, selectively performs predetermined restoration processing and processing of embedding device unique information, on content data at a position shown by the restoration information.

Abstract: Methods for tracking attacking nodes are described and include extracting, from a database, an instance of each unique packet header associated with IP-to-IP packets transmitted over a time period. The method includes determining from extracted headers, which nodes have attempted to establish a connection with an excessive number of other nodes over a period, identifying these as potential attacking nodes, determining from the headers, which other nodes responded with a TCP SYN/ACK packet indicating a willingness to establish connections, and a potential for compromise. Nodes scanned by potential attacking nodes are disqualified from the identified nodes based on at least one of: data in the headers relating to at least one of an amount of data transferred, and scanning activities conducted by the nodes that responded to a potential attacking node with a TCP SYN/ACK packet. Any remaining potential attacking nodes and scanned nodes are presented to a user.

Abstract: With migration of network technology and more and more requirements of user equipment for accessing to Internet, the network security faces more and more severe situation. There is provided a method for distributed security control in communication network system and the device thereof in order to improve security and operatability of network operator. In the method, firstly the network controller establishes a network security control mechanism, which is used for a second network device to check the validity of the data package from the user equipment; secondly, the network controller sends the network security control mechanism to the second network devices; lastly, the second network device checks the validity of the data package from the user equipment according to the network security control mechanism, and discards the data package if the data package is invalid.

Abstract: A network device may be configured to filter network traffic using multiple different filters bound to different interfaces of the network device. The network device may include logic to identify a relationship map that describes a topology of bind-points associated with the network device. Additionally, the network device may include logic to generate a merge graph based on the relationship map, the merge graph including one or more nodes, where each node represents a walk through the relationship map and includes one or more merge-points, where each merge-point is defined as a filter associated with a bind-point. The network device may also include a ternary content-addressable memory (TCAM) programmed to include entries based on the nodes of the merge graph.

Abstract: Systems and methods are disclosed for preventing tampering of a programmable integrated circuit device. Generally, programmable devices, such as FPGAs, have two stages of operation; a configuration stage and a user mode stage. To prevent tampering and/or reverse engineering of a programmable device, various anti-tampering techniques may be employed during either stage of operation to disable the device and/or erase sensitive information stored on the device once tampering is suspected. One type of tampering involves bombarding the device with a number of false configuration attempts in order to decipher encrypted data. By utilizing a dirty bit and a sticky error counter, the device can keep track of the number of failed configuration attempts that have occurred and initiate anti-tampering operations when tampering is suspected while the device is still in the configuration stage of operation.

Abstract: A method at a computing client located behind a NAT and restrictive-access firewall, including establishing a control connection with a TCP TURN server utilizing a port capable of traversing the restrictive-access firewall; requesting an allocation of an client service identity from the TCP TURN server; and receiving, from the TCP TURN server, a response containing the client service identity, the client service identity being independent of any port used to communicate with the TCP TURN server. Further a method at a TCP TURN server, including listening on a first port for communications from a computing client, the computing client being behind a restrictive access firewall and the first port capable of traversing the restrictive-access firewall; establishing a control connection with the client on the first port; receiving a request for an allocation of an client service identity from the computing client; and sending a response containing the client service identity.

Abstract: A switch sends an authentication request message to a client at intervals of a preset duration. A response message sent by the client is received. The response message carries authentication information of a user carried on the client. An authentication message is sent to a server according to the response message. An authentication reply message sent by the server is received. The authentication reply message carries information about an authentication domain authorized by the server to the user. It is determined, according to the authentication reply message, whether the authentication domain of the user is changed. If the authentication domain of the user is changed, an authentication domain change message is sent to the client according to the authentication reply message, so that the client obtains an IP address again.

Abstract: A method is provided in one example embodiment that includes receiving metadata from a host over a metadata channel. The metadata may be correlated with a network flow and a network policy may be applied to the connection. In other embodiments, a network flow may be received from a host without metadata associated with the flow, and a discovery redirect may be sent to the host. Metadata may then be received and correlated with the flow to identify a network policy action to apply to the flow.

Abstract: A voice-over-Internet-Protocol (VoIP) client codes audio data as printable ASCII characters, then embeds the ASCII audio data inside a cookie that is sent over the Internet within an HTTP GET message. The GET message is sent to a server acting as a call proxy or external manager that forwards the audio data to a remote client. Return audio data is sent back to the client in the normal data field of an HTTP response message from the server. When the client receives the HTTP response, it sends another GET message without audio data, allowing the server to send another response. This empty GET allows VoIP to pass through strict firewalls that pair each HTTP response with a GET. For secure-sockets layer (SSL), client and server exchange pseudo-keys in hello and finished messages that establish the SSL session. Audio data is streamed in SSL messages instead of encrypted data.

Abstract: Systems and/or methods of secure communication of information between multi-domain virtual private networks (VPNs) are presented. A dynamic group VPN (DGVPN) can reside in one domain and a disparate DGVPN can reside in a disparate domain. An administrative security authority (ASA) can be employed in each domain. Each ASA can generate and exchange respective keying material and crypto-policy information to be used for inter-domain communications when routing data from a member in one DGVPN to a member(s) in the disparate DGVPN, such that an ASA in one domain can facilitate encryption of data in accordance with the policy of the other domain before the data is sent to the other domain. Each ASA can establish a key server to generate the keying material and crypto-policy information associated with its local DGVPN, and such material and information can be propagated to intra-domain members.

Abstract: Systems, methods, and apparatus are provided for policy protected cryptographic Application Programming Interfaces (APIs) that are deployed in secure memory. One embodiment is a method of software execution. The method includes executing an application in a first secure memory partition; formatting a request to comply with a pre-defined secure communication protocol; transmitting the request from the application to a cryptographic application programming interface (API) of the application, the API being in a second secure memory partition that is separate and secure from the first secure memory partition; and verifying, in the second secure memory partition, that the request complies with a security policy before executing the request.

Abstract: A method and system for controlling a firewall for a user computer system. One or more processors of the user computer system receive a control request to control a program of the user computer system by the firewall. The control request includes a condition pertaining to at least one process of a remote computer system. The at least one process is configured to be executed on the remote computer system. The firewall protects the user computer system from external threats. The processors store a remote system condition associated with the program of the user computer system. The remote system condition includes the condition pertaining to the at least one process. The processors ascertain whether the remote system condition is satisfied. The processors direct the firewall to block or allow the transmission of data if it is ascertained that the remote system condition is not satisfied or satisfied, respectively.

Abstract: A cookie attribute for use during secure HTTP transport sessions. This attribute points to a server-supplied certificate and, in particular, a digital certificate. The cookie attribute includes a value, and that value is designed to correspond to one or more content fields in the digital certificate. During a first https session, a first web application executing on a first server provides a web browser with the cookie having the server certificate identifier attribute set to a value corresponding to a content field in a server certificate. Later, when the browser is accessing a second server during a second https session, the browser verifies that the value in the cookie matches a corresponding value in the server certificate received from the second server before sending the cookie to the second server. This approach ensures that the cookie is presented only over specified https connections and to trusted organizations.

Abstract: A cookie attribute for use during secure HTTP transport sessions. This attribute points to a server-supplied certificate and, in particular, a digital certificate. The cookie attribute includes a value, and that value is designed to correspond to one or more content fields in the digital certificate. During a first https session, a first web application executing on a first server provides a web browser with the cookie having the server certificate identifier attribute set to a value corresponding to a content field in a server certificate. Later, when the browser is accessing a second server during a second https session, the browser verifies that the value in the cookie matches a corresponding value in the server certificate received from the second server before sending the cookie to the second server. This approach ensures that the cookie is presented only over specified https connections and to trusted organizations.

Abstract: Trusted e-mail communication may be provided. A message source organization may be validated. When a message is received from the validated message source organization for a recipient organization, a determination may be made as to whether the recipient organization supports an attribution data extension. If so, the message may be transmitted to the recipient organization with an attribution element associated with the message source organization.

Abstract: In an embodiment, a method is provided for communicating a protocol request at a network zone. In this method, the protocol request is received from a computing device and this protocol request is encapsulated in a different protocol. The protocol request is then transmitted to a different network zone by way of the different protocol. A message is then accessed from the different network zone by way of the different protocol, and this message includes a protocol response to the protocol request. The protocol response is extracted from the message and transmitted to the computing device.

Abstract: A security gateway receives messages, such as URL requests, rejected by a message filter based on a set of rules. The security gateway maintains frequencies with which the messages were rejected by the rules. The security gateway finds rejected messages having a high frequency of occurrence. Since messages having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow similar messages to pass through the gateway.

Abstract: A computer-implemented method for enhancing domain-name-server responses may include: 1) receiving a domain-name-system request, 2) identifying a domain of the domain-name-system request, 3) retrieving classification information relating to the domain from a third-party system, and 4) including the classification information in a response to the domain-name-system request. Various other methods, systems, and computer-readable media are also disclosed.