Virtual Private Network or Virtual Terminal Protocol (i.e., VPN or VTP) Patents (Class 726/15)
  • Patent number: 9882784
    Abstract: A replication of a physical network is created in the cloud. The replicated network safely validates configuration changes for any hardware network device of the physical network and the physical network end state resulting from the changes without impacting the physical network steady state. The replicated network creates virtual machines on hardware resources provisioned from the cloud. The virtual machines emulate network device functionality and have the same addressing as the network devices. Nested overlay networks reproduce the direct connectivity that exists between different pairs of the network devices on the virtual machines. A first overlay network formed by a first Virtual Extensible Local Area Network (VXLAN) provides direct logical connections between the cloud machines on which the virtual machines execute.
    Type: Grant
    Filed: October 9, 2017
    Date of Patent: January 30, 2018
    Assignee: Tesuto LLC
    Inventor: Hossein Lotfi
  • Patent number: 9877246
    Abstract: A radio base station (10) of the present invention comprises: a determination unit (101) that determines whether to perform an off-the-air of a cell (11) managed by the local radio base station (10); a communication unit (102) that communicates with the other radio base stations (10) managing peripheral cells and with a communication provider apparatus (20) managing the bearer information of a user terminal (2); and a communication control unit (103). When it is determined that the off-the-air of the cell of the local radio base station (10) is to be performed, the communication control unit (103) transmits, to the other radio base stations (10) managing the peripheral cells, the authentication code of the user terminal (2) existing in the cell of the local radio base station (10).
    Type: Grant
    Filed: June 15, 2015
    Date of Patent: January 23, 2018
    Assignee: NEC CORPORATION
    Inventor: Tsuneyuki Kikuchi
  • Patent number: 9871823
    Abstract: Examples may include techniques to securely provision, configure, and de-provision virtual network functions for a software defined network or cloud infrastructure elements. A policy for a virtual network function may be received, at a secure execution partition of circuitry, and the virtual network function configured to implement the policy by the secure execution partition of the circuitry. The secure execution partition may connect to the virtual network function through a virtual switch and may cause the virtual network function to implement a network function based on the policy.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: January 16, 2018
    Assignee: Intel Corporation
    Inventors: Kapil Sood, Manuel Nedbal, Thomas M. Slaight, Brian J. Skerry, Ren Wang
  • Patent number: 9871771
    Abstract: Two endpoint devices communicate with one another in a secure session by negotiating encrypted communications at initial establishment of the session. Each endpoint device communicates its available security profiles to the other endpoint. A specific security profile is then selected that defines the data encryption and authentication used during the secure session between the two endpoint devices.
    Type: Grant
    Filed: November 25, 2014
    Date of Patent: January 16, 2018
    Assignee: NCR Corporation
    Inventors: Stavros Antonakakis, Bradley William Corrion
  • Patent number: 9864873
    Abstract: A method, computer usable program product or system for automatically sharing a set of sensitive data in accordance with a set of predetermined policy requirements including receiving across a network a set of certified policy commitments for a node; authenticating the set of certified policy commitments; utilizing a processor to automatically determine whether the set of certified policy commitments satisfies the set of predetermined policy requirements; and upon a positive determination, transmitting across the network the set of sensitive data to the node.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: January 9, 2018
    Assignee: TrustArc Inc
    Inventor: Daniel J. Guinan
  • Patent number: 9860758
    Abstract: Methods and systems for determining placement of a virtual serving gateway. The method includes obtaining a set of input information. The input information includes network information and configuration information providing one or more parameters for placing the virtual serving gateway, and includes at least one mobility insensitivity criterion. Placement of the virtual serving gateway at one or more physical hosts is determined in accordance with the network information and the configuration information. The virtual serving gateway is distributively placeable across physical hosts. A set of output information is generated. The output information includes information identifying placement of the virtual serving gateway at the physical hosts, and a hosting percentage for each physical host.
    Type: Grant
    Filed: August 22, 2016
    Date of Patent: January 2, 2018
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Xu Li, Ngoc-Dung Dao, Hang Zhang
  • Patent number: 9838284
    Abstract: According to one aspect disclosed herein, a performance monitoring SDN controller can translate an intent specified by a performance monitoring application into a flow rule and an action set to be utilized by a performance monitoring SDN element to process a packet flow received from the target SDN network. The performance monitoring SDN controller can provide the flow rule and the action set to a performance monitoring SDN element, which can receive the packet flow from the target SDN network and can analyze the packet flow in accordance with the flow rule to match the packet flow to an action included within the action set. The performance monitoring SDN element can execute the action to monitor a performance metric of the packet flow and to provide a value for the performance metric to the performance monitoring application agent, which can generate a message that includes the value.
    Type: Grant
    Filed: October 14, 2015
    Date of Patent: December 5, 2017
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Venson Shaw, Jin He
  • Patent number: 9838947
    Abstract: In general, techniques are described for atomically installing and withdrawing host routes along paths connecting network routers to attenuate packet loss for mobile nodes migrating among wireless LAN access networks and a mobile network. In some examples, whenever the mobile node moves from one attachment point to the next, it triggers the distribution of its host route from the new attachment point toward the service provider network hub provider edge (PE) router that anchors the mobile node on a service provider network. Routers participating in the Mobile VPN install the host route “atomically” from the attachment point to the mobile gateway so as to ensure convergence of the network forwarding plane with the host route toward the new attachment point prior to transitioning mobile node connectivity from a previous attachment point.
    Type: Grant
    Filed: February 8, 2016
    Date of Patent: December 5, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Hendrikus G. P. Bosch, Martin Djernaes
  • Patent number: 9825914
    Abstract: The present disclosure presents a system, method and apparatus herein enabling secure coupling of a computing device, such as a mobile device with an endpoint, such as an application server. The computing device can include any electronic device such as a computer, a server, an application server, a mobile device or tablet. The endpoint can be any electronic device as well that is located within an enterprise network. In at least one embodiment, the secure coupling of the mobile device with a computing device can include a security gateway server. In one example, the security gateway server can be a tunnel service server. In another embodiment, an application server can include a tunnel service module to provide the secure coupling with the mobile device.
    Type: Grant
    Filed: April 29, 2015
    Date of Patent: November 21, 2017
    Assignee: BlackBerry Limited
    Inventors: Jonathan Hong-Man Sau, Graham Russell, Bruno Richard Preiss, Ronesh Puri
  • Patent number: 9813913
    Abstract: There is provided a method and apparatus for detecting an unauthorized access point. The method for detecting an unauthorized access point according to an embodiment of the present disclosure includes making an attempt to deliver, through an access point to a validation server, a message that includes network information regarding a network access of a terminal device and requests a validity verification of the network information; and determining that the access point is unauthorized when a response indicating that the network information is valid is not received from the validation server. According to the embodiment of the present disclosure, it is possible to implement a device for determining an unauthorized access point device in a general manner, independent of a specific device.
    Type: Grant
    Filed: October 21, 2014
    Date of Patent: November 7, 2017
    Assignee: SAMSUNG SDS CO., LTD.
    Inventors: Seong-Myun Cho, Kyu-Hwan Yun
  • Patent number: 9800552
    Abstract: Methods are disclosed for incorporating a security gateway within a wireless mesh network. In one embodiment, the wireless mesh network is a heterogeneous mesh network. In one embodiment, a gateway node, which is part of the wireless mesh network, requests a connection to the core network through a security gateway. The security gateway responds by creating an IPSec tunnel and a GRE tunnel within the IPSec tunnel from itself to the gateway node. Once the gateway node is communicatively coupled to the security gateway via secure tunneling, the gateway node sends a mesh routing protocol to the security gateway.
    Type: Grant
    Filed: September 27, 2016
    Date of Patent: October 24, 2017
    Assignee: Parallel Wireless, Inc.
    Inventors: Sumit Garg, Kaitki Agarwal, Rajesh Kumar Mishra, David J. Ruffen
  • Patent number: 9794174
    Abstract: Techniques are described that allow fast path delivery of content from content data networks directly to metro transport networks so as to bypass Internet service provider (ISP) networks. The metro transport network is positioned between subscriber devices and an Internet service provider network that authenticates the subscriber devices and allocates respective layer three (L3) addresses from an Internet Protocol (IP) network address prefix assigned to the Internet service provider network. Routers within the metro transport network, including an access router, ISP-facing provider edge routers and one or more peering routers, establish an EVPN within the metro transport network. The access router outputs, within the EVPN and to the peering router, an EVPN route advertisement that advertises network address reachability information of the subscriber devices (e.g., the IP network address prefix or MAC/IP address of the subscriber devices) on behalf of the Internet service provider network.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: October 17, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Sachin S. Natu, Kireeti Kompella
  • Patent number: 9769662
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for performing multi-factor authentication. In one aspect, a method includes determining that a user has successfully completed an authentication factor, determining whether a mobile device associated with the user is proximate to a computer; and authenticating the user based on determining that the user has successfully completed the authentication factor, and that the mobile device is proximate to the computer.
    Type: Grant
    Filed: June 5, 2015
    Date of Patent: September 19, 2017
    Assignee: Google Inc.
    Inventor: Jean Baptiste Maurice Queru
  • Patent number: 9762583
    Abstract: Methods and apparatus are disclosed to provide protection against Unsolicited Communication (UC) in a network, such as, without limitation, an Internet Protocol (IP) Multimedia Subsystem (IMS). A communication may originate from a sending device and may be intended for delivery to a receiving device. A network may determine authentication information associated with the sending device. The network may send the authentication information to a receiving entity to evaluate if the communication is unsolicited using the authentication information. If the communication is determined to be acceptable, a connection associated with the communication may be allowed.
    Type: Grant
    Filed: October 22, 2010
    Date of Patent: September 12, 2017
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: Louis J. Guccione, Inhyok Cha, Andreas Schmidt, Andreas Leicher, David G. Greiner, Dolores F. Howry
  • Patent number: 9762540
    Abstract: Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a network connection is received at a networking subsystem of a firewall. The connection is characterized by a source IP address, a destination IP address and a network service protocol. The network service protocol of the network connection is determined. A matching firewall policy is identified for the connection. When the connection is allowed, it is redirected to a proxy module that is configured to support the network service protocol. A content processing configuration scheme identified by the matching firewall policy is retrieved that includes multiple content processing configuration settings, specifying whether a particular type of content filtering is to be performed, for each of multiple network service protocols.
    Type: Grant
    Filed: July 4, 2015
    Date of Patent: September 12, 2017
    Assignee: Fortinet, Inc.
    Inventor: William J. Crawford
  • Patent number: 9756135
    Abstract: A method for accessing network services from external networks includes receiving at a cloud-based server a bridge setup request from a private communication system, establishing a bridge connection between the cloud-based server and the private communication system, establishing a communication path between the cloud-based server and a cloud-based application, receiving a request from a cloud-based entity that is directed to an enterprise service hosted within the private communication system, transmitting the request to the enterprise service over the bridge connection, receiving a response from the enterprise service over the bridge connection, and transmitting the response to the cloud-based entity. Related computer program products and systems are also disclosed.
    Type: Grant
    Filed: September 11, 2014
    Date of Patent: September 5, 2017
    Assignee: CA, INC.
    Inventors: Venkatababji Sama, Igor V. Balabine, Suril Desai, Akkamapet Palaniappan Sundarraj
  • Patent number: 9756527
    Abstract: A communication device may be provided. The communication device may include: a packet generator configured to generate a packet including data for a second communication device and a header including an identifier identifying a communication service for the data and a transmitter configured to transmit the packet via a flow restriction device to the second communication device.
    Type: Grant
    Filed: October 2, 2012
    Date of Patent: September 5, 2017
    Assignees: INTEL CORPORATION, INTEL DEUTSCHLAND GMBH
    Inventors: Achim Luft, Muthaiah Venkatachalam
  • Patent number: 9756018
    Abstract: Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service to create and configure computer networks that are provided by the configurable network service for use by the users. Secure private access between a computer network provided for a user by the configurable network service and one or more other remote computing systems of the user (e.g., a remote private network) may be enabled in various ways. For example, a user may programmatically invoke an API provided by the configurable network service to obtain assistance in establishing remote access from a remote location to a provided computer network of the configurable network service, such as to establish a VPN connection from the remote location to the provided computer network using hardware and/or software supplied to the remote location in response to the API invocation.
    Type: Grant
    Filed: June 10, 2016
    Date of Patent: September 5, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Andrew J. Doane, Eric Jason Brandwine
  • Patent number: 9749293
    Abstract: Systems and methods that efficiently combine multiple wireless networks or devices resulting in faster, more reliable, and more secure mobile Internet. A Virtual Private Network (VPN) service application is operated to route outgoing and incoming data packets of a mobile device. The mobile device is (i) either coupled to a remote server through the VPN service application for data packets transfer between the remote server and the mobile device or (ii) performs cross-layer translation for data packets transfer between the mobile device and direct target hosts on the Internet. Concurrently using multiple channels secures data packets transfer by sending encrypted data packets over multiple channels and receiving the encrypted data packets by a single apparatus. Data packets are designated to be transferred via a Wi-Fi channel or a cellular channel, and then transferred using both the Wi-Fi channel and the cellular channel.
    Type: Grant
    Filed: April 20, 2016
    Date of Patent: August 29, 2017
    Assignee: SHOELACE WIRELESS, INC.
    Inventors: Minh Thoai Anh Le, James A. Mains
  • Patent number: 9742724
    Abstract: Overhead of sending data from one application to another by doing input and output processing can be costly. The present invention provides a method of transmitting data with a low overhead between applications in a multi-tenant runtime environment. The multi-tenant runtime detects a connection between tenants, and then performs low-overhead data transmission mechanisms by cloning data from one tenant space to another tenant space, while keeping the data isolated for two tenants.
    Type: Grant
    Filed: September 9, 2014
    Date of Patent: August 22, 2017
    Assignee: International Business Machines Corporation
    Inventor: Christopher N. Bailey
  • Patent number: 9742726
    Abstract: Systems and methods for managing networking activities of a multi-tenant cloud computing environment. An example method may include distributing, by a controller node executed by a processing device, a dynamic host configuration protocol (DHCP) agent to each of a plurality of compute nodes of a computing environment; identifying, by the controller node, a first virtual machine hosted on a first compute node of the plurality of compute nodes; determining a first DHCP agent associated with the first virtual machine and the first compute node; and transmitting, by the controller node, networking information relating to the first virtual machine to the first DHCP agent hosted by the first compute node.
    Type: Grant
    Filed: February 26, 2015
    Date of Patent: August 22, 2017
    Assignee: Red Hat Israel, Ltd.
    Inventors: Michael Kolesnik, Assaf Muller
  • Patent number: 9742733
    Abstract: A communication device includes a communication section and an encrypting section. When the communication section receives from a communication control device alternative address information indicating an address of an alternative device registered as a transfer destination after a communication request for communication with a specified device is transmitted to the communication control device, the communication section determines the alternative device as the communication partner and transmits to-be-transmitted data that is encrypted by the encrypting section to the alternative device. The transfer destination indicates a transfer destination of the data to be transmitted to the specified device.
    Type: Grant
    Filed: July 20, 2015
    Date of Patent: August 22, 2017
    Assignee: KYOCERA Document Solutions Inc.
    Inventor: Masahiro Nishiyama
  • Patent number: 9742790
    Abstract: Technologies for secure personalization of a security monitoring virtual network function (VNF) in a network functions virtualization (NFV) architecture include various security monitoring components, including a NFV security services controller, a VNF manager, and a security monitoring VNF. The security monitoring VNF is configured to receive provisioning data from the NFV security services controller and perform a mutually authenticated key exchange procedure using at least a portion of the provisioning data to establish a secure communication path between the security monitoring VNF and a VNF manager. The security monitoring VNF is further configured to receive personalization data from the VNF manager via the secure communication path and perform a personalization operation to configure one or more functions of the security monitoring VNF based on the personalization data. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: August 22, 2017
    Assignee: Intel Corporation
    Inventors: Kapil Sood, Manuel Nedbal
  • Patent number: 9742807
    Abstract: A communication network can be constructed to support software-defined networking (SDN) protocols and network functions virtualization (NFV) protocols. Such a communication network can advantageously be operated at lower costs, increased flexibility and control, and with simplified management to name but a few. In addition to these advantages, various networking security aspects can be enhanced by leveraging the SDN/NFV architecture.
    Type: Grant
    Filed: November 19, 2014
    Date of Patent: August 22, 2017
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Gustavo de los Reyes, Roger Piqueras Jover
  • Patent number: 9736108
    Abstract: Overhead of sending data from one application to another by doing input and output processing can be costly. The present invention provides a method of transmitting data with a low overhead between applications in a multi-tenant runtime environment. The multi-tenant runtime detects a connection between tenants, and then performs low-overhead data transmission mechanisms by cloning data from one tenant space to another tenant space, while keeping the data isolated for two tenants.
    Type: Grant
    Filed: April 3, 2015
    Date of Patent: August 15, 2017
    Assignee: International Business Machines Corporation
    Inventor: Christopher N. Bailey
  • Patent number: 9729508
    Abstract: Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a firewall maintains multiple configuration schemes, each defining a set of administrator-configurable content filtering process settings. The firewall also maintains a security policy database including multiple firewall security policies. At least one of the firewall security policies includes an associated configuration scheme and an action to take with respect to a particular network session based on a set of source Internet Protocol (IP) addresses, a set of destination IP addresses and/or a network service protocol.
    Type: Grant
    Filed: August 5, 2014
    Date of Patent: August 8, 2017
    Assignee: Fortinet, Inc.
    Inventor: William J. Crawford
  • Patent number: 9729581
    Abstract: Embodiments are directed to secure communication over a network. If a source node sends a communication to a target node, a source gateway may forward the communication to the target node. The source gateway may provide a gateway identifier (GID) that may be associated with one or more target gateways associated with the target node. Further, the source gateway may embed marker information that includes at least a portion of the GID in the communication. If the GID is associated with more than one target gateway, a TMD selects one target gateway from the more than one target gateways. Also, the TMD provides a gateway key associated with the selected target gateway that is associated with the communication. And, the TMD may provide the communication to the selected target gateway that provides the communication to the target node.
    Type: Grant
    Filed: July 1, 2016
    Date of Patent: August 8, 2017
    Assignee: Tempered Networks, Inc.
    Inventors: Bryan David Skene, Jeff James Costlow, Ludwin Fuchs
  • Patent number: 9716727
    Abstract: Techniques for generating a honey network configuration to emulate a target network environment are disclosed. In some embodiments, techniques for generating a honey network configuration to emulate a target network include receiving a network scan survey of the target network; generating the honey network configuration to emulate the target network using the network scan survey of the target network; and executing a honey network using the honey network configuration.
    Type: Grant
    Filed: July 21, 2015
    Date of Patent: July 25, 2017
    Assignee: Palo Alto Networks, Inc.
    Inventors: Robert A. Seger, John Harrison
  • Patent number: 9713051
    Abstract: The present disclosure discloses a method and a network device for session aware access point load balancing. Specifically, a network device monitors data corresponding to a plurality of client devices associated with a first access point. Then, the network device determines whether the data matches particular criteria. Responsive to determining that the data matches the particular criteria, the network device selects at least a first client device of the plurality of client devices for disassociation and/or de-authentication. Moreover, the network device causes disassociation and/or de-authentication of the first client device from the first access point.
    Type: Grant
    Filed: October 27, 2014
    Date of Patent: July 18, 2017
    Assignee: Aruba Networks, Inc.
    Inventors: Ramesh Ardeli, Hari Krishna Kurmala
  • Patent number: 9661680
    Abstract: A method, implemented by a network node, for establishing an efficient dummy network connection between a mobile device and a first network includes establishing at least one data connection between the mobile device and the first network. The method further includes receiving a request to establish the efficient dummy network connection. The method also includes establishing the efficient dummy network connection after receiving the request, where the efficient dummy network connection that is established uses a minimum number of network resources, said minimum number of network resources being less than the number of network resources used in the at least one data connection.
    Type: Grant
    Filed: January 13, 2014
    Date of Patent: May 23, 2017
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Dinand Roeland, Peter Hedman, Stefan Rommer, Ivo Sedlacek
  • Patent number: 9645509
    Abstract: The present invention relates to a method for simulating aspects of a lithographic process. According to certain aspects, the present invention uses transmission cross coefficients to represent the scanner data and models. According to other aspects, the present invention enables sensitive data regarding various scanner subsystems to be hidden from third party view, while providing data and models useful for accurate lithographic simulation.
    Type: Grant
    Filed: October 29, 2009
    Date of Patent: May 9, 2017
    Assignee: ASML NETHERLANDS B.V.
    Inventors: Yu Cao, Jun Ye, James Patrick Koonmen, Stefan Hunsche
  • Patent number: 9647988
    Abstract: A method for performing policy-based configuration of Internet Protocol Security (IPSec) for a Virtual Private Network (VPN) is provided. According to one embodiment, a network device displays a policy page via a user interface of the network device through which a policy, including multiple VPN settings for establishing the VPN connection, is viewed and configured, the VPN settings including a type of IPSec tunnel to be established between the network device and a peer network device. The network device receives via the user interface, a selection regarding the type of IPSec tunnel to be used for the VPN connection. The network device sends a notification request, including parameter values associated with the VPN settings, to the peer network device.
    Type: Grant
    Filed: March 16, 2016
    Date of Patent: May 9, 2017
    Assignee: Fortinet, Inc.
    Inventor: Robert A. May
  • Patent number: 9641450
    Abstract: With the advent of virtualization technologies, networks and routing for those networks can now be simulated using commodity hardware. For example, virtualization technologies can be adapted to allow a single physical computing machine to be shared among multiple virtual networks by providing one or more virtual machines simulated in software by the single physical computing machine, with each virtual machine acting as a distinct logical computing system. In addition, as routing can be accomplished through software, additional network setup flexibility can be provided to the virtual network in comparison with hardware-based routing. In some implementations, virtual network setup can be abstracted through the use of resource placement templates, allowing users to create virtual networks compliant with a customer's networking policies without necessarily having knowledge of what those policies are.
    Type: Grant
    Filed: July 5, 2013
    Date of Patent: May 2, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric J. Brandwine, Marvin M. Theimer, Don Johnson, Swaminathan Sivasubramanian
  • Patent number: 9614906
    Abstract: An egress network device of a point-to-point (P2P) tunnel can receive an LSP Ping message via the P2P tunnel from an ingress network device of the P2P LSP, wherein the LSP Ping message specifies a label that the egress network device associates with a service provided to the egress network device via the P2P tunnel. In response to receiving the LSP Ping message, the egress network device can store an association between the label and the P2P tunnel. The egress network device also uses a fault detection network protocol session over the P2P tunnel to monitor a state of the P2P tunnel. In response to detecting based on the fault detection network protocol session that the state of the P2P tunnel is down, the egress network device determines the service is unavailable from the ingress network device via the P2P tunnel, and selects a new source to provide the service.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: April 4, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Vikas Hegde, Santosh Pallagatti Kotrabasappa, Chandrasekar Ramachandran
  • Patent number: 9614887
    Abstract: The present invention relates to a method and device for distributing data content in a private network. Thus, in a first aspect of the present invention, a method is provided for distributing data content in a private network comprising a number of secondary network segments each connected to a main network segment via a virtual private network connection, which private network comprises devices for rendering the data content. The method comprises the step of arranging the devices rendering the data content as peers in a peer-to-peer (P2P) connectivity overlay network within the private network. Further, the method comprises the step of assigning a managing peer in the main network segment responsible to download the data content from a streaming source outside the private network via a gateway and to distribute the data content to at least one further peer in the main network segment.
    Type: Grant
    Filed: July 17, 2013
    Date of Patent: April 4, 2017
    Assignee: Hive Streaming AB
    Inventors: Roberto Roverso, Sameh El-Ansary, Mikael Hogqvist
  • Patent number: 9609021
    Abstract: A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device receives a current network policy of the dynamic virtualized network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy. In addition, each of the one or more second network policy network elements adds an additional policy on how network traffic is processed in the dynamic virtualized network by a port of one of the plurality of network access devices.
    Type: Grant
    Filed: November 26, 2014
    Date of Patent: March 28, 2017
    Assignee: FORTINET, INC.
    Inventors: Kelly Wanser, Andreas Markos Antonopoulos
  • Patent number: 9609574
    Abstract: Aspects of the subject disclosure may include, for example, a first software defined network element created in local communication with a gateway of a core network portion of a mobility network. Establishment of a first logical network connection is facilitated between the first software defined network element and a second network element in local communication with a remotely accessible system, such as a back-end system of an enterprise data center or cloud service provider. A request from a mobile device serviced by the mobility network is received for access to a service of the remotely accessible system. The request and/or a translation of the request is forwarded to the second network element by way of the first logical network connection. The second network element forwards the translated request to the remotely accessible system. Other embodiments are disclosed.
    Type: Grant
    Filed: September 29, 2014
    Date of Patent: March 28, 2017
    Assignee: AT&T MOBILITY II LLC
    Inventor: Arturo Maria
  • Patent number: 9609019
    Abstract: A system of client devices and a server system implementing services makes use of credentials to facilitate authentication of the client devices with the server and generates log entries for different accesses to the server system. A monitoring system places credentials and log entries referencing the monitoring system with the credentials and log entries on the client devices without any authentication or actual access attempts by the client devices to the monitoring system. Unauthorized access to the client devices may result in the credentials and log entries to the monitoring system being accessed and used to access the monitoring system. Attempts to exploit the monitoring system using the credentials and log entries are contained within the monitoring system and data is collected to characterize malicious code attempting to exploit the monitoring system. The data is then used to prevent attacks and detect compromised client devices and server systems.
    Type: Grant
    Filed: November 20, 2014
    Date of Patent: March 28, 2017
    Assignee: ATTIVO NETWORKS INC.
    Inventors: Venu Vissamsetty, Shivakumar Buruganahalli
  • Patent number: 9609063
    Abstract: Various embodiments of the present disclosure describe a method, apparatus and system for logging in a Unix-like virtual container. The method includes establishing a corresponding relationship between a Unix-like virtual container and a port on a host running the Unix-like virtual container; establishing a transparent pipe between the Unix-like virtual container and the host port based on the corresponding relationship; establishing a first connection between the Unix-like virtual container and the host port based on the transparent pipe; receiving a script command through the host port; and sending the script command to the Unix-like virtual container according to the first connection. Employing embodiments of the present disclosure, the Unix-like virtual container can be logged in through the connection between the host port and the Unix-like virtual container, the information security of the Unix-like virtual container can be ensured, and the access efficiency can be improved through asynchronous access.
    Type: Grant
    Filed: September 16, 2013
    Date of Patent: March 28, 2017
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Baiwan Zhu, Jie Huang, Ke Lu, Lifeng Zeng
  • Patent number: 9596221
    Abstract: Disclosed are systems, methods and computer program products for encryption of user data for storage on a remote network server. In one aspect, an example method includes collecting, by a software client, one or more sets of user authentication data from a user device; performing user authentication using one or more sets of user authentication data; when user authentication is successful, calculating a hash of at least one set of the user authentication data; generating an encryption key from the hash of the user authentication data; encrypting the user data using the generated encryption key; and transmitting the encrypted user data to the remote network server for storage.
    Type: Grant
    Filed: August 15, 2014
    Date of Patent: March 14, 2017
    Assignee: AO Kaspersky Lab
    Inventors: Konstantin E. Lepeshenkov, Eldar M. Kononov
  • Patent number: 9584622
    Abstract: The invention provides an Access Selection Server (ASS) and a method for the same. The invention also provides a User Equipment (UE). The Access Selection Server (ASS) comprises storing means and software and is adapted for location in a communication network comprising at least one User Equipment (UE) and communication nodes. The ASS is also arranged to store information of all accesses for each UE in the communication network and information of overall load status of the communication network in the storing means by means of collecting information through interactions with the communication nodes, the UE and an Access Selection Server subscriber Data Base (ASS DB). The ASS is further arranged to communicate control messages, based on the stored information, from the ASS to the UE, thereby enabling control of multiple UE-accesses from the ASS.
    Type: Grant
    Filed: August 23, 2007
    Date of Patent: February 28, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: Tor Kvernvik
  • Patent number: 9571297
    Abstract: A functional device is disclosed that can collect and process data/information/parameter values from one or more sensors and compare the same with one or more predefined/threshold values to suggest one or more actions and/or generate alerts/messages/suggestions to be performed by one or a combination of remote system, wearer, home automation network, healthcare provider, doctor, caretaker, among other stakeholders. Communication between the functional device, home automation server and a computational server that stores the data is also disclosed.
    Type: Grant
    Filed: June 11, 2015
    Date of Patent: February 14, 2017
    Inventor: Rajendra Padma Sadhu
  • Patent number: 9565054
    Abstract: The present invention relates to a method and system of fate sharing segment protection. In one embodiment, this can be accomplished by monitoring the infrastructure segments, detecting a fault at the infrastructure segment, provisioning protection group between the source node and the destination node as outer work and outer protect (Outer Protection Group, OPG), and between at least two intermediate nodes as inner work and inner protect (Inner Protection Group, IPG) and provisioning at least one supplementary outer protect on the same port of the OPG nodes where the OPG is provisioned, such that the outer supplementary protect diverges in such a way that mirrors the behavior (or shares the fate) of the inner work and inner protect.
    Type: Grant
    Filed: August 11, 2011
    Date of Patent: February 7, 2017
    Assignee: TEJAS NETWORKS LIMITED
    Inventor: Kumar Vinod Madaiah
  • Patent number: 9553895
    Abstract: A security gateway appliance is configured to evaluate network traffic according to security rules that classify traffic flows according to specifically identified application programs responsible for producing and/or consuming the network traffic and to enforce policies in accordance with network traffic classifications. The appliance includes an on-box anti-virus/anti-malware engine, on-box data loss prevention engine and on-box authentication engine. One or more of these engines is informed by an on-box dynamic real time rating system that allows for determined levels of scrutiny to be paid to the network traffic. Security gateways of this type can be clustered together to provide a set of resources for one or more networks, and in some instances as the backbone of a cloud-based service.
    Type: Grant
    Filed: August 28, 2014
    Date of Patent: January 24, 2017
    Assignee: Symantec Corporation
    Inventors: Qing Li, Ronald Andrew Frederick, Thomas A. Clare
  • Patent number: 9537827
    Abstract: A method includes binding, using a plurality of processors, a process to a wildcard address and a port on each of a plurality of nodes. The process receives, on a redirector node, a first request for a first address of a first volume located on the cluster from a first client. The first request is sent to the port and a first address associated with a first virtual local area network (VLAN) that is not the wildcard address. The process determines the first address from the first request and a name of the first VLAN based on the first address. The process determines a first node that contains information regarding the first volume and an address of the first node that is part of the first VLAN. The process determines that a volume identifier associated with the first volume of the first request is present on a volume list.
    Type: Grant
    Filed: December 21, 2015
    Date of Patent: January 3, 2017
    Assignee: NETAPP, INC.
    Inventors: Marshall McMullen, Peter P. Waskiewicz, Jr., Derek Leslie
  • Patent number: 9537830
    Abstract: A system and method for facilitating the establishment of a virtual private network between a network and a remote computer, the system having: a mobile device connectable to the remote computer and storing a user profile, virtual private network information, and password information; virtual private network software being located on one of the mobile device and the remote computer; an access point communicating with the network; and communication means for communications between the access point and one of the mobile device and the remote computer, wherein the user profile, virtual private network information, and password information is passed to the virtual private network software upon connection of the mobile device to the remote computer, the virtual private network software using the user profile, virtual private network information, and password information to establish a virtual private network through the communications means and the access point to the network.
    Type: Grant
    Filed: October 26, 2015
    Date of Patent: January 3, 2017
    Assignee: BlackBerry Limited
    Inventors: Risvan Coskun, Ahmed Reza, Luis Estable
  • Patent number: 9521117
    Abstract: Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects.
    Type: Grant
    Filed: November 7, 2014
    Date of Patent: December 13, 2016
    Assignee: Citrix Systems, Inc.
    Inventors: Gary Barton, Zhongmin Lang, Nitin Desai, James Robert Walker
  • Patent number: 9519600
    Abstract: Driver shimming techniques are described. In one or more implementations, an identification is made as to which interfaces and callbacks are utilized by a shim obtained for a driver of a computing device. The identified interfaces and callbacks are wrapped by the shim of the computing device such that calls to the wrapped interfaces and callbacks are intercepted by the shim.
    Type: Grant
    Filed: March 4, 2011
    Date of Patent: December 13, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Corneliu I. Lupu, Silviu C. Calinoiu, Cristian G. Petruta, Batsaihan Jargalsaihan, Chris Ernest Matichuk
  • Patent number: 9521116
    Abstract: An approach for automatically securing a public wireless network is disclosed. A VPN connection platform maintains a list of available trusted wireless access identifiers to connect to a public wireless network from a mobile device. The trusted wireless access identifiers are provided to an application associated with the mobile device that selectively initiates a virtual private connection when the mobile device cannot utilize any one of the trusted wireless access identifiers.
    Type: Grant
    Filed: June 11, 2014
    Date of Patent: December 13, 2016
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Mark Durbin
  • Patent number: 9516061
    Abstract: In one implementation, a policy server establishes a smart virtual private network between two client devices. The smart virtual private network includes a secure communication session using a security level or security algorithm that is variable and defined as a function of the two client devices. A first client device may generate a registration request including a first security configuration including the security level. Based on the registration request, the policy server generates a routing message that defines routing for communication from the first client device to a second client device. The routing message may update a routing table to associate the policy server with the second client device.
    Type: Grant
    Filed: November 26, 2013
    Date of Patent: December 6, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Pranav Bhalerao, Sunil Nr, Chandra Balaji