Virtual Private Network or Virtual Terminal Protocol (i.e., VPN or VTP) Patents (Class 726/15)
  • Patent number: 9521116
    Abstract: An approach for automatically securing a public wireless network is disclosed. A VPN connection platform maintains a list of available trusted wireless access identifiers to connect to a public wireless network from a mobile device. The trusted wireless access identifiers are provided to an application associated with the mobile device that selectively initiates a virtual private connection when the mobile device cannot utilize any one of the trusted wireless access identifiers.
    Type: Grant
    Filed: June 11, 2014
    Date of Patent: December 13, 2016
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Mark Durbin
  • Patent number: 9516061
    Abstract: In one implementation, a policy server establishes a smart virtual private network between two client devices. The smart virtual private network includes a secure communication session using a security level or security algorithm that is variable and defined as a function of the two client devices. A first client device may generate a registration request including a first security configuration including the security level. Based on the registration request, the policy server generates a routing message that defines routing for communication from the first client device to a second client device. The routing message may update a routing table to associate the policy server with the second client device.
    Type: Grant
    Filed: November 26, 2013
    Date of Patent: December 6, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Pranav Bhalerao, Sunil Nr, Chandra Balaji
  • Patent number: 9479514
    Abstract: A system for securely controlling access between two wireless (i.e. Bluetooth-enabled) apparatuses, also comprising a supervisor apparatus. The first apparatus is paired to the second by establishing a secure wireless (i.e. Bluetooth) link. The first apparatus includes a stored partial link key and a link key generator. The first apparatus receives a first secret key from the apparatus user, and may also receive a second secret key from the supervisor apparatus. The link key generator generates either a first link key based upon a stored first partial link key, the first secret key and the second secret key or a second link key based upon the stored first partial link key and the first secret key. An access control module in the second apparatus determines the level of access that the first apparatus is granted based upon the link key used to establish the secure connection—full/restricted access.
    Type: Grant
    Filed: March 18, 2014
    Date of Patent: October 25, 2016
    Assignee: Certis Cisco Security PTE LTD.
    Inventors: Poh Beng Tan, Martin James Baptist, Keen Hon Wong, Honching Lui, Xiang Li
  • Patent number: 9467502
    Abstract: A method, client, cloud server, and system for realizing complex software services are provided. The method includes: after receiving software service information required by a user to be provided, a client sending a request to a cloud server, wherein, the request carries the software service information required by the user to be provided; and after receiving the request, the cloud server selecting a corresponding cloud-end functional module to interact with the client according to the software service information required by the user to be provided, and providing the software service for the user. The embodiment of the present document solves the contradiction between software user demand and software user purchasing power, and the user can enjoy more abundant, powerful, steady and secure software and hardware resource services.
    Type: Grant
    Filed: June 25, 2013
    Date of Patent: October 11, 2016
    Assignee: ZTE Corporation
    Inventor: Yi Zhou
  • Patent number: 9467474
    Abstract: Various aspects of the disclosure relate to configuring and providing policies that manage execution of mobile applications. In some embodiments, a user interface may be generated that allows an IT administrator or other operator to set, change and/or add to policy settings. The policy settings can be formatted into a policy file and be made available for download to a mobile device, such as via an application store or to be pushed to the mobile device as part of a data push service. The mobile device, based on the various settings included in the policy file, may perform various actions to enforce the security constraints that are represented by the policy. The various settings that can be included in a policy are numerous and some examples and variations thereof are described in connection with the example embodiments discussed herein.
    Type: Grant
    Filed: April 1, 2014
    Date of Patent: October 11, 2016
    Assignee: Citrix Systems, Inc.
    Inventors: Gary Barton, Zhongmin Lang, Nitin Desai, James Walker
  • Patent number: 9455959
    Abstract: In this invention we disclose methods for incorporating a security gateway within a wireless mesh network. In one embodiment, the wireless mesh network is a heterogeneous mesh network. In one embodiment, a gateway node, which is part of the wireless mesh network, requests a connection to the core network through a security gateway. The security gateway responds by creating an IPSec tunnel and a GRE tunnel within the IPSec tunnel from itself to the gateway node. Once the gateway node is communicatively coupled to the security gateway via secure tunneling, the gateway node sends a mesh routing protocol to the security gateway.
    Type: Grant
    Filed: May 29, 2014
    Date of Patent: September 27, 2016
    Assignee: Parallel Wireless, Inc.
    Inventors: Sumit Garg, Kaitki Agarwal, Rajesh Kumar Mishra, David J. Ruffen
  • Patent number: 9450976
    Abstract: Website security may be managed based on known site attributes and placing limits on communication outside a site. One example may include at least one of identifying a site that is currently operating within a first process, comparing the site to known sensitive sites, and responsive to identifying the site as being a known sensitive site, enabling a data traffic limiting operation to limit data traffic in at least one other process apart from the first process.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: September 20, 2016
    Assignee: International Business Machines Corporation
    Inventors: Gal Frishman, Avner Gideoni, Elad Menahem, Shaked Vax
  • Patent number: 9426125
    Abstract: Some embodiments provide reconfigurable web application firewall (WAF) functionality across a distributed platform. Specifically, the WAF function at each distributed platform server is customizable on a per customer and per inbound message basis. When a server receives an inbound message, the server identifies the content or services of which specific customer are implicated by the inbound message. The server screens the inbound message for attacks using a first set of rules and policies defined as part of a production profile from a WAF instance defined by the specific customer while contemporaneously testing the inbound message against a second set of rules and policies defined as part of an audit profile from the same WAF instance. In this manner, the specific customer tests the audit profile rules and policies while still receiving the protections of the production profile rules and policies.
    Type: Grant
    Filed: December 22, 2014
    Date of Patent: August 23, 2016
    Assignee: Verizon Digital Media Services Inc.
    Inventors: Vikas Phonsa, Hayes Kim, David Andrews
  • Patent number: 9413590
    Abstract: A method is provided for managing a secure session for transporting user packets through an address translation device between a client terminal and a first transport session management server. The session uses a first packet transmission address and at least one second packet transmission address different from the first address. The method includes a step of obtaining, by the first server, the at least one second packet transmission address from the at least one second transport session management server, so that the client terminal can transfer packets to the first server by using at least the two addresses.
    Type: Grant
    Filed: June 26, 2007
    Date of Patent: August 9, 2016
    Assignee: ORANGE
    Inventors: Gael Breard, Marc Bailly, Didier Gorges
  • Patent number: 9397949
    Abstract: A terminal communicating via a network including a forwarding device(s) for forwarding a packet and a control device for controlling the forwarding device(s) in accordance with a request from the forwarding device, includes: a communication unit that receives a processing rule specifying a process of adding, to a packet, quality information related to communication quality with respect to the terminal, from the control device, a memory unit that stores the received processing rule, and a processing unit that in a case of communicating via the network, adds quality information to a packet in accordance with a processing rule that corresponds to the packet by referring to the processing rule stored in the memory unit.
    Type: Grant
    Filed: April 16, 2012
    Date of Patent: July 19, 2016
    Assignee: NEC Corporation
    Inventors: Kentaro Sonoda, Hideyuki Shimonishi, Masayuki Nakae, Masaya Yamagata, Yoichiro Morita
  • Patent number: 9397922
    Abstract: An automated network testing platform may comprise a network testing server. The network testing server may receive a first input that characterizes a customer network for which a network test is to be performed. Further, the network testing server may receive a second input representative of the type of network test to be performed. Responsive to receiving the first and the second input the network testing server may identify a test point that is available to execute the network test. Upon identifying the available test point, the network testing server may reconfigure the available test point into the customer network. Further, the network testing server may instruct the reconfigured test point to execute the network test. Once the network test is completed, the network testing server may receive the test results from the reconfigured test point, analyze and interpret the test results, and present the test results to a user.
    Type: Grant
    Filed: February 28, 2013
    Date of Patent: July 19, 2016
    Assignee: EarthLink, LLC
    Inventor: Gregory Paul Collins
  • Patent number: 9385994
    Abstract: Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet. An input port receives a data packet, a switching board classifies the data packet, determines whether the data packet should be accepted, and switches the data packet to a management board if the data packet is a first data packet in a session, and to a processing board if the data packet is not a first data packet in a session. A management board receives a data packet from the switching board, examines the data packet and forwards the data packet to one of the processing boards. One or more processing boards receives non-first data packets from the switching board and data packets from the management board and processes the data packets. A firewall and a secure gateway with firewall and virtual private network functionality for processing a data packet are also described.
    Type: Grant
    Filed: January 31, 2014
    Date of Patent: July 5, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Yan Ke, Yuming Mao, Jian Tong, Guangsong Huang
  • Patent number: 9380081
    Abstract: A system and method establishes bidirectional contact through firewall devices. A method includes establishing a first connection between a first device and a second device and storing a connection record on the second device. When the second device receives a request to connect with the first device, it identifies and searches for the connection record corresponding to the first device. When the second device finds the connection, the second device sends a request to establish a second connection from the second device to the first device. Upon receiving the request to establish a second connection, the first device verifies the request to establish the second connection and the lifetime of the first connection. Upon verification, the first device establishes the second connection between the first computing device and the second device.
    Type: Grant
    Filed: May 17, 2013
    Date of Patent: June 28, 2016
    Assignee: CA, Inc.
    Inventors: Guoxian Shang, Haiyang Zhang, Hector Wang, Raymond Huang, Alexey Shvechkov
  • Patent number: 9350684
    Abstract: A line card for use in a router or packet switch is disclosed. A problem with conventional routers or packet switches is that they can take over a second to fully react to a network state update from another router or packet switch. Such network state packets are used in dynamic routing protocols intended to route packets around a failed or overloaded router. In operating in accordance with dynamic routing protocols, conventional routers or packet switches react to such network state packets by updating the routing tables used by the line cards to send packets, or data extracted from packets, to the egress port (often on a different line card in the router or network switch) appropriate for the destination address found in the packet. Any packets which arrive between the network state packet's arrival and the completion of the ensuing routing table update on the line cards, can be misrouted—which can cause them to be delayed or dropped by the network.
    Type: Grant
    Filed: March 28, 2013
    Date of Patent: May 24, 2016
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventor: Peter Willis
  • Patent number: 9348652
    Abstract: The present application is directed to a distributed system that provides multi-cloud aggregation and that includes a cloud-connector server, cloud-connector nodes, and one or more service-provider nodes that cooperate to provide services that are distributed across multiple clouds. A service-provider node obtains tenant-associated information from a virtual data center in which the service-provider node is installed and provides the tenant-associated information to the cloud-connector server.
    Type: Grant
    Filed: July 2, 2012
    Date of Patent: May 24, 2016
    Assignee: VMware, Inc.
    Inventor: Jagannath N. Raghu
  • Patent number: 9344350
    Abstract: In one embodiment, a method includes storing a service topology route at a network device interconnecting at least two zones comprising a plurality of hosts, and propagating the service topology route to create a service chain comprising a service node in communication with the network device. The service topology route creates a forwarding state at network devices in the service chain for use in inter-zone routing in a virtual private network. An apparatus and logic are also disclosed herein.
    Type: Grant
    Filed: April 18, 2013
    Date of Patent: May 17, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Rex Fernando, Dhananjaya Rao, Jim Guichard, Paul Quinn
  • Patent number: 9311254
    Abstract: A method and apparatus to enable a user to send an action message including secure credential is described. The system comprises a receiving logic to receive the action message from a user, a repository including encrypted user-specific data, and an agent to access a resource through a network, the agent directed as specified by a connector object invoked by the action message. The agent further comprises logic to utilize the encrypted user-specific data from the repository to log into the resource through the network, and in one embodiment, action logic to perform one or more actions as instructed by the connector invoked by the action message. The agent further comprises, in one embodiment, extraction logic for extracting information resulting from the agent's access to the data resource specified by the connector, and communication logic to communicate a result to the user or to another agent for further use.
    Type: Grant
    Filed: April 23, 2013
    Date of Patent: April 12, 2016
    Assignee: Actioneer, Inc.
    Inventors: Thomas Hagan, Bruce Tribbensee, Henry D. Kerr
  • Patent number: 9313187
    Abstract: Disclosed are various embodiments for network site customization using proxy server applications. A first request is obtained from an administrator of a network site to configure a proxy server application to obtain one or more network pages associated with a first portion of the network site from a first application executed in one or more computing devices. The proxy server application is configured in accordance with the first request. A second request is obtained from the administrator to reconfigure the proxy server application to obtain the one or more network pages from a second application executed in one or more computing devices. The network site includes one of several network sites hosted at least in part through the second application. The proxy server application is reconfigured in accordance with the second request.
    Type: Grant
    Filed: November 10, 2010
    Date of Patent: April 12, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Andrew S. Huntwork, Jeremy Boynes, Benjamin Elliott Pew, Shashank Shekhar, Anna Catherine Bell
  • Patent number: 9306906
    Abstract: A request message is generated with a trusted network entity executing trusted code on a first network layer. The request message to target a non-trusted network entity executing non-trusted code on a second network layer. The request message is transmitted from the trusted network entity to the non-trusted network entity through at least a policy enforcement entity. The policy enforcement entity applies one or more network traffic rules to enforce a unidirectional flow of traffic from the first network layer to the second network layer. A response check message is generated with the trusted network entity. The response check message to determine whether response information is available on the non-trusted network entity in response to the request message. The response check message is transmitted from the trusted network entity to the non-trusted network entity through at least the policy enforcement entity.
    Type: Grant
    Filed: March 25, 2014
    Date of Patent: April 5, 2016
    Assignee: salesforce.com, inc.
    Inventors: Benjamin Fry, Timothy Kral, Simon Chen, Andrey Falko
  • Patent number: 9301139
    Abstract: A system and method for multifactor authentication and login using a smart wrist watch with at least one NFC (Near Field Communication) technology tag, with a computing device such as mobile, pda, tablets, laptop, desktop, or any similar system comprising user Authentication NFC login support and multifactor login support system or website wherein at least one NFC tag id arrayed in Smart Wrist watch is used for said device system or said website already registered at the time of sign up or setting user name and password is treated as second authentication factor.
    Type: Grant
    Filed: October 18, 2013
    Date of Patent: March 29, 2016
    Inventor: Prathamesh Anand Korgaonkar
  • Patent number: 9294351
    Abstract: In one embodiment, a method includes receiving static profiles each comprising one or more properties of an operating environment, receiving a dynamic profile for identifying a configuration of an interface based on the static profile associated with said dynamic profile, associating the dynamic profile with one of the static profiles based on the operating environment of the interface, and automatically updating the association upon identifying a change in the operating environment. An apparatus is also disclosed.
    Type: Grant
    Filed: November 10, 2011
    Date of Patent: March 22, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Anuraag Mittal, Prasad Miriyala, Mark Bakke
  • Patent number: 9294439
    Abstract: A method for intercepting, by an agent of a client, communications from the client to be transmitted via a virtual private network connection includes the step of intercepting communications based on identification of an application from which the communication originates. The agent receives information identifying a first application. The agent determines a network communication transmitted by the client originates from the first application and intercepts that communication. The agent transmits the intercepted communication via the virtual private network connection.
    Type: Grant
    Filed: July 16, 2013
    Date of Patent: March 22, 2016
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Charu Venkatraman, Junxiao He, Amarnath Mullick, Shashi Nanjundaswamy, James Harris, Ajay Soni
  • Patent number: 9282002
    Abstract: A method for operating a remote-controlled network element in a telecommunication network includes: configuring the network element with a new configuration; determining whether a network connection failure between the network element and a network management system of the telecommunication network exists after the configuration; and in response to detecting a network connection failure, setting the network element automatically to a standard configuration and establishing a network connection between the network element and the network management system using the standard configuration. Setting the network element automatically to a standard configuration and establishing the network connection includes: loading a previous IPSec certificate in case that the previous Internet Protocol Security (IPSec) certificate has been at least partly replaced during the configuration; and establishing the network connection between the network element and the network management system using the previous IPSec certificate.
    Type: Grant
    Filed: October 13, 2011
    Date of Patent: March 8, 2016
    Assignee: DEUTSCHE TELEKOM AG
    Inventors: Mario Schulz, Juergen Maurer
  • Patent number: 9275004
    Abstract: A system and method for managing a hybrid firewall solution, employing both hardware and software firewall components, for a cloud computing data center is provided. A virtual application is hosted by a first plurality of application virtual machines and a second plurality of firewall virtual machines provides firewalling services for traffic associated with the virtual application. A cloud management entity determines that the virtual application requires an increased number of application virtual machines. A security profile for the virtual application is verified to determine if an increased number of firewall virtual machines is required by the increased number of application virtual machines. The cloud management entity can instantiate additional application virtual machines and firewall virtual machines as required.
    Type: Grant
    Filed: December 11, 2012
    Date of Patent: March 1, 2016
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Zhongwen Zhu, Makan Pourzandi
  • Patent number: 9276925
    Abstract: Methods and systems for managing cloud zones are described herein. A management server for a cloud of computing resources may add private zones to the cloud. The private zones may contain computers owned and operated by a user of the cloud, such as a cloud customer, rather than the cloud operator. The management server may manage the computing resources in the private zone by sending commands to an agent, which in turn relays the management server's commands to the individual computing resources. The agent may be authenticated using a token.
    Type: Grant
    Filed: August 29, 2014
    Date of Patent: March 1, 2016
    Assignee: Citrix Systems, Inc.
    Inventors: Alex Huang, Chiradeep Vittal, William Chan
  • Patent number: 9258327
    Abstract: An apparatus, device, methods, computer program product, and system are described that determine a virus associated with a communications network, and distribute an anti-viral agent onto the communications network using a bypass network, the bypass network configured to provide transmission of the anti-viral agent with at least one of a higher transmission speed, a higher transmission reliability, a higher transmission security, and/or a physically-separate transmission path, relative to transmission of the virus on the communications network.
    Type: Grant
    Filed: September 16, 2014
    Date of Patent: February 9, 2016
    Assignee: Invention Science Fund I, LLC
    Inventors: Edward K. Y. Jung, Royce A. Levien, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Lowell L. Wood, Jr.
  • Patent number: 9258762
    Abstract: In general, techniques are described for atomically installing and withdrawing host routes along paths connecting network routers to attenuate packet loss for mobile nodes migrating among wireless LAN access networks and a mobile network. In some examples, whenever the mobile node moves from one attachment point to the next, it triggers the distribution of its host route from the new attachment point toward the service provider network hub provider edge (PE) router that anchors the mobile node on a service provider network. Routers participating in the Mobile VPN install the host route “atomically” from the attachment point to the mobile gateway so as to ensure convergence of the network forwarding plane with the host route toward the new attachment point prior to transitioning mobile node connectivity from a previous attachment point.
    Type: Grant
    Filed: November 17, 2014
    Date of Patent: February 9, 2016
    Assignee: Juniper Networks, Inc.
    Inventors: Hendrikus G. P. Bosch, Martin Djernaes
  • Patent number: 9253158
    Abstract: A series of NAT connection rules are revised in a dynamic manner such that a pool of ports is available to connect a plurality of remote users to local virtual compute resources over one or more public IP addresses. Once a connection is established, an entry is made in a firewall state table, associating IP addresses, ports and protocol types, such that the firewall state table allows uninterrupted use of the established connection. After an entry has been made in the state table, or the routing rule has timed out, the port associated with the original NAT routing rule is removed and the same port can be re-used to establish another connection without disrupting active connections. A connection between a virtual compute resource and a local compute resource can be associated with multiple ports and multiple protocol types.
    Type: Grant
    Filed: August 23, 2013
    Date of Patent: February 2, 2016
    Assignee: VMware, Inc.
    Inventors: Kenneth N. Ringdahl, Robert Hatch, Daniel B. Allan
  • Patent number: 9247463
    Abstract: Systems and methods are described for providing non-mobile data channel access to a mobile application on a mobile computing device. A request for data may be received, by a client component on the mobile computing device, from the mobile application. The client component may automatically detect that mobile data is unavailable, and may automatically select a non-mobile data channel for the mobile application to communicate to an application server. The automatic selecting may be based on availability of a non-mobile data channel and bandwidth of the available non-mobile data channel. The client component may translate the request for data into a format of the selected non-mobile data channel and transmit the translated request for data to a back-end server via the selected non-mobile data channel.
    Type: Grant
    Filed: June 3, 2015
    Date of Patent: January 26, 2016
    Assignee: LOTUSFLARE, INC.
    Inventors: Qing Guo, Guogang Li, Shao Yong Xia
  • Patent number: 9240890
    Abstract: Methods and systems for deploying management tunnels between managed and managing devices are provided. According to one embodiment, network devices, including a peer managed device, a management device and a trusted peer managed device are deployed within a network. The network devices are pre-configured to form a web of trust by storing within each network device (i) a digital certificate signed by a manufacturer or a distributor and (ii) a unique identifier. The peer managed device establishes a management tunnel with the management device based on an address received from an external source. Prior to allowing the management device to use the management tunnel to perform management functionality, the peer managed device verifies credentials of the managed device by causing its unique identifier to be confirmed with reference to a pre-configured identifier of an authorized management device stored within the peer managed device.
    Type: Grant
    Filed: September 27, 2014
    Date of Patent: January 19, 2016
    Assignee: Fortinet, Inc.
    Inventor: Andrew Krywaniuk
  • Patent number: 9237015
    Abstract: A method of providing anti-replay protection, authentication, and encryption with minimal data overhead is provided. A sender uses an arbitrary-length pseudorandom permutation to encrypt messages that include plaintext and successively increasing sequence numbers, to produce ciphertext messages. The sender transmits the ciphertext messages. A receiver receives the ciphertext messages and, for each received ciphertext message, performs the following operations. The receiver decrypts the given ciphertext message to recover plaintext and a candidate sequence number from the message. The receiver determines if the candidate sequence number is in any one of multiple acceptable sequence number windows having respective sequence number ranges that are based on at least one of a highest sequence number previously accepted and a last sequence number that was previously rejected, as established based on processing of previously received ciphertext messages.
    Type: Grant
    Filed: October 17, 2013
    Date of Patent: January 12, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: David McGrew, John Foley
  • Patent number: 9237147
    Abstract: A remote access manager in a virtual computing services environment negotiates a time limited NAT routing rule to establish a connection between a remote device and virtual desktop resource providing user computing services. A series of NAT connection rules are revised in a dynamic manner such that a pool of ports is available to connect a plurality of remote users to local virtual compute resources over one or more public IP addresses. Once a connection is established, an entry is made in a firewall state table such that the firewall state table allows uninterrupted use of the established connection. After an entry has been made in the state table, or the routing rule has timed out, the port associated with the original NAT routing rule is removed and the same port can be re-used to establish another connection without disrupting active connections.
    Type: Grant
    Filed: February 16, 2015
    Date of Patent: January 12, 2016
    Assignee: VMware, Inc.
    Inventors: James Snow, Andrew W. Hobgood, Clinton B. Battersby
  • Patent number: 9226217
    Abstract: Systems and methods for a multi-tenant communication platform. At a multi-tenant communication platform, and responsive to authentication of a communication request provided by an external system, a routing address record of the communication platform is determined that matches a communication destination of the communication request. The matching routing address record associates the communication destination with a plurality of external communication providers. At least one communication provider associated with the matching routing address record is selected, and a request to establish communication with the communication destination is provided to each selected communication provider. The communication request specifies the communication destination and account information.
    Type: Grant
    Filed: April 17, 2015
    Date of Patent: December 29, 2015
    Assignee: Twilio, Inc.
    Inventor: Patrick Malatack
  • Patent number: 9208295
    Abstract: Presented herein are techniques for adding a secure control layer to a distributed communication fabric that supports publish-subscribe (pub-sub) and direct query (synchronization) communication. The secure control layer is configured to perform policy-based authentication techniques to securely manage the exchange of data/information within the communication fabric and enable registration/discovery of new capabilities.
    Type: Grant
    Filed: June 10, 2013
    Date of Patent: December 8, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Nancy Cam-Winget, Allan Thomson, Pok Wong, Vanaja Ravi
  • Patent number: 9198035
    Abstract: An integrated circuit radio transceiver and associated method comprises a multi-mode device operable to support personal area network communications as well as traditional wireless local area network communications. In one embodiment, IEEE 802.11 protocol IBSS communications are used to transport Bluetooth communication data packets. In another embodiment, a direct link comprising direct packet transfers without beaconing is performed between the multi-mode device and another multi-mode device. Thus, the multi-mode device is operable to establish traditional BSS communications with an Access Point in addition to establishing peer-to-peer communications with another multi-mode device to transport the Bluetooth communications over the 802.11 IBSS communication link or over an IEEE 802.11 direct communication link.
    Type: Grant
    Filed: December 12, 2013
    Date of Patent: November 24, 2015
    Assignee: Broadcom Corporation
    Inventors: Christopher J. Hansen, Henry Ptasinski
  • Patent number: 9198036
    Abstract: A method for providing application service is provided. The method discloses that a user is authenticated according to a received application service acquisition request from a user mobile phone, and when the user authentication is passed, the application service acquisition request is sent to an application server, so that the application server provides an application service to the user mobile phone according to the application service acquisition request. The application server does not need to authenticate the user mobile phone by performing an authentication operation on the user mobile phone through a wireless application protocol gateway, thus being capable of reducing the workload of the application server.
    Type: Grant
    Filed: December 30, 2013
    Date of Patent: November 24, 2015
    Assignee: SHENZHEN JUNSHENGHUICHUANG TECHNOLOGIES CO., LTD.
    Inventor: Wuqiang Lin
  • Patent number: 9191320
    Abstract: A relay server presents, to an operator having made a login request, a list of connecting-target apparatuses to which the operator is able to connect. When, for example, a client terminal is selected from the list, the relay server stores, as address filter information of the relay server, an address of a communication apparatus operated by the operator, and transmits the address filter information to the client terminal. The relay server stores address filter information received from the client terminal. Then, a routing session for a VPN is established between the relay server and the client terminal, and routing of a packet is performed based on the address filter information.
    Type: Grant
    Filed: April 2, 2012
    Date of Patent: November 17, 2015
    Assignee: Murata Machinery, Ltd.
    Inventor: Yoshifumi Tanimoto
  • Patent number: 9172695
    Abstract: A system and method for facilitating the establishment of a virtual private network between a network and a remote computer, the system having: a mobile device connectable to the remote computer and storing a user profile, virtual private network information, and password information; virtual private network software being located on one of the mobile device and the remote computer; an access point communicating with the network; and communication means for communications between the access point and one of the mobile device and the remote computer, wherein the user profile, virtual private network information, and password information is passed to the virtual private network software upon connection of the mobile device to the remote computer, the virtual private network software using the user profile, virtual private network information, and password information to establish a virtual private network through the communications means and the access point to the network.
    Type: Grant
    Filed: July 2, 2014
    Date of Patent: October 27, 2015
    Assignee: BlackBerry Limited
    Inventors: Risvan Coskun, Ahmed Areef Reza, Luis Estable
  • Patent number: 9165140
    Abstract: A distributed and coordinated security system providing intrusion-detection and intrusion-prevention for the virtual machines (VMs) in a virtual server is described. The virtualization platform of the virtual server is enhanced with networking drivers that provide a “fast path” firewall function for pre-configured guest VMs that already have dedicated deep packet inspection security agents installed. A separate security VM is deployed to provide virtual security agents providing deep packet inspection for non pre-configured guest VMs. The network drivers are then configured to intercept the data traffic of these guest VMs and route it through their corresponding virtual security agents, thus providing a “slow-path” for intrusion detection and prevention.
    Type: Grant
    Filed: September 22, 2014
    Date of Patent: October 20, 2015
    Assignee: TREND MICRO INCORPORATED
    Inventor: William Gerald McGee
  • Patent number: 9143466
    Abstract: A method of intelligently sorting packets/datagrams for sending through appropriate branches of an N-way split VPN tunnel according to embodiments of the present invention allows for efficient movement of network traffic to and from a remote network location. Intelligent sorting may be based on a wide range of criteria in order to implement different policies. For example, datagrams may be sorted for sending through the branches of a 3-way split tunnel so that all traffic from a remote network location ultimately destined to servers at a central location may be sent via a secure VPN tunnel, all traffic that matches a “white-list” of trusted external sites may be sent directly to and from these sites to the remote network location, and all other traffic may be redirected through a Web service that scrubs and filters the traffic to/from questionable sites.
    Type: Grant
    Filed: March 22, 2013
    Date of Patent: September 22, 2015
    Assignee: Aerohive Networks, Inc.
    Inventors: Carl Steven Mower, Matthew Alan Palmer
  • Patent number: 9137043
    Abstract: System, method and program determining a network path by which a workstation can send a message to a target network. The workstation accesses a first part of the network path via a network access server. A plurality of other servers by which the workstation can access a second part of the network path leading to the target network are identified. Respective response times to communicate between the workstation or the network access server and each of the other servers are measured. A determination is made which one of the other servers has a shortest response time. The workstation attempts to connect to the one server, before attempting to connect to other of the other servers, to access the second part of the network. The second part of the network can be a virtual private network, and the other servers are entry point servers for respective virtual private networks.
    Type: Grant
    Filed: June 27, 2006
    Date of Patent: September 15, 2015
    Assignee: International Business Machines Corporation
    Inventor: Joseph J. Fatula, Jr.
  • Patent number: 9104738
    Abstract: The present invention includes systems and methods for retrieving information via a flexible and consistent targeted search model that employs interactive multi-prefix, multi-tier and dynamic menu information retrieval techniques (including predictive text techniques to facilitate the generation of targeted ads) that provide context-specific functionality tailored to particular information channels, as well as to records within or across such channels, and other known state information. Users are presented with a consistent search interface among multiple tiers across and within a large domain of information sources, and need not learn different or special search syntax. A thin-client server-controlled architecture enables users of resource-constrained mobile communications devices to locate targeted information more quickly by entering fewer keystrokes and performing fewer query iterations and web page refreshes, which in turn reduces required network bandwidth.
    Type: Grant
    Filed: September 29, 2010
    Date of Patent: August 11, 2015
    Assignee: TROPARE, INC.
    Inventors: Timothy L Kay, G. Gregory Carpenter
  • Patent number: 9100324
    Abstract: In one embodiment, a method for electronically analyzing packets using a packet analyzing apparatus includes receiving one or more data packets via a first interface port, wherein the one or more data packets comprises a full packet that may include a payload, determining whether the full packet is part of an existing permitted connection, and if so, determining whether the full packet contains a payload, and if the full packet of the existing permitted connection does not contain a payload, transmitting data indicative of the full packet via the second interface port to an industrial machine control.
    Type: Grant
    Filed: October 18, 2011
    Date of Patent: August 4, 2015
    Assignee: Secure Crossing Research & Development, Inc.
    Inventor: Randall E. Reeves
  • Patent number: 9094400
    Abstract: Systems and methods are provided for controlling access to a network. An access request is received from a client application running on a computing device for accessing a remote network. The access request is received over a secure virtual private network (VPN) connection established by a user-mode VPN client running in non-privileged user space of the computing device. The access request includes contextual information for use in authenticating a user to access a remote network, wherein the contextual information includes contextual information about the client application requesting access to the remote network. An authentication process is performed using the contextual information to authenticate the user, and a secure VPN connection is established between the client application and the remote network, if the user is authenticated.
    Type: Grant
    Filed: January 16, 2013
    Date of Patent: July 28, 2015
    Assignee: International Business Machines Corporation
    Inventors: Eric J. Barkie, Benjamin L. Fletcher, Marco Pistoia, John J. Ponzo, Andrew P. Wyskida
  • Patent number: 9088963
    Abstract: Approaches for resource efficient multicast communications in mobile satellite systems are provided. A wireless gateway is configured to encapsulate multicast signaling messages received from participating remote terminals. The encapsulation is compatible with the core network of the system, whereby the signaling is passed through the core network undetected. The signaling is received by a multicast gateway, and provides necessary IP and port addressing information for the multicast gateway to encapsulate the multicast session data in a manner compatible with the core network. Upon receiving multicast session data from a multicast server, the multicast gateway replicates and encapsulates each data packet with IP and port addressing for each participating remote terminal, which is also passed through the core network undetected.
    Type: Grant
    Filed: May 22, 2013
    Date of Patent: July 21, 2015
    Assignee: Hughes Network Systems, LLC
    Inventors: Channasandra Ravishankar, Deepak Arur, Nassir Benammar
  • Patent number: 9083621
    Abstract: Policy-based management method for remote management of a home device (3), said method comprising: a triggering step wherein the operational state of the home device (3) changes under occurrence of a triggering event belonging to one of the following event categories: a device event, where the event is automatically produced by the home device (3); a scheduled event, where the event is automatically produced by a clock; a user event, where the event is produced by a user; an evaluation step, wherein a home device management (HDM) server (9) evaluates at least one device selection criterion; a policy run cycle, wherein the HDM server (9) runs a policy on the home device (3), said policy being selected among the following policies: an activation policy if the triggering event is of the device type; a management policy if the triggering event is of the scheduled type; a transient policy if the triggering event is of the user type.
    Type: Grant
    Filed: December 12, 2007
    Date of Patent: July 14, 2015
    Assignee: Alcatel Lucent
    Inventors: Sébastien Bocq, Arabinda Bose, Jeremy Remington, Sven Van Den Bosch
  • Patent number: 9077695
    Abstract: A network device stores an application program for a secure communications service and has a processor configured to execute the application program. The execution causes the processor to send a request to look up an internet protocol (IP) address of a second network device based on an identifier associated with the second network device, to receive, following a determination by a name service that the second network device is available for the secure communications service, the determination by the name service being based on the identifier in the request: (1) an indication that the second network device is available for the secure communications service, (2) the requested IP address of the second network device, and (3) provisioning information for an encrypted communication link. The execution further enables the processor to connect to the second network device and to communicate data with the second network via the encrypted communication link.
    Type: Grant
    Filed: May 28, 2013
    Date of Patent: July 7, 2015
    Assignee: VirnetX, Inc.
    Inventors: Victor Larson, Robert Dunham Short, III, Edmund Colby Munger, Michael Williamson
  • Patent number: 9071928
    Abstract: In response to a location assistance request initiated by a mobile device on a private network and directed to a data access port of a location server in a public mobile communication network, a source network address is extracted from the received request. If the extracted source network address is determined to be associated with a trusted private network domain, location assistance data obtained by the location server is provided to the mobile device on the private network without requiring any proprietary messaging schemes or application-specific authentication credentials.
    Type: Grant
    Filed: September 11, 2012
    Date of Patent: June 30, 2015
    Assignee: Cellco Partnership
    Inventors: Rachel Yu-Yin Ward, Atul Thaper, Biren A. Patel
  • Patent number: 9058500
    Abstract: Embodiments of the present invention provide a method and an apparatus for inputting data. The present invention relates to the communications field and aims to improve security of input information. The method includes: acquiring, by a virtual machine manager, input data; performing, by the virtual machine manager, encryption processing on the input data according to an encryption rule of a security connection to obtain encrypted data, where the security connection refers to a connection that is established between an application interface and a server and used for data transmission; and sending, by the virtual machine manager, the encrypted data to the server. The present invention is applicable to a data input scenario.
    Type: Grant
    Filed: June 3, 2014
    Date of Patent: June 16, 2015
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Xiaoxin Wu, Bin Tu
  • Patent number: 9055064
    Abstract: The present invention is directed towards systems and methods for sharing licenses across resources via a multi-core intermediary device. A device intermediary to a plurality of clients and a server may grant a license for a virtual private network (VPN) session established by a first core of a plurality of cores of the device with a client. A second core of the plurality of cores may receive a first request from the client to establish an application connection between an application and a server via the VPN session. The second core may send a second request to the first core to share the license of the VPN session responsive to determining that the first core owns the VPN session. The second core may establish the application connection responsive to receiving from the first core a response accepting the second request to share the license of the VPN session.
    Type: Grant
    Filed: December 23, 2010
    Date of Patent: June 9, 2015
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Arkesh Kumar, Pratap Ramachandra