Virtual Private Network Or Virtual Terminal Protocol (i.e., Vpn Or Vtp) Patents (Class 726/15)
  • Patent number: 9043897
    Abstract: A system to ensure compliance with data security standards includes a security appliance to perform multiple security functions, with the security appliance including an initial configuration. The system further includes a display unit to provide information of compliance performance of the system on a secure basis. The system also includes a control unit to monitor compliance performance in real-time and to implement additional procedures required based on the monitored compliance to ensure compliance with data security standards.
    Type: Grant
    Filed: August 13, 2012
    Date of Patent: May 26, 2015
    Assignee: RELIANT SECURITY
    Inventor: Richard Newman
  • Patent number: 9043896
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to configuring a computing appliance and provide a method, system and computer program product for device certificate based virtual appliance configuration. In one embodiment of the invention, a virtual appliance secure configuration method can be provided. The method can include mounting non-volatile storage to the virtual appliance, retrieving a device certificate from the mounted storage and extracting a signature from the device certificate, activating the virtual appliance in a network domain and acquiring an adapter address and unique identifier for the virtual appliance, and authenticating the signature with the adapter address and unique identifier to ensure a unique active instance of the virtual appliance.
    Type: Grant
    Filed: August 31, 2007
    Date of Patent: May 26, 2015
    Assignee: International Business Machines Corporation
    Inventors: Ronald P. Doyle, John R. Hind, Marcia L. Stockton
  • Patent number: 9043868
    Abstract: Methods, devices, and systems that may be used to secure networked devices are provided. One method includes receiving, at a security device, encrypted configuration data from a management server connected to a data network, from packets addressed to a networked device. The method further includes managing, by the security device, packets between the networked device and other devices accessible through a network based upon the configuration data. The method further includes sending, by the security device, a plurality of encrypted heartbeat messages to the management server utilizing an address associated with the networked device as the originating address for packets in which the encrypted heartbeat messages are transmitted.
    Type: Grant
    Filed: February 22, 2013
    Date of Patent: May 26, 2015
    Assignee: BYRES SECURITY
    Inventors: Eric Byres, Darren Lissimore, John Karsch, Khai Lee
  • Publication number: 20150143505
    Abstract: An approach for providing secure communication services is disclosed. A secure data tunnel from a source node to a destination node is established via a plurality of secure segments across a data communications network. A data path is established via the secure data tunnel, where the data path supports a performance enhancing mechanism that improves performance of data communications over the data path. The performance enhancing mechanism multiplexes data packet flows from the source node for transmission over the data path, and performs one or more of connection startup latency reduction, acknowledgment message spoofing, window sizing adjustment, compression and selective retransmission.
    Type: Application
    Filed: January 26, 2015
    Publication date: May 21, 2015
    Inventors: John BORDER, Douglas DILLON, Peter PARDEE
  • Patent number: 9038163
    Abstract: Systems and methods for connecting a first network device and a second network device over a communication network are disclosed. An exemplary method includes receiving, from the first network device, a request to look up a network address of the second network and evaluating the request to determine whether an identifier associated with the second network device is registered with a name service that facilitates resolving the identifier and further facilitates establishing direct encrypted communication links. It is determined whether the second network device is available to communicate through a direct encrypted communication link facilitated by the name service; if so, the establishment of the direct encrypted communication link between the first network device and the second network device is facilitated. This includes provisioning the first network device or the second network device with one or more resources for the direct encrypted communication link.
    Type: Grant
    Filed: July 25, 2013
    Date of Patent: May 19, 2015
    Assignee: VirnetX, Inc.
    Inventors: Victor Larson, Robert Dunham Short, III, Edmund Colby Munger, Michael Williamson
  • Patent number: 9036470
    Abstract: A system and method for virtual private application networks includes receiving a first packet associated with a first network flow at a network device, determining one or more first characteristics of the first network flow based on information associated with the first packet, determining one or more second characteristics of a first virtual private application network (VPAN) based on information associated with the one or more first characteristics, assigning the first network flow to the first VPAN, selecting one or more first network switching devices to be associated with the first VPAN, and transmitting one or more first flow control messages to the selected one or more first network switching devices. The one or more first flow control messages provide forwarding instructions for network traffic associated with the first network flow to the selected one or more first network switching devices.
    Type: Grant
    Filed: March 11, 2013
    Date of Patent: May 19, 2015
    Assignee: Dell Products L.P.
    Inventors: Mohnish Anumala, Jeyasubramanian Irungolapillai, Aseem Kumar Srivastava
  • Publication number: 20150135303
    Abstract: Techniques to rate-adjust data usage on mobile devices using a virtual private network are described. In one embodiment, an apparatus may include a processor circuit, and an application component operative on the processor circuit to present a link to third party data, receive a control directive to follow the link, and to request to access the third party data. The apparatus may also include a client virtual private network (VPN) component operative on the processor circuit to communicate with a server having a server VPN component, receive the request to access the third party data from the application component, determine whether the accessing is rate-adjusted, and connect to a source of the third party data via the server VPN component. Other embodiments are described and claimed.
    Type: Application
    Filed: November 12, 2013
    Publication date: May 14, 2015
    Applicant: FACEBOOK, INC.
    Inventors: RAN MAKAVY, BRENON ROBERTO
  • Publication number: 20150135304
    Abstract: According to one embodiment, an electronic apparatus is capable of switching a plurality of applications corresponding to a plurality of users in accordance with a selected user. The apparatus includes a communication controller which communicates with an apparatus connected to a network, a first determination controller which determines whether the selected user is a first user, a second determination controller which determines whether a connection is made to a first virtual private network server via the communication controller, and a first controller which controls use of the network by a first application corresponding to the first user and controls use of the network by a second application corresponding to a user in accordance with the determination results of the first and second determination controllers.
    Type: Application
    Filed: October 6, 2014
    Publication date: May 14, 2015
    Inventor: Tetsuo Hatakeyama
  • Patent number: 9032506
    Abstract: Described in an example embodiment herein is a Multiple Application Container. Various embodiments of the Multiple Application Container may include, but are not limited to: (1) managed intranet access via a dedicated Virtual Private Network (VPN) tunnel shared amongst applications within the container, (2) managed file/data encryption, (3) native look and feel applications for the base Operating System (OS), (4) isolation from any non-OS based services on the device, and/or (5) Mobile Device Management (MDM) based capabilities, such as policy enforcement.
    Type: Grant
    Filed: August 9, 2012
    Date of Patent: May 12, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Vincent E. Parla, Brian Henry Pescatore, Timothy Steven Champagne
  • Patent number: 9027138
    Abstract: Novel solutions for detecting and/or treating malware on a subscriber's premise network. Such solutions can include, but are not limited to, tools and techniques that can detect, and/or enable the detection of, malware infections on individual subscriber devices within the subscriber's network. In a particular embodiment, for example, a premise gateway, or other device on the subscriber's premise network, is configured to analyze packets traveling through the premise gateway and, based on that analysis, identify one or more subscriber devices that are infected with malware.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: May 5, 2015
    Assignee: CenturyLink Intellectual Property LLC
    Inventors: Michael Glenn, Donald J. Smith, John Butala
  • Patent number: 9027086
    Abstract: A method for connecting to a trust broker system is disclosed. The electronic device stores encrypted identifying information for a plurality of client systems authorized to interact with the server system, wherein the encrypted identifying information is changed per client system per session. The electronic device creates a plurality of virtual domains; each virtual domain representing a set of services and information distinct from the other virtual domains. The electronic device stores permissions associated with each respective client system in the plurality of client system. The electronic device receives a request from a first client system, including encrypted identifying information associated with the first client system, for information associated with a first virtual domain and then retrieves stored permissions of the first client system based on the encrypted identifying information.
    Type: Grant
    Filed: March 11, 2013
    Date of Patent: May 5, 2015
    Assignee: Vidder, Inc.
    Inventors: Junaid Islam, Brent Bilger, Ted Schroeder
  • Patent number: 9026918
    Abstract: A method, system and graphical user interface for enabling a user to access enterprise data and interact with enterprise applications generating the enterprise data using a portable electronic device is disclosed. A native application for a portable electronic device enables a user of the portable electronic device to initiate or interact with one or more enterprise applications. Each of the enterprise applications is executed remotely on a system in communication with the portable electronic device, where the portable electronic device may communicate data to the remote system and display data received from the remote system. Processing resources and storage resources of the remote system may be utilized to execute the enterprise application, thereby enabling a user to initiate or interact with a computationally-intensive enterprise application using a portable electronic device.
    Type: Grant
    Filed: May 6, 2009
    Date of Patent: May 5, 2015
    Assignee: Accenture Global Services Limited
    Inventor: Dan Sharoni
  • Patent number: 9027116
    Abstract: Methods and related systems are presented that relate to automatically avoiding address conflicts when establishing a secure communications link over a public network between a local computer, associated with a local network, and a remote computer, located outside the local network. In order to avoid address conflict, addresses reserved for use by the local network and addresses reserved for use by the remote network are determined. At least one local address is selected from among available local addresses such that the selected local address is an address that does not conflict with the reserved addresses of the local network and the reserved addresses of the remote network. The selected local address is used in connection with establishment of the secure communications link between the local computer and the remote computer.
    Type: Grant
    Filed: July 9, 2012
    Date of Patent: May 5, 2015
    Assignee: VirnetX, Inc.
    Inventors: Robert Dunham Short, III, Victor Larson, Michael Williamson
  • Patent number: 9021573
    Abstract: A method and a system are disclosed that enable an address at the edge router to be used to establish a multi-pipe virtual private network (MVPN) connecting controllers to multiple web enabled end user devices (EUDs) inside a security protected local area network (LAN). The EUDs connect to a central server (CS) outside the LAN during configuration establishing registration and identity (ID) for each EUD. Once the EUDs establish connection from inside the LAN, the CS is enabled to communicate with the EUDs using the address and ID provided during registration. The CS then acts as a facilitator establishing secure VPN connection between controllers in the cloud and the EUDs inside the LAN. CS further acts as a pass through for those LANs that do not allow direct connections to controllers outside the LAN. The CS continues to monitor the health of the overall system once connectivity is established.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: April 28, 2015
    Assignee: Cradle Technologies
    Inventors: Ramachandran Natarajan, Suhas S. Patil
  • Patent number: 9021578
    Abstract: A computer-implemented method for securing Internet access on restricted mobile platforms may include identifying an attempt by a mobile computing system to establish a virtual private network connection with a security server and, in response to identifying the attempt, (1) assigning an Internet Protocol address to the mobile computing system and (2) identifying a security filter customized to filter communications for an account associated with the mobile computing system. The method may also include (1) receiving, via the virtual private network connection, a request for an Internet resource and (2) providing, via the virtual private network connection, a response to the request to the mobile computing system based at least in part on the security filter. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 13, 2011
    Date of Patent: April 28, 2015
    Assignee: Symantec Corporation
    Inventors: Jim Casaburi, Alan Gilbert, Ryan McGann
  • Patent number: 9021272
    Abstract: The present invention relates to key management in a secure microcontroller, and more particularly, to systems, devices and methods of automatically and transparently employing logic or physical address based keys that may also be transferred using dedicated buses. A cryptographic engine translates a logic address to at least one physical address, and processes a corresponding data word based on at least one target key. The target key is selected from a plurality of keys based on the logic or physical address. A universal memory controller stores each processed data word in the corresponding physical address within a memory. Each key is associated with a memory region within the memory, and therefore, the logic or physical address associated with a memory region may be used to automatically identify the corresponding target key. A dedicated secure link may be used to transport key request commands and the plurality of keys.
    Type: Grant
    Filed: August 28, 2012
    Date of Patent: April 28, 2015
    Assignee: Maxim Integrated Products, Inc.
    Inventors: Vincent Debout, Frank Lhermet, Yann Yves René Loisel, Grégory Rome, Christophe Tremlet
  • Publication number: 20150113629
    Abstract: The disclosure is related to monitoring data traffic of user equipment through a monitoring node. A monitoring node may receive a data packet from user equipment registered for a monitoring service through a secure channel. The monitoring node may perform a monitoring operation on the received data packet and determine whether the received data packet is a malicious packet or a non-malicious packet. When the received data packet is a non-malicious packet, the monitoring node may transmit the data packet to a destination through a communication network.
    Type: Application
    Filed: October 20, 2014
    Publication date: April 23, 2015
    Inventors: Tae-Min PARK, Bong-Ki KIM, Hyun-Ho JEONG, Young-Hun HWANG
  • Patent number: 9015825
    Abstract: Method and device for managing one or more secure gateway virtual private network, VPN, devices (104, 105) in a secure VPN for cryptographically separated and tunnelled VPN communication. VPN configuration data provided by a management system (110) is received (401); and the received VPN configuration data and a domain type are encapsulated (402, 403), wherein said domain type identifies an administrative network domain for cryptographically separated and tunnelled management communication with a hardware separated administrative controller (121) of said one or more secure gateway VPN devices (104, 105), exclusively for management of said one or more secure gateway VPN devices (104, 105).
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: April 21, 2015
    Assignee: Advenica AB (Publ)
    Inventors: Lars Persson, Jonas Dellenvall, Roger Eriksson
  • Patent number: 9015824
    Abstract: Systems and methods for allowing a client computing device to securely interact with a private network are provided. The method includes initiating a virtual private network connection. The method also includes executing at least a portion of virtual private network client code within a memory region for unsecure software. The method also includes receiving a request within the virtual private network client code to access a local resource. The local resource is within a memory region for secure software. The method also includes determining whether the virtual private network client code has permission to access the local resource within the memory region for secure software. The method also includes, if the virtual private network client code has permission to access the local resource, providing the local resource to the virtual private network client code according to the request within the virtual private network client code. The method also includes, if the virtual private network client code lacks permission to access the local resource, denying the local resource to the virtual private network client code.
    Type: Grant
    Filed: February 24, 2012
    Date of Patent: April 21, 2015
    Assignee: Google Inc.
    Inventors: William A. Drewry, Kenneth Edward Mixter
  • Patent number: 9015823
    Abstract: Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall sends the packet back to the managed switching element through the software port.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: April 21, 2015
    Assignee: Nicira, Inc.
    Inventors: Teemu Koponen, Ronghua Zhang, Pankaj Thakkar, Martin Casado
  • Publication number: 20150106914
    Abstract: A remote control method includes: assigning a network address for a terminal device when the terminal device connects to a terminal connection device; obtaining an identifier code of the terminal connection device or a client connection device when the terminal connection device or the client connection device connects to a remote control server; obtaining terminal device information including network addresses and names of the terminal devices connected to the terminal connection device; storing the terminal device information in the remote control server associated with the identifier code of the terminal connection device; determining a client connection device with the same identifier code as the terminal connection device and producing a terminal device list when the user produces a control request via a control device; and controlling the control device to connect to a selected terminal device in response to an operation to select the terminal device on the terminal device list.
    Type: Application
    Filed: October 10, 2014
    Publication date: April 16, 2015
    Inventor: STEVE LAP WAI HUI
  • Patent number: 9009813
    Abstract: The present disclosure presents methods, systems and intermediaries which determine an encoding scheme of a uniform resource location (URL) from a plurality of encoding schemes for a clientless secure socket layer virtual private network (SSL VPN) via a proxy. An intermediary may receive a response from a server comprising a URL. The response from the server may be directed to a client via a SSL VPN session and via the intermediary. The intermediary may determine, responsive to an encoding policy, one of a transparent, opaque or encrypted encoding scheme for encoding the URL. The intermediary may rewrite the URL for transmission to the client in accordance with the determined encoding scheme.
    Type: Grant
    Filed: February 4, 2014
    Date of Patent: April 14, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Puneet Agarwal, Ravindra Nath Thakur, Anil Kumar Gavini
  • Patent number: 9009812
    Abstract: An approach provides a communication network that supports one or more network-based Virtual Private Networks (VPNs) to resist Denial of Service (DoS) attacks. A first boundary router is configured to provide a Virtual Private Network (VPN) that supports quality of service levels, and interfaces an access network via a Customer Premise Equipment (CPE) edge router and a physical access link. A second boundary router is coupled to a public network. The access network connects to the first boundary router, and the first boundary router and the second boundary router are connected by a separate logical connection to prevent denial of service attacks on the physical access link originating from sources outside the VPN.
    Type: Grant
    Filed: June 24, 2013
    Date of Patent: April 14, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: David E. McDysan
  • Patent number: 9003509
    Abstract: A method and system for improving the security and control of internet/network web application processes, such as web applications. The invention enables validation of requests from web clients before the request reaches a web application server. Incoming web client requests are compared to an application model that may include an allowed navigation path within an underlying web application. Requests inconsistent with the application model are blocked before reaching the application server. The invention may also verify that application state data sent to application servers has not been inappropriately modified. Furthermore, the invention enables application models to be automatically generated by employing, for example, a web crawler to probe target applications. Once a preliminary application model is generated it can be operated in a training mode. An administrator may tune the application model by adding a request that was incorrectly marked as non-compliant to the application model.
    Type: Grant
    Filed: December 10, 2008
    Date of Patent: April 7, 2015
    Assignee: F5 Networks, Inc.
    Inventor: David Movshovitz
  • Patent number: 9003514
    Abstract: A system and method to troubleshoot a defect in at least one machine is provided. The system includes a portable device having a tracking system to detect when within a threshold proximity of a machine, and a controller to perform the steps of: authenticating the user to operate the portable device and communicating a first signal including the unique identifier of the portable device in response to detecting when within threshold proximity of the at least one machine. The system can further include an agent located at the machine to receive the first signal from the portable device, and in response to automatically verify authorization of the portable device to access the machine; and automatically trigger transmission of operational data of the at least one machine to the portable device over a secure channel.
    Type: Grant
    Filed: August 29, 2013
    Date of Patent: April 7, 2015
    Assignee: General Electric Company
    Inventor: Sridhar Nuthi
  • Publication number: 20150096011
    Abstract: A system and methods for the migration of complex computer applications and the workloads comprising them between physical, virtual, and cloud servers that span a hybrid cloud environment comprising private local and remote customer data centers and public cloud data centers, without modification to the applications, their operational environments, or user access procedures. A virtual network manager securely extends the subnets and VLANS within the customer's various data center across the distributed, hybrid environment using overlay networks implemented with virtual network appliances at nodes of the overlay network. A server migrater migrates individual workloads of servers used by the complex application from one pool of server resources to another. A migration manager application provides a control interface, and also maps and manages the resources of the complex application, the hybrid environment, and the virtual network spanning the hybrid cloud environment.
    Type: Application
    Filed: October 1, 2014
    Publication date: April 2, 2015
    Inventor: Charles Thomas Watt
  • Patent number: 8997208
    Abstract: A VPN gateway device is able to assign, manage, and terminate a large volume of connections from apps executing on devices, enabling a large scale per-app VPN mobile environment. When a mobile device user opens an app on a mobile device, a VPN gateway transmits a unique IP address to the app. The gateway also transmits an app federation cookie to the app. The app shares the app federation cookie with a second app. The VPN gateway then assigns the second app the same unique IP address. The gateway then transmits a range of ports to the first app. The app uses a port in the range of ports for data transmission from the device to the VPN gateway. The gateway receives a data transmission from the first app via a VPN and determines that the data transmission originated from the first app based on the source port.
    Type: Grant
    Filed: August 14, 2014
    Date of Patent: March 31, 2015
    Assignee: Mocana Corporation
    Inventors: Timothy S. Champagne, Kevin P. Fox, Daniel Murphy, Brian H. Pescatore, Kenneth J. Wante
  • Patent number: 8997207
    Abstract: A method and system that modularizes a message by separating the message definition data from the message data. The message definition data and message data are transmitted over a secure channel to a target computing device. The message definition data and message data are recombined to form the original message at the target computer using a process corresponding to the modularization process. A key is used to track the associated definitions and message data and determine the corresponding combination process. Separate transmission of the data definitions and message data provides an added level of security. If message data is intercepted and decrypted by a third party, then the data is not easily utilized, because the definition data is absent. Similarly, interception of the message definition is not useful without the message data.
    Type: Grant
    Filed: September 24, 2009
    Date of Patent: March 31, 2015
    Assignee: SAP AG
    Inventor: Robert Heidasch
  • Patent number: 8997206
    Abstract: The present invention provides a new network topology. More specifically, a peer-to-peer network is defined on a virtual private network. The peer-to-peer network comprises a set of specified users within a virtual private network that are allowed to communicate according to predetermined rules enforced by the peer-to-peer network itself. This affords secure communication between the specified users of the peer-to-peer network independent of the virtual private network.
    Type: Grant
    Filed: June 6, 2007
    Date of Patent: March 31, 2015
    Assignee: Avaya Inc.
    Inventors: Joseph Curcio, Mahalingam Mani
  • Publication number: 20150089629
    Abstract: Embodiments of the present invention provide a network label allocation method, a device, and a system, which enable a local PE to distinguish packets from different remote PEs. The method includes: generating, by a local provider edge PE, a VPN label route for each remote PE, where VPN labels in VPN label routes of different remote PEs are different, and the remote PE and the local PE at least belong to a same VPN; and sending the VPN label route to the remote PE, so that the remote PE separately matches an IP address of the remote PE with a target device IP address in the VPN label route, and matches an import route target RT of each VRF of the remote PE with a route target RT in the VPN label route, a packet related to a successfully matched VRF.
    Type: Application
    Filed: December 5, 2014
    Publication date: March 26, 2015
    Applicant: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Rui GU, Jie Dong, Lianshu Zheng
  • Patent number: 8990920
    Abstract: An Internet-enabled device, such as a smartphone, tablet, PC, wearable sensor, or household appliance, executes an application (or “app”) that has its own VPN connection with a VPN gateway device. The app does not use the device-level or system VPN to connect with the gateway. The app, which may be security wrapped, is made more secure by having its own VPN tunnel with the gateway, wherein the VPN tunnel is not used by other apps running on the device. The conventional (or device-level) VPN connection is not used by the app(s). The app has its own IP stack, an HTTP proxy layer, an IPsec module, and a virtual data link layer which it uses to build IP packets, encapsulate them, and transmit them to a transport module in the device operating system, for example, a UDP module.
    Type: Grant
    Filed: May 1, 2013
    Date of Patent: March 24, 2015
    Assignee: Mocana Corporation
    Inventors: Michael Scott Pontillo, James Blaisdell, Shawn-Lin Dzeng
  • Publication number: 20150082418
    Abstract: A virtual network (VN) realization method and system are provided. The method includes setting a VN-AP in a data center network and/or a broadband network. A service deployment and management function entity receives a VN service request from a user to generate feature information of the VN; a PC/VM automatically discovers the VN-AP, the automatically discovered VN-AP generates the VN forwarding table entry of the PC/VM after the PC/VM passes the identity authentication of the VN, and performs tunnel encapsulation according to the VN forwarding table entry to forward a packet from the PC/VM. By discovering a VN-AP for processing a VN automatically, the disclosure realizes the automatic and rapid deployment of the VN.
    Type: Application
    Filed: April 10, 2013
    Publication date: March 19, 2015
    Inventor: Zhongyu Gu
  • Publication number: 20150082419
    Abstract: A process is disclosed in which all network traffic between a mobile device and an untrusted network arriving before the establishment of a VPN tunnel is dropped in response to rules imposed by the mobile device's operating system. Once a VPN tunnel is established all communication from the mobile device is secured, without an intervention on the part of the user of the device. A device supporting such a process is also disclosed.
    Type: Application
    Filed: October 3, 2014
    Publication date: March 19, 2015
    Inventor: Jeff SHARKEY
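The lockdown rule in the application above, modelled as an added example (not the applicant's code): every outbound packet is dropped until the tunnel is up, and afterwards only packets that leave through the tunnel interface pass. One assumption is made that the abstract leaves implicit: the VPN client's own outer packets to the VPN server must be let out, or the tunnel could never be established. Interface names, the server endpoint, the client's uid and the sample packets are constructed here.

```python
"""Always-on VPN lockdown: drop all traffic until the tunnel is established.

Added example, not the applicant's code. Interface names, the VPN server
endpoint, the client's uid and the sample packets are constructed here.
Assumption: the VPN client's own packets to the VPN server are exempt,
otherwise the tunnel could never come up.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple

VPN_UID = 1000                          # constructed: uid of the VPN client app
VPN_SERVER = ("203.0.113.10", 4500)     # constructed: tunnel endpoint (TEST-NET-3 address)
TUNNEL_IFACE = "tun0"


class TunnelState(Enum):
    DOWN = "down"
    UP = "up"


@dataclass(frozen=True)
class Packet:
    uid: int        # app that generated the packet
    iface: str      # interface the packet would leave on
    dst_ip: str
    dst_port: int


class LockdownPolicy:
    """OS-level egress rule: nothing leaves the device except through the tunnel."""

    def __init__(self) -> None:
        self.state = TunnelState.DOWN

    def set_state(self, state: TunnelState) -> None:
        self.state = state

    def allow(self, pkt: Packet) -> bool:
        if pkt.iface == "lo":
            return True                                   # loopback never reaches the untrusted network
        if pkt.uid == VPN_UID and (pkt.dst_ip, pkt.dst_port) == VPN_SERVER:
            return True                                   # outer packets that establish/keep the tunnel
        # Everything else is dropped unless the tunnel is up AND the packet goes through it.
        return self.state is TunnelState.UP and pkt.iface == TUNNEL_IFACE

    def filter(self, pkts: List[Packet]) -> List[Tuple[Packet, str]]:
        return [(p, "allow" if self.allow(p) else "drop") for p in pkts]


def demo() -> List[str]:
    """Walk through boot -> tunnel up -> tunnel lost, returning the verdicts in order."""
    policy = LockdownPolicy()
    app_direct = Packet(uid=10042, iface="wlan0", dst_ip="198.51.100.5", dst_port=443)
    app_tunnel = Packet(uid=10042, iface=TUNNEL_IFACE, dst_ip="198.51.100.5", dst_port=443)
    ike = Packet(uid=VPN_UID, iface="wlan0", dst_ip=VPN_SERVER[0], dst_port=VPN_SERVER[1])
    dns_leak = Packet(uid=10042, iface="wlan0", dst_ip="192.0.2.53", dst_port=53)

    verdicts: List[str] = []
    verdicts += [v for _, v in policy.filter([app_direct, dns_leak, ike])]   # before the tunnel exists
    policy.set_state(TunnelState.UP)
    verdicts += [v for _, v in policy.filter([app_tunnel, app_direct])]      # tunnel up: only tun0 passes
    policy.set_state(TunnelState.DOWN)                                       # tunnel lost mid-session
    verdicts += [v for _, v in policy.filter([app_tunnel, app_direct])]
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The case worth testing in a real deployment is the last one: when the tunnel drops, traffic must stay blocked rather than fall back to the untrusted interface. On a Linux-based device the same policy is normally expressed in the packet filter with matches on the owning uid and the output interface rather than in application code.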
  • Patent number: 8984619
    Abstract: According to one aspect, the subject matter described herein includes a method for communicating an encrypted data packet. The method includes steps occurring at a first gateway node. The method also includes receiving a data packet from a first host. The method further includes determining that a first security association (SA) instance associated with the data packet is in an inactive state. The method further includes identifying a second SA instance that is both associated with the data packet and in an active state. The method further includes forwarding the data packet to the second SA instance.
    Type: Grant
    Filed: July 12, 2013
    Date of Patent: March 17, 2015
    Assignee: Genband US LLC
    Inventors: Allain Legacy, Matthew Lorne Peters
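The selection step in the abstract above, as an added example (not Genband code): the gateway finds the SA instances whose selector covers the packet, uses the first one if it is active, and otherwise forwards to another instance for the same traffic that is active. The SA table, SPIs, prefixes and node names are constructed for illustration; a packet with no active SA is failed closed here, which is a policy choice of this example.

```python
"""Forwarding to an active SA instance when the first match is inactive.

Added example following the abstract above; not Genband code. The SA
table, SPIs, prefixes and node names are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class SAInstance:
    spi: int
    selector: str     # destination prefix this SA protects
    state: str        # "active" or "inactive"
    owner: str        # gateway node holding the instance (redundant pair)

    def covers(self, dst_ip: str) -> bool:
        return ip_address(dst_ip) in ip_network(self.selector)


class GatewayNode:
    def __init__(self, name: str, sad: List[SAInstance]) -> None:
        self.name = name
        self.sad = sad   # security association database, in lookup order

    def select_sa(self, dst_ip: str) -> Optional[SAInstance]:
        """First matching instance if active; otherwise another active instance
        for the same traffic; None if no instance is active."""
        candidates = [sa for sa in self.sad if sa.covers(dst_ip)]
        if not candidates:
            return None
        if candidates[0].state == "active":
            return candidates[0]
        return next((sa for sa in candidates[1:] if sa.state == "active"), None)

    def forward(self, dst_ip: str) -> Tuple[str, Optional[int]]:
        """Return (verdict, spi): encrypt under the chosen SA, or drop.
        Dropping when nothing covers the traffic is this example's fail-closed
        choice; a real SPD may carry an explicit bypass entry instead."""
        sa = self.select_sa(dst_ip)
        if sa is None:
            return ("drop", None)
        return ("encrypt", sa.spi)

    def mark_inactive(self, spi: int) -> None:
        for sa in self.sad:
            if sa.spi == spi:
                sa.state = "inactive"


def demo() -> List[Tuple[str, Optional[int]]]:
    sad = [
        SAInstance(0x1001, "198.51.100.0/24", "inactive", "gw-b"),   # first match, but inactive
        SAInstance(0x1002, "198.51.100.0/24", "active", "gw-a"),     # same traffic, active
        SAInstance(0x2001, "192.0.2.0/24", "active", "gw-a"),
    ]
    gw = GatewayNode("gw-a", sad)
    out = [gw.forward("198.51.100.7"), gw.forward("192.0.2.9"), gw.forward("203.0.113.1")]
    gw.mark_inactive(0x2001)          # e.g. the instance expired or its node failed
    out.append(gw.forward("192.0.2.9"))
    return out


if __name__ == "__main__":
    for verdict, spi in demo():
        print(verdict, hex(spi) if spi is not None else "-")
```

The last case is the one to watch operationally: once the only instance for a prefix goes inactive, traffic for it stops rather than leaving in the clear, so monitoring should alarm on the drop counter, not just on SA state.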
  • Patent number: 8983074
    Abstract: An input content data managing system includes a first electronic storing apparatus that stores encoded content data generated by encoding content data with a cryptographic key; a second electronic storing apparatus that stores the cryptographic key with corresponding digest-value data of the encoded content data capable of identifying sameness of the encoded content data; a matching unit that determines a matched cryptographic key stored in the second storing apparatus for the encoded content data stored in the first storing apparatus, the matching using, as a matching key, at a predetermined time, digest-value data of the encoded content data obtained from the encoded content data stored in the first storing apparatus to match with the digest-value data of the encoded content data stored in the second storing apparatus, in order to obtain the content data by decoding the encoded content data using the matched cryptographic key.
    Type: Grant
    Filed: June 26, 2012
    Date of Patent: March 17, 2015
    Assignee: Quad, Inc.
    Inventor: Kozo Tagawa
  • Patent number: 8984618
    Abstract: Disclosed is a system for managing virtual private networks (VPNs), including: terminals configured to transmit user data; a manager configured to transmit information for concealing networks and managing the VPNs; border gateways configured to decrypt the user data and perform a network address translation (NAT) procedure and a filtering procedure on the decrypted user data based on the information; and servers configured to receive the user data subjected to the NAT procedure and the filtering procedure, wherein the filtering procedure is a procedure discarding the user data to be transferred to the servers that are not allowed so as to allow the terminals to access only the allowed servers, the NAT procedure is a procedure changing an Internet protocol (IP) address used in a first network to an IP address used in a second network, and the first network and the second network are different networks.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: March 17, 2015
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Ho Sun Yoon, Sung Back Hong, Jung Sik Kim, Seong Moon, Sun Cheul Kim, Seung Woo Hong, Sang Jin Hong, Pyung Koo Park, Young Soo Shin, Ho Yong Ryu, Soon Seok Lee
  • Patent number: 8984621
    Abstract: Techniques for secure access management to virtual environments are provided. A user authenticates to a portal for purposes of establishing a virtual machine (VM). The portal interacts with a cloud server and an identity server to authenticate the user, to acquire an Internet Protocol (IP) address and port number for the VM, and to obtain a secure token. The user then interacts with a secure socket layer virtual private network (SSL VPN) server to establish a SSL VPN session with the VM. The SSL VPN server also authenticates the token through the identity server and acquires dynamic policies to enforce during the SSL VPN session between the user and the VM (the VM managed by the cloud server).
    Type: Grant
    Filed: February 27, 2010
    Date of Patent: March 17, 2015
    Assignee: Novell, Inc.
    Inventors: Lloyd Leon Burch, Prakash Umasankar Mukkara, Douglas Garry Earl
  • Publication number: 20150074769
    Abstract: A method of accessing a network securely using a personal device which can only access the network via one or more authorized access points, the method including establishing a connection between the network and the personal device via an access point; checking in the network whether the access point is on a white list of authorized access points for use with the network; if the access point is on the white list, allowing the personal device to access the network securely via the access point; and if the access point is not on the white list, not allowing the personal device to access the network securely.
    Type: Application
    Filed: June 30, 2014
    Publication date: March 12, 2015
    Applicant: Fujitsu Limited
    Inventors: Rajaguru Mudiyanselage Mythri HUNUKUMBURE, David SNELLING, Roger MENDAY
  • Publication number: 20150074794
    Abstract: Disclosed is a system for accessing data of a cloud database via transparent technology, and the system includes at least one channel server and at least one cloud database end. When a connection notice is outputted from an application end, the user channel unit detects a first server address and a first database address in a HTTP data format, and connects to a corresponding channel server via the HTTP tunnel to send a database request, so that the channel server can convert the first database address in the HTTP data format into a TCP/IP data format and then connect to a corresponding database end. Therefore, the application end can access data from the database behind the firewall via the Internet without modifying any program code.
    Type: Application
    Filed: September 6, 2013
    Publication date: March 12, 2015
    Applicant: SYSCOM COMPUTER ENGINEERING CO.
    Inventors: Ching-Ju Chuang, Pei-Fen Hu, Shu-Yuan Hu, Kun-Ting Chiu
  • Publication number: 20150074793
    Abstract: Techniques for placing a virtual edge gateway appliance on at least one host computing system are described. In one embodiment, a virtual switch assigned to a tenant for creating virtual networks is identified. Further, at least one host computing system having access to the virtual switch is identified. Furthermore, placing a virtual edge gateway appliance on the at least one identified host computing system is recommended to allow connectivity to networks created using the virtual switch assigned to the tenant.
    Type: Application
    Filed: September 6, 2013
    Publication date: March 12, 2015
    Applicant: VMware, Inc.
    Inventors: Tanmay Dalvi, Amita Savagaonkar
  • Patent number: 8976798
    Abstract: An approach for providing secure communication services is disclosed. A secure (e.g., a Virtual Private Network (VPN)) tunnel is established from a source node over an access network, such as a satellite network, to a destination node, wherein the nodes are external to the network. A connection that supports a mechanism for enhancing performance of the network is established for a portion of the secure tunnel that traverses the network.
    Type: Grant
    Filed: January 28, 2003
    Date of Patent: March 10, 2015
    Assignee: Hughes Network Systems, LLC
    Inventors: John Border, Douglas Dillon, Peter Pardee
  • Patent number: 8977775
    Abstract: Techniques for identity and policy based routing are presented. A resource is initiated on a device with a resource identity and role assignments along with policies are obtained for the resource. A customized network is created for the resource using a device address for the device, the resource identity, the role assignments, and the policies.
    Type: Grant
    Filed: May 30, 2013
    Date of Patent: March 10, 2015
    Assignee: Novell, Inc.
    Inventors: Jeremy Ray Brown, Jason Allen Sabin, Nathaniel Brent Kranendonk, Kal A. Larsen, Lloyd Leon Burch, Stephen R. Carter
  • Patent number: 8978104
    Abstract: Methods and systems are disclosed for providing indirect and temporary access to a company's IT infrastructure and business applications. The methods/systems involve establishing an access control center (ACC) to control the access that technical support personnel may have to the company's IT infrastructure and business applications. Thin client terminals with limited functionality may then be set up in the ACC for use by the technical support personnel. The thin client terminals connect the technical support personnel to workstations outside the ACC that operate as virtual desktops. The virtual desktops in turn connect the technical support personnel to the IT infrastructure and business applications. An ACC application may be used to control the connection between the thin client terminals and the virtual desktops and the virtual desktops and the IT infrastructure and business applications.
    Type: Grant
    Filed: July 23, 2008
    Date of Patent: March 10, 2015
    Assignee: United Services Automobile Association (USAA)
    Inventors: Christopher Thomas Wilkinson, Edward Allen Francovich
  • Patent number: 8972475
    Abstract: Secure communications are provided over a network in a distributed workload environment having target hosts which are accessed through a distribution processor by a common network address. Secure communications are provided by routing both inbound and outbound communications with target hosts which are associated with a secure network communication through the distribution processor. Both inbound and outbound secure network communications are processed at the distribution processor so as to provide network security processing of communications from the target host and network security processing of communications to the target host.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: March 3, 2015
    Assignee: International Business Machines Corporation
    Inventors: James Russell Godwin, David Anthony Herr, Linwood H. Overby, Jr.
  • Publication number: 20150058969
    Abstract: Virtual desktops are hosted on one or more remote desktop hosts at one or more private locations of an enterprise, remote from a service provider location, and behind a firewall on a private computer network. The desktops are remotely managed through resources at a service provider data center, optionally along with other virtual desktops hosted on desktop hosts at the service provider data center. The remote desktop hosts can be pre-configured with known storage, compute and connectivity resources. The remote desktop hosts can be remotely managed through a resource management appliance, i.e., a management system running resource management software, which can be located at either the service provider data center or the tenant data center.
    Type: Application
    Filed: August 21, 2014
    Publication date: February 26, 2015
    Inventors: Kenneth N. Ringdahl, Anthony Alvino, JR., Daniel B. Allan
  • Publication number: 20150058456
    Abstract: A method of managing a network. The method includes receiving an activation key transmitted from a device connected to the network, automatically transmitting a configuration to the device, automatically maintaining the configuration of the device, and receiving log information from the device.
    Type: Application
    Filed: March 19, 2014
    Publication date: February 26, 2015
    Applicant: Clearpath Networks, Inc.
    Inventors: Robert T. Staats, Clifford H. Young
  • Patent number: 8966611
    Abstract: A mechanism for segregating traffic amongst STAs that are associated with a bridge, referred to herein as the personal virtual bridged local area network (personal VLAN), is based upon the use of a VLAN to segregate traffic. The IEEE 802.1Q-1998 (virtual bridged LANs) protocol provides a mechanism that is extended by the invention to partition a LAN segment logically into multiple VLANs. One embodiment of the invention extends the standard VLAN bridge model to provide a mechanism that is suitable for use within an AP. In a preferred embodiment, the Personal VLAN bridge extends the standard VLAN bridge in at least any of the following ways: VLAN discovery in which a personal VLAN bridge provides a protocol for VLAN discovery; VLAN extension in which a Personal VLAN allows a station to create a new port that serves a new VLAN, or to join an existing VLAN via an authentication protocol.
    Type: Grant
    Filed: August 20, 2012
    Date of Patent: February 24, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Dennis Michael Volpano
  • Patent number: 8959614
    Abstract: An apparatus and method for providing a virtual private network (VPN) service based on mutual authentication are provided, the apparatus including a storage unit configured to store a first public key and a second public key; an authentication unit configured to authenticate a VPN server with the first public key and to authenticate a user device with the second public key; and a tunnel management unit configured to generate a first VPN tunnel and a second VPN tunnel to relay data between the user device and the VPN server based on the authentication of the VPN server and the user device by the authentication unit.
    Type: Grant
    Filed: November 29, 2011
    Date of Patent: February 17, 2015
    Assignee: Samsung SDS Co., Ltd.
    Inventors: Seok-Min Lee, Nam-Soo Jeon, Seung-Woo Nam, Jin-Yong Kim
  • Patent number: 8958292
    Abstract: Port security in some embodiments is a technique to apply to a particular port of a logical switching element such that the network data entering and exiting the logical switching element through the particular logical port have certain addresses that the switching element has restricted the logical port to use. For instance, a logical switching element may restrict a particular logical port to one or more certain network addresses. To enable a logical port of a logical switch for port security, the control application of some embodiments receives user inputs that designate a particular logical port and a logical switch to which the particular logical port belongs. The control application in some embodiments formats the user inputs into logical control plane data specifying the designation. The control application in some embodiments then converts the logical control plane data into logical forwarding data that specify port security functions.
    Type: Grant
    Filed: July 6, 2011
    Date of Patent: February 17, 2015
    Assignee: Nicira, Inc.
    Inventors: Bryan J. Fulton, Pankaj Thakkar, Teemu Koponen, Peter J. Balland, III
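The two stages the abstract above describes, as an added example (not Nicira or VMware code): a user's port designation is captured as control plane data, compiled into match/action forwarding rules that pin the port to its permitted source addresses on ingress and permitted destination addresses on egress, and frames are then evaluated against those rules. Switch and port names, addresses, the rule shape, the priorities and the broadcast exemption are constructed for this illustration.

```python
"""Port security on a logical switch: compile a per-port address restriction
into forwarding rules and evaluate frames against them.

Added example, not Nicira/VMware code. Switch and port names, addresses,
the rule shape, the priorities and the broadcast exemption are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Match = Tuple[Tuple[str, str], ...]
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class PortSecurityRequest:
    """Logical control plane data: the user's designation of a port on a
    logical switch and the addresses that port may use."""
    switch: str
    port: str
    macs: Set[str]
    ips: Set[str]


@dataclass(frozen=True)
class FlowRule:
    """Logical forwarding data: one match/action entry."""
    priority: int
    match: Match
    action: str        # "allow" or "drop"


def compile_port_security(req: PortSecurityRequest) -> List[FlowRule]:
    rules: List[FlowRule] = []
    # Ingress from the port: only the permitted (src_mac, src_ip) pairs pass.
    for mac in sorted(req.macs):
        for ip in sorted(req.ips):
            rules.append(FlowRule(100, (("in_port", req.port), ("src_mac", mac), ("src_ip", ip)), "allow"))
    rules.append(FlowRule(50, (("in_port", req.port),), "drop"))
    # Egress to the port: only frames addressed to the port's own MAC (or broadcast).
    for mac in sorted(req.macs):
        rules.append(FlowRule(100, (("out_port", req.port), ("dst_mac", mac)), "allow"))
    rules.append(FlowRule(100, (("out_port", req.port), ("dst_mac", BROADCAST)), "allow"))
    rules.append(FlowRule(50, (("out_port", req.port),), "drop"))
    return rules


def verdict(rules: List[FlowRule], fields: Dict[str, str]) -> str:
    """Highest-priority matching rule wins; a port with no rules defaults to allow."""
    best = None
    for r in rules:
        if all(fields.get(f) == v for f, v in r.match):
            if best is None or r.priority > best.priority:
                best = r
    return best.action if best else "allow"


def demo() -> List[str]:
    req = PortSecurityRequest("ls0", "vm1-port", {"02:00:00:00:00:01"}, {"10.0.0.11"})
    rules = compile_port_security(req)
    checks = [
        {"in_port": "vm1-port", "src_mac": "02:00:00:00:00:01", "src_ip": "10.0.0.11"},   # legitimate
        {"in_port": "vm1-port", "src_mac": "02:00:00:00:00:01", "src_ip": "10.0.0.99"},   # IP spoof
        {"in_port": "vm1-port", "src_mac": "02:00:00:00:00:02", "src_ip": "10.0.0.11"},   # MAC spoof
        {"out_port": "vm1-port", "dst_mac": "02:00:00:00:00:01"},                          # addressed to the VM
        {"out_port": "vm1-port", "dst_mac": "02:00:00:00:00:02"},                          # not for this port
        {"out_port": "vm1-port", "dst_mac": BROADCAST},                                    # broadcast (ARP etc.)
        {"in_port": "vm2-port", "src_mac": "02:00:00:00:00:09", "src_ip": "10.0.0.99"},   # unsecured port
    ]
    return [verdict(rules, f) for f in checks]


if __name__ == "__main__":
    print(demo())
```

Ingress pinning of the source IP is what stops a compromised guest from spoofing a neighbour's address; the practical complication a real implementation must handle is traffic that legitimately carries other source addresses, such as DHCP discovery from 0.0.0.0 or ARP, which the ingress rules above would drop as written.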
  • Patent number: 8954964
    Abstract: Provided herein are systems and methods for providing isolated virtual image communication in a virtual computing environment. Initially, a guest virtual machine that is activated in a virtual computing environment may be isolated into a private network. A service request may then be formulated at the guest virtual machine and addressed to a predetermined non-existent address. The request is then ostensibly sent to the predetermined address, whereupon the service request is actually transmitted to a shared resource with a security appliance machine in the virtual computing environment. The request is then forwarded to the security appliance machine and a reply formulated. The reply is sent back to the guest virtual machine via the shared resource.
    Type: Grant
    Filed: February 27, 2012
    Date of Patent: February 10, 2015
    Assignee: CA, Inc.
    Inventors: Igal Weinstein, Nir Barak