Virtual Private Network Or Virtual Terminal Protocol (i.e., VPN Or VTP) Patents (Class 726/15)
  • Patent number: 8955093
    Abstract: A network system includes a security device and a network access device. The network access device is to receive a packet from a source node destined to a destination node, and to examine a data structure maintained by the network access device to determine whether the data structure stores a data member having a predetermined value, the data member indicating whether the packet should undergo security processing. If the data member matches the predetermined value, the packet is transmitted to a security device associated with the network access device to allow the security device to perform content inspection, and in response to a response received from the security device, the packet is routed to the destination node dependent upon the response. Otherwise, the packet is routed to the destination node without forwarding the packet to the security device.
    Type: Grant
    Filed: April 10, 2013
    Date of Patent: February 10, 2015
    Assignee: Varmour Networks, Inc.
    Inventors: Choung-Yaw Michael Shieh, Meng Xu, Yi Sun, Jia-Jyi Roger Lian
  • Patent number: 8955100
    Abstract: An MPLS-aware firewall allows firewall security policies to be applied to MPLS traffic. The firewall, which may be integrated within a routing device, can be configured into multiple virtual security systems. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to the packets. The user interface allows the user to define different zones and policies for different ones of the virtual security systems. In addition, the user interface supports a syntax that allows the user to define the zones for the firewall by specifying the customer VPNs as interfaces associated with the zones. The routing device generates mapping information for the integrated firewall to map the customer VPNs to specific MPLS labels for the MPLS tunnels carrying the customer's traffic.
    Type: Grant
    Filed: November 5, 2012
    Date of Patent: February 10, 2015
    Assignee: Juniper Networks, Inc.
    Inventors: Kannan Varadhan, Joao Campelo F. N. Gomes
  • Patent number: 8955150
    Abstract: The present invention relates to an apparatus and a method for managing digital rights using virtualization technique, and more particularly to an apparatus and a method for enabling a user to access a desired text file in an independent area through a virtual machine corresponding to a licensed right for accessing the text file. The present invention comprises a virtual machine (VM) management unit for controlling a user access authorization function for accessing the text file in the area to which the virtualization technique is applied.
    Type: Grant
    Filed: September 10, 2010
    Date of Patent: February 10, 2015
    Assignee: Fasoo.com Co. Ltd.
    Inventor: Chel Park
  • Patent number: 8955099
    Abstract: A device creates a pool of available licenses for secure network resources, and receives an unused license from a network device. The device also provides the unused license in the pool of available licenses, and receives a request for a license from another network device. The device further provides, to the other network device, the unused license from the pool of available licenses.
    Type: Grant
    Filed: December 3, 2010
    Date of Patent: February 10, 2015
    Assignee: Juniper Networks, Inc.
    Inventors: Kanti Varanasi, Kevin Peterson
  • Patent number: 8949968
    Abstract: An integrated, multi-service network client for cellular mobile devices is described. The multi-service network client can be deployed as a single software package on cellular mobile network devices to provide integrated services including secure enterprise virtual private network (VPN) connectivity, acceleration, security management including monitored and enforced endpoint compliance, and collaboration services. Once installed on the cellular mobile device, the multi-service client integrates with an operating system of the device to provide a single entry point for user authentication for secure enterprise connectivity, endpoint security services including endpoint compliance with respect to anti-virus and spyware software, and comprehensive integrity checks.
    Type: Grant
    Filed: February 23, 2012
    Date of Patent: February 3, 2015
    Assignee: Pulse Secure, LLC
    Inventors: Vikki Yin Wei, Subramanian Iyer, Richard Campagna, James Wood
  • Patent number: 8949969
    Abstract: A system to ensure compliance with data security standards. The system including a security appliance to perform multiple security functions, the security appliance in communication with a plurality of network devices, the security appliance identifying each network device from the plurality of network devices as being included in one of a first zone containing confidential data and a second zone not containing confidential data. The system including a display unit to provide information of compliance performance of the system on a secure basis. The system further including a control unit to monitor compliance performance in real-time to ensure that each network device included in the first zone containing the confidential data is compliant with data security standards regardless of the compliance of each network device included in the second zone with the data security standards.
    Type: Grant
    Filed: August 13, 2012
    Date of Patent: February 3, 2015
    Assignee: Reliant Security
    Inventor: Richard Newman
  • Patent number: 8949929
    Abstract: Methods and devices provide a secure virtual environment within a mobile device for processing documents and conducting secure activities. The methods and devices create a secure application environment in which secure data and documents may be segregated from unsecured data using document encryption, allowing the application of security policies to only the secure application environment. The creation of a secure application environment allows users to access and manipulate secure data on any mobile device, not just specifically designated secure devices, without having to secure all data on the mobile device, while providing the corporate entity with necessary document security. The methods and devices provide for securing data on a mobile device at the data level using encryption.
    Type: Grant
    Filed: August 10, 2011
    Date of Patent: February 3, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Charles C. Kelly, Joshua R. Davis
  • Publication number: 20150033324
    Abstract: One embodiment of the present invention provides a system for providing exclusive access to a virtual private network (VPN) connection to an authorized application. During operation, the system creates a unique network namespace that is different from a default network namespace of a host system. The system then places a pseudo network interface associated with the VPN connection into the unique network namespace. Furthermore, the system places at least one socket for an authorized application into the unique network namespace. The system also precludes unauthorized applications on the host from accessing the unique network namespace, thereby facilitating exclusive access to the VPN connection by the authorized application.
    Type: Application
    Filed: October 14, 2014
    Publication date: January 29, 2015
    Applicant: VMware, Inc.
    Inventors: Alexander Fainkichen, Craig Newell
  • Publication number: 20150033325
    Abstract: Systems, methods and apparatuses of establishing an IPsec (Internet Protocol Security) VPN (Virtual Private Network) tunnel are disclosed. One method includes receiving, by a wireless mesh network access point, a user configuration, wherein the user configuration includes a type of traffic, determining an internal interface of the wireless mesh network access node based on the type of traffic, dynamically determining a local endpoint address for the IPsec VPN tunnel based on the selected internal interface, establishing the IPsec VPN tunnel through the selected internal interface of the wireless mesh network access node, and encapsulating non-IP packets of non-IP traffic within IP packets.
    Type: Application
    Filed: October 15, 2014
    Publication date: January 29, 2015
    Applicant: Tropos Networks, Inc.
    Inventors: Danu Tjahjono, Rafiq Shaikh, Wenge Ren
  • Patent number: 8943596
    Abstract: An improved emulator for analyzing software code, and associated method. The emulator includes a virtual execution environment in which a series of virtual processing states are represented during emulation of a first portion of the software code, and a hardware accelerator that performs an initialization of the computing hardware to directly execute a second portion of the software code under investigation without emulation thereof in the virtual execution environment. An efficiency assessment module determines a measure of efficiency of performing the executing of the second portion of the software code under investigation without emulation thereof, and an acceleration decision module performs selection of the second portion of the software code under investigation to be directly executed by the hardware accelerator module based on the determined measure of efficiency.
    Type: Grant
    Filed: March 28, 2013
    Date of Patent: January 27, 2015
    Assignee: Kaspersky Lab ZAO
    Inventor: Sergey Y. Belov
  • Patent number: 8943304
    Abstract: Systems and methods are described for using a client agent operating in a virtual private network environment to intercept HTTP communications. Methods include: intercepting at the network layer, by a client agent executing on a client, an HTTP request from an application executing on the client; modifying the HTTP request; and transmitting, via a transport layer connection, the modified HTTP request to a server. Additional methods may comprise adding, removing, or modifying at least one cookie in the HTTP request. Still other methods may comprise modifying at least one name-value pair contained in the HTTP request. Corresponding systems are also described.
    Type: Grant
    Filed: August 3, 2006
    Date of Patent: January 27, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Junxiao He, Charu Venkatraman, Ajay Soni
  • Publication number: 20150019859
    Abstract: Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a method is provided for delivering customized network services to subscribers of a service provider. Multiple virtual routers (VRs) are provided within each of multiple service processing switches of a service provider. Each VR is supported by an object group and each object of the object group supports a network service. One or more VRs are assigned to a subscriber of multiple subscribers of the service provider. Customized network services are provided to the subscriber by the one or more VRs assigned to the subscriber.
    Type: Application
    Filed: February 11, 2014
    Publication date: January 15, 2015
    Applicant: FORTINET, INC.
    Inventors: Chih-Tiang Sun, Kiho Yum, Abraham R. Matthews
  • Publication number: 20150013001
    Abstract: The present disclosure provides systems and methods for establishing a connection between an appliance and a home energy management device. Upon being prompted by a user, the home energy management device can create a private network for a limited period of time. Then, upon also being prompted by the user, an appliance can request to join the private network. If the appliance satisfies any required security criteria, the home energy management device can securely provide local area network access data to the appliance over the private network. After receiving such access data, the appliance can connect to the wireless local area network and establish a secure connection with the home energy management device via a router of the local area network. In one implementation, both the home energy management device and the appliance can be prompted by the user by simply pressing a button or other user-operable selector.
    Type: Application
    Filed: July 3, 2013
    Publication date: January 8, 2015
    Inventors: Dong Hun Lee, Dong Soo Shin, Kevin Farrelly Nolan
  • Patent number: 8931077
    Abstract: A security system for a computer network that has a plurality of devices connected thereto comprises a security subsystem, a master system and a secure link. The security subsystem is implemented on a first computer and is connected to at least some of the devices in the network. The security subsystem is configured to monitor activities of the at least some devices on the network and detect attacks on the at least some devices. The master system is implemented on a second computer which is different from the first computer. The master system monitors the integrity of the security subsystem and registers information pertaining to attacks detected by the security subsystem. The secure link is connected between the security subsystem and the master system. The master system monitors the integrity of the security subsystem and receives the information pertaining to the attacks through the secure link.
    Type: Grant
    Filed: August 10, 2012
    Date of Patent: January 6, 2015
    Assignee: Solutionary, Inc.
    Inventors: Michael Hrabik, Jeffrey J. Guilfoyle, Edward “Mac” Beaver
  • Patent number: 8931047
    Abstract: A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy.
    Type: Grant
    Filed: June 6, 2013
    Date of Patent: January 6, 2015
    Assignee: Stateless Networks, Inc.
    Inventors: Kelly Wanser, Andreas Markos Antonopoulos
  • Patent number: 8931078
    Abstract: Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects.
    Type: Grant
    Filed: September 17, 2013
    Date of Patent: January 6, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Gary Barton, Zhongmin Lang, Nitin Desai, James Robert Walker
  • Patent number: 8931046
    Abstract: A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: January 6, 2015
    Assignee: Stateless Networks, Inc.
    Inventors: Kelly Wanser, Andreas Markos Antonopoulos
  • Patent number: 8929546
    Abstract: A motion-based authentication method is operative in a mobile computing device having a display interface and that includes an accelerometer. Normally, the device software includes a locking mechanism that automatically locks the display interface after a configurable timeout. The authentication method operates to un-lock the display interface (and thus allow the user access to the device) by movement of the device in a predetermined series of physical movements and without display-based entry of a password or other access code on the display itself. In this manner, the user can un-lock the device without display-based entry of a password (on the display itself) by simply holding the device and performing the necessary movement(s) to generate the unique code.
    Type: Grant
    Filed: December 24, 2011
    Date of Patent: January 6, 2015
    Assignee: LogMeIn, Inc.
    Inventors: Zoran Vukoszavlyev, Marton B. Anka
  • Patent number: 8925091
    Abstract: A security assurance system includes a back-end application and a computing resource. The back-end application receives a selection of a network security product that is associated with a protected network, and receives a selection of a threat from a plurality of threats stored on the security assurance system. The computing resource launches an evaluation of the security product based upon the threat, and reports to a user of the security assurance system a result of the evaluation.
    Type: Grant
    Filed: September 1, 2011
    Date of Patent: December 30, 2014
    Assignee: Dell Products, LP
    Inventors: Ashley Thomas, Ashwin Paranjpe
  • Publication number: 20140380461
    Abstract: Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service to create and configure computer networks that are provided by the configurable network service for use by the users. Secure private access between a computer network provided for a user by the configurable network service and one or more other remote computing systems of the user (e.g., a remote private network) may be enabled in various ways. For example, a user may programmatically invoke an API provided by the configurable network service to obtain assistance in establishing remote access from a remote location to a provided computer network of the configurable network service, such as to establish a VPN connection from the remote location to the provided computer network using hardware and/or software supplied to the remote location in response to the API invocation.
    Type: Application
    Filed: September 5, 2014
    Publication date: December 25, 2014
    Inventors: Andrew J. Doane, Eric Jason Brandwine
  • Patent number: 8918859
    Abstract: A VPN connection is established between two networks (1, 6), with two communication devices (2, 7) assigned to the given networks (1, 6), a transmission device (11), and an identifying means. An initial VPN data package is transmitted from the first communication device (2) to the transmission device (11). The second communication device (7) is identified to the transmission device (11) through use of the identifying means. A second VPN data package is transmitted from the second communication device (7) to the transmission device (11). The transmission device (11) provides an initial VPN configuration parameter (12) for establishing the VPN connection between the communication devices (2, 7) for the first communication device (2), and the transmission device (11) provides a second VPN configuration parameter (13) for establishing the VPN connection between the communication devices (2, 7) for the second communication device (7).
    Type: Grant
    Filed: October 13, 2011
    Date of Patent: December 23, 2014
    Assignee: Phoenix Contact GmbH & Co. KG
    Inventor: Ingo Hilgenkamp
  • Patent number: 8918860
    Abstract: A computer-implemented method for establishing secure mobile communications is described. A virtual private network (VPN) between a mobile device and a server is established. A transmission of at least a portion of data between a first application and the server is blocked. It is determined whether the first application on the mobile device is a trusted application. Upon determining the first application is an untrusted application, a transmission of at least a portion of data between the untrusted application and the server continues to be blocked.
    Type: Grant
    Filed: January 31, 2013
    Date of Patent: December 23, 2014
    Assignee: Symantec Corporation
    Inventor: Thomas Jeffrey Enderwick
  • Patent number: 8914868
    Abstract: A technique that simplifies managing and configuring firewalls by provisioning a vendor-neutral firewall in an MPLS-VPN service network. In one example embodiment, this is accomplished by creating a vendor-neutral firewall policy using a service activation tool residing in a host server. One of the one or more VPNs requiring the provisioning of the vendor-neutral firewall in the MPLS-VPN service network is then selected. The created vendor-neutral firewall policy is then transformed to form a vendor-specific firewall policy associated with the selected one of the one or more VPNs.
    Type: Grant
    Filed: March 3, 2006
    Date of Patent: December 16, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Prasanna Anantharamiah, Venkata Raghavan Chekka, Jimmi Skaria, Vinodh T K Kumar
  • Patent number: 8914845
    Abstract: Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects.
    Type: Grant
    Filed: September 17, 2013
    Date of Patent: December 16, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Gary Barton, Zhongmin Lang, Nitin Desai, James Robert Walker
  • Publication number: 20140366121
    Abstract: A method for providing virtual private storage array (VPSA) service for cloud users over a computer network includes receiving parameters for the VPSA over the network and creating the VPSA from resources of server computers. Creating the VPSA includes allocating and exposing drives that meet or exceed specified drive characteristics, drive quantity, and array redundancy criteria to virtual controllers (VCs) in the VPSA, and dedicating parts of processor/memory complexes that each meet or exceed a specified virtual controller hardware model to the VCs. The VCs run on virtual machines on the dedicated parts of processor/memory complexes on independent server computers. The VCs discover the exposed drives, create a virtual pool from the exposed virtual drives, implement data protection on the virtual pool, create volumes from the virtual pool, expose the volumes over the network to a customer computer, and handle access requests to the volumes from the customer computer.
    Type: Application
    Filed: July 22, 2014
    Publication date: December 11, 2014
    Inventors: Nelson Nahum, Yair Hershko, Yoav Ossia, Shyam Kaushik V., Lev Vainblat, Alex Lyakas, Moshe Melnikov, Vladimir Popovski
  • Publication number: 20140366120
    Abstract: Described herein are systems and methods utilizing application-specific access to a virtual private network (“VPN”). A method may comprise receiving, from an application executing on a device, a request for a network data flow to a private network, comparing identification information associated with the application against a set of rules stored on a memory of the device, wherein the set of rules identifies conditions for the application to be authorized to access the private network, and establishing a connection for the network data flow upon the identification information satisfying the conditions for the application to access the private network.
    Type: Application
    Filed: March 31, 2014
    Publication date: December 11, 2014
    Applicant: APPLE INC.
    Inventor: James P. Wood
  • Publication number: 20140366122
    Abstract: A method and system provide a user device with secure access to an enterprise application in an enterprise network through VPN. The enterprise application is accessed from a user device such that it sends and receives data packets through the VPN client. For this, a request to send packets, originating from the user application, is intercepted by a VPN agent associated with the user application. In turn, the VPN agent associates an address of a loop-back interface with the user application. Thereafter, packets sent by the user application, are re-directed to the VPN client through the loop-back interface. Similarly, packets received by the VPN client from the enterprise network are routed through the loop-back interface to the user application.
    Type: Application
    Filed: August 25, 2014
    Publication date: December 11, 2014
    Inventor: Biju Sadasivan
  • Patent number: 8910239
    Abstract: Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects.
    Type: Grant
    Filed: September 17, 2013
    Date of Patent: December 9, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Gary Barton, Zhongmin Lang, Nitin Desai, James Robert Walker
  • Patent number: 8910278
    Abstract: What is provided are a system and method which enable an organization or user to manage computational services in a cloud computing network for security, compliance and governance. The management includes creating a trusted virtual network including encrypted data storage, encrypted data transport, and trusted instances of servers, all communicatively coupled together to form a trusted cloud computing environment that is associated with the organization. A web portal running on a web server provides a point of access to the cloud computing environment. A workflow is accessed to implement one or more policies in the trusted computing environment to manage the trusted cloud computing environment, the workflow customized to the organization. Access control to the trusted cloud computing environment is used to ensure access only by users authorized by the organization and to ensure compliance with adopted standards.
    Type: Grant
    Filed: May 18, 2011
    Date of Patent: December 9, 2014
    Assignee: CloudNexa
    Inventors: Joel Davne, Andrii Volkov, Max Yankelevich, Mikhail Malamud
  • Patent number: 8910273
    Abstract: Systems and methods for setting up VPN connection are provided. Method includes facilitating creating gateway connection between client side and server side. Client side comprises multiple client side virtual NICs and server side comprises multiple server side virtual NICs. Method includes facilitating creating data paths for VPN connection between each of at least portion of client side virtual NICs and each of at least portion of server side virtual NICs. Data path of each pair of corresponding client side virtual NICs and corresponding server side virtual NIC is associated with gateway connection and port forward. Method includes facilitating transmitting data, via first data path for VPN connection, between first client computing device communicatively coupled with corresponding client side virtual NIC of first data path and first server computing device communicatively coupled with corresponding server side virtual NIC of first data path.
    Type: Grant
    Filed: June 1, 2012
    Date of Patent: December 9, 2014
    Assignee: WYSE Technology L.L.C.
    Inventors: Andrew T. Fausak, Oleg Rombakh, De Yu Liu
  • Patent number: 8910272
    Abstract: A computer communication system, comprising a client computer (1) with an installed virtual private network (VPN) client (41) and located in a public network (3), at least one server computer (9a, 9b, 9c) located in a corporate network (8), a web server (10) remote from said client computer (1), a gateway computer (20) located in said corporate network, and a VPN server computer (30) located in said corporate network (8).
    Type: Grant
    Filed: February 28, 2008
    Date of Patent: December 9, 2014
    Assignee: HOB GmbH & Co. KG
    Inventor: Klaus Brandstatter
  • Patent number: 8904516
    Abstract: A system for connecting a first network device and a second network device includes one or more servers. The servers are configured to: (a) receive, from the first network device, a request to look up a network address of the second network device based on an identifier associated with the second network device; (b) determine, in response to the request, whether the second network device is available for a secure communications service; and (c) initiate a virtual private network communication link between the first network device and the second network device based on a determination that the second network device is available for the secure communications service, wherein the secure communications service uses the virtual private network communication link.
    Type: Grant
    Filed: June 6, 2013
    Date of Patent: December 2, 2014
    Assignee: VirnetX, Inc.
    Inventors: Victor Larson, Robert Dunham Short, III, Edmund Colby Munger, Michael Williamson
  • Patent number: 8904036
    Abstract: Described are a secure geo-location obscurity network and ingress nodes, transit nodes and egress nodes used in such a network. In particular, a novel device is provided and comprises: a node for a network, the node comprising: a private portion for allowing high bandwidth secure private traffic to be received and transmitted by the node on a private pathway through the node; and a public portion for allowing low bandwidth secure public traffic to be received and transmitted by the node on a plurality of public pathways through the node.
    Type: Grant
    Filed: December 7, 2010
    Date of Patent: December 2, 2014
    Assignee: Chickasaw Management Company, LLC
    Inventors: James Andrew Reynolds, Philip Desch, Brett Burley, Gene Ward, Joe Kenny, Michael Howland, Christopher Allen Howland
  • Publication number: 20140351925
    Abstract: Techniques are disclosed for improving security in a virtual private network. In one embodiment, key information is generated for a virtual private network (VPN) connection between a first device and a second device. A plurality of shares is then generated based on the key information. A first set of one or more shares is stored on a dongle that is paired to the first device. A second set of one or more shares is stored on the first device. In response to a request to resume the VPN connection, the first set of shares is retrieved from the dongle. The key information is reconstructed based on the first set of shares and the second set of shares. The reconstructed key information may then be used to resume the VPN connection.
    Type: Application
    Filed: August 12, 2014
    Publication date: November 27, 2014
    Inventors: PHILIP JOHN STEUART GLADSTONE, DAVID A. MCGREW
  • Publication number: 20140351924
    Abstract: An approach is provided for enabling limited secure access to sensitive data by an authorized requestor. A request is received for access to data maintained at a primary data center of a secure private network from an authorized requestor. A subset of the data to be transmitted to a secure data store associated with the requestor through a private firewall of the primary data center is then determined based on the request type and the authorization of the requestor. Transmission of a subset of the data is then initiated from the secure data store to the requestor in encrypted form.
    Type: Application
    Filed: May 21, 2013
    Publication date: November 27, 2014
    Applicant: Verizon Patent and Licensing Inc.
    Inventor: Alan Myers
  • Patent number: 8898732
    Abstract: Methods, systems, computer-readable media, and apparatuses for providing a managed browser are presented. In various embodiments, a computing device may load a managed browser. The managed browser may, for instance, be configured to provide a managed mode in which one or more policies are applied to the managed browser, and an unmanaged mode in which such policies might not be applied and/or in which the browser might not be managed by at least one device manager agent running on the computing device. Based on device state information and/or one or more policies, the managed browser may switch between the managed mode and the unmanaged mode, and the managed browser may provide various functionalities, which may include selectively providing access to enterprise resources, based on such state information and/or the one or more policies.
    Type: Grant
    Filed: October 1, 2013
    Date of Patent: November 25, 2014
    Assignee: Citrix Systems, Inc.
    Inventor: Waheed Qureshi
  • Publication number: 20140344917
    Abstract: In an example embodiment, a method dynamically tunnels specific, or per-application, services on demand without having to build complex split tunneling policies on Virtual Private Network (VPN) terminators. In particular embodiments, the method can allow for tunneling to multiple data centers on devices with limited, e.g., single, concentrator capabilities.
    Type: Application
    Filed: May 16, 2013
    Publication date: November 20, 2014
    Applicant: Cisco Technology, Inc.
    Inventors: Vincent E. PARLA, Vlad Santau, Timothy Steven Champagne, JR., Kerry Hannigan Munz
  • Patent number: 8893261
    Abstract: One embodiment of the present invention provides a system for providing exclusive access to a virtual private network (VPN) connection to an authorized application. During operation, the system creates a unique network namespace that is different from a default network namespace of a host system. The system then places a pseudo network interface associated with the VPN connection into the unique network namespace. Furthermore, the system places at least one socket for an authorized application into the unique network namespace. The system also precludes unauthorized applications on the host from accessing the unique network namespace, thereby facilitating exclusive access to the VPN connection by the authorized application.
    Type: Grant
    Filed: September 27, 2012
    Date of Patent: November 18, 2014
    Assignee: VMware, Inc.
    Inventors: Alexander Fainkichen, Craig Newell
  • Patent number: 8893262
    Abstract: Systems, methods and apparatuses of establishing an IPsec (Internet Protocol Security) VPN (Virtual Private Network) tunnel are disclosed. One method includes receiving, by a wireless mesh network access point, a user configuration, wherein the user configuration includes a type of traffic, determining an internal interface of the wireless mesh network access node based on the type of traffic, dynamically determining a local endpoint address for the IPsec VPN tunnel based on the selected internal interface, and establishing the IPsec VPN tunnel through the selected internal interface of the wireless mesh network access node.
    Type: Grant
    Filed: April 23, 2013
    Date of Patent: November 18, 2014
    Assignee: Tropos Networks, Inc.
    Inventors: Danu Tjahjono, Rafiq Shaikh, Wenge Ren
  • Patent number: 8893259
    Abstract: The present disclosure provides solutions that may enable an enterprise providing services to a number of clients to determine whether to establish a client based SSL VPN session or a clientless SSL VPN session with a client based on an information associated with the client. An intermediary establishing SSL VPN sessions between clients and servers may receive a request from a client to access a server. The intermediary may identify a session policy based on the request. The session policy may indicate whether to establish a client based SSL VPN session or clientless SSL VPN session with the server. The intermediary may determine, responsive to the policy, to establish a clientless or client based SSL VPN session between the client and the server.
    Type: Grant
    Filed: January 26, 2009
    Date of Patent: November 18, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Puneet Agarwal, Saibal Kumar Adhya, Srinivasan Thirunarayanan, Akshat Choudhary
  • Patent number: 8893260
    Abstract: A method and system provide a user device with secure access to an enterprise application in an enterprise network through VPN. The enterprise application is accessed from a user device such that it sends and receives data packets through the VPN client. For this, a request to send packets, originating from the user application, is intercepted by a VPN agent associated with the user application. In turn, the VPN agent associates an address of a loop-back interface with the user application. Thereafter, packets sent by the user application, are re-directed to the VPN client through the loop-back interface. Similarly, packets received by the VPN client from the enterprise network are routed through the loop-back interface to the user application.
    Type: Grant
    Filed: December 15, 2009
    Date of Patent: November 18, 2014
    Assignee: Rockstar Consortium US LP
    Inventor: Biju Sadasivan
  • Publication number: 20140337966
    Abstract: The invention instantiates a Personal VLAN bridge, using IEEE Std. 802.11 elements. The result is a bridge, referred to as a public access point, that is better suited for implementing public wireless data networks than the IEEE Std. 802.11 architecture. The invention also provides a location-update protocol for updating the forwarding tables of bridges that connect public access points together. The invention further provides a method for more controlled bridging, which is referred to as fine bridging.
    Type: Application
    Filed: May 20, 2014
    Publication date: November 13, 2014
    Applicant: MICROSOFT CORPORATION
    Inventor: DENNIS MICHAEL VOLPANO
  • Publication number: 20140337967
    Abstract: A data transmission method is applied in a virtual private network (VPN) and includes: querying, by an initiating client, a VPN server for external network Internet Protocol (IP) addresses of the initiating client and a responding client; performing, by the initiating client, key negotiation with the responding client through the VPN server; after the key negotiation is completed, writing, by the initiating client, the external network IP address of the initiating client into a source address field of a to-be-sent User Datagram Protocol (UDP) packet, writing the external network IP address of the responding client into a destination address field of the to-be-sent UDP packet, and encrypting the to-be-sent UDP packet according to a key obtained through the negotiation; and sending, by the initiating client, an encrypted UDP packet to the responding client, and performing packet interaction with the responding client directly.
    Type: Application
    Filed: July 21, 2014
    Publication date: November 13, 2014
    Inventors: Xianqi Zhai, Guoyao Hua, Aiping Chen, Yao Gui
  • Publication number: 20140337965
    Abstract: A method for secure external access to a collaborative design system is provided that includes establishing a virtual private network (VPN) tunnel between an engagement virtual machine and an external computer system, wherein the external user provides a user id and password for authorization to establish the VPN tunnel, receiving the user id and password in a web interface of the collaborative design system and identifying the engagement virtual machine the external user is allowed to access based on the user id and password, prompting the external user to log into the engagement virtual machine, wherein the user id and password are again received from the external user, issuing a security ticket to the external user when the user logs into the engagement virtual machine, and using the security ticket to authenticate accesses initiated by the external user to engagement files stored in a file system in an intranet.
    Type: Application
    Filed: May 16, 2013
    Publication date: November 13, 2014
    Applicant: Texas Instruments Incorporated
    Inventors: Patrice Savini, Francis Thaon
  • Patent number: 8885825
    Abstract: This method of establishing a cryptographic session key comprises: a subscription phase (104) during which an identifier of a local loop to the end of which a receiver must be connected is acquired, and an authentication step comprising: a) an operation (142) of automatically obtaining an identifier of the local loop to the end of which the receiver is actually connected, and b) an operation (146) of verifying that the identifier obtained during the operation a) corresponds to the identifier acquired during the subscription phase so as to authenticate the receiver.
    Type: Grant
    Filed: February 21, 2007
    Date of Patent: November 11, 2014
    Assignee: Viaccess
    Inventor: Philippe Carles
  • Patent number: 8887272
    Abstract: A medical device customization system and method comprising a medical device that receives signals from a biological probe having an operational parameter and that stores data based on the signals in a memory. The medical device receives a custom application and establishes a virtual machine to run the custom application.
    Type: Grant
    Filed: August 24, 2012
    Date of Patent: November 11, 2014
    Assignee: General Electric Company
    Inventors: Mark S. Urness, Anders Herman Torp, Menachem Halmann
  • Patent number: 8887265
    Abstract: A proxy device such as a firewall uses an internal socket namespace, such as a text string, such that connection requests must be explicitly redirected to a listening socket in the alternate namespace in order to connect to a service. Because external connections cannot directly address the listening socket or service, greater security is provided than with traditional firewall or proxy devices. To receive a redirected proxy connection, a service process creates a listening socket and binds a name in an alternate namespace to the socket before listening for connections.
    Type: Grant
    Filed: March 27, 2013
    Date of Patent: November 11, 2014
    Assignee: McAfee, Inc.
    Inventors: Michael Green, David F. Diehl, Michael J. Karels
  • Publication number: 20140331298
    Abstract: A method for securely transmitting medical data to and from a remote location includes configuring a first electronic computing device with provisioning information to access a firewall-protected electronic data network. Medical data is received at the first electronic computing device from a second electronic computing device. The medical data is transmitted to the firewall-protected electronic data network using the first electronic computing device. The provisioning information permits a secure connection between the second electronic computing device and a third electronic computing device on the firewall-protected electronic data network.
    Type: Application
    Filed: May 6, 2013
    Publication date: November 6, 2014
    Applicant: Welch Allyn, Inc
    Inventors: Steven D. Baker, Bill Jay Quatier
  • Patent number: 8881228
    Abstract: Methods, systems, computer-readable media, and apparatuses for providing a managed browser are presented. In various embodiments, a computing device may load a managed browser. The managed browser may, for instance, be configured to provide a managed mode in which one or more policies are applied to the managed browser, and an unmanaged mode in which such policies might not be applied and/or in which the browser might not be managed by at least one device manager agent running on the computing device. Based on device state information and/or one or more policies, the managed browser may switch between the managed mode and the unmanaged mode, and the managed browser may provide various functionalities, which may include selectively providing access to enterprise resources, based on such state information and/or the one or more policies.
    Type: Grant
    Filed: October 1, 2013
    Date of Patent: November 4, 2014
    Assignee: Citrix Systems, Inc.
    Inventor: Waheed Qureshi
  • Patent number: RE45254
    Abstract: Communication applications may include lists of users with which a user of the application communicates. If two users of a communications application each include the other user on their user lists, an implicit trust may be established between the users. For example, if user A includes user B in her list and user B includes user A in his list, then it may be determined that each user knows and/or trusts the other user. As a result, a connection or communications pathway may be automatically created between the client devices of the users to facilitate communications between the users based on the implicit trust.
    Type: Grant
    Filed: May 31, 2013
    Date of Patent: November 18, 2014
    Assignee: Facebook, Inc.
    Inventor: James A. Roskind