Patents Assigned to A10 Networks, Inc.
  • Patent number: 10318288
    Abstract: Facilitation of processing a chain of network applications by a network controller is provided herein. In some examples, a network controller comprising a fast path module receives a service request data packet from a client side session between a client and the network controller and determines that the service request data packet matches a network application chain order, the network application chain order indicating a configuration to apply a plurality of network applications. The fast path module processes the service request data packet according to the configuration indicated in the network application chain order.
    Type: Grant
    Filed: January 13, 2016
    Date of Patent: June 11, 2019
    Assignee: A10 Networks, Inc.
    Inventors: Rajkumar Jalan, Rishi Sampat, Swaminathan Sankar
  • Patent number: 10305859
    Abstract: Applying a security policy to an application session includes recognizing the application session between a network and an application via a security gateway, determining by the security gateway a user identity of the application session using information about the application session, obtaining by the security gateway the security policy comprising network parameters mapped to the user identity, and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.
    Type: Grant
    Filed: May 22, 2017
    Date of Patent: May 28, 2019
    Assignee: A10 Networks, Inc.
    Inventors: Lee Chen, Dennis Oshiba, John Chiong
  • Patent number: 10305904
    Abstract: Facilitation of secure network traffic by an application delivery controller is provided herein. In some examples, a method includes: (a) receiving a data packet with information from a client indicating that the client is a trusted source; (b) embedding in the data packet a transmission control protocol (TCP) options header, the TCP options header comprising information including at least a sequence number for a protocol connection; and (c) forwarding the embedded data packet to a server.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: May 28, 2019
    Assignee: A10 Networks, Inc.
    Inventors: Rajkumar Jalan, Gurudeep Kamat
  • Patent number: 10298457
    Abstract: Methods and systems for synchronization of configuration files of a plurality of blades in a virtual application distribution chassis are disclosed. In an exemplary method, a master blade processes a configuration command, updates a first configuration file with the configuration command and generates an updated tag, and sends a configuration message to at least one slave blade of the virtual application distribution chassis informing of the updated configuration file. The configuration message is received by a given slave blade of the one or more slave blades and compared with a second configuration file stored at the given slave blade; and in response to determining that the updated tag in the configuration message is more recent than the tag in the second configuration file stored at the given slave blade, the slave blade sends a request for the updated configuration file to the master blade.
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: May 21, 2019
    Assignee: A10 Networks, Inc.
    Inventors: Rajkumar Jalan, Dennis Oshiba
  • Patent number: 10268467
    Abstract: Policy-driven management of application traffic is provided for services to cloud-based applications. A steering policy, which refers to a set of rules, is generated for a deployment from a current code environment to one or more replicated code environments differing in some key respect. The steering policy can guide steering decisions between the current and updated code environments. A steering server uses the steering policy to make decisions about whether to send service requests to the current code environment or the updated code environment. Feedback concerning actual steering decisions made by the steering server is received (e.g., performance metrics). The steering policy is automatically adjusted in response to the feedback.
    Type: Grant
    Filed: November 12, 2015
    Date of Patent: April 23, 2019
    Assignee: A10 Networks, Inc.
    Inventors: Ragavan Ramanathan, Alak Deb, Sudarshan Raghavan, Anirudha Kamatgi, Sridhar Srinivasan, Girish Karthik Ramasamy, Srinath Chandrashekhar, Akshay Mathur
  • Patent number: 10257101
    Abstract: Provided are methods and systems for load balancing client requests between sites associated with a domain name. A method comprises determining a first active response delay time between a Domain Name System server and a first site. The method further comprises determining a first application response delay time between the first site and one or more first servers associated with the first site. According to the method, the first active response delay time and the first application response delay time are compounded to produce a first compounded response delay time. The method further comprises determining a second active response delay time and a second application response delay for a second site to produce a second compounded response delay time. The first compounded response delay time and the second compounded response delay time are compared to perform load balancing between the first site and the second site.
    Type: Grant
    Filed: February 27, 2018
    Date of Patent: April 9, 2019
    Assignee: A10 Networks, Inc.
    Inventors: Ali Golshan, Martin Grimm, Yang Yang
  • Patent number: 10250475
    Abstract: A method and system for measuring application response delay is described. The method may commence with receiving a Domain Name System (DNS) request from a client DNS server. The method may include measuring round trip time between the client DNS server and a first Global Server Load Balancing (GSLB) controller, between the first GSLB controller and a server load balancer (SLB) collocated with the first GSLB controller, and between the SLB and an application server. The method may further include receiving measurements of round trip time between the client DNS server and a second GSLB controller, between the second GSLB controller and an SLB collocated with the second GSLB controller, and between the second GSLB controller and a further application server. A cumulative response time associated with the application servers may be calculated based on the measurements to select an application server having a lowest cumulative response time.
    Type: Grant
    Filed: December 8, 2016
    Date of Patent: April 2, 2019
    Assignee: A10 Networks, Inc.
    Inventors: Yichao He, Yang Yang, Ali Golshan
  • Patent number: 10243791
    Abstract: Provided are methods and systems for adjusting of subscriber policies. A method for adjusting of subscriber policies may include applying traffic enforcement rules to a data traffic associated with a subscriber. The method can further include determining network conditions associated with the data traffic. The method can include modifying, based on the determination of the network conditions, attributes according to attribute adjustment rules to obtain modified attributes. The method can further include modifying the traffic enforcement rules based on the modified attributes to obtain modified traffic enforcement rules.
    Type: Grant
    Filed: August 13, 2015
    Date of Patent: March 26, 2019
    Assignee: A10 Networks, Inc.
    Inventors: Gennady Dosovitsky, Kishore Inampudi
  • Patent number: 10230770
    Abstract: A system and method for providing a network proxy layer are disclosed. The network proxy layer may receive a connection establishment event for a client connection of an application session and send the client connection event to an application proxy for the application session, the application proxy being associated with an application of a server. Upon establishment of the client connection, the network proxy layer may receive one or more data packets from the client connection. The network proxy layer may further receive a connection establishment event for a server connection of the application session of the server, and receive one or more data packets from the server connection.
    Type: Grant
    Filed: December 2, 2013
    Date of Patent: March 12, 2019
    Assignee: A10 Networks, Inc.
    Inventors: Feilong Xu, Chih-Wei Chao, Lee Chen
  • Patent number: 10187377
    Abstract: Provided are methods and systems for caching network generated security certificates. An example system may include a security gateway node and a storage module. The security gateway node may be operable to receive, from a client, a session request to establish a secure connection with a server. Based on the session request, the security gateway node may establish a first secure session between the client and the security gateway node and a second secure session between the security gateway node and the server. The security gateway node may receive a server certificate from the server. The security gateway node may match the server certificate against a gateway certificate table. Based on the matching, the security gateway node may receive a gateway certificate associated with the gateway certificate entry that matches the server certificate. The gateway certificate may be used for performing the first secure session.
    Type: Grant
    Filed: February 8, 2017
    Date of Patent: January 22, 2019
    Assignee: A10 Networks, Inc.
    Inventors: Ali Golshan, Xuyang Jiang, Yang Yang
  • Patent number: 10187423
    Abstract: Provided are methods and systems for mitigating a DDoS event. The method may comprise receiving an indication of a collapse of a collapsible virtual data circuit associated with network data traffic. In response to the received indication of the collapse, the collapse may be attributed to the DDoS event. Furthermore, the method may comprise redirecting the network data traffic to one or more DDoS mitigation services. The method may further comprise mitigating the DDoS event by the one or more DDoS mitigation services.
    Type: Grant
    Filed: December 21, 2017
    Date of Patent: January 22, 2019
    Assignee: A10 Networks, Inc.
    Inventors: Micheal Thompson, Vernon Richard Groves
  • Patent number: 10178165
    Abstract: Provided are methods and systems for distributing application traffic. A method for distributing application traffic may commence with receiving, from a host, a first service request for a first service session. The first service request may be associated with a service request time. The method may continue with relaying the first service request from a service gateway to a server. The method may further include receiving, from the server, a service response. The service response may be associated with a service response time. The method may continue with calculating a service processing time for the first service request based on the service request time and the service response time. The method may further include receiving, from the host, a second service request for a second service session. The method may continue with selectively relaying the second server request to the server based on the service processing time.
    Type: Grant
    Filed: January 29, 2018
    Date of Patent: January 8, 2019
    Assignee: A10 Networks, Inc.
    Inventors: Rajkumar Jalan, Ronald Wai Lun Szeto, Feilong Xu
  • Patent number: 10158627
    Abstract: User authentication techniques based on geographical locations associated with a client device are provided. An example method for authentication of the client device includes receiving an authentication request from the client device. The method may include establishing current geographical location of the client device based on metadata received from the client device. The method may further include establishing a trusted tolerance geographical area based on historical location area associated with the client device. After establishing the trusted tolerance geographical area, the method may proceed with determining whether the current geographical location of the client device is within the trusted tolerance geographical area. The method may further include authenticating the client device based on the determination that the current geographical location of the client device is within the trusted tolerance geographical area.
    Type: Grant
    Filed: November 16, 2017
    Date of Patent: December 18, 2018
    Assignee: A10 Networks, Inc.
    Inventor: Micheal Thompson
  • Patent number: 10158666
    Abstract: Provided are methods and systems for mitigating a denial of service attack. A system for mitigating a denial of service attack may include a network module, a storage module, and a processor module. The network module may be operable to receive a request from a network device to establish a data connection between the network device and a server based on a determination that the network device is trusted. The storage module may be operable to store a whitelist associated with a plurality of trusted network devices. The processor module may be operable to determine that the network device is trusted. Based on the determination, the processor module may associate the network device with the whitelist for a predetermined period of time.
    Type: Grant
    Filed: July 26, 2016
    Date of Patent: December 18, 2018
    Assignee: A10 Networks, Inc.
    Inventors: Rajkumar Jalan, Gurudeep Kamat, Ronald Wai Lun Szeto
  • Patent number: 10129122
    Abstract: Systems and methods are provided herein. An exemplary servicing node may include: an interface to a data network, the interface coupled to an object machine; and the object machine, the object machine: receiving a data packet from the data network using the network interface, the data packet comprising at least one of a destination address, a destination port number, and an application protocol; determining a condition associated with the at least one of the destination address, the destination port number, and the application protocol; identifying a program name using the condition; executing a program using a name table, the name table linking each of a plurality of program names to a respective program, the executing comprising getting an instruction of the program, the instruction including object information.
    Type: Grant
    Filed: June 24, 2015
    Date of Patent: November 13, 2018
    Assignee: A10 Networks, Inc.
    Inventors: Rishi Sampat, Rajkumar Jalan
  • Patent number: 10116634
    Abstract: A method for intercepting, by a security gateway, a secure data session comprises the steps of establishing a first secure data session between a client device and a server device, intercepting the first secure data session by the security gateway, establishing a second secure data session between the server device and the security gateway, receiving a first secure session request from the client device, generating a second secure session request based on the first secure session request, receiving a server certificate from the server device, sending the second secure session request to the server device, receiving first secure content from the client device over the first secure data session, creating first encrypted secure content using the first secure content and the server certificate, and sending the first encrypted secure content to the server device over the second secure data session.
    Type: Grant
    Filed: June 28, 2016
    Date of Patent: October 30, 2018
    Assignee: A10 Networks, Inc.
    Inventors: Ali Golshan, Xuyang Jiang, Yang Yang
  • Patent number: 9661026
    Abstract: Applying a security policy to an application session includes recognizing the application session between a network and an application via a security gateway, determining by the security gateway a user identity of the application session using information about the application session, obtaining by the security gateway the security policy comprising network parameters mapped to the user identity, and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.
    Type: Grant
    Filed: October 25, 2016
    Date of Patent: May 23, 2017
    Assignee: A10 Networks, Inc.
    Inventors: Lee Chen, Dennis Oshiba, John Chiong
  • Patent number: 9621575
    Abstract: Methods and systems for dynamic threat protection are disclosed. An example method for dynamic threat protection may commence with receiving real-time contextual data from at least one data source associated with a client. The method may further include analyzing the real-time contextual data to determine a security threat score associated with the client. The method may continue with assigning, based on the analysis, the security threat score to the client. The method may further include automatically applying a security policy to the client. The security policy may be applied based on the security threat score assigned to the client.
    Type: Grant
    Filed: December 29, 2014
    Date of Patent: April 11, 2017
    Assignee: A10 Networks, Inc.
    Inventors: Rajkumar Jalan, Vernon Richard Groves
  • Patent number: 9609052
    Abstract: A service gateway processes a service request received from a host by: relaying the service request from the service gateway to a server over a service session between the service gateway and the server; determining a service request time for the service session; receiving by the service gateway a service response from the server; determining by the service gateway a service response time; calculating by the service gateway a service processing time for the service request from the service request time and the service response time; comparing the service processing time with an expected service processing time; and updating a server busy indicator for the server in response to the comparing. If the service processing time exceeds the expected service processing time, the server busy indicator is updated to indicate that the server is busy. Otherwise, the server busy indicator is updated to indicate that the server is not busy.
    Type: Grant
    Filed: December 2, 2010
    Date of Patent: March 28, 2017
    Assignee: A10 Networks, Inc.
    Inventors: Rajkumar Jalan, Ronald Wai Lun Szeto, Feilong Xu
  • Patent number: 9602442
    Abstract: Allocation of buffers for a TCP proxy session between a client and a server by a service gateway includes monitoring dynamic network behaviors for server and client side sessions of the TCP proxy session; and allocating capacity for a server side buffer and capacity for a client side buffer in a memory buffer based on the dynamic server side network behaviors, the dynamic client side network behaviors, and a weighted average of a capacity of the memory buffer. In one approach to the allocation, the gateway determines whether an available capacity of the server or client side buffer is sufficient to store a data packet. If not sufficient, the allocated capacity of the server or client side buffer is increased based on measurements of the dynamic network behaviors and the weighted average, and the available capacity of the server or client side buffer is adjusted accordingly.
    Type: Grant
    Filed: September 23, 2015
    Date of Patent: March 21, 2017
    Assignee: A10 Networks, Inc.
    Inventor: Liang Han