Patents Assigned to A10 Networks, Inc.
-
Patent number: 10341118
Abstract: A security network system may include a security gateway operable to establish a client session between the security gateway and a client device. The security gateway is operable to receive client session information from the client session. The client session information includes an identification of a server with which the client device needs to exchange data. The security network system may also include a Hardware Security Module (HSM) in communication with the security gateway. The HSM is operable to establish, in concert with the security gateway, a secure session between the security gateway and the server based on the client session data, a public key, a secret key, and context attributed to the secure session.
Type: Grant
Filed: August 1, 2016
Date of Patent: July 2, 2019
Assignee: A10 Networks, Inc.
Inventors: Yang Yang, Xuyang Jiang, Ali Golshan
-
Patent number: 10334030
Abstract: Data traffic splitting between computing clouds may include a first application delivery controller (ADC) and a second ADC. The first ADC can be configured to control data traffic split within a first computing cloud. The second ADC can be configured to control data traffic split within a second computing cloud. The system may include a third ADC configured to control traffic split between at least the first ADC and the second ADC. The first ADC can be associated with a first version of an application configured to run on the first computing cloud. The second ADC can be associated with a second version of the application configured to run on the second computing cloud. The third ADC is further configured to control data traffic split based on at least one blue/green policy.
Type: Grant
Filed: March 31, 2017
Date of Patent: June 25, 2019
Assignee: A10 Networks, Inc.
Inventors: Manikantan Venkiteswaran, Manu Dilip Shah
-
Patent number: 10318288
Abstract: Facilitation of processing a chain of network applications by a network controller is provided herein. In some examples, a network controller comprising a fast path module receives a service request data packet from a client side session between a client and the network controller and determines that the service request data packet matches a network application chain order, the network application chain order indicating a configuration to apply a plurality of network applications. The fast path module processes the service request data packet according to the configuration indicated in the network application chain order.
Type: Grant
Filed: January 13, 2016
Date of Patent: June 11, 2019
Assignee: A10 Networks, Inc.
Inventors: Rajkumar Jalan, Rishi Sampat, Swaminathan Sankar
-
Patent number: 10320714
Abstract: A packet network device such as a network switch includes a number of functional cards or chassis modules at least some of which are connected to both an electrical backplane and a wireless backplane. The electrical backplane provides data plane signal paths and the wireless backplane provides control plane signal paths.
Type: Grant
Filed: August 24, 2016
Date of Patent: June 11, 2019
Assignee: Force10 Networks, Inc.
Inventor: Joel R. Goergen
-
Patent number: 10305859
Abstract: Applying a security policy to an application session includes recognizing the application session between a network and an application via a security gateway, determining by the security gateway a user identity of the application session using information about the application session, obtaining by the security gateway the security policy comprising network parameters mapped to the user identity, and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.
Type: Grant
Filed: May 22, 2017
Date of Patent: May 28, 2019
Assignee: A10 Networks, Inc.
Inventors: Lee Chen, Dennis Oshiba, John Chiong
-
Patent number: 10305904
Abstract: Facilitation of secure network traffic by an application delivery controller is provided herein. In some examples, a method includes: (a) receiving a data packet with information from a client indicating that the client is a trusted source; (b) embedding in the data packet a transmission control protocol (TCP) options header, the TCP options header comprising information including at least a sequence number for a protocol connection; and (c) forwarding the embedded data packet to a server.
Type: Grant
Filed: December 29, 2017
Date of Patent: May 28, 2019
Assignee: A10 Networks, Inc.
Inventors: Rajkumar Jalan, Gurudeep Kamat
-
Patent number: 10298457
Abstract: Methods and systems for synchronization of configuration files of a plurality of blades in a virtual application distribution chassis are disclosed. In an exemplary method, a master blade processes a configuration command, updates a first configuration file with the configuration command and generates an updated tag, and sends a configuration message to at least one slave blade of the virtual application distribution chassis informing of the updated configuration file. The configuration message is received by a given slave blade of the one or more slave blades and compared with a second configuration file stored at the given slave blade; and in response to determining that the updated tag in the configuration message is more recent than the tag in the second configuration file stored at the given slave blade, the slave blade sends a request for the updated configuration file to the master blade.
Type: Grant
Filed: January 26, 2018
Date of Patent: May 21, 2019
Assignee: A10 Networks, Inc.
Inventors: Rajkumar Jalan, Dennis Oshiba
-
Patent number: 10268467
Abstract: Policy-driven management of application traffic is provided for services to cloud-based applications. A steering policy, which refers to a set of rules, is generated for a deployment from a current code environment to one or more replicated code environments differing in some key respect. The steering policy can guide steering decisions between the current and updated code environments. A steering server uses the steering policy to make decisions about whether to send service requests to the current code environment or the updated code environment. Feedback concerning actual steering decisions made by the steering server is received (e.g., performance metrics). The steering policy is automatically adjusted in response to the feedback.
Type: Grant
Filed: November 12, 2015
Date of Patent: April 23, 2019
Assignee: A10 Networks, Inc.
Inventors: Ragavan Ramanathan, Alak Deb, Sudarshan Raghavan, Anirudha Kamatgi, Sridhar Srinivasan, Girish Karthik Ramasamy, Srinath Chandrashekhar, Akshay Mathur
-
Patent number: 10257101
Abstract: Provided are methods and systems for load balancing client requests between sites associated with a domain name. A method comprises determining a first active response delay time between a Domain Name System server and a first site. The method further comprises determining a first application response delay time between the first site and one or more first servers associated with the first site. According to the method, the first active response delay time and the first application response delay time are compounded to produce a first compounded response delay time. The method further comprises determining a second active response delay time and a second application response delay for a second site to produce a second compounded response delay time. The first compounded response delay time and the second compounded response delay time are compared to perform load balancing between the first site and the second site.
Type: Grant
Filed: February 27, 2018
Date of Patent: April 9, 2019
Assignee: A10 Networks, Inc.
Inventors: Ali Golshan, Martin Grimm, Yang Yang
-
Patent number: 10250475
Abstract: A method and system for measuring application response delay is described. The method may commence with receiving a Domain Name System (DNS) request from a client DNS server. The method may include measuring round trip time between the client DNS server and a first Global Server Load Balancing (GSLB) controller, between the first GSLB controller and a server load balancer (SLB) collocated with the first GSLB controller, and between the SLB and an application server. The method may further include receiving measurements of round trip time between the client DNS server and a second GSLB controller, between the second GSLB controller and an SLB collocated with the second GSLB controller, and between the second GSLB controller and a further application server. A cumulative response time associated with the application servers may be calculated based on the measurements to select an application server having a lowest cumulative response time.
Type: Grant
Filed: December 8, 2016
Date of Patent: April 2, 2019
Assignee: A10 Networks, Inc.
Inventors: Yichao He, Yang Yang, Ali Golshan
-
Patent number: 10243791
Abstract: Provided are methods and systems for adjusting of subscriber policies. A method for adjusting of subscriber policies may include applying traffic enforcement rules to a data traffic associated with a subscriber. The method can further include determining network conditions associated with the data traffic. The method can include modifying, based on the determination of the network conditions, attributes according to attribute adjustment rules to obtain modified attributes. The method can further include modifying the traffic enforcement rules based on the modified attributes to obtain modified traffic enforcement rules.
Type: Grant
Filed: August 13, 2015
Date of Patent: March 26, 2019
Assignee: A10 Networks, Inc.
Inventors: Gennady Dosovitsky, Kishore Inampudi
-
Patent number: 10230770
Abstract: A system and method for providing a network proxy layer are disclosed. The network proxy layer may receive a connection establishment event for a client connection of an application session and send the client connection event to an application proxy for the application session, the application proxy being associated with an application of a server. Upon establishment of the client connection, the network proxy layer may receive one or more data packets from the client connection. The network proxy layer may further receive a connection establishment event for a server connection of the application session of the server, and receive one or more data packets from the server connection.
Type: Grant
Filed: December 2, 2013
Date of Patent: March 12, 2019
Assignee: A10 Networks, Inc.
Inventors: Feilong Xu, Chih-Wei Chao, Lee Chen
-
Patent number: 10187423
Abstract: Provided are methods and systems for mitigating a DDoS event. The method may comprise receiving an indication of a collapse of a collapsible virtual data circuit associated with network data traffic. In response to the received indication of the collapse, the collapse may be attributed to the DDoS event. Furthermore, the method may comprise redirecting the network data traffic to one or more DDoS mitigation services. The method may further comprise mitigating the DDoS event by the one or more DDoS mitigation services.
Type: Grant
Filed: December 21, 2017
Date of Patent: January 22, 2019
Assignee: A10 Networks, Inc.
Inventors: Micheal Thompson, Vernon Richard Groves
-
Patent number: 10187377
Abstract: Provided are methods and systems for caching network generated security certificates. An example system may include a security gateway node and a storage module. The security gateway node may be operable to receive, from a client, a session request to establish a secure connection with a server. Based on the session request, the security gateway node may establish a first secure session between the client and the security gateway node and a second secure session between the security gateway node and the server. The security gateway node may receive a server certificate from the server. The security gateway node may match the server certificate against a gateway certificate table. Based on the matching, the security gateway node may receive a gateway certificate associated with the gateway certificate entry that matches the server certificate. The gateway certificate may be used for performing the first secure session.
Type: Grant
Filed: February 8, 2017
Date of Patent: January 22, 2019
Assignee: A10 Networks, Inc.
Inventors: Ali Golshan, Xuyang Jiang, Yang Yang
-
Patent number: 10178165
Abstract: Provided are methods and systems for distributing application traffic. A method for distributing application traffic may commence with receiving, from a host, a first service request for a first service session. The first service request may be associated with a service request time. The method may continue with relaying the first service request from a service gateway to a server. The method may further include receiving, from the server, a service response. The service response may be associated with a service response time. The method may continue with calculating a service processing time for the first service request based on the service request time and the service response time. The method may further include receiving, from the host, a second service request for a second service session. The method may continue with selectively relaying the second server request to the server based on the service processing time.
Type: Grant
Filed: January 29, 2018
Date of Patent: January 8, 2019
Assignee: A10 Networks, Inc.
Inventors: Rajkumar Jalan, Ronald Wai Lun Szeto, Feilong Xu
-
Patent number: 10158627
Abstract: User authentication techniques based on geographical locations associated with a client device are provided. An example method for authentication of the client device includes receiving an authentication request from the client device. The method may include establishing current geographical location of the client device based on metadata received from the client device. The method may further include establishing a trusted tolerance geographical area based on historical location area associated with the client device. After establishing the trusted tolerance geographical area, the method may proceed with determining whether the current geographical location of the client device is within the trusted tolerance geographical area. The method may further include authenticating the client device based on the determination that the current geographical location of the client device is within the trusted tolerance geographical area.
Type: Grant
Filed: November 16, 2017
Date of Patent: December 18, 2018
Assignee: A10 Networks, Inc.
Inventor: Micheal Thompson
-
Patent number: 10158666
Abstract: Provided are methods and systems for mitigating a denial of service attack. A system for mitigating a denial of service attack may include a network module, a storage module, and a processor module. The network module may be operable to receive a request from a network device to establish a data connection between the network device and a server based on a determination that the network device is trusted. The storage module may be operable to store a whitelist associated with a plurality of trusted network devices. The processor module may be operable to determine that the network device is trusted. Based on the determination, the processor module may associate the network device with the whitelist for a predetermined period of time.
Type: Grant
Filed: July 26, 2016
Date of Patent: December 18, 2018
Assignee: A10 Networks, Inc.
Inventors: Rajkumar Jalan, Gurudeep Kamat, Ronald Wai Lun Szeto
-
Patent number: 10129122
Abstract: Systems and methods are provided herein. An exemplary servicing node may include: an interface to a data network, the interface coupled to an object machine; and the object machine, the object machine: receiving a data packet from the data network using the network interface, the data packet comprising at least one of a destination address, a destination port number, and an application protocol; determining a condition associated with the at least one of the destination address, the destination port number, and the application protocol; identifying a program name using the condition; executing a program using a name table, the name table linking each of a plurality of program names to a respective program, the executing comprising getting an instruction of the program, the instruction including object information.
Type: Grant
Filed: June 24, 2015
Date of Patent: November 13, 2018
Assignee: A10 Networks, Inc.
Inventors: Rishi Sampat, Rajkumar Jalan
-
Patent number: 10116634
Abstract: A method for intercepting, by a security gateway, a secure data session comprises the steps of establishing a first secure data session between a client device and a server device, intercepting the first secure data session by the security gateway, establishing a second secure data session between the server device and the security gateway, receiving a first secure session request from the client device, generating a second secure session request based on the first secure session request, receiving a server certificate from the server device, sending the second secure session request to the server device, receiving first secure content from the client device over the first secure data session, creating first encrypted secure content using the first secure content and the server certificate, and sending the first encrypted secure content to the server device over the second secure data session.
Type: Grant
Filed: June 28, 2016
Date of Patent: October 30, 2018
Assignee: A10 Networks, Inc.
Inventors: Ali Golshan, Xuyang Jiang, Yang Yang
-
Patent number: RE47296
Abstract: Provided is a method and system for TCP SYN cookie validation. The method includes receiving a session SYN packet by a TCP session setup module of a host server, generating a transition cookie including a time value representing the actual time, sending a session SYN/ACK packet, including the transition cookie, in response to the received session SYN packet, receiving a session ACK packet, and determining whether a candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.
Type: Grant
Filed: January 9, 2014
Date of Patent: March 12, 2019
Assignee: A10 NETWORKS, INC.
Inventors: Lee Chen, Ronald Wai Lun Szeto, Shih-Tsung Hwang