Abstract: In processing Hypertext Transfer Protocol (HTTP) headers, a packet pre-processor is configured with at least one predetermined header field identifier. The packet pre-processor detects at least one header field identifier in a header field of an HTTP packet received over an HTTP session between a host and a server, matches the predetermined header field identifier to the header field identifier in the HTTP packet, generates a header report block comprising information corresponding to the header field identifier in the HTTP packet, and sends the HTTP packet and the header report block to a processor module for processing the HTTP packet based on the header report block. The processor module receives the HTTP packet and the header report block from the packet pre-processor, retrieves a service policy using the header report block, applies the service policy to the HTTP packet, and sends the HTTP packet to the host or the server.

Abstract: Methods and systems for synchronization of configuration files of a plurality of blades in a virtual application distribution chassis are disclosed. In an exemplary method, a master blade processes a configuration command, updates a first configuration file with the configuration command and generates an updated tag, and sends a configuration message to at least one slave blade of the virtual application distribution chassis informing of the updated configuration file. The configuration message is received by a given slave blade of the one or more slave blades and compared with a second configuration file stored at the given slave blade; and in response to determining that the updated tag in the configuration message is more recent than the tag in the second configuration file stored at the given slave blade, the slave blade sends a request for the updated configuration file to the master blade.

Abstract: Provided are methods and systems for mitigating a DoS attack. A method for mitigating a DoS attack may commence with receiving, from a client, a request to initiate a secure session between the client and a server. The method may continue with determining whether the client is on a whitelist. Based on a determination that client is absent from the whitelist, a pre-generated key may be sent to the client. The method may include determining validity of the established secure session. The determination may be performed based on further actions associated with the client. Based on the determination that the secure session is valid, a renegotiation of the secure session may be forced. The method may further include generating a new key using a method for securely exchanging cryptographic keys over a public channel. The new key is then sent to the client.

Abstract: In providing packet forwarding policies in a virtual service network that includes a network node and a pool of service load balancers serving a virtual service, the network node: receives a virtual service session request from a client device, the request including a virtual service network address for the virtual service; compares the virtual service network address in the request with the virtual service network address in each at least one packet forwarding policy; in response to finding a match between the virtual service network address in the request and a given virtual service network address in a given packet forwarding policy, determines the given destination in the given packet forwarding policy; and sends the request to a service load balancer in the pool of service load balancers associated with the given destination, where the service load balancer establishes a virtual service session with the client device.

Abstract: Provided are methods and systems for flagging security threats in web service requests. Specifically, a method for flagging security threats in web service requests can include receiving a request addressed to an addressee. The method can further include analyzing the request based on at least one security signature. The method can continue with determining a threat level associated with the request. The determination can be carried out based on the analysis. The method can further include creating a flag corresponding to the threat level. The method can further include inserting the flag into a network packet associated with the request, thereby creating a modified request. The method may further include sending the modified packet to the addressee. An application associated with the addressee can be operable to selectively process the request based on the threat level.

Abstract: Reducing buffer usage for a TCP proxy session between a client and a server by a service gateway includes: determining a first round trip time (RTT) for a server side TCP session and determining a second RTT for a client side TCP session; comparing the first RTT with the second RTT; determining whether the second RTT exceeds the first RTT beyond a threshold; if so, then calculating a desired RTT based on the second RTT; and setting a timer according to the calculated desired RTT, where a TCP acknowledgement for the server side TCP session is delayed until the timer expires. The desired RTT may be calculated as a percentage of the second RTT or as the second RTT minus a predetermined value. The service gateway waits until the timer has expired before sending a TCP acknowledgement data packet to the server.

Abstract: Applying a security policy to an application session, includes: recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.

Abstract: A method for electing a master blade in a virtual application distribution chassis (VADC), includes: sending by each blade a VADC message to each of the other blades; determining by each blade that the VADC message was not received from the master blade within a predetermined period of time; in response, sending a master claim message including a blade priority by each blade to the other blades; determining by each blade whether any of the blade priorities obtained from the received master claim messages is higher than the blade priority of the receiving blade; in response to determining that none of the blade priorities obtained is higher, setting a status of a given receiving blade to a new master blade; and sending by the given receiving blade a second VADC message to the other blades indicating the status of the new master blade of the given receiving blade.

Abstract: User authentication techniques based on geographical locations associated with a client device is provided. A network connection can be established between two or more host machines and a client device. Upon a request received from the client device by one of these host machines, round trip times of test messages may be measured between the client device and each of the host machines. The round trip times can be utilized to determine the current geographical location of the client device. If the location is within a tolerance geographical area, the client device may be authenticated. Otherwise, the authentication may fail or additional security procedures may be implemented. In some examples, a travel time from a historical geographical location to current geographical location can be determined. This data may be also utilized in the user authentication process.

Abstract: A service gateway includes a fast path module for processing data packets without using packet buffers and a normal path module for processing data packets using packet buffers. The fast path module receives a service request data packet from a client side session, determines that the service request data packet cannot be processed by the fast path module, and in response, sends the service request data packet to the normal path module. After receiving the service request data packet, the normal path module retrieves a first proxy session record created by the fast path module, where the first proxy session record is associated with a client session record for the client side session, creates a second proxy session record based on the service request data packet and the client session record, and processes the service request data packet according to the second proxy session record.

Abstract: A security gateway includes packet routing policies, each including a host network address, an application network address, and a forwarding interface. In routing data packets of an application session, the security gateway: recognizes the application session between a network and an application; determines a user identity from an application session record for the application session; determines packet routing policies applicable to the application session based on the user identity; receives a data packet for the application session, including a source network address and a destination network address; compares the source network address with the host network address, and the destination network address with the application network address; and in response to finding a match between the source network address and the host network address, and between the destination network address and the application network address, processes the data packet using the forwarding interface of the packet routing policy.

Abstract: A method for applying a security policy to an application session, includes recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.

Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.

Abstract: Systems and methods of authenticating user access based on an access point to a secure data network include a secure data network having a plurality of a network access points serving as entry points for a user to access the secure data network using a user device. The user is associated with a user identity, each network access point with a network access point identity. The user uses a user device to send an access request, requesting access to the secure data network, to the network access point, which then sends an authentication request to an identity server. The identity server processes the authentication request, by validating the combination of the user identity and the network access point identity, and responds with an authentication response, granting or denying access, as communicated to the user device via an access response.

Abstract: In providing packet forwarding policies in a virtual service network that includes a network node and a pool of service load balancers serving a virtual service, the network node: receives a virtual service session request from a client device, the request including a virtual service network address for the virtual service; compares the virtual service network address in the request with the virtual service network address in each of a plurality of packet forwarding policies; in response to finding a match between the virtual service network address in the request and a given virtual service network address in a given packet forwarding policy, determines the given destination in the given packet forwarding policy; and sends the request to a service load balancer in the pool of service load balancers associated with the given destination, where the service load balancer establishes a virtual service session with the client device.

Abstract: The inventive system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user's public user identity used to access the public application, the user's private user identity used to access the network, a host identity, and an application session time, To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record, if they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record.

Abstract: Provided are methods and systems for mitigating a DDoS event. The method may comprise receiving an indication of a collapse of a collapsible virtual data circuit associated with network data traffic. In response to the received indication of the collapse, the collapse may be attributed to the DDoS event. Furthermore, the method may comprise redirecting the network data traffic to one or more DDoS mitigation services. The method may further comprise mitigating the DDoS event by the one or more DDoS mitigation services.

Abstract: Applying a security policy to an application session, includes: recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.

Abstract: The processing of data packets sent over a communication session between a host and a server by a service gateway includes processing a data packet using a current hybrid-stateful or hybrid-stateless processing method. The processing then checks whether a hybrid-stateless or hybrid-stateful condition is satisfied. When one of the sets of conditions is satisfied, the process includes changing from a hybrid-stateful to a hybrid-stateless processing method, or vice versa, for a subsequently received data packet. If the conditions are not satisfied, the process continues as originally structured.

Abstract: Provided are methods and systems for distributing service sessions from a client device in a service data network. A packet of the service session is received by a forwarding node. The forwarding node determines whether the packet matches a service address associated with the service session. Responsive to the determining, a servicing node associated with the service address is selected based on a forwarding policy. The packet is sent to the selected servicing node. The servicing node determines whether the packet is a service request packet. A server is selected based on a service policy, wherein the server is configured to serve the service session. The packet is sent to the server. Before being received by a forwarding node, the packet is received by a gateway node. The gateway node determines whether the packet matches the service address and selects the forwarding node based on a notification.