Patents Assigned to A10 Networks, Inc.
-
Patent number: 8387128Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.Type: GrantFiled: October 29, 2011Date of Patent: February 26, 2013Assignee: A10 Networks, Inc.Inventors: Lee Chen, Ronald Wai Lun Szeto
-
Patent number: 8332925Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server based on network information, and using the proxy network address to establish a server side session. The proxy network address is selected such that a same processing element is assigned to process data packets from the server side session and the host side session. The network information includes a security gateway network address and a host network address. By assigning processing elements in this manner, higher capable security gateways are provided.Type: GrantFiled: August 8, 2006Date of Patent: December 11, 2012Assignee: A10 Networks, Inc.Inventors: Lee Chen, Ronald Wai Lun Szeto
-
Publication number: 20120311116Abstract: Synchronization of configuration files of a virtual application distribution chassis, includes: processing a configuration command received by a master blade; updating a first configuration file with the configuration command and an updated tag by the master blade; sending a configuration message by the master blade to the slave blades informing of the updated configuration file, the configuration message comprising the updated tag; in response to receiving the configuration message by a given slave blade of the one or more slave blades, comparing the updated tag in the configuration message with a tag in a second configuration file stored at the given slave blade; and in response to determining that the updated tag in the configuration message is more recent than the tag in the second configuration file stored at the given slave blade, sending a request for the updated configuration file to the master blade by the given slave blade.Type: ApplicationFiled: June 6, 2011Publication date: December 6, 2012Applicant: A10 Networks, Inc.Inventors: Rajkumar JALAN, Dennis OSHIBA
-
Patent number: 8312507Abstract: Method for applying a security policy to an application session, includes: recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.Type: GrantFiled: May 27, 2010Date of Patent: November 13, 2012Assignee: A10 Networks, Inc.Inventors: Lee Chen, John Chiong, Dennis Oshiba
-
Patent number: 8291487Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.Type: GrantFiled: February 16, 2012Date of Patent: October 16, 2012Assignee: A10 Networks, Inc.Inventors: Lee Chen, Ronald Wai Lun Szeto
-
Patent number: 8266235Abstract: A method for electing a master blade in a virtual application distribution chassis (VADC), includes: sending by each blade a VADC message to each of the other blades; determining by each blade that the VADC message was not received from the master blade within a predetermined period of time; in response, sending a master claim message including a blade priority by each blade to the other blades; determining by each blade whether any of the blade priorities obtained from the received master claim messages is higher than the blade priority of the receiving blade; in response to determining that none of the blade priorities obtained is higher, setting a status of a given receiving blade to a new master blade; and sending by the given receiving blade a second VADC message to the other blades indicating the status of the new master blade of the given receiving blade.Type: GrantFiled: January 31, 2012Date of Patent: September 11, 2012Assignee: A10 Networks, Inc.Inventors: Rajkumar Jalan, Dennis Oshiba
-
Publication number: 20120084419Abstract: A method, system, and computer program product for balancing servers based on server load status, include: receiving from a server a service response to a service request, the service response including a result from a processing of the service request and a server status indicating a computing load status of the server; obtaining the server status from the service response; receiving a next service request from a host, the next service request comprising a Uniform Resource Locator (URL); determining that the server is configured to process the URL; determining whether the server status indicates that the server is available to process the next service request; and in response to determining that the server status indicates that the server is available to process the next service request, sending the next service request to the server.Type: ApplicationFiled: September 30, 2010Publication date: April 5, 2012Applicant: A10 Networks, Inc.Inventors: Lalgudi Narayanan KANNAN, Ronald Wai Lun Szeto, Lee Chen, Feilong Xu, Rajkumar Jalan
-
Patent number: 8151322Abstract: Systems and methods of authenticating user access based on an access point to a secure data network include a secure data network having a plurality of a network access points serving as entry points for a user to access the secure data network using a user device. The user is associated with a user identity, each network access point with a network access point identity. The user uses a user device to send an access request, requesting access to the secure data network, to the network access point, which then sends an authentication request to an identity server. The identity server processes the authentication request, by validating the combination of the user identity and the network access point identity, and responds with an authentication response, granting or denying access, as communicated to the user device via an access response. The secure data network may comprise an application level secure data network, in which the user uses the user device to request access to a network application.Type: GrantFiled: May 16, 2006Date of Patent: April 3, 2012Assignee: A10 Networks, Inc.Inventors: Lee Chen, John Chiong, Yang Yu
-
Patent number: 8079077Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.Type: GrantFiled: November 29, 2007Date of Patent: December 13, 2011Assignee: A10 Networks, Inc.Inventors: Lee Chen, Ronald Wai Lun Szeto
-
Publication number: 20110239289Abstract: The inventive system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user's public user identity used to access the public application, the user's private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record. If they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record.Type: ApplicationFiled: June 3, 2011Publication date: September 29, 2011Applicant: A10 Networks, Inc.Inventors: Xin Wang, Lee Chen, John Chiong
-
Patent number: 7979585Abstract: The inventive system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user's public user identity used to access the public application, the user's private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record. If they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record.Type: GrantFiled: April 30, 2010Date of Patent: July 12, 2011Assignee: A10 Networks, Inc.Inventors: Lee Chen, John Chiong, Xin Wang
-
Patent number: 7716378Abstract: The inventive system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user's public user identity used to access the public application, the user's private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record. If they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record.Type: GrantFiled: October 17, 2006Date of Patent: May 11, 2010Assignee: A10 Networks, Inc.Inventors: Lee Chen, John Chiong, Xin Wang
-
Patent number: 7675854Abstract: Provided is a method and system for TCP SYN cookie validation. The method includes receiving a session SYN packet by a TCP session setup module of a host server, generating a transition cookie including a time value representing the actual time, sending a session SYN/ACK packet, including the transition cookie, in response to the received session SYN packet, receiving a session ACK packet, and determining whether a candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.Type: GrantFiled: February 21, 2006Date of Patent: March 9, 2010Assignee: A10 Networks, Inc.Inventors: Lee Chen, Ronald Wai Lun Szeto, Shih-Tsung Hwang
-
Patent number: 7647635Abstract: A system and method for resolving an identity includes a security console, which displays security information regarding a secure network. The security information includes at least a first identity used to access the secure network. An operator selects the first identity, and the security console sends it to a resolver. The resolver connects with an identity server to find an access session record with an identity matching the first identity. A second identity is extracted from this record, and the resolver returns a result that includes the second identity. The security console displays the second identity; The first identity can be a user identity of a user, where the second identity is corresponding host identity, or vise versa. In this manner, an efficient interface to security information is provided to an operator, where the operator may resolve a user/host identity to a host/user identity interactively.Type: GrantFiled: November 2, 2006Date of Patent: January 12, 2010Assignee: A10 Networks, Inc.Inventors: Lee Chen, John Chiong, Philip Kwan
-
Patent number: 7552126Abstract: Systems and methods of managing access records of user access to a secure data network include an access record gateway and an access record datastore; the access record gateway being in communication with an access server of the secure data network; and the access record datastore being in communication with the access record gateway. The access record gateway acquires user access information, such as time information; records the user access information in at least one access record; and stores the at least one access record in the access record datastore. The access record gateway also acquires user access activity information, such as user access termination information, and updates previously recorded user access information with the user access activity information. The at least one access record includes a plurality of sub-records, selected from a list including a user information sub-record, a network information sub-record, and a time information sub-record.Type: GrantFiled: June 2, 2006Date of Patent: June 23, 2009Assignee: A10 Networks, Inc.Inventors: Lee Chen, John Chiong, Phillip Kwan
-
Publication number: 20080148357Abstract: The inventive system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user's public user identity used to access the public application, the user's private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record. If they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record.Type: ApplicationFiled: October 17, 2006Publication date: June 19, 2008Applicant: A10 Networks, Inc.Inventors: Lee Chen, John Chiong, Xin Wang
-
Publication number: 20080109887Abstract: A system and method for resolving an identity includes a security console, which displays security information regarding a secure network. The security information includes at least a first identity used to access the secure network. An operator selects the first identity, and the security console sends it to a resolver. The resolver connects with an identity server to find an access session record with an identity matching the first identity. A second identity is extracted from this record, and the resolver returns a result that includes the second identity. The security console displays the second identity; The first identity can be a user identity of a user, where the second identity is corresponding host identity, or vise versa. In this manner, an efficient interface to security information is provided to an operator, where the operator may resolve a user/host identity to a host/user identity interactively.Type: ApplicationFiled: November 2, 2006Publication date: May 8, 2008Applicant: A10 Networks, Inc.Inventors: Lee Chen, John Chiong, Philip Kwan
-
Publication number: 20080040789Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server based on network information, and using the proxy network address to establish a server side session. The proxy network address is selected such that a same processing element is assigned to process data packets from the server side session and the host side session. The network information includes a security gateway network address and a host network address. By assigning processing elements in this manner, higher capable security gateways are provided.Type: ApplicationFiled: August 8, 2006Publication date: February 14, 2008Applicant: A10 Networks Inc.Inventors: Lee Chen, Ronald Wai Lun Szeto
-
Publication number: 20070283429Abstract: In a computer communication network including a firewall which protects a secured host against attack from outside computers, the host communicating with an outside computer, through the firewall, via data packets which include byte sequence numbers. In a communication between the host and computer in which one of them acts as a source and the other as a destination for the communication, a sequence number offset is derived by the firewall which characterizes the byte sequence number received from the source and the byte sequence number the firewall will provide to the destination for that communication. In a communication received from the source, the firewall adds the offset to byte sequence numbers in a packet passing between the source and destination, in order to determine the byte sequence numbers it will provide to the destination. Thus, proper sequence numbers can be provided to both locations, without the firewall having to restructure packets.Type: ApplicationFiled: May 30, 2006Publication date: December 6, 2007Applicant: A10 Networks Inc.Inventors: Lee Chen, Ronald Wai Lun Szeto, Shih-Tsung Hwang
-
Publication number: 20070282855Abstract: Systems and methods of managing access records of user access to a secure data network include an access record gateway and an access record datastore; the access record gateway being in communication with an access server of the secure data network; and the access record datastore being in communication with the access record gateway. The access record gateway acquires user access information, such as time information; records the user access information in at least one access record; and stores the at least one access record in the access record datastore. The access record gateway also acquires user access activity information, such as user access termination information, and updates previously recorded user access information with the user access activity information. The at least one access record includes a plurality of sub-records, selected from a list including a user information sub-record, a network information sub-record, and a time information sub-record.Type: ApplicationFiled: June 2, 2006Publication date: December 6, 2007Applicant: A10 Networks Inc.Inventors: Lee Chen, John Chiong, Phillip Kwan