Patents Assigned to Blue Coat Systems, Inc.
  • Patent number: 8316446
    Abstract: Methods and systems for blocking unwanted software downloads within a network. Such methods may thereby prevent (i) downloads of spyware from one or more identified locations, and/or (ii) certain outbound communications from the network and/or may also permit software downloads only from specified locations. In general, the policies are defined by rules specified by a network administrator or other user.
    Type: Grant
    Filed: April 22, 2005
    Date of Patent: November 20, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventors: Alexander Wade Campbell, Lee Thomas Dolsen, Vilis Ositis, Cameron Charles Smith
  • Patent number: 8316429
    Abstract: A host computer system is categorized according to uniform resource locator (URL) information extracted from a digital certificate purportedly associated with said host. Thereafter, a secure communication session (e.g., an SSL session) with said host may be granted or denied according to results of the categorizing. If granted, messages associated with the secure session may be tunneled through a proxy without decryption, or, in some cases, even though the secure communication session was authorized, messages may be decrypted at the proxy.
    Type: Grant
    Filed: January 31, 2006
    Date of Patent: November 20, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventors: Darrell Long, Lee Dolsen, Doug Moen
  • Patent number: 8312264
    Abstract: A digital certificate associating a unique identifier for a computer-based appliance with an authentication key pair for that appliance is obtained from a certificate authority using a different, manufacturing key pair for the appliance. The manufacturing key pair may be generated by the appliance at or about its time of manufacture. The public key portion of the manufacturing key pair along with the unique identifier for the appliance may be provided via secure means to the certificate authority prior to the request for the digital certificate concerning the authentication key pair. Eventually, the digital certificate associated with the authentication key pair may be used by the appliance when joining a network, as part of a one-way or two-way authentication process.
    Type: Grant
    Filed: January 24, 2008
    Date of Patent: November 13, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventors: Thomas J. Kelly, Ronald Frederick, Shrikrishna Karandikar, Wei Jen Yeh, Vineet Kumar
  • Publication number: 20120284416
    Abstract: In one embodiment, an intermediary device situated along a communication path between two endpoint devices may receive communication packets sent along the communication path. If the intermediary device receives a connection-initiating packet having a customization indicator and a connection-acknowledgement packet having a customization indicator, then the intermediary device may install a bypass rule.
    Type: Application
    Filed: May 5, 2011
    Publication date: November 8, 2012
    Applicant: Blue Coat Systems, Inc.
    Inventors: Qing Li, Yusheng Huang
  • Patent number: 8301887
    Abstract: A first computer-based device is authenticated at a second computer-based device communicatively coupled thereto through use of a unique identifier and an encrypted token, each received from the first device. Following the authentication, configuration information for the first device is sent from the second device to the first device and the first device is authorized to join a network that includes the second device. Further, permissions related to the network may be granted to the first device.
    Type: Grant
    Filed: January 31, 2008
    Date of Patent: October 30, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventors: Thomas J. Kelly, Samuel H. McLane, Ronald Frederick, Dharmendra Mohan, Darrell G. Long
  • Publication number: 20120271964
    Abstract: In one embodiment, an electronic device receives a request; obtains a current state from each of a plurality of electronic devices; and selects one of the plurality of electronic devices to service the request based on the current state of each of the plurality of electronic devices. The current state of each of the plurality of electronic devices is one of a plurality of states in a state model. Each of the plurality of states in the state model indicates a discrete level of workload for the plurality of electronic devices.
    Type: Application
    Filed: April 20, 2011
    Publication date: October 25, 2012
    Applicant: Blue Coat Systems, Inc.
    Inventor: Kevin Porter
  • Patent number: 8255931
    Abstract: A DLL that includes an API hook is injected into the address space of a target computer process called by an application program. Upon termination of the application program, computer-readable instructions describing a process for filtering exceptions returned from the target computer process are stored in memory locations accessible to the target computer process and the DLL is ejected from the address space.
    Type: Grant
    Filed: February 11, 2008
    Date of Patent: August 28, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventors: Andrew L. Sandoval, Yariv Kaplan, Jose Flores
  • Publication number: 20120198441
    Abstract: In accordance with one embodiment of the present disclosure, a system includes one or more computer systems including a memory, one or more processors, and a bypass switch with an open position and a closed position. The one or more computer systems further include computer-executable program code. The computer-executable program code includes one or more virtual machine modules including computer-executable instructions configured, when executed, to cause the one or more processors to implement one or more virtual machines that host one or more guest operating systems and one or more applications. The computer-executable program code further includes a virtual bypass switch module including computer-executable instructions configured, when executed, to cause the one or more processors to, responsive to the availability of the one or more applications, forward packets received on the first physical network interface to at least one of the one or more virtual machines.
    Type: Application
    Filed: January 28, 2011
    Publication date: August 2, 2012
    Applicant: BLUE COAT SYSTEMS, INC.
    Inventors: Jamshid Mahdavi, Greg Veres
  • Publication number: 20120198050
    Abstract: Data useful in analyzing the effectiveness of policies for handling transactions involving client communications is automatically collected at network intermediary devices and delivered to an analysis server as part of feedback communications from the network intermediary devices. The data may be collected according to data collection directives distributed to the network intermediary devices along with updates to policies for handling transactions, those updates being configured to alter actions of the network intermediary devices, for example to accommodate changes in behaviors of content servers from which the network intermediary devices obtain content in connection with the client communications.
    Type: Application
    Filed: January 30, 2011
    Publication date: August 2, 2012
    Applicant: BLUE COAT SYSTEMS, INC.
    Inventors: Eric Maki, Kevin Porter, Marcin Lukasz Lizon
  • Publication number: 20120198038
    Abstract: A policy distribution server provides, on a subscription basis, policy updates to effect desired behaviors of network intermediary devices. The policy updates may specify caching policies, and may in some instances, include instructions for data collection by the network intermediary devices. Data collected in accordance with such instructions may be used to inform future policy updates distributed to the network intermediary devices.
    Type: Application
    Filed: January 30, 2011
    Publication date: August 2, 2012
    Applicant: BLUE COAT SYSTEMS, INC.
    Inventors: Kevin Porter, Thomas J. Kelly, Marcin Lukasz Lizon, Darrell Long, Eric Maki, Kim Tremblay, Jennifer Vance
  • Patent number: 8234402
    Abstract: A method and apparatus for dynamically encoding transactional information into a document over a network. The transactional information may include information about client data, object properties, or network conditions. The document may contain embedded links with embedded objects that can be requested by a client. The embedded links may contain URLs with associated domain names. The transactional information may be inserted into the domain name so that when the object request is subsequently translated by a DNS server, the DNS server can utilize the transactional information to intelligently translate the domain name into an IP address of a network device that can most advantageously serve the request.
    Type: Grant
    Filed: January 10, 2008
    Date of Patent: July 31, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventors: Shrikrishna Karandikar, Ravi Duvvuri, Juan Alemany, Neelkanth Shashikant Natu, Anil Gopinath, Bharat Parekh, Tom Herbert
  • Patent number: 8225085
    Abstract: A secure communication protocol (e.g., SSL) transaction request from a client to a server is intercepted at a client-side proxy communicatively coupled to the client and logically deployed between the client and the server. The client-side proxy initiates a secure connection with the server and passes an attribute (e.g., a cryptographic key) associated with that secure connection to a server-side proxy communicatively coupled to the server and logically deployed between the client and the server. This enables the server-side proxy to engage in secure communications with the server in a transparent fashion.
    Type: Grant
    Filed: June 5, 2007
    Date of Patent: July 17, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventor: Shrikrishna Karandikar
  • Patent number: 8200920
    Abstract: Methods, systems, and apparatus for storing and accessing data stored in a data array are presented. In one embodiment, data is stored in a data array that includes a plurality of nodes. The nodes of the data array are segmented into one or more standard and priority pages. The pages are represented in a packed index. The priority pages are then cached and the standard pages are saved to disk. In another embodiment, data stored in a node of a data array may be accessed wherein the data array is segmented into at least one priority page and at least one standard page and the data array includes a plurality of nodes. A request for data stored in the node may be received. A priority page and/or a standard page may be searched for the node and, when found, the node may be accessed.
    Type: Grant
    Filed: January 8, 2009
    Date of Patent: June 12, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventors: Joshua David Dinerstein, John A. Aurich, Kenneth Victor Steiner
  • Patent number: 8161238
    Abstract: Storage space on one or more hard disks of a network caching appliance is divided into a plurality S of stripes. Each stripe is a physically contiguous section of the disk(s), and is made up of a plurality of sectors. Content, whether in the form of objects or otherwise (e.g., byte-cache stream information), is written to the stripes one at a time, and when the entire storage space has been written the stripes are recycled as a whole, one at a time. In the event of a cache hit, if the subject content is stored on an oldest D ones of the stripes, the subject content is rewritten to a currently written stripe, where 1 ≤ D ≤ (S − 1).
    Type: Grant
    Filed: November 10, 2009
    Date of Patent: April 17, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventor: Guy Riddle
  • Publication number: 20120079101
    Abstract: Methods, apparatuses and systems facilitating enhanced classification of network traffic based on observed flow-based and/or host-based behaviors.
    Type: Application
    Filed: June 1, 2011
    Publication date: March 29, 2012
    Applicant: Blue Coat Systems, Inc.
    Inventors: Suresh Babu Muppala, Guy Riddle, Scott Andrew Hankins
  • Patent number: 8130747
    Abstract: A peering relationship among two or more network appliances is established through an exchange of control messages among the network appliances. The peering relationship defines a cluster of peered network appliances, and at each network appliance of the cluster traffic flow state information for all the network appliances of the cluster is maintained. Network traffic associated with traffic flows of the network appliances of the cluster is managed according to the state information for the traffic flows. This managing of the network traffic may include forwarding among the network appliances of the cluster (i.e., to those of the appliances handling the respective flows) at least some of the network traffic associated with one or more of the traffic flows according to the state information for the one or more traffic flows. The traffic flows may be TCP connections or UDP flows.
    Type: Grant
    Filed: August 6, 2007
    Date of Patent: March 6, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventors: Qing Li, Preety Mordani, Yusheng Huang, Howard Chen
  • Patent number: 8095517
    Abstract: A method and system for protecting an application's operational data are described. According to one aspect of the invention, an administrator interacts with a policy distribution server to generate an operational data protection policy. Next, the policy distribution server generates a data protection application embodying the policy. Various computing devices download and execute the data protection application. The data protection application controls how various applications access data storage objects and data interfaces, based on the operational data protection policy.
    Type: Grant
    Filed: February 8, 2007
    Date of Patent: January 10, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventors: Andrew Leonard Sandoval, Yariv Kaplan, Roy Israel Shamir, Wei Lu
  • Publication number: 20110242979
    Abstract: Methods, apparatuses and systems directed to enhanced random early discard mechanisms implemented in various networked devices including end-systems such as servers and intermediate systems such as gateways and routers. In one implementation, the present invention enables a random early discard mechanism that intelligently biases the drop probabilities of select packets based on one or more application-aware and/or flow-aware metrics or state conditions.
    Type: Application
    Filed: March 31, 2010
    Publication date: October 6, 2011
    Applicant: Blue Coat Systems Inc.
    Inventors: Azeem Feroz, Suresh Babu Muppala, Jon Eric Okholm
  • Patent number: 8032641
    Abstract: Methods, apparatuses and systems directed to detecting, and in some implementations, responding to, asymmetric routing in network deployments. In a particular embodiment, a first process detects asymmetric routing at connection initiation, while the second process can detect asymmetric routing that may occur after connection initiation.
    Type: Grant
    Filed: April 30, 2009
    Date of Patent: October 4, 2011
    Assignee: Blue Coat Systems, Inc.
    Inventors: Qing Li, Ronald Frederick
  • Patent number: 8004983
    Abstract: TCP options are provided to address TCP performance problems during data exchanges over large bandwidth long delay communication links. These options address problems such as in sequence tail drops, inaccurate estimations of available bandwidth over a communication link, and slow responses to dynamic changes in link conditions.
    Type: Grant
    Filed: August 15, 2007
    Date of Patent: August 23, 2011
    Assignee: Blue Coat Systems, Inc.
    Inventor: Qing Li