Patents Assigned to Blue Coat Systems, Inc.
  • Patent number: 7447755
    Abstract: A method and apparatus for policy management in a network intermediary device. One embodiment of the invention includes establishing a session between a client and an intermediary device on a network to enable processing of a communication between the client and the intermediary device. Then, the communication is processed by the intermediary device while maintaining a consistent version of policy throughout the communication. Finally, after the communication is complete, the intermediary terminates the communication. The intermediary device may maintain consistent policy by utilizing a policy ticket upon which transactional information is stored and that references the version of policy that was current when the communication first began.
    Type: Grant
    Filed: March 18, 2002
    Date of Patent: November 4, 2008
    Assignee: Blue Coat Systems, Inc.
    Inventors: Mark Maxted, Matthew Thurston, Kevin Porter, Chris Zuercher, Doug Moen
  • Publication number: 20080244085
    Abstract: Techniques for suspending a TCP three-way handshake, offering the partial connection to an L-7 application or module at a proxy to perform further processing, and then allowing the L-7 application or module to instruct the proxy's network kernel to perform various actions are described. In various embodiments these actions may include: silently dropping the connection, verbosely rejecting the connection, accepting and processing the connection locally, or forwarding the connection to another proxy or the original destination. This additional functionality is provided, in one particular embodiment, via extensions to the POSIX socket API.
    Type: Application
    Filed: July 19, 2007
    Publication date: October 2, 2008
    Applicant: BLUE COAT SYSTEMS, INC.
    Inventors: Qing Li, Ronald Frederick
  • Patent number: 7412531
    Abstract: A method for recording a complete stream of live data packets from a server in a media cache with reduced server-cache bandwidth includes utilizing a first amount of server-cache bandwidth to receive only a portion of the complete stream of live data packets from the server, determining when the stream of live data packets from the server finishes, thereafter utilizing a second amount of server-cache bandwidth to receive missing portions of the complete stream of live data packets, and combining the portion of the complete stream of live data packets and the missing portions of the complete stream of live data packets to form the complete stream of live data packets in the memory.
    Type: Grant
    Filed: January 29, 2002
    Date of Patent: August 12, 2008
    Assignee: Blue Coat Systems, Inc.
    Inventors: Jason Lango, Robert Tsai, Stephen Wu
  • Publication number: 20080184030
    Abstract: A digital certificate associating a unique identifier for a computer-based appliance with an authentication key pair for that appliance is obtained from a certificate authority using a different, manufacturing key pair for the appliance. The manufacturing key pair may be generated by the appliance at or about its time of manufacture. The public key portion of the manufacturing key pair along with the unique identifier for the appliance may be provided via secure means to the certificate authority prior to the request for the digital certificate concerning the authentication key pair. Eventually, the digital certificate associated with the authentication key pair may be used by the appliance when joining a network, as part of a one-way or two-way authentication process.
    Type: Application
    Filed: January 24, 2008
    Publication date: July 31, 2008
    Applicant: BLUE COAT SYSTEMS, INC.
    Inventors: Thomas J. Kelly, Ronald Frederick, Shrikrishna Karandikar, Wei Jen Yeh, Vineet Kumar
  • Patent number: 7340521
    Abstract: A method and apparatus for dynamically encoding transactional information into a document over a network. The transactional information may include information about client data, object properties, or network conditions. The document may contain embedded links with embedded objects that can be requested by a client. The embedded links may contain URLs with associated domain names. The transactional information may be inserted into the domain name so that when the object request is subsequently translated by a DN.
    Type: Grant
    Filed: April 2, 2002
    Date of Patent: March 4, 2008
    Assignee: Blue Coat Systems, Inc.
    Inventors: Shrikrishna Karandikar, Ravi Duvvuri, Juan Alemany, Neelkanth Shashikant Natu, Anil Gopinath, Bharat Parekh, Tom Herbert
  • Patent number: 7290050
    Abstract: A transparent load balancer receives incoming Ethernet frames having incoming source and destination IP and MAC addresses. The load balancer diverts the incoming frames to one of several multi-application platforms. The incoming frames are communicated across a first TCP connection that terminates on a multi-application platform. The first TCP connection is defined by TCP source and destination ports. The transparent load balancer receives outgoing frames from the multi-application platform and outputs the outgoing frames with source and destination IP and MAC addresses that are identical to the incoming source and destination IP and MAC addresses. The outgoing frames are communicated across a second TCP connection, the second TCP connection being defined by the same TCP source port and TCP destination port of the first TCP connection. The transparent load balancer and multi-application platforms can be inserted into a running network without noticeable interruption to devices on the network.
    Type: Grant
    Filed: September 20, 2002
    Date of Patent: October 30, 2007
    Assignee: Blue Coat Systems, Inc.
    Inventors: Cameron Smith, Vilis Ositis
  • Publication number: 20070240215
    Abstract: Provided are a method and system for tracking access to application data and preventing data exploitation by malicious programs. In one example, the method includes shimming into a running process of the system to create at least one monitoring hook to monitor a program, building an execution path of the monitored program, and monitoring a behavior of the execution path for malicious behavior using the monitoring hook.
    Type: Application
    Filed: March 28, 2006
    Publication date: October 11, 2007
    Applicant: Blue Coat Systems, Inc.
    Inventors: Jose Flores, Wei Lu, Ronnie Blewer, Yariv Kaplan
  • Patent number: 7249191
    Abstract: A multi-application transparent platform intercepts an incoming application file communicated from a source across a first TCP connection by terminating the first TCP connection on the multi-application transparent platform and supplying the application file to an application program. The application file is received onto the platform in the form of multiple incoming Ethernet frames. The application layer program analyzes the application file and identifies characteristics of the application file, such as virus content, that are not apparent in the individual Ethernet frames that carried the application file over the first TCP connection. The platform resends the application file over a second TCP connection in outgoing frames having the same IP addresses and Ethernet MAC addresses as the incoming frames. The platform can be inserted into a running network without reconfiguring devices on the network.
    Type: Grant
    Filed: September 20, 2002
    Date of Patent: July 24, 2007
    Assignee: Blue Coat Systems, Inc.
    Inventors: Paul Hutchison, Cameron Smith, Vilis Ositis
  • Patent number: 7197602
    Abstract: The invention provides a method and system for operating multiple communicating caches. Between caches, unnecessary transmission of repeated information is substantially reduced. Each cache maintains information to improve the collective operation of the system of multiple communicating caches. This can include information about the likely contents of each other cache, or about the behavior of client devices or server devices coupled to other caches in the system. Pairs of communicating caches substantially compress transmitted information. This includes both reliable compression, in which the receiving cache can reliably identify the compressed information in response to the message, and unreliable compression, in which the receiving cache will sometimes be unable to identify the compressed information. A first cache refrains from unnecessarily transmitting the same information to a second cache when each already has a copy.
    Type: Grant
    Filed: March 30, 2004
    Date of Patent: March 27, 2007
    Assignee: Blue Coat Systems, Inc.
    Inventor: Michael Malcolm
  • Publication number: 20040254943
    Abstract: The invention provides a method and system for operating multiple communicating caches. Between caches, unnecessary transmission of repeated information is substantially reduced. Each cache maintains information to improve the collective operation of the system of multiple communicating caches. This can include information about the likely contents of each other cache, or about the behavior of client devices or server devices coupled to other caches in the system. Pairs of communicating caches substantially compress transmitted information. This includes both reliable compression, in which the receiving cache can reliably identify the compressed information in response to the message, and unreliable compression, in which the receiving cache will sometimes be unable to identify the compressed information. A first cache refrains from unnecessarily transmitting the same information to a second cache when each already has a copy.
    Type: Application
    Filed: March 30, 2004
    Publication date: December 16, 2004
    Applicant: Blue Coat Systems, Inc., a Delaware corporation
    Inventor: Michael A. Malcolm
  • Patent number: 6715037
    Abstract: A method and system for operating multiple communicating caches. Between caches, unnecessary transmission of repeated information is reduced. Pairs of communicating caches compress transmitted information, including noncacheable objects. A first cache refrains from unnecessarily transmitting the same information to a second cache when each already has a copy. This includes both maintaining a record at a first cache of information likely to be stored at a second cache, and transmitting a relatively short identifier for that information in place of the information itself. Caches are disposed in a graph structure, including a set of root caches and a set of leaf caches. Both root and leaf caches maintain noncacheable objects beyond their initial use, along with a digest of the non-cacheable objects. When a server device returns identical information to a root cache, root caches can transmit only a digest to leaf caches, avoiding re-transmitting the entire noncacheable object.
    Type: Grant
    Filed: July 26, 2002
    Date of Patent: March 30, 2004
    Assignee: Blue Coat Systems, Inc.
    Inventor: Michael A. Malcolm
  • Patent number: 6587928
    Abstract: Requests are identified as being for a cacheable object or a non-cacheable object according to information included in a Uniform Resource Locator (URL) associated with the object. For example, the URL may include a port designation for requests for cacheable objects (e.g., images and the like). Thus, a request may be recognized as being for a cacheable or non-cacheable object according to the port on which the request is made. In some cases, requests for non-cacheable objects may be made on port 80. A router may be thus configured to recognize a request as being for a cacheable object or a non-cacheable object according to a port on which the request is received and redirect it to a cache as appropriate.
    Type: Grant
    Filed: February 28, 2000
    Date of Patent: July 1, 2003
    Assignee: Blue Coat Systems, Inc.
    Inventors: Alagu S. Periyannan, Michael D. Kellner