Patents Assigned to COLORTOKENS, INC.
- Patent number: 11403323
  Abstract: A method and system to illuminate data related to an application has been described. Initially, a data analyzer is installed at an application. Next, the installed data analyzer analyzes the data related to the application. Finally, based on the analysis, the data is categorized in one or more of a plurality of categories.
  Type: Grant
  Filed: July 24, 2019
  Date of Patent: August 2, 2022
  Assignee: COLORTOKENS, INC.
  Inventors: Sanjay Kumar Agrawal, Vishnu Gopal Singhal, Pradeep Kishore Somesula, Ruchir Gupta
- Patent number: 11363068
  Abstract: A computer-implemented method and a system provide a complete traceability of changes incurred in a security policy corresponding to a resource. A policy tracing engine (PTE) monitors and determines events of interest occurring at the resource. The PTE determines administrator-initiated intent-based changes and dynamic event-based changes incurred in the security policy and assigns a unique policy identifier (UPI) to the security policy. The UPI is a combination of unique identifiers assigned to the intent-based change and the event-based change. The PTE recomputes and stores the security policy and the UPI in a policy database. The PTE receives network access information including the UPI from the corresponding resource deployed with the security policy. The PTE generates a traceability report that provides a complete traceability of each policy action performed in a networked environment to a source of each change incurred in the security policy as identified by the UPI.
  Type: Grant
  Filed: November 4, 2019
  Date of Patent: June 14, 2022
  Assignee: COLORTOKENS, INC.
  Inventors: Jayaraghavendran Kuppannan, Deepak Kushwaha
- Patent number: 11314856
  Abstract: Instrumentation codes are inserted into predetermined portions of a bytecode. Every transaction referenced in the bytecode is virtually combined and arranged hierarchically to describe a virtual transaction stack describing the computer-based resources accessed during the transaction. Based at least on the origin of the transaction, the characteristics of the transaction and the computer-based resources accessed during the transaction, the sensitivity of the transaction and the security context of each of the computer-based resources accessed during the transaction are determined. A policy store is searched for at least one access control policy referencing the transaction, or the computer-based resources requested to be accessed by the transaction. If such an access control policy is found, it is selectively modified to refer exclusively to the transaction and the corresponding sensitive computer-based resources.
  Type: Grant
  Filed: April 29, 2019
  Date of Patent: April 26, 2022
  Assignee: COLORTOKENS, INC.
  Inventors: Sanjay Kumar Agarwal, Somesula Pradeep Kishore, Ruchir Gupta
- Patent number: 11303678
  Abstract: A method and a system for automatically managing security policies at multiple resources are provided. A policy management engine receives and deploys a security policy configured for each resource with one or more configuration parameters on a security component of each resource. The policy management engine determines modifications made to the security policy at a corresponding resource and automatically corrects the security policy at the corresponding resource. The policy management engine generates and renders a notification including the security policy, the modifications, and detailed information of the modifications and the automatic correction of the security policy to an administrator device. The detailed information includes a description, a type, a timestamp, a number of instances, etc.
  Type: Grant
  Filed: August 15, 2019
  Date of Patent: April 12, 2022
  Assignee: COLORTOKENS, INC.
  Inventors: Jayaraghavendran Kuppannan, Deepak Kushwaha, Binjith Payyappatt Satheendran, Ramprasath Rajagopalan
- Patent number: 11297032
  Abstract: Disclosed herein are a method, a device, and a non-transitory computer readable medium for detecting user migration from an enterprise network to a non-enterprise network by using DNS probing. The method includes detecting at least one of a change in state of network connection and a change in operational state of a user migration computing device. A domain name system (DNS) query is generated in response to detecting the at least one of a change in state of network connection and a change in operational state of the user migration computing device. Further, the DNS query is sent to at least one of a plurality of DNS servers. If an expected DNS response is received, it is determined that the user migration computing device is in the enterprise network. If the expected DNS response is not received, it is determined that the user migration computing device is outside the enterprise network.
  Type: Grant
  Filed: February 8, 2019
  Date of Patent: April 5, 2022
  Assignee: COLORTOKENS, INC.
  Inventors: Arun Koshal, Vishal Sharma, Raghavendra Thantradi Nagappa, Sagar Singha
- Patent number: 11283784
  Abstract: A method and system for peer-to-peer communication across networks is described. At an internet key exchange (IKE) daemon, an IKE packet including an application data packet and an IKE header is received. The received IKE packet is de-multiplexed to identify a data destination that receives the application data packet, the data destination being identified based on a data destination identifier included in the IKE header. Finally, the application data packet is forwarded to a receiving peer when the data destination is the receiving peer.
  Type: Grant
  Filed: September 25, 2018
  Date of Patent: March 22, 2022
  Assignee: COLORTOKENS, INC.
  Inventors: Abhisek Kumar Shaw, Mallesh Kanderayanahalli Marthandappa, Vinay Gudur
- Patent number: 11171928
  Abstract: A method of Local Peer to Peer Direct Connection in a NAT and overlay network is described. A request is received from a first peer at a relay gateway to establish a direct connection with a second peer. The first peer and the second peer are located behind a NAT firewall. An authentication request is relayed from the first peer at the relay gateway. The authentication request is forwarded from the relay gateway to the second peer. Upon performing authentication at the second peer, an authentication response is received at the relay gateway. The authentication response is received from the relay gateway at the first peer. An internal route propagation is performed from the second peer to the first peer via the relay gateway. A Local Peer to Peer Direct Connection is established between the first peer and the second peer for packet flow through the direct connection.
  Type: Grant
  Filed: December 6, 2018
  Date of Patent: November 9, 2021
  Assignee: COLORTOKENS, INC.
  Inventors: Deepak Kumar Mohanty, Ashish Trivedi, Ravi Voleti, Anoop Kapoor, Mritunjay Kumar, Suprio Pal
- Patent number: 11170012
  Abstract: A method and system for determining a session count is described. At a user interface, a request is received to determine a session count for a time period. Based on the received request, the session count is determined based on unique new session counts corresponding to one or more time intervals included in the time period and a carry-forward session count corresponding to an initial time interval included in the time period. Finally, the determined session count is displayed at the user interface.
  Type: Grant
  Filed: February 11, 2019
  Date of Patent: November 9, 2021
  Assignee: COLORTOKENS, INC.
  Inventors: Arun Chandra Pandey, Natarajan Venkataraman
- Patent number: 11128608
  Abstract: In randomized traffic selection in an IPsec network, a source node sends a packet to a destination node. The packet is encapsulated with an application specific metadata header, and the source node encapsulates the packet in a transport protocol header (UDP/TCP). The application specific metadata header includes information such as a final destination node, a configured number of hops, and a current hop count. A security association associated with an intermediate node is randomly selected by a randomized traffic selector algorithm. The security association is randomly selected from the list of security associations. Upon receiving the packet at the intermediate node, the current hop count is incremented. It is determined that the current hop count is equal to the configured number of hops. The packet is sent to the destination node via the intermediate node based on the randomly selected security association.
  Type: Grant
  Filed: September 25, 2018
  Date of Patent: September 21, 2021
  Assignee: COLORTOKENS, INC.
  Inventors: Vinay Gudur, Abhisek Kumar Shaw, Mallesh Kanderayanahalli Marthandappa
- Patent number: 11095614
  Abstract: A hostname based access configuration system (HNACS) is provided for configuring a host-based firewall to implement firewall policies referencing hostnames. The HNACS defines a hostname based firewall policy (HNFP) referencing a host server using a corresponding hostname instead of an internet protocol (IP) address. The HNACS incorporates the HNFP onto the host-based firewall but renders the HNFP non-implementable on the computing device until a domain name system (DNS) query is generated. If the DNS query includes the hostname in the HNFP, the HNACS determines a mapping between the hostname specified in the DNS query and an IP address corresponding to the hostname (obtained via a DNS response corresponding to the DNS query). Based on the mapping, the HNFP is transformed via an implicit replacement of the hostname in the HNFP with the IP address of the host server, thereby rendering the HNFP executable on the host-based firewall.
  Type: Grant
  Filed: May 14, 2019
  Date of Patent: August 17, 2021
  Assignee: COLORTOKENS, INC.
  Inventors: Jayaraghavendran Kuppannan, Deepak Kushwaha, Natarajan Venkataraman, Puneet Tutliani
- Patent number: 11075892
  Abstract: A point-to-point Virtual Private Network (VPN) tunnel is established for facilitating fully cloaked transmission of a data packet from a source endpoint device to a destination endpoint device. The data packet includes a payload portion, an inner header, and an outer header. An ‘end-to-end key’, a ‘next-hop-destination key’ and a plurality of ‘next-hop’ keys are calculated. The end-to-end key is used at the source endpoint device and the destination endpoint device respectively to encrypt and decrypt the payload portion. The next-hop keys are used to encrypt the inner header during the hop-to-hop communication from one intermediary node to another, along the incrementally constructed path connecting the source endpoint device with the destination endpoint device. The encryption of the payload portion is maintained throughout the hop-to-hop communication regardless of the number of intermediary nodes traversed by the data packet en route to the destination endpoint device.
  Type: Grant
  Filed: March 21, 2019
  Date of Patent: July 27, 2021
  Assignee: COLORTOKENS, INC.
  Inventor: Natarajan Venkataraman
- Patent number: 11063959
  Abstract: In secure and seamless remote access to enterprise applications with zero user intervention, a first set of policies is generated at a controller based on a user role. A user device associated with the user role is in an enterprise network. The first set of policies is pushed from the controller to the security agent in the user device associated with a user, an enterprise server, and a secure remote access gateway. Upon determining that the user device moves to a remote network, a secure connection is initiated by the security agent from the user device to the secure remote access gateway. Upon determining by the controller that the user is authenticated for the secure connection, a second set of policies is generated by the controller for the user device, the enterprise server and the secure remote access gateway. The second set of policies is pushed to the devices.
  Type: Grant
  Filed: December 6, 2018
  Date of Patent: July 13, 2021
  Assignee: COLORTOKENS, INC.
  Inventors: Arun Koshal, Vishal Sharma, Raghavendra Thantradi Nagappa, Sagar Singha
- Patent number: 10992635
  Abstract: A system and method for routing data packets between different overlay networks is disclosed. The method includes receiving a DNS lookup request for a resource from a first computing device coupled to a first overlay network. The first overlay network comprises a first edge application gateway. The method includes identifying a second computing device coupled to a second overlay network comprising the requested resource. The second overlay network comprises a second edge application gateway. The method further includes identifying a third overlay network. The data packets generated at the first computing device are transferred to the first edge application gateway. The data packets are then transmitted between the first edge application gateway and the second edge application gateway over the third overlay network.
  Type: Grant
  Filed: October 17, 2018
  Date of Patent: April 27, 2021
  Assignee: COLORTOKENS, INC.
  Inventors: Anoop Singh Kapoor, Ashish Trivedi, Ravi Voleti, Deepak Mohanty, Mritunjay Kumar
- Patent number: 10965651
  Abstract: Described herein are systems, methods, and software to enhance secure communications between computing systems. In one implementation, a private domain name system (DNS) receives a DNS lookup request from a computing system of a plurality of computing systems associated with a private communication group, and forwards the DNS lookup request to a public DNS. The private DNS further receives a public address associated with the DNS lookup request from the public DNS, translates the public address to a private address, and transfers the private address to the requesting computing system.
  Type: Grant
  Filed: December 20, 2017
  Date of Patent: March 30, 2021
  Assignee: COLORTOKENS, INC.
  Inventors: Anoop Kapoor, Ryan Farjadi, Pankaj Parekh, Ashish Trivedi, Satyam Tyagi, Harish Magganmane, Deepak Mohanty, Ravi Voleti
- Patent number: 10958580
  Abstract: A system and method for performing load balancing over an overlay network is disclosed. The load balancing is performed by a DNS load balancing module communicating with a plurality of computing devices communicatively coupled over the overlay network. The DNS load balancing module calculates and maintains a weighted value of each computing device among the plurality of computing devices based on a plurality of parameters. The DNS load balancing module, on receiving a DNS lookup request for a resource from a first computing device, identifies a list of computing devices among the plurality of computing devices hosting the requested resource. The DNS load balancing module further performs load balancing by selecting a computing device from the list of computing devices for accessing the resource based on the calculated weighted value.
  Type: Grant
  Filed: October 17, 2018
  Date of Patent: March 23, 2021
  Assignee: COLORTOKENS, INC.
  Inventors: Anoop Singh Kapoor, Ashish Trivedi, Ravi Voleti, Deepak Mohanty, Mritunjay Kumar
- Patent number: 10958556
  Abstract: A centralized controller for probing and securing vulnerable network resources is disclosed. A list of services hosted by a resource is received at the controller. A request to probe the list of services hosted on the resource is received by the controller. A probe candidate is determined by the controller. The probing is triggered by the controller based on a user scheduled time. The probing includes sending a probe packet that contains a special marker. The controller sends the list of resources to be probed, for a set of ports and protocols, to the probe candidate. A probe result generated as a result of the probing is received at the controller. The probe result includes vulnerable service information. A policy is computed based on the probe result and is enforced on the probed resources.
  Type: Grant
  Filed: January 20, 2019
  Date of Patent: March 23, 2021
  Assignee: COLORTOKENS, INC.
  Inventors: Hari Hara Sudhan Rajalingam, Kantesh Sakri, Ravi Voleti, Vikas Kumar
- Patent number: 10938777
  Abstract: Whenever an IP packet is routed from a source computing device through a NAT device on the way to a destination computing device, a PCP client transmits a PCP query to a PCP server to determine the external IP address and external port number that have been substituted for the source IP address and source port number previously incorporated within the IP packet. Subsequently, the PCP server responds to the PCP client with the information denoting the mapping between the source IP address-source port number pair and the external IP address-external port number pair. A snooping agent is utilized to firstly snoop on the mapping communicated from the PCP server to the PCP client, and secondly to communicate the mapping information to a policy server incorporating a plurality of predefined firewall rules usable in deducing appropriate PACKET ALLOW/PACKET DROP decisions, based on the mapping information.
  Type: Grant
  Filed: October 9, 2018
  Date of Patent: March 2, 2021
  Assignee: COLORTOKENS, INC.
  Inventor: Natarajan Venkataraman
- Patent number: 10938619
  Abstract: Systems, methods, and software described herein enhance connectivity between computing systems and containers. In one implementation, a method of allocating virtual network interfaces to containers on a host includes transferring, from the host, a request to at least one configuration resource to obtain an address configuration for one or more containers to be executed on the host. The method further provides for receiving an addressing configuration for the one or more containers to be executed on the host, and assigning a virtual network interface to each of the one or more containers based on the addressing configuration.
  Type: Grant
  Filed: August 29, 2017
  Date of Patent: March 2, 2021
  Assignee: COLORTOKENS, INC.
  Inventor: Raghavendra Rachamadugu
- Patent number: 10778636
  Abstract: Techniques to facilitate enhanced addressing of local and network resources from a computing system are provided herein. In one implementation, a method of mapping a virtual address space for an application on a computing system includes, in response to initiating the application, identifying access information for at least one configuration resource. The method further includes transferring a request to the at least one configuration resource for a virtual addressing configuration, and receiving the virtual addressing configuration from the at least one configuration resource. The method further provides, based on the virtual addressing configuration, generating a mapping of virtual addresses for the application to local addresses for local resources and network addresses for network resources.
  Type: Grant
  Filed: June 28, 2017
  Date of Patent: September 15, 2020
  Assignee: COLORTOKENS, INC.
  Inventor: Bharat Sastri
- Patent number: 10776094
  Abstract: A method, system and computer program product are envisaged for facilitating encoding ‘configuration information’ corresponding to a software application within a filename assigned to the software application. The software application is embodied in a ‘computer executable file’, while the corresponding ‘configuration information’ is incorporated into a configuration file. The computer executable file is referenced by a symbolic link, and the symbolic link is assigned a file name. A file path referencing the storage location of the configuration file is created and embedded within the filename. A checksum created on the basis of the filename is also embedded therein. Upon transmission, the symbolic link is accessed by each of the end-point computer devices, which process the symbolic link and access the ‘computer executable file’ and the ‘configuration file’ incorporating configuration information relevant to the ‘computer executable file’.
  Type: Grant
  Filed: July 29, 2018
  Date of Patent: September 15, 2020
  Assignee: COLORTOKENS, INC.
  Inventor: Natarajan Venkataraman