Patents Assigned to Enterasys Networks, Inc.
  • Patent number: 6990592
    Abstract: Controlling a user's usage of network resources, after the user has been authenticated, without using any network resources beyond the user's entry point to the network. A plurality of users may be connected to an entry point of a network of a network device by a shared transmission medium. Each user's usage of network resources is controlled, after such user has been authenticated, without using any network resources beyond such user's entry point to the network. For each one or more users, packet rules may be provisioned to the user's entry point to the network, where such entry point may be shared with other users. The packet rules may be applied to each packet received from the user before any network resources beyond the entry point are used. These packet rules may be associated with an identity of the user and then provisioned to the user's entry point in response to the user being authenticated.
    Type: Grant
    Filed: September 20, 2002
    Date of Patent: January 24, 2006
    Assignee: Enterasys Networks, Inc.
    Inventors: James Richmond, David L. Kjendal
  • Publication number: 20050278565
    Abstract: Systems and methods are provided for preserving the privacy of data contained in mirrored network traffic. The mirrored network traffic may comprise data that may be considered confidential, privileged, private, or otherwise sensitive data. For example, the data payload of a frame of mirrored network traffic may include private Voice over IP (VoIP) communications between users on one or more networks. The present invention provides various techniques for securing the privacy of data contained in the mirrored network traffic. Using the techniques of the present invention, network traffic comprising confidential, privileged, private, or otherwise sensitive data may be mirrored in such a manner as to provide for the privacy of such data over at least a portion if not all of the mirrored communications between the mirror source point and the mirror destination point.
    Type: Application
    Filed: March 8, 2005
    Publication date: December 15, 2005
    Applicant: Enterasys Networks, Inc.
    Inventors: David Frattura, Richard Graham, John Roese
  • Publication number: 20050266723
    Abstract: A plug assembly is provided with integral optical indication. The plug assembly includes a housing having a leading portion and a trailing portion. The leading portion is configured for information exchanging engagement with an internally illuminated receptacle sized and shaped to releasably receive said leading portion therein. The receptacle is configured to radiate light onto the leading portion of the plug. This leading portion includes a light collector configured to receive the light, which is then conveyed via an optical coupling to an optical indicator located on the trailing portion of the plug assembly. The indicator has optical properties distinct from those of said trailing portion to facilitate viewing.
    Type: Application
    Filed: June 1, 2004
    Publication date: December 1, 2005
    Applicant: Enterasys Networks, Inc.
    Inventors: Richard Graham, Martin Thornton, Thomas Stewart, William Ferland
  • Publication number: 20050108568
    Abstract: A system and method to respond to intrusions detected on a network system including attached functions and a network infrastructure. The system includes means for receiving from an intrusion detection function information about intrusions, a directory service function for gathering and reporting at least the physical and logical addresses of devices of the network infrastructure associated with the detected intrusions, and a plurality of distributed enforcement devices of the network infrastructure for enforcing policies responsive to the detected intrusions. A policy decision function evaluates the reported detected intrusions and makes a determination whether one or more policy changes are required on the enforcement devices in response to a detected intrusion. A policy manager function configures the distributed enforcement devices with the responsive changed policy or policies.
    Type: Application
    Filed: November 14, 2003
    Publication date: May 19, 2005
    Applicant: Enterasys Networks, Inc.
    Inventors: Richard Bussiere, Mark Townsend, Steven Pettit, David Harrington, John Roese, Richard Graham
  • Patent number: 6892309
    Abstract: A user's usage of network resources is controlled, after the user has been authenticated, without using any network resources beyond the user's entry point to the network. Packet rules may be provisioned to the user's entry point to the network, and the packet rules may be applied to each packet received from the user before any network resources beyond the entry point are used. These packet rules may be associated with an identity of the user and then provisioned to the user's entry point in response to the user being authenticated. Usage of network resources of a communications network by a user beyond a network device of the communications network that serves as the user's entry point to the communications network is controlled. The port module of the network device is configured with one or more packet rules corresponding to an identity of the user.
    Type: Grant
    Filed: February 8, 2002
    Date of Patent: May 10, 2005
    Assignee: Enterasys Networks, Inc.
    Inventors: James Richmond, Paula Jane Dunigan, David L. Kjendal, Steven A. Pettit
  • Publication number: 20050076245
    Abstract: A system and method for the dynamic distribution of intrusion signatures to aid in protecting a network system from harmful activities. An analysis function includes means for identifying one or more intrusion signatures to be dynamically distributed to an intrusion detection function for monitoring. The analysis function and/or the intrusion detection function may be centralized or distributed. Monitoring may be prioritized, localized, and made operational or non-operational. The intrusion detection function may be embodied in either or both of an appliance and a network forwarding device. The analysis function may distribute the intrusion detection function in addition to the intrusion signatures. In one embodiment of the invention, the system includes an intrusion detection function and a dynamic intrusion signatures function. The intrusion detection function monitors for and reports detected intrusion signatures.
    Type: Application
    Filed: October 1, 2004
    Publication date: April 7, 2005
    Applicant: Enterasys Networks, Inc.
    Inventors: Richard Graham, John Roese
  • Patent number: 6865154
    Abstract: A system is described where delay and bandwidth guarantees are implemented with a crossbar switch. A rate controller is provided as a front-end to a crossbar switch with an arbiter running a work-conserving arbitration algorithm. The system provides bandwidth and delay guarantees to all properly behaving flows independently of improperly behaving flows.
    Type: Grant
    Filed: February 25, 1999
    Date of Patent: March 8, 2005
    Assignee: Enterasys Networks, Inc.
    Inventors: Anna Charny, Pattabhiraman Krishna, Naimish Patel
  • Publication number: 20050027837
    Abstract: A system and method that provides dynamic network policy management. The system enables a network administrator to regulate usage of network services upon initiation of and throughout network sessions. The system employs a method of identifying selectable characteristics of attached functions to establish static and dynamic policies, which policies may be amended before, during and after any session throughout the network based on the monitored detection of any of a number of specified triggering events or activities. Particular policies associated with a particular identified attached function in prior sessions may be cached or saved and employed in subsequent sessions to provide network usage permissions more rapidly in such subsequent sessions. The cached or saved policy information may also be used to identify network usage, control, and security. The system and method of the present invention provides static and dynamic policy allocation for network usage provisioning.
    Type: Application
    Filed: July 29, 2003
    Publication date: February 3, 2005
    Applicant: Enterasys Networks, Inc.
    Inventors: John Roese, Richard Graham
  • Patent number: 6850490
    Abstract: The packet-buffering system and method of the present invention enables communication devices incorporating a full-mesh architecture to achieve bandwidth aggregation levels ordinarily associated with partial-mesh architectures. The packet-buffering invention uses a hierarchical memory structure having first and second packet-buffers to buffer packets between the input and output ports of the communication device. The received packets are organized by output port and priority level in the first packet buffer, which operates at the aggregate network rate of the communication device. The packets are then funneled to second packet buffers, having corresponding priority and output port assignments, at less than the aggregate network rate and which exhibit buffer depths that exceed that of the first packet buffer.
    Type: Grant
    Filed: October 6, 2000
    Date of Patent: February 1, 2005
    Assignee: Enterasys Networks, Inc.
    Inventors: Leon K. Woo, Robert Ryan
  • Patent number: 6822966
    Abstract: A network communication device for directing data units over a communication network includes at least one input and/or output port arranged to receive and/or transmit data units, a plurality of buffer units divided into several sub-pools, and a buffer allocator for allocating buffer units between the sub-pools. The buffer allocator is arranged to determine a priority value for each sub-pool based on quality of service for each connection established at at least one port. The buffer allocator is also arranged to determine a utilization value of the port, and arranged to allocate buffer units for each sub-pool based on the priority value and based on the utilization value. The buffer allocator creates a precedence list to ensure that a minimal number of connections, which are established at a most utilized port, will suffer data unit loss while receiving the data units.
    Type: Grant
    Filed: March 1, 1999
    Date of Patent: November 23, 2004
    Assignee: Enterasys Networks, Inc.
    Inventors: Sivarama Seshu Putcha, Wallace Matthews
  • Publication number: 20040205072
    Abstract: A user interface enables a user to concurrently select a plurality of network objects of a network object database (e.g., a MIB) from a same network device or different network devices and specify a value, only once, to which to set the selected objects. The user can initiate setting of the selected objects on the one or more devices by specifying only once that the objects on such devices be set to the specified value. The user interface, which may include a GUI, may be configured to enable the user to specify a value for a cell of a first table (“editing table”), in response to which a plurality of cells of a second table (“primary table”) are set equal to the specified value. The primary table may represent a view of a network object database, each column of the view representing an object type of the network object database.
    Type: Application
    Filed: July 25, 2003
    Publication date: October 14, 2004
    Applicant: Enterasys Networks, Inc.
    Inventors: James P. Richmond, Steven Charles Bir, David Scott Grieve, Brian Stanley Locke, Christopher McClain, Daniel Timothy Murphy
  • Publication number: 20040158735
    Abstract: A system and method to authenticate attached functions seeking access to network services through a network entry device. The system includes a relay function of the network entry device for forwarding authentication messages to a device having full IEEE Standard 802.1X Port Access Entity (PAE) functionality. The relay function directs authentication information to the PAE device to perform the authentication function pursuant to that standard. The relay function eliminates the need for the network entry device to operate as a PAE device. The relay function may forward the authentication messages in a form compatible with IEEE Standard 802.1D or IEEE Standard 802.1Q.
    Type: Application
    Filed: October 17, 2003
    Publication date: August 12, 2004
    Applicant: Enterasys Networks, Inc.
    Inventor: John J. Roese
  • Publication number: 20040153966
    Abstract: A user is enabled to edit a table defining a view of a network object database, for example, a MIB. The user can select from among a plurality of network object types and select from among a plurality of columns of the table. At least one column of the table is specified by the user and edited to represent a network object type specified by the user. The view definition can be extracted from the application and transported to another device where it can be edited and/or viewed using a suitable application. Such portable view definition may be defined as part of a document, for example, a document formatted in accordance with a markup language, such as XML. Such document may include information for requesting objects to populate the view, which may be used to construct requests (e.g., SNMP requests) to retrieve objects from one or more network devices.
    Type: Application
    Filed: July 25, 2003
    Publication date: August 5, 2004
    Applicant: Enterasys Networks, Inc.
    Inventors: James P. Richmond, Steven Charles Bir, David Scott Grieve, Brian Stanley Locke, Christopher McClain, Daniel Timothy Murphy
  • Patent number: 6754171
    Abstract: Protection from a distributed clock failure in a packet switched network device involves monitoring primary clocking information that is received from an input port of the network device, distributing the clocking information to an output port for use in synchronous transmissions, and supplying backup clocking information from within the packet switched network device to the output port if the primary clocking information fails. In an embodiment, the integrity of the primary clocking information is directly monitored in hardware and the backup clocking information is provided by a local clock source that is located within the network device. If a failure in the primary clocking information is detected, the backup clocking information is supplied to the output port from the local clock source.
    Type: Grant
    Filed: May 18, 2000
    Date of Patent: June 22, 2004
    Assignee: Enterasys Networks, Inc.
    Inventors: Daniel J. Bernier, Deborah E. Edin, Stewart G. Kenly
  • Publication number: 20040104939
    Abstract: Assisting a user to navigate through a performance of a task, the task including a plurality of sub-tasks. Two or more of the sub-tasks are serially presented on a graphical user interface. Each of the two or more sub-tasks is displayed in a respective area of the graphical user interface. For each of the two or more sub-tasks, the user is enabled to perform the sub-task by entering information into the respective area of the sub-task as the sub-task is presented. While the two or more sub-tasks are being presented, a sub-task list of items is displayed to the user on the graphical user interface. Each item represents a respective one of the plurality of sub-tasks. Displaying the sub-task list includes displaying, within at least one of the items, information corresponding to the sub-task represented by the at least one item.
    Type: Application
    Filed: November 20, 2003
    Publication date: June 3, 2004
    Applicant: Enterasys Networks, Inc.
    Inventors: Brian Stanley Locke, Gail M. Breck, David Alexander Brousseau, Ronald S. Fitzpatrick, Paul Playdon, Kiet H. Tran, Kevin Allen White
  • Publication number: 20040081203
    Abstract: A method and apparatus are provided for creating a virtual hierarchical local area network. The method and apparatus provide a hierarchical framing technique that allows a network architecture to realize a local area network hierarchy within the network. In this manner, a first local area network hierarchy is defined by communication in a first frame format between a first set of network devices and a second set of network devices. A second local area network hierarchy is defined by communication in a second frame format between members of the second set of network devices. The second frame format includes the fields of a frame in the first frame format that is used to communicate between the first set of communication devices and the second set of communication devices.
    Type: Application
    Filed: July 16, 2003
    Publication date: April 29, 2004
    Applicant: Enterasys Networks, Inc.
    Inventors: Arnold Sodder, Timothy Mancour, Louis Didiodato
  • Patent number: 6711171
    Abstract: Method and apparatus providing connection-oriented services for packet switched data communications networks. Directory services include distributed discovery of MAC addresses and protocol alias addresses. Topology services include a link state topology exchange among switches, which provides each switch with a complete topology graph of the network. This enables an access switch receiving a data packet to determine a complete path from a source end system to a destination end system. Another service includes resolution of broadcast frames to unicast frames, in order to reduce the amount of broadcast traffic. Policy restrictions may be applied prior to connection setup. Path determination services enable multiple paths from a source to a destination. Connection management includes source routed mapping of connections on the desired path.
    Type: Grant
    Filed: October 19, 1998
    Date of Patent: March 23, 2004
    Assignee: Enterasys Networks, Inc.
    Inventors: Kurt Dobbins, Thomas A. Grant, David A. Ruffen, Laura Kane, Theodore Len, Philip Andlauer, David H. Bahi, Kevin Yohe, Brendan Fee, Chris Oliver, David L. Cullerot, Michael Skubisz
  • Publication number: 20040049693
    Abstract: A host-based intrusion detection system (HIDS) sensor that monitors system logs for evidence of malicious or suspicious application activity running in real time and monitors key system files for evidence of tampering. This system detects attacks targeted at the host system on which it is installed and monitors output to the system and audit logs. It is signature-based and identifies and analyzes system and audit messages for signs of system misuse or attack. The system monitors the logs of applications running on the host, including mail servers, web servers and FTP servers. The system also monitors system files and notifies the system administrator when key system and security files have been accessed, modified or even deleted.
    Type: Application
    Filed: September 11, 2002
    Publication date: March 11, 2004
    Applicant: ENTERASYS NETWORKS, INC.
    Inventor: Kevin Douglas
  • Patent number: 6650639
    Abstract: In a secure fast packet switch having a plurality of input ports and a plurality of output ports, a method of determining which port in the plurality of output ports data that is received on one input port in the plurality of input ports is to be sent to, the method including the steps of determining a physical layer address of a sending node, determining a physical layer address of a receiving node, determining an input port in the plurality of input ports that the data was received on, determining if the physical layer address of the sending node and the physical layer address of the receiving node are an allowed combination, determining the magnitude of the node identification number of the sending node, determining the magnitude of the node identification number of the receiving node, obtaining outbound port information from a first predetermined location in a data structure stored in a memory if the node identification number of the sending node is greater than the node identification number of the recei
    Type: Grant
    Filed: May 24, 2000
    Date of Patent: November 18, 2003
    Assignee: Enterasys Networks, Inc.
    Inventors: James P. Doherty, Andrew Grimes
  • Patent number: 6621799
    Abstract: A new type of communication protocol provides semi-reliable transport of data over a data channel, such as over the Internet. The new type of protocol limits the number of retransmissions of unsuccessfully delivered data and may eventually “give up” on successfully delivering particular data and go on sending subsequent data to the destination. When a reliable communication protocol, such as TCP/IP, is tunneled between two computers over a virtual connection which uses the new type of semi-reliable protocol, overall error control of data passing between the two computers involves elements of error control implemented by both the semi-reliable protocol and the reliable protocol. This overall error control can provide higher throughput than provided by using either a completely reliable protocol (e.g., TCP) for the virtual connection, or a completely unreliable protocol (e.g., UDP) for the virtual connection.
    Type: Grant
    Filed: October 5, 1998
    Date of Patent: September 16, 2003
    Assignee: Enterasys Networks, Inc.
    Inventors: Bradford H. Kemp, Benjamin E. McCann