Abstract: First data that identifies forbidden resources hosted outside a network that client devices on the network are not permitted to access, and second data that associates, with each forbidden resource, a permitted resource that the client devices on the network are permitted to access, are maintained. Each permitted resource offers services comparable to those of its associated forbidden resource. A request from a client device for a forbidden resource is intercepted. The request is redirected to the permitted resource associated with the requested forbidden resource.
Abstract: Methods and systems for providing device authentication using device-specific proxy addresses are described. One example method includes associating a particular proxy network address with a device; receiving, over a network, a request to access a network resource, the request being received at the particular proxy network address; authenticating the device based on the particular proxy network address; and after authenticating the device, authenticating a user of the device based on user-specific credentials associated with the user.
Abstract: A device within the network receives a domain name service (DNS) request for an address of a first resource outside the network, the first resource being associated with a security policy of the network. An address of a second resource within the network is returned to the device within the network in response to the DNS request, the second resource address having previously been associated with the first resource address. A first encrypted connection is established between the device and the second resource, and a second encrypted connection is established between the second resource and the first resource, to facilitate encrypted communication traffic between the device and the first resource. The encrypted communication traffic passing between the device and the first resource is selectively decrypted and inspected depending on the address of the first resource.
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for allocating a pool of shared Internet bandwidth. One of the methods includes providing a first communications channel having a first bandwidth, the first bandwidth being shared by a first group of first users, providing a second communications channel having a second bandwidth different than the first bandwidth, the second bandwidth being shared by a second group of second users, detecting that at least one first data connection for a particular first user in the first group has satisfied a first predetermined condition, and moving, based on the detecting, the at least one first data connection for the particular first user from the first communications channel to the second communications channel.
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for prioritizing content classification categories. One of the methods includes maintaining two or more content categories including a first content category and a second content category, each content category having an associated score, receiving, from a user device, a request to access a resource, the resource being associated both with the first content category and with the second content category, determining a content access policy for the user device to the resource based on the respective scores associated with the first and second content categories, and selectively permitting or denying access to the resource by the user device depending on the determined content access policy.
Abstract: An application that is capable of monitoring Internet or network traffic and recording a computer's video output based on network activity thresholds. The recording application is typically not installed on the computer to be recorded, although it can reside on that computer. The application contains a configuration interface that allows a user to set thresholds for certain types of network activity usage. When a threshold is reached, the application begins a video recording of the computer's video activity, which is stored for later use. The application can be configured with settings such as the length of the recording. For example, the application may be a hardware appliance capable of monitoring web activity and network traffic that connects to the computer over the network in order to perform the recording. The computer to be recorded can have specific software capable of capturing the video.
Abstract: Methods and systems for providing destination-specific network management are described. One example method includes identifying a data movement rule associated with a set of one or more computers, the data movement rule including one or more criteria identifying restricted data movement, and one or more actions to take when a computer from the set of computers violates the data movement rule, detecting a data movement associated with a computer from the set of computers, the data movement including data being transferred from the computer to a destination, determining that the detected data movement violates the data movement rule, and performing the one or more actions associated with the data movement rule upon determining that the data movement violates the data movement rule.
Abstract: This specification generally relates to controlling access of a device to a network based on the detection of a network application running on the device. One example method includes maintaining one or more application profiles, each application profile associated with one or more network activities in a network; detecting one or more network activities associated with a device connected to the network; determining that the one or more detected network activities associated with the device substantially match network activities associated with a predetermined application profile; and denying network access by the device to the network based upon the determination.
Abstract: At a gateway within a network, a message containing content is received. The message conforms to a protocol that specifies a format of the content, the message having been sent from a server outside the network to a client within the network. The message is routed from the gateway to the client. The message is analyzed to determine whether the content is static. Depending on a result of the analyzing, the content is selectively caused to be stored in the format specified by the protocol in a cache within the network.