Patents Assigned to Juniper Networks
  • Patent number: 7904479
    Abstract: Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record, processing the log record including deriving a key to a table, determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique. One or more entries of the table are evaluated based on predetermined criteria to detect attempted security breaches.
    Type: Grant
    Filed: December 6, 2007
    Date of Patent: March 8, 2011
    Assignee: Juniper Networks, Inc.
    Inventor: Nir Zuk
  • Publication number: 20110055921
    Abstract: A network security device performs a three-stage analysis of traffic to identify malicious clients. In one example, a device includes an attack detection module to, during a first stage, monitor network connections to a protected network device, during a second stage, to monitor a plurality of types of transactions for the plurality of network sessions when a parameter for the connections exceeds a connection threshold, and during a third stage, to monitor communications associated with network addresses from which transactions of the at least one type of transactions originate when a parameter associated with the at least one type of transactions exceeds a transaction-type threshold. The device executes a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds a client-transaction threshold.
    Type: Application
    Filed: October 28, 2009
    Publication date: March 3, 2011
    Applicant: Juniper Networks, Inc.
    Inventors: Krishna Narayanaswamy, Bryan Burns, Venkata Rama Raju Manthena
  • Patent number: 7899068
    Abstract: A system determines a scheduling value based on a current length of a downstream queue in a network device. The system sends the scheduling value from the downstream queue to an upstream queue and schedules dequeuing of one or more data units, destined for the downstream queue, from the upstream queue based on the scheduling value.
    Type: Grant
    Filed: October 9, 2007
    Date of Patent: March 1, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Qingming Ma, Jiaxiang Su
  • Patent number: 7899929
    Abstract: A system aggregates connections to multiple customer devices. The system receives data, performs switching functions on the data when the data is to be transmitted in a first direction, performs routing functions on the data when the data is to be transmitted in a second direction, and transmits the data in the first or second direction.
    Type: Grant
    Filed: June 1, 2004
    Date of Patent: March 1, 2011
    Assignee: Juniper Networks, Inc.
    Inventor: Nurettin Burcak Beser
  • Patent number: 7898966
    Abstract: A router detects a network attack and forwards traffic associated with the network attack to a discard interface. The router applies one or more filters to calculate traffic flow statistics for the traffic forwarded to the discard interface. The router may exchange routing communications with one or more other routers to alert the routers of the network attack. For example, the router may generate a routing communication in accordance with a routing protocol that advertises a route to the targeted device, and includes a policy tag that indicates the existence of a network attack. The other routers update forwarding information in accordance with the advertised route, and automatically forward traffic to respective discard interfaces based on the policy tag, thereby diffusing the network attack.
    Type: Grant
    Filed: April 28, 2009
    Date of Patent: March 1, 2011
    Assignee: Juniper Networks, Inc.
    Inventor: Jeffrey Yi Dar Lo
  • Patent number: 7898985
    Abstract: A network device includes a memory, a routing engine and a forwarding engine. The memory stores a forwarding table and the routing engine constructs a first composite next hop that includes multiple next hops, where each of the multiple next hops represents an action to be taken on a data unit as it transits the network device or represents another composite next hop, and where the first composite next hop specifies a function to be performed on the plurality of next hops. The routing engine further stores the composite next hop in an entry of the forwarding table. The forwarding engine retrieves the composite next hop from the forwarding table, and forwards a data unit towards one or more network destinations based on the composite next hop.
    Type: Grant
    Filed: April 23, 2008
    Date of Patent: March 1, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Kaushik Ghosh, Kireeti Kompella
  • Patent number: 7899927
    Abstract: Plural arbiters arbitrate over a set of queues. The arbiters are constructed as a series of pipelined stages. Conflict detection logic detects conflicts among the arbiters in arbitrating across the queues, and, when a conflict is detected, the conflict detection logic alters processing related to conflicting queues in one arbiter when another arbiter has not passed a predetermined commit point in processing the queue.
    Type: Grant
    Filed: June 25, 2009
    Date of Patent: March 1, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Debashis Basu, Avanindra Godbole
  • Patent number: 7899930
    Abstract: A standalone router is integrated into a multi-chassis router. Integrating the standalone router into a multi-chassis router requires replacing switch cards in the standalone router with multi-chassis switch cards. The multi-chassis switch cards forward packets to a central switch card chassis for routing within the multi-chassis router. By incrementally replacing standalone switch cards with multi-chassis switch cards in the standalone router, packet forwarding performance is maintained during the integration.
    Type: Grant
    Filed: February 8, 2008
    Date of Patent: March 1, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Steve W. Turner, Sriram Raghunathan, Jeffrey M. DiNapoli, Umesh Krishnaswamy, Anurag P. Gupta
  • Patent number: 7894352
    Abstract: Detecting if a label-switched path (LSP) is functioning properly. To test that packets that belong to a particular Forwarding Equivalence Class (FEC) actually end their MPLS LSP on a label switching router (LSR) that is an egress for that FEC, a request message carrying information about the FEC whose LSP is being verified may be used. The request message may be forwarded like any other packet belonging to that FEC. A basic connectivity test as well as a fault isolation test are supported. In a basic connectivity test mode, the packet should reach the end of the LSP, at which point it is sent to the control plane of the egress LSR. The LSR then verifies that it is indeed an egress for the FEC. In a fault isolation test mode, the packet is sent to the control plane of each transit LSR, which performs various checks that it is indeed a transit LSR for the LSP. The transit LSR may also return further information that helps check the control plane against the data plane, i.e.
    Type: Grant
    Filed: December 8, 2008
    Date of Patent: February 22, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Kireeti Kompella, Ping Pan, Nischal Sheth
  • Patent number: 7889741
    Abstract: In one embodiment, a method includes accessing a condition test vector, selecting a key from a plurality of keys, and determining whether the key selected and a condition value satisfy a condition relation. The accessing being based on an index value. The condition test vector including a first plurality of bit values defining the condition relation, a second plurality of bit values defining a key selector, and a third plurality of bit values defining the condition value. The selecting being based on the second plurality of bit values. Each key from the plurality of keys including a combination of bit values representing a portion of a data packet. A result is defined based on the determining.
    Type: Grant
    Filed: December 31, 2008
    Date of Patent: February 15, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Ramesh Panwar, Deepak Goel, Jianhui Huang, Srinivasan Jagannadhan
  • Patent number: 7890637
    Abstract: This disclosure relates to a secure network device for multi-homed devices. An example network device includes a state table, an association establishment module, and an inspection module. The state table is configured to store information for communication associations between devices. The association establishment module is configured to process a request to establish a communication association between a first device and a second device and to store state information for the communication association in the state table. The first device and the second device each comprise a multi-homed device associated with a plurality of Internet Protocol (IP) addresses, and the state information includes the IP addresses associated with the first device and the IP addresses associated with the second device. The inspection module is configured to secure the communication association between the first device and the second device by using the state information that is stored in the state table.
    Type: Grant
    Filed: February 25, 2008
    Date of Patent: February 15, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Ying Zhang, Jesse Shu, Krishna Narayanaswamy
  • Patent number: 7889711
    Abstract: Filters are selectively applied to packets depending on forwarding equivalence classes (FECs) of the packets. A FEC filter is defined within the network device and qualified by incoming interface information that identifies source sites of the packets. A label distribution protocol (LDP) FEC is configured such that packets of the given FEC are associated with the FEC filter. The FEC identifies a destination site of the packets received by the router and is automatically combined with incoming interface information. In this way, packet flows may be filtered based on FECs of the packets. FEC filters may be further refined to operate at forwarding class granularity. The techniques allow accurate billing of packets traveling between specific source and destination sites regardless of the number of interfaces of the network device the packets utilize. In addition, the filtering can be used to provide anti-spoofing capabilities.
    Type: Grant
    Filed: July 29, 2005
    Date of Patent: February 15, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Ina Minei, James Washburn, Shivani Aggarwal
  • Patent number: 7889652
    Abstract: A system distributes extended traffic accounting information of bandwidth availability on links throughout a network. For example, routers within the network utilize an extended reservation protocol to calculate bandwidth availability information for links. In calculating the bandwidth availability information, the extended reservation protocol accounts for not only the amount of bandwidth reserved on each of the links via the resource reservation protocol itself, but also for the bandwidth usage by other traffic on the links, such as Label Distribution Protocol (LDP) traffic or Internet Protocol (IP) traffic. The routers exchange bandwidth availability information using a routing protocol to gain network-wide knowledge of bandwidth availability.
    Type: Grant
    Filed: July 23, 2009
    Date of Patent: February 15, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Ina Minei, Pedro R. Marques
  • Patent number: 7886061
    Abstract: Requests from a client to a network device are authenticated based on a session ID obtained by the network device. Requests may be authenticated by obtaining a session ID value when a session is initiated and transmitting a document to the client that embeds the session ID in such a manner that additional requests to the network device based on the document include the session ID in the request. The additional requests are authenticated based on a determination of whether the session ID is included in the additional requests.
    Type: Grant
    Filed: January 27, 2009
    Date of Patent: February 8, 2011
    Assignee: Juniper Networks, Inc.
    Inventor: Chunqing Cheng
  • Patent number: 7885194
    Abstract: A network device may include logic configured to receive a problem report from a second network device, where the problem report includes event data, determine at least one of an action to perform or whether reconfiguration information is associated with the event data in the received problem report and add information to the received problem report to provide a reformatted problem report and transmit the reformatted problem report to a third network device when it is determined that reconfiguration information is not associated with the event data in the problem report.
    Type: Grant
    Filed: August 22, 2008
    Date of Patent: February 8, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Dogu Narin, Siobhan Tully, David Payne
  • Patent number: 7886335
    Abstract: In general, techniques are described for managing multiple access policies in a network access control system. An endpoint device may send, to a policy decision point (“PDP”), a request to communicate on a network. When the PDP receives such an access request, the PDP typically identifies a set of access policies to be enforced with regard to the endpoint device and causes the identified access policies to be enforced with regard to the endpoint device. These access policies may specify rights to communicate on networks and/or rights to communicate with server resources and/or endpoint configuration requirements. However, because the endpoint device may issue multiple access requests, conflicting sets of access policies may potentially be enforced with regard to the endpoint device. The techniques described herein ensure that only a consistent set of access policies are enforced with regard to the endpoint device when accessing the network.
    Type: Grant
    Filed: July 12, 2007
    Date of Patent: February 8, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Roger A. Chickering, Paul Funk, Paul J. Kirner
  • Patent number: 7885066
    Abstract: A front-to-back cooling system allows cooling of an apparatus containing two orthogonal sets of modules. A vertical set of modules is cooled with vertical air flow across the modules that enters from a front of the apparatus and exits from the back of the apparatus. A horizontal set of modules is cooled with air flow that passes through openings in a midplane connecting the two sets of modules.
    Type: Grant
    Filed: July 17, 2008
    Date of Patent: February 8, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Demick Boyden, Pradeep Sindhu, Keith J. Hocker
  • Patent number: 7886175
    Abstract: A device may include a processor to execute a thread. The processor may be further configured to execute a set of wrappers that are called from within the thread to invoke a set of one-shot signal objects to generate delayed signals. Each of the set of wrappers may be configured to detect whether different ones of one-shot signal objects that were invoked from within the thread have generated signals at periodic time intervals, determine a delay to be used for invoking one of the set of one-shot signal objects, and invoke the one of the set of one-shot signal objects to generate one of the delayed signals based on the delay when the different ones of one-shot signal objects have generated signals at periodic time intervals. The processor may be further configured to receive the delayed signals generated from the set of one-shot signal objects over a time period.
    Type: Grant
    Filed: March 5, 2008
    Date of Patent: February 8, 2011
    Assignee: Juniper Networks, Inc.
    Inventor: Jeffrey C Venable, Sr.
  • Patent number: 7885281
    Abstract: A system determines bandwidth use by queues in a network device. To do this, the system determines an instantaneous amount of bandwidth used by each of the queues and an average amount of bandwidth used by each of the queues. The system then identifies bandwidth use by each of the queues based on the instantaneous bandwidth used and the average bandwidth used by each of the queues.
    Type: Grant
    Filed: March 12, 2010
    Date of Patent: February 8, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Pradeep Sindhu, Debashis Basu, Jayabharat Boddu, Avanindra Godbole
  • Patent number: 7882538
    Abstract: In general, the principles of this invention are directed to techniques of locally caching endpoint security information. In particular, a local access module caches endpoint security information maintained by a remote server. When a user attempts to access a network resource through an endpoint device, the endpoint device sends authentication information and health information to the local access module. When the local access module receives the authentication information and the health information, the local access module controls access to the network resource based on the cached endpoint security information, the authentication information, and a security state of the endpoint device described by the health information.
    Type: Grant
    Filed: February 2, 2006
    Date of Patent: February 1, 2011
    Assignee: Juniper Networks, Inc.
    Inventor: Matthew Palmer