Abstract: An apparatus and method is provided for facilitating the seamless handoff of IP connections between access routers in an IP network. The mobile IP network includes two or more access routers each serving a different geographic service area. When a mobile terminal moves from the first service area to the second service area, the mobile terminal transmits to the second access router the IP address of the previous access router. The second access router uses this information to learn capabilities of the first access router (e.g., bandwidths supported, security schemes, and the like) for use in future handoff decisions, and exchanges capability information with the first access router. The assumption is made based on the exchanged information that the access routers are geographically proximate.

Abstract: A method is described that involves presenting packet header information from a packet and packet size information for the packet to a pipeline that comprises multiple stages. One of the stages identifies, with the packet header information, where input flow information for the packet is located. The input flow information is then fetched. The input flow information identifies where input capacity information for the packet is located and the input capacity information is then fetched. Another of the stages compares an input capacity for the packet with the packet's size and indicates whether the packet is conforming or non-conforming based upon the comparison. The input capacity is calculated from the input capacity information.

Abstract: Systems and methods are disclosed for marking a packet with a precedence value in a TCP-friendly way. One system and method marks packets with a precedence value based on a probability function. Another system and method marks packets with one of three precedence values based on network traffic but enables interleaving of differently marked packets when a certain number of packets have been successively marked with a low or medium precedence value.

Abstract: Methods and systems for selectively capturing content and delivering the captured content to mobile communications devices via wireless communications are disclosed. In some embodiments, a mobile unit sends a request for content to a nearby content server, to which the content server may respond with a list of available content items. The mobile unit may send a second, refined request for a specific content item. The content server may send the requested content item to the mobile unit, or the content server may send a pointer to the mobile unit, which indicates a network location from which a user may later retrieve the actual content item. In another embodiment, a mobile unit sends a request to a content server for presently displayed content. The content server may capture a screen image and send the captured image to the mobile unit. Alternatively, the content server may send the file in a native file format of the file from which the displayed content was generated.

Abstract: The invention provides a two-phase hash value matching technique in message protection systems. This invention further improves the performance of message protection systems by avoiding computations associated with sophisticated signature hash value (SSHV) where possible. A message protection system that implements the two-phase hash value matching technique caches rough outline hash values (ROHVs) of previously scanned objects. The system can roughly distinguish one object from another using ROHVs. The system performs an initial check using ROHVs before performing the relatively time-consuming computations associated with SSHVs.

Abstract: A system and method is directed to detecting tampering of a computer system's operating system (OS). The OS includes a kernel binary and at least one user level binary. When the user level binary is generated, selected integrity data is also generated. Such integrity data may include, but is not limited to, a digital signature, a hash associated with the user level binary, and the like. In one embodiment, integrity data is also generated for the kernel. The kernel is modified to include the integrity data associated with the user level binary. The kernel further includes a tamper detector that is configured to examine the OS binary against its associated integrity data. If tampering is detected, the tamper detector may provide a message indicating which OS binary may have been modified. The tamper detector may also quarantine the modified OS binary, log the message, and the like.

Abstract: Apparatus, system, method and computer program product for verifying the integrity of remote network devices that request access to network services and resources. Unintended computer programs such as viruses, worms, or Trojan horses, may compromise remote devices. The invention involves downloading verification software over the web into the web browser of a client for the purpose of performing checks to verify the integrity and security of the client's device or system. The results of such checks are returned over the web to be used in security decisions involving authentication and the grant of authorization to access services and resources.

Abstract: The present invention provides cluster management from a single application. A user may perform management tasks on all of the devices within the cluster using a GUI or a CLI. The system automatically discovers the members of the cluster and acquires a configuration lock on the devices preventing other users from performing conflicting operations. If a problem occurs during a configuration, the devices may be rolled back to a previous working configuration. A message format is provided to help ensure message integrity beyond the security provided by a secure transport. An aggregator aggregates configuration information and motored data and allows the information to be presented according to a user's requirements.

Abstract: The invention provides a system and method for updating network appliances using urgent update notifications. The network appliances periodically initiates connection to “poll” updates from the update server and the update server collects IP addresses from the connections and updates an IP address log. The update server obtains updates for the network appliances and determines whether a particular update is urgent. When an urgent update is available, the server delivers an urgent update notification (UUN) to each known network appliance through an existing port used for messaging. Each network appliance receives the UUN and distinguishes it from other messages. In response to the UUN, each network appliance automatically connects to the server, obtains the urgent update and installs the urgent update.

Abstract: The present invention clones configuration information onto a device joining a cluster. A Configuration Acquisition System (CAS) component, which, using a list of attributes to be cloned, connects to a cluster member, interacts with the cluster member to retrieve all the attributes, reconciles the values of the attributes from the cluster member with the values of the attributes in its own configuration and applies the reconciled configuration to its Configuration Subsystem.

Abstract: The present invention is directed at rebooting a cluster while maintaining cluster operation. Cluster operation is automatically maintained during the reboot since at least one member of the cluster stays active during the process. An administrator triggers the reboot process and then does not have to perform any other steps during the reboot process. An algorithm executes which reboots members of the cluster at different times, while always maintaining operation of at least one member of the cluster.

Abstract: A mobile or other device connects to a server via a publicly accessible network such as the Internet. After installation upon the device, a virtual private network (VPN) client connects to the server and downloads a VPN profile. In one embodiment the device creates public/private key pairs and requests enrollment of a digital certificate. In another embodiment a digital certificate and public/private key pairs are provided. The device also receives a digital certificate from the server and verifies the server certificate by requesting the user to supply a portion of a fingerprint for the certificate. The invention further includes an automatic content updating (ACU) client that downloads a user profile for the VPN, requests certificate enrollment, and updates the VPN client and other applications when new content is available. A security service manager (SSM) server includes, or is in communication with, a Web server, multiple databases, an enrollment gateway and an internal certification authority (CA).

Abstract: A mobile or other device connects to a server via a publicly accessible network such as the Internet. After installation upon the device, a virtual private network (VPN) client connects to the server and downloads a VPN profile. In one embodiment the device creates public/private key pairs and requests enrollment of a digital certificate. In another embodiment a digital certificate and public/private key pairs are provided. The device also receives a digital certificate from the server and verifies the server certificate by requesting the user to supply a portion of a fingerprint for the certificate. The invention further includes an automatic content updating (ACU) client that downloads a user profile for the VPN, requests certificate enrollment, and updates the VPN client and other applications when new content is available. A security service manager (SSM) server includes, or is in communication with, a Web server, multiple databases, an enrollment gateway and an internal certification authority (CA).

Abstract: The present invention discloses a methods and systems for securely connecting mobile nodes to an internal private network using IPsec based Virtual Private Network (VPN) technology. The system employs a proxy home agent (PHA) coupled to a home network associated with a mobile node that is located within a secure network, a home agent (HA) that is located outside of the secure network, and a VPN gateway to provide VPN services to a mobile device that changes its current address during the VPN session. The HA and PHA are configured to provide Mobile IP Home Agent functionality through a distributed system.

Abstract: A system and method is directed to electronic licensing of software using a public key infrastructure (PKI). A Licensing Authority is employed as a trusted entity to issue and manage licenses to an end-user, in a substantially similar manner as a certification authority in the PKI might issue and manage a public-key certificate. The Licensing Authority may request information including a credit card number from the end-user seeking to purchase the software. The Licensing Authority employs the provided information to authenticate the end-user and issue a digitally signed license to the end-user. The end-user employs the license to enable access to the requested software. In one embodiment, the license format is substantially similar to a public key certificate's format. The license may include a period of validity after which the license is invalid. Moreover, in one embodiment, the license may be renewed to enable continued access of the associated software.

Abstract: The present invention provides a system and method for monitoring network appliances using well-formatted data files. A system for monitoring a network appliance by recording operational data in well-formatted data files includes a data management module and a data presentation module. The data management module is configured to determine selected operational data associated with the network appliance and to record the selected operational data in well-formatted data files. The selected operational data are a subset of data regarding transactions performed by the network appliance. The data management module is also configured to record the selected operational data with minimum processing. The data presentation module is configured to present statistical data. The statistical data is determined from the selected operational data in the well-formatted data files. The data presentation module is also configured to provide the statistical data in real-time.

Abstract: A system and method is directed to providing a knock notification in response to a message from an unknown sender. The method includes maintaining a data store of message senders that an end-user has identified as an allowed sender. A received message is evaluated to determine whether its sender is an allowed sender. If the sender is an allowed sender, the received message is forwarded to the end-user. If it is determined that the sender is an unknown sender, a knock notification message is generated. In one embodiment, the knock notification message includes the information about the sender and a mechanism to enable the end-user to allow/disallow the sender. If the end-user disallows the sender, the received message is discarded. Information associated with the disallowed sender is included in a data store for disallowed senders. The end-user may review and revise the data stores of allowed and disallowed senders.

Abstract: A film layer for a mobile station that allows the appearance of the mobile station to be easily changed. The layer is thin enough to allow it to be positioned between the plungers on a plunger mat and the keys on a key mat of the mobile station. Flexibility of the film layer allows a key press to be transmitted through the film insert to one of the plungers, which in turn compresses a contact on a printed wiring board. Flexibility may be due to perforations around the keys of the key mat. Preferably, the film layer includes some visually detectable characteristic, such as a color, that is visible through openings or translucent portions of the key mat. The film layer may be constructed of various materials, such as paper, elastomer, polymer or electric luminescent materials which can be interchangeably inserted into the mobile station to change its appearance.

Abstract: An email gateway diagnostic, tool, system, and method are provided for automated troubleshooting of email gateway functionality. Troubleshooting can occur in multiple modes of operation including: full diagnostic, interactive, and undeliverable mail status information. Based upon a set of rules and conditional statements, network and email gateway configurations, and user responses, an automated troubleshooting tool performs necessary testing to the email and network systems to interpret the available information and present the user with the source of the problem or suggest solutions and make recommendations as to why the email gateway may not be functioning properly.

Abstract: The invention relates to a method and an arrangement against fraudulent use in a telecommunications network. The invention is based on the idea that at least one fraud profile identified by an identifier is created and the identifier is included in the subscriber data of some subscribers. Based on this identifier the fraud restriction parameters of the subscriber are retrieved from the subscriber's fraud profile, and these fraud restriction parameters are used in detecting and indicating possible fraudulent use. The fraud restriction parameters include values for different service limits, such as the maximum number of call forwarding re-quests and/or the maximum number of location updates during a certain period, and possibly at least for some features an action parameter related to a service limit and implemented when the service limit is reached.