Patents Assigned to Pulse Secure, LLC
  • Patent number: 11930036
    Abstract: Attacks on a network device, e.g. an IoT device, are detected by analyzing network traffic and subsequently quarantining or blocking the network device on the network to prevent lateral movement of malware. The techniques described herein relate to developing a baseline of network device activity corresponding with a network device during a learning period and comparing the baseline of network device activity with new network activity by the network device in order to identify potentially unusual network device activity by the network device. If unusual network activity is found, remedial actions such as quarantining the network device or restricting some access to a network may be initiated.
    Type: Grant
    Filed: August 31, 2022
    Date of Patent: March 12, 2024
    Assignee: Pulse Secure, LLC
    Inventors: Biju Kaimal, Bandam Radha Shravan, Thiyagu Rajendran, Clifford E. Kahn
  • Patent number: 11700252
    Abstract: This disclosure is related to devices, systems, and techniques for controlling access to network services based on a trust ledger. In some examples, a trust broker system enables a relying party to control network service access of a client device, where the trust broker system comprises one or more computing devices configured to maintain a trust ledger including a trust account balance (TAB) associated with each user of a set of users, where the TAB associated with each user of the set of users represents a value used to determine whether the respective user is permitted to access a resource.
    Type: Grant
    Filed: June 17, 2022
    Date of Patent: July 11, 2023
    Assignee: Pulse Secure, LLC
    Inventor: Robert Koeten
  • Publication number: 20230108854
    Abstract: An example endpoint device includes one or more processors configured to allocate a range of IP addresses to use for fully qualified domain name (FQDN)-based tunnel splitting; send a DNS query to a DNS server; receive a DNS response from the DNS server; modify a first IP address in the DNS response to one of the allocated IP addresses; associate the first IP address and the one of the allocated IP addresses in a data table; change a destination address that corresponds to the one of the allocated IP addresses in a first TCP packet received from a user application to be the first IP address; and in response to receiving, from a gateway, a second TCP packet with a source address that corresponds to the first IP address, change a source address in a second TCP packet to be the one of the allocated IP addresses.
    Type: Application
    Filed: January 13, 2021
    Publication date: April 6, 2023
    Applicant: Pulse Secure, LLC
    Inventors: Amit Kumar Namdev, Meera Mohideen, Vagish Kalligudd
  • Patent number: 11575714
    Abstract: This invention provides secure, policy-based separation of data and applications on computers, especially personal computers that operate in different environments, such as those including personal applications and corporate applications, so that both types of applications can run simultaneously while complying with all required policies. The invention enables employees to use their personal devices for work purposes, or work devices for personal purposes. The secure, policy-based separation is created by dividing the data processing device into two or more “domains,” each with its own policies. These policies may be configured by the device owner, an IT department, or other data or application owner.
    Type: Grant
    Filed: October 28, 2021
    Date of Patent: February 7, 2023
    Assignee: Pulse Secure, LLC
    Inventors: Yoav Weiss, David Goldschlag, Karl Ginter, Michael Bartman
  • Publication number: 20230007012
    Abstract: Attacks on a network device, e.g. an IoT device, are detected by analyzing network traffic and subsequently quarantining or blocking the network device on the network to prevent lateral movement of malware. The techniques described herein relate to developing a baseline of network device activity corresponding with a network device during a learning period and comparing the baseline of network device activity with new network activity by the network device in order to identify potentially unusual network device activity by the network device. If unusual network activity is found, remedial actions such as quarantining the network device or restricting some access to a network may be initiated.
    Type: Application
    Filed: August 31, 2022
    Publication date: January 5, 2023
    Applicant: Pulse Secure, LLC
    Inventors: Biju Kaimal, Bandam Radha Shravan, Thiyagu Rajendran, Clifford E. Kahn
  • Patent number: 11533320
    Abstract: The techniques described herein relate to authorizing networked devices to access protected network zones and/or network resources in a private network. In response to a first access request, a network appliance requests full compliance information from the networked device. The received compliance information is stored in a database. Subsequently, when the compliance information on the networked device changes, the network device sends updated compliance information to the network appliance. The network appliance reevaluates the compliance state of the networked device based on the updated compliance information and the compliance information stored in the database.
    Type: Grant
    Filed: March 4, 2020
    Date of Patent: December 20, 2022
    Assignee: Pulse Secure, LLC
    Inventors: Bandam Radha Shravan, Robert Koeten, Biju Kaimal
  • Patent number: 11483339
    Abstract: Attacks on a network device, e.g. an IoT device, are detected by analyzing network traffic and subsequently quarantining or blocking the network device on the network to prevent lateral movement of malware. The techniques described herein relate to developing a baseline of network device activity corresponding with a network device during a learning period and comparing the baseline of network device activity with new network activity by the network device in order to identify potentially unusual network device activity by the network device. If unusual network activity is found, remedial actions such as quarantining the network device or restricting some access to a network may be initiated.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: October 25, 2022
    Assignee: Pulse Secure, LLC
    Inventors: Biju Kaimal, Bandam Radha Shravan, Thiyagu Rajendran, Clifford E. Kahn
  • Publication number: 20220337603
    Abstract: An example profiler device includes one or more processors implemented in circuitry and configured to monitor network traffic entering and exiting the protected network zone; identify one or more endpoints that interface with the protected network zone; compare network traffic characteristics of network traffic associated with the endpoints to network traffic characteristics of known device types to determine device types corresponding to the endpoints; assign one or more network policies to the identified endpoints according to the determined device types; and distribute data representing the assigned network policies to a policy enforcement point (PEP) device to cause the PEP device to enforce the network policies on network traffic, associated with the identified endpoints, entering and exiting the protected network zone.
    Type: Application
    Filed: August 28, 2020
    Publication date: October 20, 2022
    Applicant: Pulse Secure, LLC
    Inventors: Viral Ileshkumar SHAH, Ganesh NAKHAWA, Krishna Nadh MANEPALLI, Michael RIEMER, Vebkata Suresh Reddy OBULAREDDY
  • Patent number: 11477028
    Abstract: A server to provide single sign on services. The server includes a processor and a memory storing an attempt table. The server, in response to receiving a first password for a user account, forwards the first password to an authentication device. The server determines that the first password is not valid for the user account. The server stores the first password in association with the user account in the attempt table. In response to receiving a second password for the user account, the server determines whether the second password matches the first password. When the second password does not match the first password, the server forwards the second password to the authentication device.
    Type: Grant
    Filed: February 19, 2020
    Date of Patent: October 18, 2022
    Assignee: Pulse Secure, LLC
    Inventors: Clifford E. Kahn, Siva Kumar K, Brett Littrell
  • Publication number: 20220329592
    Abstract: This disclosure is related to devices, systems, and techniques for controlling access to network services based on a trust ledger. In some examples, a trust broker system enables a relying party to control network service access of a client device, where the trust broker system comprises one or more computing devices configured to maintain a trust ledger including a trust account balance (TAB) associated with each user of a set of users, where the TAB associated with each user of the set of users represents a value used to determine whether the respective user is permitted to access a resource.
    Type: Application
    Filed: June 17, 2022
    Publication date: October 13, 2022
    Applicant: Pulse Secure, LLC
    Inventor: Robert Koeten
  • Patent number: 11405394
    Abstract: This disclosure is related to devices, systems, and techniques for controlling access to network services based on a trust ledger. In some examples, a trust broker system enables a relying party to control network service access of a client device, where the trust broker system comprises one or more computing devices configured to maintain a trust ledger including a trust account balance (TAB) associated with each user of a set of users, where the TAB associated with each user of the set of users represents a value used to determine whether the respective user is permitted to access a resource.
    Type: Grant
    Filed: October 30, 2019
    Date of Patent: August 2, 2022
    Assignee: Pulse Secure, LLC
    Inventor: Robert Koeten
  • Patent number: 11362987
    Abstract: A system includes a virtual private network (VPN) gateway and a client device. The VPN gateway receives a domain name system response through a physical coding sublayer. The VPN gateway fetches a fully qualified domain name corresponding to the domain name system response, and fetches one or more access control list rules from an access control list table for a specific user account. The VPN gateway installs an Internet protocol (IP) address in the access control list table for each access control list rule and handles requested data traffic to the IP address. The client device creates a virtual tunnel interface route with a port of a transmission control protocol (TCP) listener device and parses the domain name system response. The client device updates a domain name system cache with the fully qualified domain name and the IP address and sends unencrypted network traffic over the virtual tunnel interface route.
    Type: Grant
    Filed: August 7, 2020
    Date of Patent: June 14, 2022
    Assignee: Pulse Secure, LLC
    Inventors: Shanavas Kottikal Saidumuhamed, Prabhath Thankappan, John Alappattu Varudunny, George Mathew Koikara
  • Patent number: 11356448
    Abstract: A private network includes a plurality of network security appliances participating in authenticating end users. Each network security appliance maintains a locally stored user list. A first network security appliance receives at least a portion of a non-local user list comprising second user identifier records for a second network security appliance of the plurality of network security appliances. The first network security appliance compares the local user list with the non-local user list received from the second network security appliance to identify one or more deviations. The first network security appliance merges the portion of the second user identifier records of the non-local user list corresponding with the one or more deviations with the first user identifier records of the local user list to generate an updated local user list. The first network security appliance authenticates a request to access the network using the updated local user list.
    Type: Grant
    Filed: April 11, 2019
    Date of Patent: June 7, 2022
    Assignee: Pulse Secure, LLC
    Inventors: Kanti Varanasi, Robin Singh, Naji Abdulla
  • Patent number: 10742595
    Abstract: A system includes a virtual private network (VPN) gateway and a client device. The VPN gateway receives a domain name system response through a physical coding sublayer. The VPN gateway fetches a fully qualified domain name corresponding to the domain name system response, and fetches one or more access control list rules from an access control list table for a specific user account. The VPN gateway installs an Internet protocol (IP) address in the access control list table for each access control list rule and handles requested data traffic to the IP address. The client device creates a virtual tunnel interface route with a port of a transmission control protocol (TCP) listener device and parses the domain name system response. The client device updates a domain name system cache with the fully qualified domain name and the IP address and sends unencrypted network traffic over the virtual tunnel interface route.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: August 11, 2020
    Assignee: Pulse Secure, LLC
    Inventors: Shanavas Kottikal, Prabhath Thankappan, John Alappattu Varudunny, George Matthew Koikara
  • Patent number: 10581803
    Abstract: Virtual private network (VPN)-related techniques are described. The techniques provide intuitive mechanisms by which a client device more efficiently establishes a VPN connection. In one example, a client device includes a memory, processor(s), and a VPN handler. The VPN handler is configured to monitor actions initiated by one or more applications executable by the programmable processor(s), and determine whether each of the initiated actions requires a VPN connection via which to transmit outbound data traffic corresponding to a respective application of the one or more applications. The VPN handler is further configured to, in response to a detection that at least one initiated action requires the VPN connection via which to transmit the outbound data traffic, automatically establish the VPN connection to couple the client device to an enterprise network, and transmit the outbound data traffic corresponding to the respective application, via the VPN connection.
    Type: Grant
    Filed: February 14, 2018
    Date of Patent: March 3, 2020
    Assignee: Pulse Secure, LLC
    Inventor: Thomas C. Chang
  • Patent number: 10523656
    Abstract: A policy device grants access to a client device, without authenticating the client device, when the client device provides a session identifier to the policy device that was previously granted to the client device by a second policy device upon authenticating the client device by the second policy device. In one example, a policy device includes a network interface that receives a session identifier from a client device, wherein the policy device comprises an individually administered autonomous policy server, and an authorization module that grants the client device access to a network protected by the policy device based on the session identifier without authenticating the client device by the policy device. In this manner, the client device need not provide authentication information multiple times within a short time span, and the policy device can deallocate resources when a session migrates to a second policy device.
    Type: Grant
    Filed: August 20, 2018
    Date of Patent: December 31, 2019
    Assignee: Pulse Secure, LLC
    Inventor: Roger A. Chickering
  • Patent number: 10320835
    Abstract: In one example, a mobile device includes a network interface configured to receive data for an application including a set of application permissions describing elements of the mobile device to which the application will have access upon installation of the application, and a processing unit configured to determine a type for the application and, based on an analysis of the set of application permissions and the type for the application, determine whether the application includes malware.
    Type: Grant
    Filed: February 17, 2017
    Date of Patent: June 11, 2019
    Assignee: Pulse Secure, LLC
    Inventors: Neil Book, Daniel V. Hoffman
  • Patent number: 10193770
    Abstract: Data files are supplied to a plurality of requesting stations (102 to 106) by accessing serving devices (109 to 116). A plurality of requests are received for one or more data files at a traffic management system (101) from requesting stations via an external network (107). A specific server is selected at the traffic management system and a request is issued to the selected server over a local network for the requested file. The requested file is accepted at the traffic management system from the selected server over the local network and the requested file is sent from the traffic management system to the requesting station over the external network. The response of selected servers is monitored (302) when responding to issued requests thereby generating monitored responses. The monitored responses are compared (303) against an operational criterion to identify sub-standard operations.
    Type: Grant
    Filed: September 4, 2009
    Date of Patent: January 29, 2019
    Assignee: PULSE SECURE, LLC
    Inventors: Crispin Edward Harold Flowerday, Owen John Garrett, Ben Ross Mansell, Julian Trowan John Midgley
  • Patent number: 10142292
    Abstract: An integrated, multi-service network client for cellular mobile devices is described. The multi-service client includes a VPN handler having an interface programmed to exchange the network packets with the security manager for application of the security service, wherein the VPN handler is configurable to operate in one of an enterprise mode and in a non-enterprise mode, wherein in the enterprise mode the VPN handler establishes a VPN connection with a remote VPN security device and provides encryption services to securely tunnel the network packets between the cellular mobile device and the remote VPN security device, and wherein in the non-enterprise mode the VPN handler directs the network packets to the security manager without application of the encryption services and communicates the network packets to a packet-based network without tunneling the packets.
    Type: Grant
    Filed: December 14, 2010
    Date of Patent: November 27, 2018
    Assignee: Pulse Secure LLC
    Inventors: Yin Wei, Subramanian Iyer, Richard Campagna, James Wood
  • Patent number: 10116644
    Abstract: This disclosure describes techniques for verifying the identity of a user with a network access control (NAC) device in response to receiving a security assertion request for the user. To verify the identity of a user, an NAC device may, in response to receiving a security assertion request from a user agent executing on a client device, cause the user agent to redirect a session verification request to an NAC client executing on the client device. The NAC client may detect the session verification request, and provide information indicative of a valid network access session for the user to the NAC device. The NAC device may verify the identity of the user based on the information indicative of the valid network access session. In this way, an NAC device may verify the identity of a user without requiring the user to re-authenticate with the NAC device.
    Type: Grant
    Filed: August 2, 2017
    Date of Patent: October 30, 2018
    Assignee: Pulse Secure, LLC
    Inventors: Ankur Agrawal, Chandrasekaran Rajagopalan