Patents Assigned to Pulse Secure, LLC
-
Patent number: 10116644
Abstract: This disclosure describes techniques for verifying the identity of a user with a network access control (NAC) device in response to receiving a security assertion request for the user. To verify the identity of a user, an NAC device may, in response to receiving a security assertion request from a user agent executing on a client device, cause the user agent to redirect a session verification request to an NAC client executing on the client device. The NAC client may detect the session verification request, and provide information indicative of a valid network access session for the user to the NAC device. The NAC device may verify the identity of the user based on the information indicative of the valid network access session. In this way, an NAC device may verify the identity of a user without requiring the user to re-authenticate with the NAC device.
Type: Grant
Filed: August 2, 2017
Date of Patent: October 30, 2018
Assignee: Pulse Secure, LLC
Inventors: Ankur Agrawal, Chandrasekaran Rajagopalan
-
Patent number: 10075432
Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.
Type: Grant
Filed: July 13, 2016
Date of Patent: September 11, 2018
Assignee: Pulse Secure, LLC
Inventors: Andy Tsang, Roger A. Chickering, Clifford E. Kahn, Jeffrey C. Venable, Sr.
-
Patent number: 10057239
Abstract: A policy device grants access to a client device, without authenticating the client device, when the client device provides a session identifier to the policy device that was previously granted to the client device by a second policy device upon authenticating the client device by the second policy device. In one example, a policy device includes a network interface that receives a session identifier from a client device, wherein the policy device comprises an individually administered autonomous policy server, and an authorization module that grants the client device access to a network protected by the policy device based on the session identifier without authenticating the client device by the policy device. In this manner, the client device need not provide authentication information multiple times within a short time span, and the policy device can deallocate resources when a session migrates to a second policy device.
Type: Grant
Filed: December 31, 2009
Date of Patent: August 21, 2018
Assignee: Pulse Secure, LLC
Inventor: Roger A. Chickering
-
Patent number: 9992263
Abstract: Systems and techniques for improving network performance are described. In some embodiments, an intermediary device can intercept a response from a server to a client, wherein the response corresponds to a request for a document. Next, the intermediary device can assign priorities to a plurality of resources in the document. The intermediary device can then push the plurality of resources in the document to the client in accordance with the assigned priorities.
Type: Grant
Filed: October 10, 2014
Date of Patent: June 5, 2018
Assignee: Pulse Secure, LLC
Inventors: Jonathan Richard Mark Thackray, Shane M. Kearns, Andrew D. Knox, Julian T. J. Midgley
-
Patent number: 9923871
Abstract: Virtual private network (VPN)-related techniques are described. The techniques provide intuitive mechanisms by which a client device more efficiently establishes a VPN connection. In one example, a client device includes a memory, processor(s), and a VPN handler. The VPN handler is configured to monitor actions initiated by one or more applications executable by the programmable processor(s), and determine whether each of the initiated actions requires a VPN connection via which to transmit outbound data traffic corresponding to a respective application of the one or more applications. The VPN handler is further configured to, in response to a detection that at least one initiated action requires the VPN connection via which to transmit the outbound data traffic, automatically establish the VPN connection to couple the client device to an enterprise network, and transmit the outbound data traffic corresponding to the respective application, via the VPN connection.
Type: Grant
Filed: February 15, 2017
Date of Patent: March 20, 2018
Assignee: Pulse Secure, LLC
Inventor: Thomas C. Chang
-
Patent number: 9825812
Abstract: Systems and techniques for transparently intercepting and optimizing resource requests are described. Some embodiments can send a request to a server. In response to the request, the embodiments can receive a first script and at least a second script from the server, wherein the first script includes instructions for intercepting invocations to a set of functions, and wherein the second script includes at least one invocation to at least one function in the set of functions. The first script can then be executed, thereby causing subsequent invocations to each function in the set of functions to be intercepted by a corresponding resource optimization handler. Next, the second script can be executed. When the executing second script invokes a function in the set of functions, the invocation of the function can be intercepted, and a resource optimization handler corresponding to the function can be invoked instead of invoking the function.
Type: Grant
Filed: July 9, 2014
Date of Patent: November 21, 2017
Assignee: Pulse Secure, LLC
Inventors: Glenn C. Conner, Jeffrey M. Harris
-
Patent number: 9729539
Abstract: This disclosure describes techniques for verifying the identity of a user with a network access control (NAC) device in response to receiving a security assertion request for the user. To verify the identity of a user, an NAC device may, in response to receiving a security assertion request from a user agent executing on a client device, cause the user agent to redirect a session verification request to an NAC client executing on the client device. The NAC client may detect the session verification request, and provide information indicative of a valid network access session for the user to the NAC device. The NAC device may verify the identity of the user based on the information indicative of the valid network access session. In this way, an NAC device may verify the identity of a user without requiring the user to re-authenticate with the NAC device.
Type: Grant
Filed: March 28, 2014
Date of Patent: August 8, 2017
Assignee: Pulse Secure, LLC
Inventors: Ankur Agrawal, Chandrasekaran Rajagopalan
-
Patent number: 9723019
Abstract: In one example, a network device may store health status information specifying a current security status for each of a plurality of authenticated endpoint devices in accordance with an authorization data model. The network device may update the current security status of each of at least two of the plurality of authenticated endpoint devices connected to an enterprise network to indicate that each of the at least two of the plurality of authenticated endpoint devices has a compromised security status, and identify a characteristic common to both of the authenticated endpoint devices having the compromised security status. The network device may interface with one or more policy enforcement devices to quarantine a set of endpoint devices associated with the identified characteristic. The current security status of at least one of the quarantined endpoint devices may indicate that the quarantined endpoint device does not have a compromised security status.
Type: Grant
Filed: August 28, 2015
Date of Patent: August 1, 2017
Assignee: Pulse Secure, LLC
Inventor: Hirendra Rathor
-
Patent number: 9608962
Abstract: Virtual private network (VPN)-related techniques are described. The techniques provide intuitive mechanisms by which a client device more efficiently establishes a VPN connection. In one example, a client device includes a memory, processor(s), and a VPN handler. The VPN handler is configured to monitor actions initiated by one or more applications executable by the programmable processor(s), and determine whether each of the initiated actions requires a VPN connection via which to transmit outbound data traffic corresponding to a respective application of the one or more applications. The VPN handler is further configured to, in response to a detection that at least one initiated action requires the VPN connection via which to transmit the outbound data traffic, automatically establish the VPN connection to couple the client device to an enterprise network, and transmit the outbound data traffic corresponding to the respective application, via the VPN connection.
Type: Grant
Filed: July 9, 2013
Date of Patent: March 28, 2017
Assignee: Pulse Secure, LLC
Inventor: Thomas C. Chang
-
Patent number: 9602372
Abstract: A device receives, from a managed device, endpoint information associated with an unmanaged device connected to the managed device in a network. The device also receives unmanaged device information that partially identifies the unmanaged device, and completely identifies the unmanaged device based on the endpoint information and the unmanaged device information.
Type: Grant
Filed: May 22, 2015
Date of Patent: March 21, 2017
Assignee: Pulse Secure, LLC
Inventor: Jeffrey C. Venable, Sr.
-
Patent number: 9576130
Abstract: In one example, a mobile device includes a network interface configured to receive data for an application including a set of application permissions describing elements of the mobile device to which the application will have access upon installation of the application, and a processing unit configured to determine a type for the application and, based on an analysis of the set of application permissions and the type for the application, determine whether the application includes malware.
Type: Grant
Filed: November 23, 2015
Date of Patent: February 21, 2017
Assignee: Pulse Secure, LLC
Inventors: Neil Book, Daniel V. Hoffman
-
Patent number: 9542555
Abstract: A system and method for detecting malware in compressed data. The system and method identifies a set of search strings extracted from compressed executables, each of which is infected with malware from a family of malware. The search strings detect the presence of the family of malware in other compressed executables, fragments of compressed executables, or data streams.
Type: Grant
Filed: April 13, 2015
Date of Patent: January 10, 2017
Assignee: Pulse Secure, LLC
Inventors: George Tuvell, Deepak Venugopal
-
Patent number: 9491686
Abstract: In general, a mobile virtual private network (VPN) is described in which service provider networks cooperate to dynamically extend a virtual routing area of a home service provider network to the edge of a visited service provider network and thereby enable IP address continuity for a roaming wireless device. In one example, a home service provider network allocates an IP address to a wireless device and establishes a mobile VPN. The home service provider network dynamically provisions a visited service provider network with the mobile VPN, when the wireless device attaches to an access network served by the visited service provider network, to enable the wireless device to exchange network traffic with the visited service provider network using the IP address allocated by the home service provider network.
Type: Grant
Filed: December 20, 2011
Date of Patent: November 8, 2016
Assignee: Pulse Secure, LLC
Inventors: Hendrikus G. P. Bosch, Rahul Aggarwal, Bin W. Hong, Srinivasa Chaganti, Apurva Mehta, Prem Ananthakrishnan, Pulikeshi Vitalapura Ramanath, Thomas Wayne Anderson, Hartmut Schroeder, Serpil Bayraktar
-
Patent number: 9460274
Abstract: A device creates a pool of available licenses for secure network resources, and receives an unused license from a network device. The device also provides the unused license in the pool of available licenses, and receives a request for a license from another network device. The device further provides, to the other network device, the unused license from the pool of available licenses.
Type: Grant
Filed: December 23, 2014
Date of Patent: October 4, 2016
Assignee: Pulse Secure, LLC
Inventors: Kanti Varanasi, Kevin Peterson
-
Patent number: 9444791
Abstract: Improved approaches for providing secure remote access to resources maintained on private networks are disclosed. According to one aspect, predetermined elements, such as applets, can be modified to redirect all communications to and from an application server through an intermediate server. The intermediate server in turn communicates with the application servers. According to another aspect, a communication framework can be provided to funnel communication between an applet and a server through a communication layer so as to provide managed and/or secured communications there between.
Type: Grant
Filed: July 30, 2015
Date of Patent: September 13, 2016
Assignee: Pulse Secure, LLC
Inventors: Theron Tock, Zeqing Xia
-
Patent number: 9401913
Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.
Type: Grant
Filed: March 17, 2015
Date of Patent: July 26, 2016
Assignee: Pulse Secure, LLC
Inventors: Andy Tsang, Roger A. Chickering, Clifford E. Kahn, Jeffrey C. Venable, Sr.
-
Patent number: 9398010
Abstract: In general, techniques are described for provisioning layer two access in computer networks. A network device located in a public network comprising an interface and a control unit may implement the techniques. The interface establishes a session with a mobile device. The control unit requests security state data identifying a security state of the mobile device via the established session. The interface receives a mobile device identifier and the security state data from the mobile device via the session. The mobile device identifier identifies the mobile device. The control unit publishes the security state information to a database such that the security state information is associated with the mobile device identifier.
Type: Grant
Filed: March 23, 2015
Date of Patent: July 19, 2016
Assignee: Pulse Secure LLC
Inventors: Roger A. Chickering, Jeffrey C. Venable, Sr.
-
Patent number: 9363235
Abstract: An integrated, multi-service virtual private network (VPN) network client for cellular mobile devices is described. The multi-service network client can be deployed as a single software package on cellular mobile network devices to provide integrated services including secure enterprise VPN connectivity, acceleration, security management including monitored and enforced endpoint compliance, and collaboration services. The multi-service client integrates with an operating system of the device to provide a VPN handler to establish a VPN connection with a remote VPN security device. The VPN network client includes a data acceleration module to exchange network packets with the VPN handler and apply at least one acceleration service to the network packets, and a VPN control application that provides a unified user interface that allows a user to configure both the VPN handler and the data acceleration module.
Type: Grant
Filed: September 30, 2013
Date of Patent: June 7, 2016
Assignee: Pulse Secure, LLC
Inventors: Vikki Yin Wei, Subramanian Iyer, Richard Campagna, James Wood
-
Patent number: 9202049
Abstract: In one example, a mobile device includes a network interface configured to receive data for an application including a set of application permissions describing elements of the mobile device to which the application will have access upon installation of the application, and a processing unit configured to determine a type for the application and, based on an analysis of the set of application permissions and the type for the application, determine whether the application includes malware.
Type: Grant
Filed: June 20, 2011
Date of Patent: December 1, 2015
Assignee: Pulse Secure, LLC
Inventors: Neil Book, Daniel V. Hoffman
-
Patent number: 9148776
Abstract: A cellular service provider network includes a subscriber database that associates identifiers from the cellular mobile devices (e.g., IMSIs stored within SIM cards of the devices) with layer three (L3) network addresses currently assigned to the cellular mobile device by the cellular network for providing data service to the cellular mobile devices. The subscriber database further stores identifiers for wireless local area network (WLAN) interfaces of the cellular mobile devices. The cellular service provider network includes a server coupled to a layer two (L2) network having a plurality of wireless access points. In response to access requests from the cellular mobile devices over the L2 network, the server queries the subscriber database of the cellular service provider network and assigns the network addresses to the cellular mobile devices by matching L2 network addresses specified within the access requests with the identifiers of WLAN interfaces stored in the subscriber database.
Type: Grant
Filed: September 28, 2011
Date of Patent: September 29, 2015
Assignee: Pulse Secure, LLC
Inventor: Hartmut Schroeder