Abstract: Improved approaches for providing secure remote access to resources maintained on private networks are disclosed. According to one aspect, predetermined elements, such as applets, can be modified to redirect all communications to and from an application server through an intermediate server. The intermediate server in turn communicates with the application servers. According to another aspect, a communication framework can be provided to funnel communication between an applet and a server through a communication layer so as to provide managed and/or secured communications there between.

Abstract: In one example, a network device may store health status information specifying a current security status for each of a plurality of authenticated endpoint devices in accordance with an authorization data model. The network device may update the current security status of each of at least two of the plurality of authenticated endpoint devices connected to an enterprise network to indicate that each of the at least two of the plurality of authenticated endpoint devices has a compromised security status, and identify a characteristic common to both of the authenticated endpoint devices having the compromised security status. The network device may interface with one or more policy enforcement devices to quarantine a set of endpoint devices associated with the identified characteristic. The current security status of at least one of the quarantined endpoint devices may indicate that the quarantined endpoint device does not have a compromised security status.

Abstract: In general, the disclosure relates to techniques for identifying a reduced set of remediation actions that are to be performed by a network endpoint to achieve compliance with a security policy defined by a network entity. One example method comprises receiving integrity data via a network from a network endpoint, performing a plurality of tests on the integrity data to generate corresponding test results, identifying a set of remediation actions based upon the test results, and comparing the remediation actions in the set. The method further comprises eliminating at least one remediation action in the set based upon the comparison to form a reduced set of remediation actions, and sending the reduced set of remediation actions to the network endpoint, wherein each remediation action in the reduced set specifies an action to be performed by the network endpoint to achieve compliance with a security policy.

Abstract: A device receives, from a managed device, endpoint information associated with an unmanaged device connected to the managed device in a network. The device also receives unmanaged device information that partially identifies the unmanaged device, and completely identifies the unmanaged device based on the endpoint information and the unmanaged device information.

Abstract: A system and method for detecting malware on a limited access mobile platform in a mobile network. The system and method uses one or more feature sets that describe various non-executable portions of malware-infected and malware-free applications, and compares a application on the limited access mobile platform to the features sets. A match of the features in a suspect application to one of the feature sets provides an indication as to whether the suspect application is malware-infected or malware-free.

Abstract: A system and method for detecting malware in compressed data. The system and method identifies a set of search strings extracted from compressed executables, each of which is infected with malware from a family of malware. The search strings detect the presence of the family of malware in other compressed executables, fragments of compressed executables, or data streams.

Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client in accordance with an authentication protocol, and authenticate the client based on a comparison of the first form to a value derived from a second form of the password stored in a password database. The comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client over the secure connection, authenticate the client by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client when the authentication server receives the first form.

Abstract: In one example, a system includes a first computing device configured to execute a virtual machine, wherein the virtual machine is communicatively coupled to a virtual private network (VPN) via a first attachment circuit using a first set of network parameters, stop execution of the virtual machine, and create checkpoint data for the virtual machine, and a second computing device configured to execute the virtual machine, using at least some of the checkpoint data, and to cause the virtual machine to become communicatively coupled to the VPN via a second attachment circuit using a second set of network parameters different from the first set of network parameters. The system may further include a first provider edge (PE) routing device communicatively coupled to the first computing device via the first attachment circuit, and a second PE routing device communicatively coupled to the second computing device via the second attachment circuit.

Abstract: In general, techniques are described for provisioning layer two access in computer networks. A network device located in a public network comprising an interface and a control unit may implement the techniques. The interface establishes a session with a mobile device. The control unit requests security state data identifying a security state of the mobile device via the established session. The interface receives a mobile device identifier and the security state data from the mobile device via the session. The mobile device identifier identifies the mobile device. The control unit publishes the security state information to a database such that the security state information is associated with the mobile device identifier.

Abstract: A network device, such as a policy server, supports a plurality of different layer two (L2) networks. The network device receives a request to initiate a communication session from an endpoint device, selects an L2 network to which to assign the endpoint device, and assigns the endpoint device to the selected L2 network, selects one of a plurality of L3 network addresses for the policy server based on the selected L2 network, and sends the L3 network address to the endpoint device. The network device also includes a monitoring module that monitors activities of the endpoint device, and a plurality of L2 network interfaces, wherein each L2 network interface is associated with at least one L2 network. The L2 networks may be virtual local area networks.

Abstract: An integrated, multi-service network client for cellular mobile devices is described. The multi-service network client can be deployed as a single software package on cellular mobile network devices to provide integrated services including secure enterprise virtual private network (VPN) connectivity, acceleration, security management including monitored and enforced endpoint compliance, and collaboration services. Once installed on the cellular mobile device, the multi-service client integrates with an operating system of the device to provide a single entry point for user authentication for secure enterprise connectivity, endpoint security services including endpoint compliance with respect to anti-virus and spyware software, and comprehensive integrity checks.