Abstract: Management of user keys for public key authentication using the SSH in large SSH deployments is automated by deploying a management system in the environment, discovering SSH identity keys and authorized keys, analyzing authorized connections between user accounts, and automatically managing the authorized connections and the key pairs used for authentication.

Abstract: Use of one or more computer systems may be audited by performing a man-in-the-middle attack against a cryptographic protocol (e.g., SSH) at one or more interceptors, transmitting audit data to a centralized audit server. Operations performed using the encrypted connection may be controlled and restricted.

Abstract: Encrypted SFTP file transfers and other encrypted file transfers may be audited and what files can be transferred may be controlled at a firewall or other gateway. Transferred files may be subjected to data loss prevention analysis and/or virus checks.

Abstract: SSH sessions and other protocol sessions (e.g., RDP) may be audited using an interceptor embedded within an SSH server or other protocol server. Operations performed over an SSH connection may be controlled, including controlling what files are transferred.

Abstract: Management of user keys for public key authentication using the SSH in large SSH deployments is automated by deploying a management system in the environment, discovering SSH identity keys and authorized keys, analyzing authorized connections between user accounts, and automatically managing the authorized connections and the key pairs used for authentication.

Abstract: A method, device, system and computer program for providing a transport distribution scheme for a security protocol are disclosed. A first packet data connection is established to a remote node for transmitting packet data over a network with a security protocol. An authentication procedure is performed with the remote node via the first packet data connection for establishing a security protocol session with the remote node. At least one security parameter is negotiated with the remote node for transmitting packets through the first packet data connection. A second packet data connection is established to the remote node, and at least one security parameter is negotiated with the remote node for use with the second packet data connection. The first and second packet data connections are handled as packet data subconnections associated with the security protocol session.

Abstract: A method, device, system, and computer program for authenticating a user in connection with a security protocol comprising a plurality of authentication methods are described. A packet data connection is established to a remote node. An authentication procedure of the security protocol is initiated with the remote node via the packet data connection. State information is provided for the authentication procedure, and cumulative state information is taken into account in selection of at least one appropriate authentication method when carrying out the authentication procedure.

Abstract: A method, device, system and computer program for providing a transport distribution scheme for a security protocol are disclosed. A first packet data connection is established to a remote node for transmitting packet data over a network with a security protocol. An authentication procedure is performed with the remote node via the first packet data connection for establishing a security protocol session with the remote node. At least one security parameter is negotiated with the remote node for transmitting packets through the first packet data connection. A second packet data connection is established to the remote node, and at least one security parameter is negotiated with the remote node for use with the second packet data connection. The first and second packet data connections are handled as packet data subconnections associated with the security protocol session.

Abstract: The invention relates to methods for processing data packets according to a set of rules, and especially for preparing of decision trees for selecting the correct rule for processing of a data packet. In preparation of a decision tree, a splitting point within a dimension being studied is chosen as follows. The rules are sorted to allow monotonous iteration through all range end values specified in the rules in the dimension being studied. The range end values are then iterated through in a monotonous fashion, either increasing or decreasing. At each iteration, the number of range low end values and the number of range high end values being equal to the current iteration value is counted. From these counts and the accumulated results from the corresponding counts in previous iterations, the numbers of rules with ranges in different positions relative to the current iteration value are deduced, and from these values, the goodness of the iteration value is calculated.

Abstract: A method and devices are provided for handling a broadcast packet in a computer (131, 132, 612, 622, 632, 711, 721, 731, 741, 1111, 1112, 1301) that has an IPsec-protected connection to a part (121, 122, 141, 732, 733, 742, 743, 1113, 1114) of a logical network segment (101, 601, 701, 1101) within which the broadcast packet should be distributed. The IPsec protection specifies, what kinds of packets are acceptable for transmission over the IPsec-protected connection. The broadcast packet is encapsulated (204, 311, 508, 835, 838, 840, 842, 849, 852, 909) into a form that is acceptable for transmission over the IPsec-protected connection. It is then transmitted (205, 206, 312, 509, 836, 839, 841, 843, 850, 853, 910) to the part of the logical network segment through the IPsec-protected connection.

Abstract: According to the invention, the problem of checking the identity of others is alleviated by creating a mechanism, which allows users to trust and utilize the checking work performed by certain other users, so that every user need not check and confirm the identity of every other user. This can be accomplished by allowing a user who has checked that the identity of a number of other users truly correspond to their certificates, produce a list of these checked certificates, so that other users can import the list of checked certificates into their systems.