Abstract: Methods and apparatus for detecting and handling evil twin access points (APs). The method and apparatus employ trusted beacons including security tokens that are broadcast by trusted APs. An Evil twin AP masquerades as a trusted AP by broadcasting beacons having the same SSID as the trusted AP, as well as other header field and information elements IE in the beacon frame body containing identical information. A sniffer on the trusted AP or in another AP that is part of a Trusted Wireless Environment (TWE) receives the beacons broadcasts by other APs in the TWE including potential evil twin APs. The content in the header and one or more IEs in received beacons are examined to determine whether a beacon is being broadcast by an evil twin.

Abstract: Methods and apparatus for detecting and handling evil twin access points (APs). The method and apparatus employ trusted beacons including security tokens that are broadcast by trusted APs. An Evil twin AP masquerades as a trusted AP by broadcasting beacons having the same SSID as the trusted AP, as well as other header field and information elements IE in the beacon frame body containing identical information. A sniffer on the trusted AP or in another AP that is part of a Trusted Wireless Environment (TWE) receives the beacons broadcasts by other APs in the TWE including potential evil twin APs. The content in the header and one or more IEs in received beacons are examined to determine whether a beacon is being broadcast by an evil twin.

Abstract: Methods and apparatus for detecting and handling evil twin access points (APs). The method and apparatus employ trusted beacons including security tokens that are broadcast by trusted APs. An Evil twin AP masquerades as a trusted AP by broadcasting beacons having the same SSID as the trusted AP, as well as other header field and information elements IE in the beacon frame body containing identical information. A sniffer on the trusted AP or in another AP that is part of a Trusted Wireless Environment (TWE) receives the beacons broadcasts by other APs in the TWE including potential evil twin APs. The content in the header and one or more IEs in received beacons are examined to determine whether a beacon is being broadcast by an evil twin.

Abstract: Computer-implemented systems, methods, and computer-readable media are provided for causing an action to be performed in response to a network communication, such as a malicious network communication. In accordance with some embodiments, a first network communication sent from a client device is received, and a protocol used in the first network communication is determined. Once the protocol is determined, the protocol may be implemented to enable a second network communication with the client device. An action to be performed based at least in part on the protocol may be identified, and an instruction may be sent to the client device in the second network communication.

Abstract: A system and method for providing a reputation service for use in messaging environments employs a reputation of compiled statistics, representing whether SPAM messages have previously been received from respective a selected set of identifiers for the origin of the message, in a decision making process for newly received messages. In a preferred embodiment, the set of identifiers includes the IP address, a tuple of the domain and IP address and a tuple of the user and IP address and the set of identifiers allows for a relatively fine grained set of reputation metrics to be compiled and used when making a determination of a likelihood as to whether a received message is undesired in accordance with the invention.

Abstract: A networking device may operate according to a first configuration profile adapted to cause the device to conform to restrictions applicable within a plurality of different locations. The networking device may obtain a second, location-aware configuration profile, which may include restrictions applicable to the location where the device is deployed. The second, location-aware configuration profile may be provided by a location-aware configuration service responsive to a request from the device. The service may determine a location of the device from the request. The service may identify restrictions applicable within the region the device is located.

Abstract: A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device, may be performed.

Abstract: A configuration service comprises a deployment package and a production configuration for a network security device. One or more configuration parameters of the production configuration may be defined by an administrator of the network security device (e.g., the customer). The network security device may be preconfigured with a network address and identifier. The network security device may be configured to automatically request and apply the deployment package at deployment time by use of the preconfigured network address and identifier. The network security device may automatically request and apply the production configuration from the configuration service in response to applying the deployment package.

Abstract: A network security device may gather a large amount of metadata pertaining to the connections being managed thereby. A refinement module may filter and/or aggregate the connection metadata. The metadata may be refined on the network security device. The refined metadata may be provided for display on a terminal. The refined metadata may include a subset of the larger connection metadata, which may reduce the overhead required to display and/or transmit monitoring information to the terminal device. The refined metadata may comprise connection groups, which may be formed based on aggregation criteria, such as connection source, destination, application, security policy, protocol, port, and/or the like. The connection groups may be ranked in accordance with ranking criteria.

Abstract: A network security device may gather a large amount of metadata pertaining to the connections being managed thereby. A refinement module may filter and/or aggregate the connection metadata. The metadata may be refined on the network security device. The refined metadata may be provided for display on a terminal. The refined metadata may include a subset of the larger connection metadata, which may reduce the overhead required to display and/or transmit monitoring information to the terminal device. The refined metadata may comprise connection groups, which may be formed based on aggregation criteria, such as connection source, destination, application, security policy, protocol, port, and/or the like. The connection groups may be ranked in accordance with ranking criteria.

Abstract: A configuration service comprises a deployment package and a production configuration for a network security device. One or more configuration parameters of the production configuration may be defined by an administrator of the network security device (e.g., the customer). The network security device may be preconfigured with a network address and identifier. The network security device may be configured to automatically request and apply the deployment package at deployment time by use of the preconfigured network address and identifier. The network security device may automatically request and apply the production configuration from the configuration service in response to applying the deployment package.

Abstract: A facility for proxying network traffic between a pair of nodes is described. The facility receives packets traveling between the pair of nodes that together constitute a network connection. For each packet of the connection that is part of a transport protocol setup process, the facility updates a representation of the status of the setup process to reflect the packet, and forwards the packet to its destination without proxying the packet. For each packet of the connection that is subsequent to the setup process, the facility proxies the contents of the packet to the packet's destination.

Abstract: A system and method for recognizing an incoming email as a desired email examines outgoing email messages to arrange the email into fragments for which representations are created and stored. When an incoming message is received, the message is arranged into fragments for which representations are created. The representations of the incoming message are compared to the stored representations and if the matches between stored representations and the representations of the incoming message meet a predefined threshold test, the incoming message is recognized as being desirable. An incoming email message which has been recognized as being desirable can be subjected to a lesser examination to recognize a SPAM message, or to no further examination to recognize a SPAM message.

Abstract: A networking device may operate according to a first configuration profile adapted to cause the device to conform to restrictions applicable within a plurality of different locations. The networking device may obtain a second, location-aware configuration profile, which may include restrictions applicable to the location where the device is deployed. The second, location-aware configuration profile may be provided by a location-aware configuration service responsive to a request from the device. The service may determine a location of the device from the request. The service may identify restrictions applicable within the region the device is located.

Abstract: A system and method for providing a reputation service for use in messaging environments employs a reputation of compiled statistics, representing whether SPAM messages have previously been received from respective a selected set of identifiers for the origin of the message, in a decision making process for newly received messages. In a preferred embodiment, the set of identifiers includes the IP address, a tuple of the domain and IP address and a tuple of the user and IP address and the set of identifiers allows for a relatively fine grained set of reputation metrics to be compiled and used when making a determination of a likelihood as to whether a received message is undesired in accordance with the invention.

Abstract: An email system comprises a plurality of email servers connected by a data communications network. The email system avoids single points of failure by employing multiple email servers which self configure, without requiring dedicated servers, through self addressing and discovery and announcement protocols. An email server can act as a primary email server by executing an administration tool allowing an administrator to modify the configuration data set which the email servers utilize, and the primary email server will then announce the resulting change in the version level of the configuration data set to other email servers. Each email server will then determine and request any needed updates to its respective configuration data set from the primary email server or another email server.

Abstract: A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device, may be performed.

Abstract: A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device, may be performed.

Abstract: A security device for SIP communications operates to inhibit the effect of malicious attacks and/or inadvertent erroneous events on the provision of SIP-based services within a private network and between private and public networks. The security device acts as a conventional Firewall, NAT and PAT to isolate SIP User Agents on the private network from SIP User Agents on the public network and to Blacklist undesired callers. Also, the security device preferably includes a virus scanner to scan attachments to sessions and/or other communications to identify and block virus contaminated data and the security device includes a hardened SIP stack to scan for and detect malformed SIP messages to prevent malicious attacks and/or inadvertent erroneous messages from adversely impacting the operation of SIP services.

Abstract: A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device, may be performed.