Abstract: A system and method for recognizing an incoming email as a desired email examines outgoing email messages to arrange the email into fragments for which representations are created and stored. When an incoming message is received, the message is arranged into fragments for which representations are created. The representations of the incoming message are compared to the stored representations and if the matches between stored representations and the representations of the incoming message meet a predefined threshold test, the incoming message is recognized as being desirable. An incoming email message which has been recognized as being desirable can be subjected to a lesser examination to recognize a SPAM message, or to no further examination to recognize a SPAM message.

Abstract: An email system comprises a plurality of email servers connected by a data communications network. The email system avoids single points of failure by employing multiple email servers which self configure, without requiring dedicated servers, through self addressing and discovery and announcement protocols. An email server can act as a primary email server by executing an administration tool allowing an administrator to modify the configuration data set which the email servers utilize, and the primary email server will then announce the resulting change in the version level of the configuration data set to other email servers. Each email server will then determine and request any needed updates to its respective configuration data set from the primary email server or another email server.

Abstract: Sensor nodes (or addresses therefore), acting as real-time message decoys, are distributed across a real-time communications network to attract unsolicited real-time messages. Filtering rules are derived from the message characteristics (such as the source address) and messaging content of the traffic encountered at the sensor nodes. The filtering rules are distributed to filtering agents positioned in the communications network in such a way that they can filter traffic for legitimate users. The filtering agents may identify and control the disposition of real-time messaging traffic that is part of a mass communication campaign on behalf of legitimate users of the real-time messaging communication system. Disposition may include suppressing, diverting, or labeling.

Abstract: A Voice over IP (VoIP) or Real Time Messaging (RTM) firewall device is claimed that protects VoIP or RTM network traffic by identifying and controlling the delivery of such network traffic that is unsolicited and undesired by the recipient (i.e. VoIP or RTM spam). The system involves applying a unique marking to RTM messages close to a point of message origination and then at a point close to message termination for the intended recipient examining a reputation store for information on the unique marking and using that information in conjunction with a set of policy rules to decide whether to pass, reject, pass on to an RTM store or otherwise filter the RTM message. The unique marking serves to identify a source characteristic of the message such as the message originator, a corporate affiliation for the originator, or a RTM network characteristic of the originator such as a transmission gateway.

Abstract: A hardware-based policy engine that employs a policy cache to process packets of network traffic. The policy engine includes a stream classifier that associates each packet with at least one action processor based on data in the packet, and the action processor further acts on the packets based on the association determined by the stream classifier.

Abstract: A facility in a single manager computer system for managing properties for a plurality of managed computer systems is described. The facility reiteratively receives new managed properties for an identified managed computer system. In response, the facility delivers the received new managed properties to the identified managed computer system.

Abstract: A system and method are provided to couple tunnel servers to tunnel clients executing host applications for use in a virtual private network (VPN) environment. A receiver receives requests from host applications executing on the tunnel clients. The requests are addressed to the tunnel coupling system to establish a VPN tunnel. A processor processes the requests and an indication of loads on the tunnel servers to establish the VPN tunnels by designating at least one of the tunnel servers to each requested tunnel. A tunnel traffic distributor distributes tunnel traffic to the tunnel servers based at least part on the designations. In additional aspects, an evaluation processor evaluates the tunnel traffic before the tunnel traffic distributor distributes the tunnel traffic to the tunnel servers. For example, the evaluation performed by the evaluation processor includes at least performing security functions on the tunnel traffic.

Abstract: A software facility for automatically identifying subnetworks in a network is described. The facility receives a plurality of addresses of hosts in the network, and accesses a binary tree. The nodes of the binary tree each represent a range of addresses within the network. A facility traverses the binary tree to identify candidate nodes where both child nodes have one or more descendent leaf nodes representing host addresses. The facility tests the address range represented by each candidate node visited in the traversal to determine whether the address range is a subnet address range for a subnet being used on the network. If testing indicates that a visited candidate node represents such an address range, the facility identifies the visited candidate node as a subnet node. The facility skips, in the traversal, any candidate notes that are descendents of an identified subnet node.

Abstract: A hardware-based policy engine that employs a policy cache to process packets of network traffic. The policy engine includes a stream classifier that associates each packet with at least one action processor based on data in the packet, and the action processor further acts on the packets based on the association determined by the stream classifier.

Abstract: A facility for communicating between two computing devices is described. The facility determines a first computing device has been connected to a distinguished computer network that is connected to a second level computer network. The facility then utilizes the distinguished computer network and the second level computer network to establish contact with a second computing device that is outside the distinguished computer network.

Abstract: The present invention is directed to a facility for distributing network security information. The facility receives network security information and recipient selection information specifying a characteristic of perspective recipients to be used in selecting recipients for the security information. The facility then compares the received recipient selection information to each of a plurality of perspective recipient profiles. Each perspective recipient profile corresponds to one or more perspective recipients and indicates one or more characteristics of the perspective recipients relating to the receipt of network security information. Based upon this comparison, the facility selects at least a portion of the plurality of perspective recipients as recipients of the network security information, and addresses the network security information to each of the selected recipients.

Abstract: A method and apparatus for responding to denial of service attacks. Rather than a firewall or other device either denying all new session requests or denying no new session requests (and, albeit, dropping then-pending session requests), new session requests are selectively passed to the device.

Abstract: The present invention is directed to a facility for adapting a network security policy model for use in a particular network. The facility retrieves the network security policy model, which comprises network security rules each specified with respect to one or more aliases. Each alias represents a role in a network for one or more network elements. The facility receives, for each alias included in the network security policy model, a list of one or more network elements in the network serving the role represented by the alias. The facility replaces each alias in the network security policy model with the received list of network security devices specified for the alias to produce a network security policy adapted for use in a network.

Abstract: A system and method for scheduling packet output according to a quality of service (QoS) action specification. A system is provided with a calendar queue with a plurality of bandwidth timeslots, wherein the bandwidth timeslots are organized into groups. A look-up logic circuitry inspects a group of bandwidth timeslots substantially simultaneously and determines from the group a first unoccupied bandwidth timeslot in which a current packet can be scheduled. The look-up logic circuitry also determines a first occupied bandwidth timeslot that contains a next packet to be transmitted.

Abstract: The present invention is directed to a facility for using a security policy manager device to remotely manage multiple network security devices (NSDs). The manager device can also use one or more intermediate supervisor devices to assist in the management. Security for the communication of information between various devices can be provided in a variety of ways. The system allows the manager device to create a consistent security policy for the multiple NSDs by distributing a copy of a security policy template to each of the NSDs and by then configuring each copy of the template with NSD-specific information. For example, the manager device can distribute the template to multiple NSDs by sending a single copy of the template to a supervisor device associated with the NSDs and by then having the supervisor device update each of the NSDs with a copy of the template. Other information useful for implementing security policies can also be distributed to the NSDs in a similar manner.

Abstract: A policy engine for handling incoming data packets. The policy engine includes a stream classification module, a data packet input/output module, and a policy enforcement module. The policy enforcement module further includes a packet scheduler, an on-chip packet buffer circuitry, and a plurality of action processors. The stream classification module creates a packet service header for each data packet, wherein the packet service header indicates policies to be enforced for that data packet. The action processors enforce the policies.

Abstract: A software facility for automatically identifying subnetworks in a network is described. The facility receives a plurality of addresses of hosts in the network, and accesses a binary tree. The nodes of the binary tree each represent a range of addresses within the network. A facility traverses the binary tree to identify candidate nodes where both child nodes have one or more descendent leaf nodes representing host addresses. The facility tests the address range represented by each candidate node visited in the traversal to determine whether the address range is a subnet address range for a subnet being used on the network. If testing indicates that a visited candidate node represents such an address range, the facility identifies the visited candidate node as a subnet node. The facility skips, in the traversal, any candidate notes that are descendents of an identified subnet node.

Abstract: The present invention is directed to a facility for classifying network packets. The classified network packets each contain a source address, a source port number, a destination address, and a destination port number. The facility first sums the source address, the source port number, the destination address, and the destination port number contained by the packet. The facility then determines the modulo remainder of the sum over a constant predetermined value. The facility uses the determined modulo remainder to classify the packet into a class of packets predicted to relate to the same network session.

Abstract: A method of scheduling packet output according to a quality of service action specification, the method maintains a calendar queue of bandwidth timeslots, organizes the timeslots into groups, invokes a look-up logic circuitry to inspect a group of timeslots substantially simultaneously, determines a first unoccupied timeslot to schedule a current packet, and also determines a first occupied timeslot that contains a next packet to transmit.