Patents by Inventor Amit Chopra
Amit Chopra has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20190197233
Abstract: A security system for a distributed application obtains and, in effect, preserves provisioning information for the purpose of auto-populating whitelists used to protect the distributed application from intrusions. The provisioning information identifies allowable connections on a software-package level. Entries mapping processes to connection destinations are added to a whitelist if a process requesting a connection results from execution of an executable file installed as part of a software package for which the connection was allowed according to the provisioning information.
Type: Application
Filed: February 27, 2019
Publication date: June 27, 2019
Inventors: Amit CHOPRA, Daniel G. WING, Vijay GANTI, Christopher CORDE, Amit PATIL, Peixiao LIN
-
Publication number: 20190190710
Abstract: The subject matter described herein is generally directed towards generating security parameter index ("SPI") values at a plurality of endpoints (EP) in a network using time-based one-time passwords (TOTPs). In this manner, the SPI values are generated in a decentralized manner. The SPI values are used for distributed network encryption among the EPs.
Type: Application
Filed: December 16, 2017
Publication date: June 20, 2019
Inventors: Amit Chopra, Chen Li
-
Publication number: 20190190919
Abstract: A computer security system provides for auto-populating process-connection whitelists using process wildcarding and connection wildcarding. Process wildcarding involves grouping process-connection requests together in a process* group without regard to the presence of distinct process arguments; in contrast, some process-connection requests may be separated both by process and by argument into process-argument groups. The process-connection requests may then be analyzed on a group-by-group basis to determine which processes can be mapped to a wildcarded connection in a respective process-connection whitelist.
Type: Application
Filed: February 27, 2019
Publication date: June 20, 2019
Inventors: Amit CHOPRA, Daniel G. WING, Vijay GANTI, Christopher CORDE, Amit PATIL, Peixiao LIN, Sanjay SANGHAVI
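The two abstracts above (20190197233 and 20190190919) describe the same pipeline from two angles: provisioning data decides which process-to-destination requests may be whitelisted at all, and wildcarding decides how coarsely the resulting entries are written. The following is an added example, not code from the filings or from any product; the provisioning records, the sample connection requests, the wildcard threshold and the set of argument-sensitive interpreters are all constructed assumptions.

```python
"""Added example (not the patents' own code): auto-populating a process-connection
whitelist from provisioning information, with process and connection wildcarding.
All data structures, thresholds and sample records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Tuple

# Constructed provisioning info: package -> executables it installed and the
# (host, port) destinations the package was allowed to reach when deployed.
PROVISIONING = {
    "webapp-1.4": {
        "executables": {"/opt/webapp/bin/webapp"},
        "allowed": {("db-primary", 5432), ("db-replica", 5432), ("cache", 6379)},
    },
    "python3": {
        "executables": {"/usr/bin/python3"},
        "allowed": {("metrics", 9090)},
    },
}

# Interpreters: the argument decides what really runs, so keep these in
# process-argument groups instead of collapsing them into a process* group.
ARGUMENT_SENSITIVE = {"/usr/bin/python3"}

# Assumption: wildcard the host when one group reaches at least this many
# distinct hosts on the same port.
WILDCARD_THRESHOLD = 2


@dataclass(frozen=True)
class ConnRequest:
    exe: str
    args: Tuple[str, ...]
    host: str
    port: int


def package_for(exe: str):
    for name, info in PROVISIONING.items():
        if exe in info["executables"]:
            return name
    return None


def allowed_by_provisioning(req: ConnRequest) -> bool:
    """Step 1: only requests from a provisioned package, to a destination that
    package was provisioned for, are candidates for the whitelist."""
    pkg = package_for(req.exe)
    return pkg is not None and (req.host, req.port) in PROVISIONING[pkg]["allowed"]


def group_key(req: ConnRequest):
    """Step 2: process wildcarding. Most processes collapse into a process*
    group; argument-sensitive ones are split by process and argument."""
    if req.exe in ARGUMENT_SENSITIVE:
        return (req.exe,) + req.args
    return (req.exe, "*")


def build_whitelist(requests):
    """Step 3: connection wildcarding, decided per group."""
    groups = defaultdict(set)
    for r in requests:
        if not allowed_by_provisioning(r):
            continue  # never learn an entry provisioning did not cover
        groups[group_key(r)].add((r.host, r.port))
    whitelist = {}
    for key, dests in groups.items():
        by_port = defaultdict(set)
        for host, port in dests:
            by_port[port].add(host)
        entries = set()
        for port, hosts in by_port.items():
            if len(hosts) >= WILDCARD_THRESHOLD:
                entries.add(("*", port))  # wildcarded connection
            else:
                entries.update((h, port) for h in hosts)
        whitelist[key] = entries
    return whitelist


def is_allowed(whitelist, req: ConnRequest) -> bool:
    entries = whitelist.get(group_key(req), set())
    return (req.host, req.port) in entries or ("*", req.port) in entries


# Constructed sample of observed process-connection requests.
SAMPLE_REQUESTS = [
    ConnRequest("/opt/webapp/bin/webapp", (), "db-primary", 5432),
    ConnRequest("/opt/webapp/bin/webapp", (), "db-replica", 5432),
    ConnRequest("/opt/webapp/bin/webapp", (), "cache", 6379),
    ConnRequest("/opt/webapp/bin/webapp", (), "evil", 4444),          # not provisioned
    ConnRequest("/usr/bin/python3", ("/opt/exporter.py",), "metrics", 9090),
    ConnRequest("/usr/bin/python3", ("/tmp/x.py",), "metrics", 9090),
]

if __name__ == "__main__":
    for key, entries in build_whitelist(SAMPLE_REQUESTS).items():
        print(key, sorted(entries))
```

A wildcarded entry such as `("*", 5432)` is deliberately broader than anything provisioning listed, so a new database host on port 5432 is accepted without review; that is the trade the wildcarding makes, and a deployment would want the threshold and the argument-sensitive set tuned to its own fleet.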
-
Publication number: 20190068622
Abstract: A security system for a customer computer site includes a cloud-based manager (CBM) and on-site components. The on-site components include a manager appliance, guest agents of the CBM installed within respective virtual machines, and host agents of the CBM installed on the hypervisors on which the virtual machines run. The guest agents have a many-to-one relationship with the host agents, which have a many-to-one relationship with the appliance. In a scenario, many guest agents may generate alarms and send them to the host agents. Each host agent consolidates alarms across the different virtual machines it hosts and pushes the consolidated alarms to the manager appliance. The appliance batch processes the consolidated alarms across host agents, and pushes the batched alarms to the CBM, which deduplicates the alarms and notifies an administrator.
Type: Application
Filed: August 25, 2018
Publication date: February 28, 2019
Inventors: Peixiao LIN, Amit CHOPRA, Daniel G. WING, Vijay GANTI, Christopher CORDE, Amit PATIL
-
Patent number: 10178024
Abstract: An example method is provided for a first edge device to perform traffic forwarding in a network with geographically dispersed first site and second site. The method may comprise reconfiguring, for a workload migrated from the second site to the first site, the first edge device located at the first site as a default gateway of the workload in place of the second edge device located at the second site, by causing the workload to learn an association between a default gateway Internet Protocol (IP) address associated with the second edge device and a Media Access Control (MAC) address associated with the first edge device. The method may further comprise receiving, from the workload, traffic for forwarding to a destination, and in response to a determination that the destination is not within the second site, forwarding the received traffic to the destination without using the second edge device.
Type: Grant
Filed: September 1, 2015
Date of Patent: January 8, 2019
Assignee: NICIRA, INC.
Inventors: Amit Chopra, Sandeep Kasbe, Prasad Potdar
-
Patent number: 10116466
Abstract: Example methods are provided for a first endpoint to communicate with a second endpoint over a public network, the second endpoint being in a private network. The method may comprise detecting an offload segment from a protocol stack of the first endpoint. The offload segment may be destined for the second endpoint, generated by the protocol stack from a chunk of data sent by an application executing on the first endpoint and detected using a virtual adapter that emulates a transport protocol task offload. The method may further comprise processing the offload segment to generate a processed offload segment for transfer through a tunnel connecting the virtual adapter over the public network with a gateway associated with the private network; and sending the processed offload segment through the tunnel in a plurality of tunnel segments, the gateway being configured to generate a plurality of transport protocol segments.
Type: Grant
Filed: March 14, 2016
Date of Patent: October 30, 2018
Assignee: VMWARE, INC.
Inventors: Vasantha Kumar, Amit Chopra
-
Publication number: 20180219915
Abstract: Certain embodiments described herein are generally directed to allocating security parameter index ("SPI") values to a plurality of endpoints in a network. The SPI values may be derived using an SPI derivation formula and a plurality of parameters. In some embodiments, the SPI values may be derived by an endpoint and in other embodiments by a server. Using the SPI derivation formula and the plurality of parameters enables endpoints and servers to instantaneously derive SPI values without the need for servers to store them.
Type: Application
Filed: February 2, 2017
Publication date: August 2, 2018
Inventors: Amit CHOPRA, Chen LI, Ganesan CHANDRASHEKHAR, Jinqiang YANG, Sanal PILLAI, Bin QIAN
-
Publication number: 20180176102
Abstract: A method for visualizing network flows of a network is provided. The method monitors network flows between a group of machines in a network. The method associates identifiers with the monitored network flows. The method aggregates the monitored network flows into a set of groups based on the associated identifiers. The method displays a set of flow records for each group of the set of groups.
Type: Application
Filed: September 25, 2017
Publication date: June 21, 2018
Inventors: Kaushal Bansal, Uday Masurekar, Srinivas Nimmagadda, Jingmin Zhou, Abhishek Goliya, Amit Chopra, Kausum Kumar
-
Publication number: 20180097785
Abstract: An example method of key management for encryption of traffic in a network having network nodes includes negotiating, between a first network node and a centralized key management server, to obtain a master key shared among the network nodes; receiving, at the first network node, a first identifier for the first network node and a second identifier for a second network node; generating, at the first network node, a first session key by supplying the master key, the first identifier, and the second identifier as parametric input to a function; establishing, using a network stack of the first network node, a first point-to-point tunnel through the network to the second network node without a key exchange protocol; and sending first traffic from the first network node to the second network node through the first point-to-point tunnel, the first traffic including a portion encrypted by the first session key.
Type: Application
Filed: September 30, 2016
Publication date: April 5, 2018
Inventors: Jinqiang YANG, Ganesan CHANDRASHEKHAR, Bin QIAN, Amit Chopra, Sanal Pillai
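Three of the abstracts above share one idea: 20190190710 derives SPI values from a TOTP-style time counter, 20180219915 derives them from a formula over a set of parameters so that no server has to store them, and 20180097785 derives a pairwise session key by feeding a shared master key and two node identifiers to a function, with no key exchange on the wire. The block below is an added example of that pattern, not code from the filings; the HMAC-based formula, the labels, the time step, the identifiers and the master key are all constructed assumptions and are not the formula the filings describe.

```python
"""Added example (not the patents' own code): decentralized derivation of an
IPsec SPI and a pairwise session key from one shared master key, two endpoint
identifiers and a TOTP-style time counter. Formula, labels, step size and
sample values are constructed assumptions."""
import hashlib
import hmac
import struct

TIME_STEP = 300   # seconds per SPI epoch (assumption)
SPI_MIN = 256     # RFC 4303: SPI 0 is for local use, 1-255 are reserved by IANA


def _prf(master_key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a label plus length-prefixed parts. The label keeps the
    SPI and key derivations in separate domains; the length prefixes stop
    ("ab", "c") and ("a", "bc") from producing the same input."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(master_key, msg, hashlib.sha256).digest()


def time_counter(now: int, step: int = TIME_STEP) -> int:
    """TOTP-style counter: both endpoints get the same value within one epoch."""
    return now // step


def derive_spi(master_key: bytes, sender_id: str, receiver_id: str, counter: int) -> int:
    """SPI for the SA carrying traffic from sender to receiver during one epoch.
    Direction is part of the input so the two SAs of a pair get distinct SPIs.
    The result is mapped into 256..2^32-1 to stay clear of reserved values."""
    d = _prf(master_key, b"spi", sender_id.encode(), receiver_id.encode(),
             struct.pack(">Q", counter))
    return SPI_MIN + int.from_bytes(d[:4], "big") % (2**32 - SPI_MIN)


def derive_session_key(master_key: bytes, id_a: str, id_b: str) -> bytes:
    """Pairwise key from the master key and the two node identifiers. Sorting
    the identifiers makes both nodes feed the function identical parameters,
    which is what lets them skip a key exchange."""
    first, second = sorted([id_a, id_b])
    return _prf(master_key, b"session-key", first.encode(), second.encode())


def spi_candidates(master_key: bytes, sender_id: str, receiver_id: str,
                   now: int, skew_steps: int = 1) -> set:
    """What a receiver should be willing to match around 'now', tolerating
    clock skew the way TOTP validators accept adjacent time steps."""
    c = time_counter(now)
    return {derive_spi(master_key, sender_id, receiver_id, c + k)
            for k in range(-skew_steps, skew_steps + 1)}


if __name__ == "__main__":
    mk = b"constructed-master-key"          # constructed, never use a literal key
    now = 1700000000
    print("counter", time_counter(now))
    print("SPI a->b", hex(derive_spi(mk, "node-a", "node-b", time_counter(now))))
    print("SPI b->a", hex(derive_spi(mk, "node-b", "node-a", time_counter(now))))
    print("key", derive_session_key(mk, "node-a", "node-b").hex())
```

Two caveats a practitioner would want stated: every pairwise key is a function of the master key, so compromising the key management server or any one node's copy of the master key exposes every tunnel, and because the session key above does not include the counter it never rotates; a real deployment would fold the epoch into the key derivation as well and re-key on the same schedule as the SPI.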
-
Patent number: 9930066
Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a "secure wire," and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
Type: Grant
Filed: February 12, 2013
Date of Patent: March 27, 2018
Assignee: NICIRA, INC.
Inventors: Amit Chopra, Uday Masurekar
-
Publication number: 20170170986
Abstract: Example methods are provided for a first endpoint to communicate with a second endpoint over a public network, the second endpoint being in a private network. The method may comprise detecting, using a virtual adapter, a chunk of data directly from an application executing on the first endpoint. The virtual adapter may emulate a transport protocol task offload to bypass transport protocol processing by a protocol stack of the first endpoint. The method may comprise processing the chunk of data to generate a chunk of processed data for transfer through a tunnel connecting the virtual adapter over the public network with a gateway associated with the private network, and sending the chunk of processed data through the tunnel in a plurality of tunnel segments, wherein the gateway is configured to perform transport protocol processing to generate a plurality of transport protocol segments from the chunk of processed data for transfer to the second endpoint.
Type: Application
Filed: March 14, 2016
Publication date: June 15, 2017
Inventors: VASANTHA KUMAR, AMIT CHOPRA
-
Publication number: 20170171087
Abstract: Example methods are provided for a first endpoint to perform congestion control during communication with a second endpoint over a public network, the second endpoint being in a private network. The method may comprise generating a plurality of tunnel segments containing unreliable transport protocol data destined for the second endpoint; and determining whether congestion control is required based on a data amount of the plurality of tunnel segments and a congestion window associated with a tunnel connecting the first endpoint with the private network. The method may further comprise, in response to a determination that congestion control is required, performing congestion control by dropping at least some of the plurality of tunnel segments; otherwise, sending the plurality of tunnel segments through the tunnel supported by the reliable transport protocol connection.
Type: Application
Filed: March 10, 2016
Publication date: June 15, 2017
Inventors: VASANTHA KUMAR, AMIT CHOPRA
-
Publication number: 20170170987
Abstract: Example methods are provided for a first endpoint to communicate with a second endpoint over a public network, the second endpoint being in a private network. The method may comprise detecting an offload segment from a protocol stack of the first endpoint. The offload segment may be destined for the second endpoint, generated by the protocol stack from a chunk of data sent by an application executing on the first endpoint and detected using a virtual adapter that emulates a transport protocol task offload. The method may further comprise processing the offload segment to generate a processed offload segment for transfer through a tunnel connecting the virtual adapter over the public network with a gateway associated with the private network; and sending the processed offload segment through the tunnel in a plurality of tunnel segments, the gateway being configured to generate a plurality of transport protocol segments.
Type: Application
Filed: March 14, 2016
Publication date: June 15, 2017
Inventors: VASANTHA KUMAR, AMIT CHOPRA
-
Publication number: 20170063683
Abstract: Example methods are provided to perform traffic forwarding between geographically dispersed first site and second site and to support traffic forwarding via a trunk interface. In one example, the method may comprise receiving, by a first edge device at the first site, network traffic comprising a plurality of packets via a trunk interface of the first edge device from a virtual tunnel endpoint, the virtual tunnel endpoint having decapsulated the packets prior to communicating the packets through the trunk interface. The method may further comprise reading an overlay network identifier from each of the packets to identify a source overlay network of the received network traffic from the multiple overlay networks; modifying each of the packets to include a virtual local area network (VLAN) identifier; and forwarding modified network traffic to a second edge device at the second site to identify the destination network based on the VLAN identifier.
Type: Application
Filed: February 1, 2016
Publication date: March 2, 2017
Inventors: QIN LI, SHAILESH URHEKAR, AMIT CHOPRA, AYYAPPAN VEERAIYAN, UDAY MASUREKAR
-
Publication number: 20170034129
Abstract: A novel method of providing virtual private access to a software defined data center (SDDC) is provided. The SDDC uses distributed VPN tunneling to allow external access to application services hosted in the SDDC. The SDDC includes host machines for providing computing and networking resources and a VPN gateway for providing external access to those resources. The host machines that host the VMs running the applications that VPN clients want to connect to perform the VPN encryption and decryption. The VPN gateway does not perform any encryption and decryption operations. The packet structure is such that the VPN gateway can read the IP address of the VM without decrypting the packet.
Type: Application
Filed: April 27, 2016
Publication date: February 2, 2017
Inventors: Sandesh Sawant, Amit Chopra, Vinayak Shashikant Naik, Jayant Jain, Anirban Sengupta, Uday Masurekar
-
Publication number: 20160380972
Abstract: A method for enforcing a network policy is described herein. In the method, a network socket event request from an application executing in a first context is intercepted by an agent prior to the request reaching a transport layer in the first context. A context refers to virtualization software, a physical computer, or a combination of virtualization software and physical computer. In response to the interception of the request, the agent requests, from a security server executing in a second context that is distinct from the first context, a decision on whether to allow or deny the network socket event request. The request for a decision includes an identification of the application. The agent then receives from the security server either an allowance or a denial of the network socket event request, the allowance or denial being based at least in part on the identification of the application and a security policy.
Type: Application
Filed: September 12, 2016
Publication date: December 29, 2016
Inventors: Azeem Feroz, Binyuan Chen, Amit Chopra
-
Publication number: 20160380893
Abstract: An example method is provided for a first edge device to perform traffic forwarding in a network with geographically dispersed first site and second site. The method may comprise reconfiguring, for a workload migrated from the second site to the first site, the first edge device located at the first site as a default gateway of the workload in place of the second edge device located at the second site, by causing the workload to learn an association between a default gateway Internet Protocol (IP) address associated with the second edge device and a Media Access Control (MAC) address associated with the first edge device. The method may further comprise receiving, from the workload, traffic for forwarding to a destination, and in response to a determination that the destination is not within the second site, forwarding the received traffic to the destination without using the second edge device.
Type: Application
Filed: September 1, 2015
Publication date: December 29, 2016
Inventors: AMIT CHOPRA, SANDEEP KASBE, PRASAD POTDAR
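Patent 10178024 and its published application 20160380893 above both turn on one step: the migrated workload keeps its default gateway IP but must learn a new MAC for it, that of the edge device at the site it now runs in. The abstracts do not say how the workload is made to learn the association; the usual mechanism is a gratuitous ARP reply, and the block below is an added example of building, parsing and cautiously applying one. It is not code from the filings; the edge MACs, the gateway IP, the trusted-MAC check and the choice of gratuitous ARP are assumptions.

```python
"""Added example (not the patents' own code): the gratuitous ARP reply a new
default gateway can send so a migrated workload maps the unchanged gateway IP
to the local edge's MAC, plus the workload-side check a cautious host applies.
MACs, IPs and the mechanism itself are assumptions."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_gratuitous_arp(gateway_ip: str, new_gateway_mac: str) -> bytes:
    """Broadcast Ethernet frame carrying an ARP reply whose sender IP and
    target IP are both the gateway IP and whose sender MAC is the edge device
    that now owns the gateway role."""
    sha = mac_bytes(new_gateway_mac)
    spa = ipaddress.IPv4Address(gateway_ip).packed
    eth = BROADCAST + sha + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, op=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + sha + spa + BROADCAST + spa
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame; rejects anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def is_gratuitous(info: dict) -> bool:
    return info["op"] == ARP_REPLY and info["sender_ip"] == info["target_ip"]


def apply_to_arp_cache(cache: dict, frame: bytes, trusted_gateway_macs: set) -> dict:
    """Workload-side view. The same frame is the ARP-spoofing primitive, so the
    cache is only rewritten when the sender MAC belongs to one of the site's
    edge devices (an assumed control; real hosts rely on the virtual switch or
    ARP inspection for this)."""
    info = parse_arp(frame)
    if not is_gratuitous(info) or info["sender_mac"] not in trusted_gateway_macs:
        return cache
    cache[info["sender_ip"]] = info["sender_mac"]
    return cache


if __name__ == "__main__":
    # Constructed: gateway 10.0.0.1 moves from edge ...:02 (site 2) to ...:01 (site 1)
    frame = build_gratuitous_arp("10.0.0.1", "02:00:00:00:00:01")
    cache = {"10.0.0.1": "02:00:00:00:00:02"}
    print(apply_to_arp_cache(cache, frame, {"02:00:00:00:00:01", "02:00:00:00:00:02"}))
```

The frame is 42 bytes without padding; on the wire it is padded to the 60-byte minimum. The security point is that nothing in ARP itself distinguishes the legitimate gateway takeover from a rogue host announcing the same IP, which is why the trust decision has to come from the network fabric rather than from the frame.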
-
Patent number: 9444841
Abstract: A method for enforcing a network policy is described herein. In the method, a network socket event request from an application executing in a first context is intercepted by an agent prior to the request reaching a transport layer in the first context. A context refers to virtualization software, a physical computer, or a combination of virtualization software and physical computer. In response to the interception of the request, the agent requests, from a security server executing in a second context that is distinct from the first context, a decision on whether to allow or deny the network socket event request. The request for a decision includes an identification of the application. The agent then receives from the security server either an allowance or a denial of the network socket event request, the allowance or denial being based at least in part on the identification of the application and a security policy.
Type: Grant
Filed: February 14, 2013
Date of Patent: September 13, 2016
Assignee: VMware, Inc.
Inventors: Azeem Feroz, Binyuan Chen, Amit Chopra
-
Publication number: 20160099968
Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a "secure wire," and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
Type: Application
Filed: December 10, 2015
Publication date: April 7, 2016
Inventors: Amit CHOPRA, Uday MASUREKAR
-
Publication number: 20150363888
Abstract: Embodiments of the invention are directed to systems, methods and computer program products for use in financial forecast systems, where historical financial data is analyzed for purposes of providing projected financial statements. An exemplary apparatus is configured to receive financial data, from a predetermined period of time in the past, that is associated with a business entity requesting to receive projected financial statements; analyze the financial data from the predetermined period of time in the past; determine, based on the analysis, a financial forecast for the entity for a predetermined period of time in the future; and provide one or more projected financial statements for the predetermined time period in the future based at least partially on the financial forecast of the entity.
Type: Application
Filed: June 16, 2014
Publication date: December 17, 2015
Inventors: Amit Chopra, Shane Prakash Masih, Ashu Chugh, Prashant Bidkar, Mitasha Navani