Patents by Inventor Amit Finkelstein

Amit Finkelstein has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8935742
    Abstract: Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services.
    Type: Grant
    Filed: August 18, 2008
    Date of Patent: January 13, 2015
    Assignee: Microsoft Corporation
    Inventors: Nir Nice, Oleg Ananiev, John Wohlfert, Amit Finkelstein, Alik Teplitsky
  • Patent number: 8910255
    Abstract: Aspects of the subject matter described herein relate to authentication for a distributed secure content management system. In aspects, a request to access a resource available through the Internet is routed to a security component. The security component is one of a plurality of security components distributed throughout the Internet and responsible for authenticating entities associated with an enterprise. The security component determines an authentication protocol to use with the entity and then authenticates the entity. If the entity is authenticated, the entity is allowed to use a forward proxy.
    Type: Grant
    Filed: May 27, 2008
    Date of Patent: December 9, 2014
    Assignee: Microsoft Corporation
    Inventors: Nir Nice, Oleg Ananiev, John F. Wohlfert, Amit Finkelstein, Alexander Teplitsky
  • Patent number: 8910270
    Abstract: In some embodiments of the invention, techniques may make private identifiers for private network resources usable to establish connections to those private network resources from computing devices connected to an outside network. For example, when a computing device is connected to an outside network and attempting to contact a private network resource, DNS may be used to resolve a domain name for the private network resource to an IP address for an edge resource of the private network. Communications may be passed between the computing device and the edge resource according to protocols which embed the identifier originally used to identify the private network resource. The edge resource of the private network may analyze communications over the connection to determine this identifier, and use it to pass the communication to the desired private network resource.
    Type: Grant
    Filed: January 20, 2009
    Date of Patent: December 9, 2014
    Assignee: Microsoft Corporation
    Inventors: Nir Nice, Amit Finkelstein, Dror Kremer, Noam Ben-Yochanan, Shyam Seshadri
  • Patent number: 8353020
    Abstract: A generic master-slave mechanism enables a single processor of a cluster of firewall processors to define the behavior of the other processors in the cluster for a specific logical connection. The cluster of firewall processors utilizes virtual adapters representing physical adapters on other processors in the firewall cluster. This virtualization allows each cluster member to act as though it is a standalone machine that owns all local IP addresses of the entire cluster. When traffic is received by a firewall processor, the firewall processor determines if there is a master associated with the logical connection for the traffic. If so, the traffic is routed to the master. If no master is associated, in an example configuration, the receiving firewall processor becomes the master. A message traffic logical connection has a single master. A master remains the master of a logical connection until the connection is terminated.
    Type: Grant
    Filed: June 14, 2006
    Date of Patent: January 8, 2013
    Assignee: Microsoft Corporation
    Inventors: Amit Finkelstein, Avihai Lifschitz, Yosef Dinerstein, Ziv Caspi
  • Patent number: 7860982
    Abstract: Verification of Internet connectivity using multiple prior connection attempts to Internet destination(s). The Internet destinations may be destinations that have high reliability and that do not easily have intermediating systems that might deny a connection request. Such an Internet destination might be, for example, root Domain Name Server (DNS) servers. Connection attempt results are obtained by tracking, for at least some of the connection attempts, which resulted in success and failure. Internet connectivity is then verified based on the collective results, rather than relying on any one single connection attempt. In one embodiment, the frequency of the connection attempts may depend on a current state of the Internet connection.
    Type: Grant
    Filed: March 14, 2008
    Date of Patent: December 28, 2010
    Assignee: Microsoft Corporation
    Inventors: Amit Finkelstein, Lior Alon, Stanislav Galpert, Michael Pechuk
  • Publication number: 20100186079
    Abstract: In some embodiments of the invention, techniques may make private identifiers for private network resources usable to establish connections to those private network resources from computing devices connected to an outside network. For example, when a computing device is connected to an outside network and attempting to contact a private network resource, DNS may be used to resolve a domain name for the private network resource to an IP address for an edge resource of the private network. Communications may be passed between the computing device and the edge resource according to protocols which embed the identifier originally used to identify the private network resource. The edge resource of the private network may analyze communications over the connection to determine this identifier, and use it to pass the communication to the desired private network resource.
    Type: Application
    Filed: January 20, 2009
    Publication date: July 22, 2010
    Applicant: Microsoft Corporation
    Inventors: Nir Nice, Amit Finkelstein, Dror Kremer, Noam Ben-Yochanan, Shyam Seshadri
  • Publication number: 20090300739
    Abstract: Aspects of the subject matter described herein relate to authentication for a distributed secure content management system. In aspects, a request to access a resource available through the Internet is routed to a security component. The security component is one of a plurality of security components distributed throughout the Internet and responsible for authenticating entities associated with an enterprise. The security component determines an authentication protocol to use with the entity and then authenticates the entity. If the entity is authenticated, the entity is allowed to use a forward proxy.
    Type: Application
    Filed: May 27, 2008
    Publication date: December 3, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Nir Nice, Oleg Ananiev, John F. Wohlfert, Amit Finkelstein, Alexander Teplitsky
  • Patent number: 7603333
    Abstract: The evaluation of a policy can be delayed until all rules criteria needed for evaluation are available. Also, new types of rules criteria can be registered without requiring changes to a rules engine. A policy manager allows rules to be evaluated and decisions made at different stages of the request handling. The policy manager facilitates interaction with the rules engine until all criteria are evaluated. The policy manager also allows modules developed by third parties to provide notification when criteria can be decided and thus complete evaluation.
    Type: Grant
    Filed: June 14, 2006
    Date of Patent: October 13, 2009
    Assignee: Microsoft Corporation
    Inventors: Amit Finkelstein, Avihai Lifschitz, Yosef Dinerstein, Ziv Caspi
  • Publication number: 20090232009
    Abstract: Verification of Internet connectivity using multiple prior connection attempts to Internet destination(s). The Internet destinations may be destinations that have high reliability and that do not easily have intermediating systems that might deny a connection request. Such an Internet destination might be, for example, root Domain Name Server (DNS) servers. Connection attempt results are obtained by tracking, for at least some of the connection attempts, which resulted in success and failure. Internet connectivity is then verified based on the collective results, rather than relying on any one single connection attempt. In one embodiment, the frequency of the connection attempts may depend on a current state of the Internet connection.
    Type: Application
    Filed: March 14, 2008
    Publication date: September 17, 2009
    Applicant: Microsoft Corporation
    Inventors: Amit Finkelstein, Lior Alon, Stanislav Galpert, Michael Pechuk
  • Publication number: 20090178109
    Abstract: Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services.
    Type: Application
    Filed: August 18, 2008
    Publication date: July 9, 2009
    Applicant: Microsoft Corporation
    Inventors: Nir Nice, Oleg Ananiev, John Wohlfert, Amit Finkelstein, Alik Teplitsky
  • Patent number: 7412443
    Abstract: Given a language with all words in a fixed length, and a set of regular expressions composed only from characters in the alphabet of the language or the “?” sign (any single character), the method of the invention defines a data structure that is used to efficiently find the set of matching regular expressions for a given query word. The method may be adjusted by appropriate selection of a control variable to vary the storage space required and the search time necessary to complete the query. Specifically, the method of the present invention provides a space versus time trade-off between the storage space required for the data structures of the present invention and the amount of time to search those data structures to determine the matching set of regular expressions.
    Type: Grant
    Filed: August 3, 2005
    Date of Patent: August 12, 2008
    Assignee: Microsoft Corporation
    Inventor: Amit Finkelstein
  • Patent number: 7386548
    Abstract: Given a language with all words in a fixed length, and a set of regular expressions composed only from characters in the alphabet of the language or the “?” sign (any single character), the system of the invention defines a data structure that is used to efficiently find the set of matching regular expressions for a given query word. The system may be adjusted by appropriate selection of a control variable to vary the storage space required and the search time necessary to complete the query. Specifically, the system of the present invention provides a space versus time trade-off between the storage space required for the data structures of the present invention and the amount of time to search those data structures to determine the matching set of regular expressions.
    Type: Grant
    Filed: November 10, 2005
    Date of Patent: June 10, 2008
    Assignee: Microsoft Corporation
    Inventor: Amit Finkelstein
  • Publication number: 20070294198
    Abstract: The evaluation of a policy can be delayed until all rules criteria needed for evaluation are available. Also, new types of rules criteria can be registered without requiring changes to a rules engine. A policy manager allows rules to be evaluated and decisions made at different stages of the request handling. The policy manager facilitates interaction with the rules engine until all criteria are evaluated. The policy manager also allows modules developed by third parties to provide notification when criteria can be decided and thus complete evaluation.
    Type: Application
    Filed: June 14, 2006
    Publication date: December 20, 2007
    Applicant: Microsoft Corporation
    Inventors: Amit Finkelstein, Avihai Lifschitz, Yosef Dinerstein, Ziv Caspi
  • Publication number: 20070294754
    Abstract: A generic master-slave mechanism enables a single processor of a cluster of firewall processors to define the behavior of the other processors in the cluster for a specific logical connection. The cluster of firewall processors utilizes virtual adapters representing physical adapters on other processors in the firewall cluster. This virtualization allows each cluster member to act as though it is a standalone machine that owns all local IP addresses of the entire cluster. When traffic is received by a firewall processor, the firewall processor determines if there is a master associated with the logical connection for the traffic. If so, the traffic is routed to the master. If no master is associated, in an example configuration, the receiving firewall processor becomes the master. A message traffic logical connection has a single master. A master remains the master of a logical connection until the connection is terminated.
    Type: Application
    Filed: June 14, 2006
    Publication date: December 20, 2007
    Applicant: Microsoft Corporation
    Inventors: Amit Finkelstein, Avihai Lifschitz, Yosef Dinerstein, Ziv Caspi
  • Publication number: 20060074852
    Abstract: Given a language with all words in a fixed length, and a set of regular expressions composed only from characters in the alphabet of the language or the “?” sign (any single character), the system of the invention defines a data structure that is used to efficiently find the set of matching regular expressions for a given query word. The system may be adjusted by appropriate selection of a control variable to vary the storage space required and the search time necessary to complete the query. Specifically, the system of the present invention provides a space versus time trade-off between the storage space required for the data structures of the present invention and the amount of time to search those data structures to determine the matching set of regular expressions.
    Type: Application
    Filed: November 10, 2005
    Publication date: April 6, 2006
    Applicant: Microsoft Corporation
    Inventor: Amit Finkelstein
  • Patent number: 6996562
    Abstract: Given a language with all words in a fixed length, and a set of regular expressions composed only from characters in the alphabet of the language or the “?” sign (any single character), the method of the invention defines a data structure that is used to efficiently find the set of matching regular expressions for a given query word. The method may be adjusted by appropriate selection of a control variable to vary the storage space required and the search time necessary to complete the query. Specifically, the method of the present invention provides a space versus time trade-off between the storage space required for the data structures of the present invention and the amount of time to search those data structures to determine the matching set of regular expressions.
    Type: Grant
    Filed: July 29, 2002
    Date of Patent: February 7, 2006
    Assignee: Microsoft Corporation
    Inventor: Amit Finkelstein
  • Publication number: 20050267905
    Abstract: Given a language with all words in a fixed length, and a set of regular expressions composed only from characters in the alphabet of the language or the “?” sign (any single character), the method of the invention defines a data structure that is used to efficiently find the set of matching regular expressions for a given query word. The method may be adjusted by appropriate selection of a control variable to vary the storage space required and the search time necessary to complete the query. Specifically, the method of the present invention provides a space versus time trade-off between the storage space required for the data structures of the present invention and the amount of time to search those data structures to determine the matching set of regular expressions.
    Type: Application
    Filed: August 3, 2005
    Publication date: December 1, 2005
    Applicant: Microsoft Corporation
    Inventor: Amit Finkelstein
  • Publication number: 20040019477
    Abstract: Given a language with all words in a fixed length, and a set of regular expressions composed only from characters in the alphabet of the language or the “?” sign (any single character), the method of the invention defines a data structure that is used to efficiently find the set of matching regular expressions for a given query word. The method may be adjusted by appropriate selection of a control variable to vary the storage space required and the search time necessary to complete the query. Specifically, the method of the present invention provides a space versus time trade-off between the storage space required for the data structures of the present invention and the amount of time to search those data structures to determine the matching set of regular expressions.
    Type: Application
    Filed: July 29, 2002
    Publication date: January 29, 2004
    Applicant: Microsoft Corporation
    Inventor: Amit Finkelstein