Abstract: The present disclosure is directed to mapping indoor user movement using a combination of Wi-Fi and 60 GHz sensing. The methods include detecting, via a Wi-Fi access point, a wireless device associated with a first user, wherein the Wi-Fi access point is configured to determine location information and a device signature associated with the wireless device; transmitting the location information of the wireless device to a 11ay sensor; detecting the first user, via the 11ay sensor, based on the location information of the wireless device; creating a user signature associated with the first user, wherein the user signature is based on one or more physical characteristics of the first user detected by the 11ay sensor; and using the device signature associated with the wireless device and the user signature associated with the first user to subsequently identify the first user.

Abstract: Systems and methods for managing traffic in a hybrid environment include monitoring traffic load of a local network to determine whether the traffic load exceeds or is likely to exceed a maximum traffic load, where the maximum traffic load is a traffic load for which a service can be provided by the local network, based on a license. An excess traffic load is determined if the traffic load exceeds or is likely to exceed the maximum traffic load. One or more external networks which have a capacity to provide the service to the excess traffic load are determined, to which the excess traffic load is migrated. The local network includes one or more service instances for providing the service for up to the maximum traffic load, and the service to the excess traffic load is provided by one or more additional service instances in the one or more external networks.

Abstract: In one embodiment, an electronic device maintains one or more tunnel-based overlays for a communication network. The communication network includes two or more physical provider networks. The device maintains a mapping between a particular application and the one or more overlays for the communication network. The device adjusts the mapping between the particular application and the one or more overlays for the communication network. The device causes one or more routers in the communication network to route traffic for the particular application according to the adjusted mapping between the application and the one or more overlays for the communication network.

Abstract: Secure network segmentation using logical subnet segments is described. A single network segment or subnet provided by a third party is mapped into multiple layer-3 virtual or logical segments without requiring separate subnets. This mapping is accomplished by using virtual routing functions (VRFs) per logical subnet segment while retaining a single subnet across the segments. The logical subnet segments interact with the single network segment provided by the third party (ISP). The layer-3 VRF instances are created without the need for separate IP subnet pools per layer-3 segment. Each VRF instance for the various logical subnet segments is mapped to a Virtual Network Identifier (VNI) and Scalable Group Tag (SGT).

Abstract: Systems and methods are provided for receiving, at an enterprise network, first authentication data of a citizens broadband radio service (CBRS)-enabled device, receiving, at the enterprise network, second authentication data of the CBRS-enabled device, the first authentication data of the CBRS-enabled device being a different type of authentication data than the second authentication data of the CBRS-enabled device, determining a class of the CBRS-enabled device based on the first authentication data and the second authentication data of the CBRS-enabled device, determining a network segment for the CBRS-enabled device based on the class of the CBRS-enabled device, and providing access to the CBRS-enabled device based on the determining of the network segment for the CBRS-enabled device.

Abstract: Systems and methods provide for provisioning a dynamic intent-based firewall. A network controller can generate a master route table for network segments reachable from edge network devices managed by the controller. The controller can receive zone definition information mapping the network segments into zones and Zone-based Firewall (ZFW) policies to apply to traffic between a source and destination zone specified by each ZFW policy. The controller can evaluate a ZFW policy to determine first edge network devices that can reach first network segments mapped to the source zone specified by the ZFW policy, second edge network devices that can reach second network segments mapped to the destination zone specified by the ZFW policy, and routing information (from the route table) between the first network segments, the first and second edge network devices, and the second network segments. The controller can transmit the routing information to the edge network devices.

Abstract: Systems and methods for managing traffic in a hybrid environment include monitoring traffic load of a local network to determine whether the traffic load exceeds or is likely to exceed a maximum traffic load, where the maximum traffic load is a traffic load for which a service can be provided by the local network, based on a license. An excess traffic load is determined if the traffic load exceeds or is likely to exceed the maximum traffic load. One or more external networks which have a capacity to provide the service to the excess traffic load are determined, to which the excess traffic load is migrated. The local network includes one or more service instances for providing the service for up to the maximum traffic load, and the service to the excess traffic load is provided by one or more additional service instances in the one or more external networks.

Abstract: Systems and methods are provided for receiving, at an enterprise network, first authentication data of a citizens broadband radio service (CBRS)-enabled device, receiving, at the enterprise network, second authentication data of the CBRS-enabled device, the first authentication data of the CBRS-enabled device being a different type of authentication data than the second authentication data of the CBRS-enabled device, determining a class of the CBRS-enabled device based on the first authentication data and the second authentication data of the CBRS-enabled device, determining a network segment for the CBRS-enabled device based on the class of the CBRS-enabled device, and providing access to the CBRS-enabled device based on the determining of the network segment for the CBRS-enabled device.

Abstract: A mapping system, under administrative control of a Wide Area Network (WAN) controller, can track each host, authorized to access a plurality of Local Area Networks (LANs), in one or more mapping databases including a first network address representing an identifier and a second network addressing representing a locator for each host. The mapping system can receive a request for resolution of a first identifier of a host not presently connected to the network. The mapping system can determine the mapping databases exclude a mapping for the first identifier. The mapping system can update the mapping databases with a first mapping including the first identifier and a first locator corresponding to a honeypot network device. The mapping system can transmit, to one or more LANs of the plurality of LANs, routing information to route traffic destined for the first identifier to the honeypot network device.

Abstract: The present disclosure is directed to mapping indoor user movement using a combination of Wi-Fi and 60 GHz sensing. The methods include detecting, via a Wi-Fi access point, a wireless device associated with a first user, wherein the Wi-Fi access point is configured to determine location information and a device signature associated with the wireless device; transmitting the location information of the wireless device to a 11ay sensor; detecting the first user, via the 11ay sensor, based on the location information of the wireless device; creating a user signature associated with the first user, wherein the user signature is based on one or more physical characteristics of the first user detected by the 11ay sensor; and using the device signature associated with the wireless device and the user signature associated with the first user to subsequently identify the first user.

Abstract: Technologies for attestation techniques, systems, and methods to that reduces handover delay between LTE/5G eNBs by leveraging Wi-Fi for determining UE location. The systems, methods and computer-readable storage media disclosed here in may operate in the following deployments: the User Equipment (UE) is connected to enterprise Wi-Fi system in addition to being connected to private LTE/5G; enterprise Wi-Fi system having indoor location enabled; and the location system provides an API to give indoor location of the UE; and wherein Wi-Fi AP and LTE eNBs can communicate with each other, which can be accomplished in one instance wherein the two are co-located.

Abstract: Systems and methods provide for provisioning a dynamic intent-based firewall. A network controller can generate a master route table for network segments reachable from edge network devices managed by the controller. The controller can receive zone definition information mapping the network segments into zones and Zone-based Firewall (ZFW) policies to apply to traffic between a source and destination zone specified by each ZFW policy. The controller can evaluate a ZFW policy to determine first edge network devices that can reach first network segments mapped to the source zone specified by the ZFW policy, second edge network devices that can reach second network segments mapped to the destination zone specified by the ZFW policy, and routing information (from the route table) between the first network segments, the first and second edge network devices, and the second network segments. The controller can transmit the routing information to the edge network devices.

Abstract: The present disclosure is directed to seamless mobility between Wi-Fi technologies and includes one or more processors and one or more computer-readable non-transitory storage media comprising instructions that perform operations including detecting a client device having 802.11ax and 802.11ay Wi-Fi capability, identifying a 802.11ax access point associated with a first data path, wherein the first data path is configured to transmit traffic to and from the client device, identifying a 802.11ay access point associated with a second data path, wherein the second data path is configured to transmit the traffic to and from the client device, and wherein the 802.11ay access point is non-colocated with the 802.11ax access point, and establishing a mobility anchor point through which the traffic is switched, wherein a determination is made in the mobility anchor point as to whether the traffic will be transmitted via the 802.11ax access point through the first data path or via the 802.

Abstract: The present disclosure is directed to enhanced location analytics based on 802.11ay Wi-Fi technology and includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, cause one or more components to perform operations including determining enhanced location information of at least one user in a physical space based on first data received from at least one 802.11ay access point, generating an emotional quotient of the at least one user based on second data received from at least one 802.11ay sensor, combining the location information and the emotional quotient to generate one or more enhanced location analytics associated with the at least one user, and integrating the one or more enhanced location analytics with customer information in a partner database to derive one or more insights.

Abstract: An enterprise controller of an enterprise network sends to a service gateway of a service provider network a request for network slice information about network slices provisioned on a data plane of the service provider network. Responsive to the sending, the enterprise controller receives from the service gateway the network slice information including identifiers of and properties associated with the network slices. Responsive to receiving a request for the network slice information from a network device at a border of a forwarding plane of the enterprise network, the enterprise controller sends the network slice information to the network device to cause the network device to perform configuring network traffic in the forwarding plane with identifiers of ones of the network slices that match the network traffic, and to perform forwarding the network traffic configured with the identifiers to the data plane of the service provider network.

Abstract: Systems and methods are provided for receiving, at an enterprise network, first authentication data of a citizens broadband radio service (CBRS)-enabled device, receiving, at the enterprise network, second authentication data of the CBRS-enabled device, the first authentication data of the CBRS-enabled device being a different type of authentication data than the second authentication data of the CBRS-enabled device, determining a class of the CBRS-enabled device based on the first authentication data and the second authentication data of the CBRS-enabled device, determining a network segment for the CBRS-enabled device based on the class of the CBRS-enabled device, and providing access to the CBRS-enabled device based on the determining of the network segment for the CBRS-enabled device.

Abstract: In one embodiment, a method by a first network apparatus includes receiving a request to access a resource from a client device associated with a user, determining that the request does not comprise a session cookie, sending an authorization request to a second network apparatus, receiving an authorization response including a resource authorization token from the second network apparatus, determining that the user is authorized to access the resource using the client device based on the received resource authorization token, establishing a first communication session with the client device by sending a message to the client device, and establishing a second communication session with a resource server that provides the resource, where the first network apparatus relays traffic between the client device and the resource server.

Abstract: The present disclosure is directed to systems and methods for dynamic firewall discovery on a service plane. The method includes the steps of identifying a source data packet for transmission from a source machine at a source site to a destination machine at a destination site, wherein the source data packet corresponds to a request for connection between the source machine and the destination machine over a WAN, inspecting the source data packet at a first firewall associated with the source site, marking the source data packet with a marker to indicate inspection by the first firewall, transmitting the marked source data packet to the destination site, determining at the destination site that the source data packet has been inspected based on the marker, and forwarding the source data packet to the destination machine at the destination site, without inspection of the source data packet by a second firewall associated with the destination site.

Abstract: Techniques for providing flow meta data exchanges between network and security functions for a security service are disclosed. In some embodiments, a system/process/computer program product for providing flow meta data exchanges between network and security functions for a security service includes receiving a flow at a network gateway of a security service from a software-defined wide area network (SD-WAN) device; inspecting the flow to determine meta information associated with the flow; and communicating the meta information associated with the flow to the SD-WAN device.

Abstract: Secure network segmentation using logical subnet segments is described. A single network segment or subnet provided by a third party is mapped into multiple layer-3 virtual or logical segments without requiring separate subnets. This mapping is accomplished by using virtual routing functions (VRFs) per logical subnet segment while retaining a single subnet across the segments. The logical subnet segments interact with the single network segment provided by the third party (ISP). The layer-3 VRF instances are created without the need for separate IP subnet pools per layer-3 segment. Each VRF instance for the various logical subnet segments is mapped to a Virtual Network Identifier (VNI) and Scalable Group Tag (SGT).