Patents by Inventor Bernard Aboba

Bernard Aboba has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8826307
    Abstract: A computer with an extensible framework for facilitating communication between a software component installed on the computer and a device driver that executes functions in response to vendor-specific command objects (e.g., OIDs). The framework defines data structures and a standardized format for defining and implementing private interfaces. After selecting a private interface that is commonly supported by a software component and a driver, a private communication path may be established by an operating system component to facilitate the transfer of command information from the software component to the driver. The private communication path allows commands packaged as OIDs to be routed from software components to intended drivers. By defining private interfaces which route commands from software components to intended drivers, the extensible framework mitigates potential incompatibilities that may arise when drivers created by different vendors include OIDs with the same OID value.
    Type: Grant
    Filed: April 18, 2008
    Date of Patent: September 2, 2014
    Assignee: Microsoft Corporation
    Inventors: Narasimha Rao S.s. Nagampalli, Alireza Dabagh, Alok Manchanda, Taroon Mandhana, Sharad Mittal, Olivier Contant, Noel W. Anderson, Bernard Aboba, Jerry E. Peterson
  • Patent number: 8307071
    Abstract: Location of a communication network subscriber is determined employing confidence metrics such as remote vs. local computer usage, primary user in a multi-user computing environment, likelihood of forgery, and comparable ones. A fine-grained location determination is then made based on the metric results and directory information for the particular subscriber such that services like emergency services can be provided with accurate location information.
    Type: Grant
    Filed: January 15, 2010
    Date of Patent: November 6, 2012
    Assignee: Microsoft Corporation
    Inventors: Austin Donnelly, Bernard Aboba, Roy Kuntz, Gabriel Montenegro, Noor-E-Gagan Singh, Tim Moore
  • Patent number: 8051191
    Abstract: A networked computer with a networking framework that can operate in accordance with a standard protocol or may be configured to perform one or more functions that alter or extend processing according to the standard. The framework includes extensibility points and a mechanism to receive plug-ins that may perform extensibility functions. Network profile information indicates configuration of the extensibility points, including specific extensibility functions to be executed at the extensibility points. This information may be used to configure the extensibility points so that, as the computer operates, the extensibility functions are selectively executed instead of or in addition to standard functions.
    Type: Grant
    Filed: April 28, 2008
    Date of Patent: November 1, 2011
    Assignee: Microsoft Corporation
    Inventors: Alok Manchanda, Taroon Mandhana, Noel W. Anderson, Sharad Mittal, Deon C. Brewis, Olivier Contant, Bernard Aboba, Jerry E. Peterson
  • Publication number: 20110179158
    Abstract: Location of a communication network subscriber is determined employing confidence metrics such as remote vs. local computer usage, primary user in a multi-user computing environment, likelihood of forgery, and comparable ones. A fine-grained location determination is then made based on the metric results and directory information for the particular subscriber such that services like emergency services can be provided with accurate location information.
    Type: Application
    Filed: January 15, 2010
    Publication date: July 21, 2011
    Applicant: Microsoft Corporation
    Inventors: Austin Donnelly, Bernard Aboba, Roy Kuntz, Gabriel Montenegro, Noor-E-Gagan Singh, Tim Moore
  • Patent number: 7778422
    Abstract: Generating symmetric keys among distributed appliances, includes generating public and private values on at least one appliance, importing a public value from another appliance via an out-of-band entity, and generating a secret value as a function of the private value corresponding to the local appliance and the public value received from the other appliance.
    Type: Grant
    Filed: February 27, 2004
    Date of Patent: August 17, 2010
    Assignee: Microsoft Corporation
    Inventors: Trevor W. Freeman, Tim Moore, Bernard Aboba
  • Patent number: 7647634
    Abstract: One embodiment of the invention is directed to managing access of a host computer to a network. A first communication session with the host computer may be conducted to authenticate the host computer's identity. A second communication session with the host computer may be conducted to determine the health status of the host computer.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: January 12, 2010
    Assignee: Microsoft Corporation
    Inventors: Paul Mayfield, Bernard Aboba
  • Patent number: 7636938
    Abstract: One embodiment of the invention is directed to managing access of a host computer to a network. A first communication session with the host computer may be conducted to authenticate the host computer's identity. A second communication session with the host computer may be conducted to determine the health status of the host computer.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: December 22, 2009
    Assignee: Microsoft Corporation
    Inventors: Paul Mayfield, Bernard Aboba
  • Publication number: 20090271518
    Abstract: A networked computer with a networking framework that can operate in accordance with a standard protocol or may be configured to perform one or more functions that alter or extend processing according to the standard. The framework includes extensibility points and a mechanism to receive plug-ins that may perform extensibility functions. Network profile information indicates configuration of the extensibility points, including specific extensibility functions to be executed at the extensibility points. This information may be used to configure the extensibility points so that, as the computer operates, the extensibility functions are selectively executed instead of or in addition to standard functions.
    Type: Application
    Filed: April 28, 2008
    Publication date: October 29, 2009
    Applicant: Microsoft Corporation
    Inventors: Alok Manchanda, Taroon Mandhana, Noel W. Anderson, Sharad Mittal, Deon C. Brewis, Olivier Contant, Bernard Aboba, Jerry E. Peterson
  • Publication number: 20090265720
    Abstract: A computer with an extensible framework for facilitating communication between a software component installed on the computer and a device driver that executes functions in response to vendor-specific command objects (e.g., OIDs). The framework defines data structures and a standardized format for defining and implementing private interfaces. After selecting a private interface that is commonly supported by a software component and a driver, a private communication path may be established by an operating system component to facilitate the transfer of command information from the software component to the driver. The private communication path allows commands packaged as OIDs to be routed from software components to intended drivers. By defining private interfaces which route commands from software components to intended drivers, the extensible framework mitigates potential incompatibilities that may arise when drivers created by different vendors include OIDs with the same OID value.
    Type: Application
    Filed: April 18, 2008
    Publication date: October 22, 2009
    Applicant: Microsoft Corporation
    Inventors: Narasimha Rao S.s. Nagampalli, Alireza Dabagh, Alok Manchanda, Taroon Mandhana, Sharad Mittal, Olivier Contant, Noel W. Anderson, Bernard Aboba, Jerry E. Peterson
  • Publication number: 20070016679
    Abstract: One embodiment of the invention is directed to managing access of a host computer to a network. A first communication session with the host computer may be conducted to authenticate the host computer's identity. A second communication session with the host computer may be conducted to determine the health status of the host computer.
    Type: Application
    Filed: June 30, 2005
    Publication date: January 18, 2007
    Applicant: Microsoft Corporation
    Inventors: Paul Mayfield, Bernard Aboba
  • Publication number: 20070006288
    Abstract: One embodiment of the invention is directed to managing access of a host computer to a network. A first communication session with the host computer may be conducted to authenticate the host computer's identity. A second communication session with the host computer may be conducted to determine the health status of the host computer.
    Type: Application
    Filed: June 30, 2005
    Publication date: January 4, 2007
    Applicant: Microsoft Corporation
    Inventors: Paul Mayfield, Bernard Aboba
  • Publication number: 20060015935
    Abstract: The distributed firewall performs user authentication at a first level to establish a user security context for traffic from that user, and an authority context provides authorization for subsequent traffic. This authority context may be based on an underlying policy for particular types of traffic, access to particular applications, etc. Additionally, the system includes the ability to allow a user/process/application to define its own access control. The linking of the user security context from the traffic to the application is accomplished by enabling IPSec on a socket and forcing the socket to be bound in exclusive mode. The most common policy definitions may be included by default. Extensions of the Internet key exchange protocol (IKE) to provide the desired user authentication plus application/purpose are also provided. The architecture includes pluggable authorization module(s) that are called after IKE has successfully authenticated the peer, but before the connection is allowed to complete.
    Type: Application
    Filed: September 22, 2005
    Publication date: January 19, 2006
    Applicant: Microsoft Corporation
    Inventors: William Dixon, Gurdeep Pall, Ashwin Palekar, Bernard Aboba, Brian Swander
  • Publication number: 20050286722
    Abstract: A trust web keying process provides secure peer networking of computing devices on an open network. A device is initially keyed at distribution to an end user or installer with a device-specific cryptographic key, and programmed to respond only to peer networking communication secured using the device's key. The device-specific key is manually entered into a keying device that transmits a re-keying command secured with the device-specific key to the device for re-keying the device with a group cryptographic key. The device then securely peer networks with other devices also keyed with the group cryptographic key, forming a trust web. Guest devices can be securely peer networked with the trust web devices via a trust web gateway.
    Type: Application
    Filed: April 11, 2005
    Publication date: December 29, 2005
    Applicant: Microsoft Corporation
    Inventors: Bernard Aboba, Toby Nixon
  • Publication number: 20050210252
    Abstract: The principles of the present invention relate to systems, methods, and computer program products for more efficiently and securely authenticating computing systems. In some embodiments, a limited use credential is used to provision more permanent credentials. A client receives a limited-use (e.g., a single-use) credential and submits the limited-use credential over a secure link to a server. The server provisions an additional credential (for subsequent authentication) and sends the additional credential to the client over the secure link. In other embodiments, computing systems automatically negotiate authentication methods using an extensible protocol. A mutually deployed authentication method is selected and secure authentication is facilitated with a tunnel key that is used to encrypt (and subsequently decrypt) authentication content transferred between a client and a server. The tunnel key is derived from a shared secret (e.g., a session key) and nonces.
    Type: Application
    Filed: March 19, 2004
    Publication date: September 22, 2005
    Applicant: Microsoft Corporation
    Inventors: Trevor Freeman, Timothy Moore, Bernard Aboba, Daniel Simon
  • Publication number: 20050193203
    Abstract: Generating symmetric keys among distributed appliances, includes generating public and private values on at least one appliance, importing a public value from another appliance via an out-of-band entity, and generating a secret value as a function of the private value corresponding to the local appliance and the public value received from the other appliance.
    Type: Application
    Filed: February 27, 2004
    Publication date: September 1, 2005
    Inventors: Trevor Freeman, Tim Moore, Bernard Aboba
  • Publication number: 20050091527
    Abstract: A system is provided for establishing a secure link among multiple users on a single machine with a remote machine. The system includes a subsystem to filter traffic so that traffic from each user is separate. The subsystem generates and associates a Security Association (SA) with at least one filter corresponding to the user and the traffic, and employs the SA to establish the secure link. An Internet Key Exchange module and a policy module may be included to generate and associate the security association, wherein the policy module is configured via Internet Protocol Security (IPSEC).
    Type: Application
    Filed: December 20, 2000
    Publication date: April 28, 2005
    Inventors: Brian Swander, Bernard Aboba
  • Publication number: 20050055572
    Abstract: An abstraction module that facilitates security configuration amongst a number of initiators in a manner that there are no conflicts in the security information across all initiators. The abstraction module exposes a common interface that may be used to configure any of the initiators, receives through this common interface an indication that a selected one of the initiators is to be configured to communicate with a selected target device, and retrieves security information from a common database, the database including information that is relevant to configuring security for any of the plurality of initiators. The abstraction module identifies a security configuration for the selected initiator using the retrieved security information and, if the settings would not cause a conflict with any of the other of the initiators, uses the identified security configuration to configure the selected initiator.
    Type: Application
    Filed: September 8, 2003
    Publication date: March 10, 2005
    Inventors: Alan Warwick, Bernard Aboba
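The key-agreement scheme of patent 7778422 / publication 20050193203 (a public value imported from the other appliance via an out-of-band entity, then a secret value computed from the local private value and the imported public value) and the tunnel-key derivation of publication 20050210252 (a tunnel key derived from a shared secret and nonces), as one added worked example. This is illustration written for this page, not code from the listing or from Microsoft. Finite-field Diffie-Hellman over the RFC 3526 group 14 parameters, a SHA-256 fingerprint as the value the out-of-band entity carries, and HKDF-SHA256 (RFC 5869) as the secret-plus-nonces derivation are assumptions chosen for the example; the abstracts do not specify them.

```python
"""Key agreement between two appliances with the peer's public value
imported through an out-of-band channel, then a tunnel key derived from
the shared secret and two nonces.

Added example for this page, not Microsoft's code. Assumptions: finite-field
Diffie-Hellman over RFC 3526 group 14, a SHA-256 fingerprint as the value
the out-of-band entity carries, HKDF-SHA256 for the derivation.
"""
import hashlib
import hmac
import secrets

# 2048-bit MODP group, RFC 3526 group 14. P is a safe prime and G = 2
# generates the subgroup of prime order Q = (P - 1) / 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2
LEN = 256  # byte length of a group element


def generate_values():
    """Local appliance: a fresh private value and the matching public value."""
    priv = secrets.randbelow(Q - 1) + 1  # uniform in [1, Q-1]
    return priv, pow(G, priv, P)


def encode(pub):
    return pub.to_bytes(LEN, "big")


def fingerprint(pub_bytes):
    """What the out-of-band entity carries (a label, a QR code, a phone call)."""
    return hashlib.sha256(pub_bytes).hexdigest()


def import_public_value(pub_bytes, oob_fingerprint):
    """Accept a peer's public value only if it matches the out-of-band
    fingerprint and lies in the prime-order subgroup (rejects 1, P-1 and
    small-subgroup values an in-band attacker might substitute)."""
    if not hmac.compare_digest(fingerprint(pub_bytes), oob_fingerprint):
        raise ValueError("public value does not match the out-of-band fingerprint")
    pub = int.from_bytes(pub_bytes, "big")
    if not 1 < pub < P - 1 or pow(pub, Q, P) != 1:
        raise ValueError("public value is not a valid group element")
    return pub


def secret_value(priv, peer_pub):
    """Secret value: a function of the local private value and the imported
    public value. Both appliances compute the same bytes."""
    return pow(peer_pub, priv, P).to_bytes(LEN, "big")


def hkdf_sha256(ikm, salt, info, length):
    """HKDF extract-then-expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def tunnel_key(shared_secret, client_nonce, server_nonce):
    """Tunnel key bound to this run through both parties' nonces."""
    return hkdf_sha256(shared_secret, client_nonce + server_nonce, b"tunnel key", 32)


def demo():
    """True when two appliances reach the same tunnel key after out-of-band import."""
    a_priv, a_pub = generate_values()
    b_priv, b_pub = generate_values()
    # Out-of-band step: each appliance receives the other's fingerprint over a
    # channel the network attacker cannot rewrite, then imports the value.
    b_on_a = import_public_value(encode(b_pub), fingerprint(encode(b_pub)))
    a_on_b = import_public_value(encode(a_pub), fingerprint(encode(a_pub)))
    s_a = secret_value(a_priv, b_on_a)
    s_b = secret_value(b_priv, a_on_b)
    cn, sn = secrets.token_bytes(32), secrets.token_bytes(32)
    return s_a == s_b and tunnel_key(s_a, cn, sn) == tunnel_key(s_b, cn, sn)


def substituted_value_is_rejected():
    """An in-band attacker who swaps in their own public value fails the
    out-of-band fingerprint check."""
    _, a_pub = generate_values()
    _, mallory_pub = generate_values()
    try:
        import_public_value(encode(mallory_pub), fingerprint(encode(a_pub)))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("agreement:", demo(), "substitution rejected:", substituted_value_is_rejected())
```

The out-of-band fingerprint is what makes the public value trustworthy; the subgroup check is the separate guard against a peer (or an attacker on the path) supplying a degenerate value that collapses the secret to a handful of possibilities. Mixing both nonces into the HKDF salt ties the tunnel key to one run even when the same long-term public values are reused.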
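The trust-web keying flow of publication 20050286722 (a device keyed at distribution with a device-specific key that answers only to communication secured with that key, a re-keying command secured with the device key that installs a group key, after which the device peers only under the group key), as an added worked example. This is illustration written for this page, not code from the listing or from Microsoft. The frame layout, the command names and the HMAC-SHA256 based seal/open are assumptions; a product would use an AEAD cipher rather than the HMAC-derived keystream used here to stay within the Python standard library.

```python
"""Trust-web keying: a device ships with a device-specific key, honours
only commands secured with the key it currently trusts, and is moved
onto a group key by a re-keying command sent under the device key.

Added example for this page, not Microsoft's code. Frame layout, command
names and the HMAC-based seal/open are assumptions made for the example.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 32
NONCE_LEN = 16


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def seal(key, cmd, payload=b""):
    """Frame: nonce | len(cmd) | cmd | payload XOR keystream | tag.
    The payload must fit one PRF output block (32 bytes) in this toy."""
    assert len(payload) <= TAG_LEN and len(cmd) < 256
    nonce = secrets.token_bytes(NONCE_LEN)
    keystream = prf(key, b"stream" + nonce)
    body = nonce + bytes([len(cmd)]) + cmd + bytes(p ^ k for p, k in zip(payload, keystream))
    return body + prf(key, b"auth" + body)


def open_frame(key, frame):
    """Return (nonce, cmd, payload), or None if the tag does not verify under key."""
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(prf(key, b"auth" + body), tag):
        return None
    nonce = body[:NONCE_LEN]
    n = body[NONCE_LEN]
    cmd = body[NONCE_LEN + 1:NONCE_LEN + 1 + n]
    ct = body[NONCE_LEN + 1 + n:]
    keystream = prf(key, b"stream" + nonce)
    return nonce, cmd, bytes(c ^ k for c, k in zip(ct, keystream))


class Device:
    def __init__(self, device_key):
        self.key = device_key       # set at distribution; the installer reads it off the label
        self.seen_nonces = set()    # replay protection for accepted frames

    def receive(self, frame):
        opened = open_frame(self.key, frame)
        if opened is None:
            return "rejected"       # not secured with the key this device trusts right now
        nonce, cmd, payload = opened
        if nonce in self.seen_nonces:
            return "rejected"       # replayed frame
        self.seen_nonces.add(nonce)
        if cmd == b"rekey" and len(payload) == 32:
            self.key = payload      # from here on only the group key is honoured
            return "rekeyed"
        if cmd == b"ping":
            return "pong"
        return "rejected"


def demo():
    """Device responses in order: attacker key, device key, re-key command,
    stale device key, group key, replay of the accepted group-key frame."""
    device_key = secrets.token_bytes(32)   # device-specific key printed on the label
    group_key = secrets.token_bytes(32)    # held by the keying device
    attacker_key = secrets.token_bytes(32)
    dev = Device(device_key)
    out = [
        dev.receive(seal(attacker_key, b"ping")),            # not keyed for this device
        dev.receive(seal(device_key, b"ping")),              # device key honoured before re-keying
        dev.receive(seal(device_key, b"rekey", group_key)),  # re-keying command under device key
        dev.receive(seal(device_key, b"ping")),              # device key no longer honoured
    ]
    frame = seal(group_key, b"ping")
    out.append(dev.receive(frame))                           # trust-web member: accepted
    out.append(dev.receive(frame))                           # same frame again: replay
    return out


if __name__ == "__main__":
    print(demo())
```

The property worth checking in a real implementation is the fourth response: once re-keyed, the device must stop answering to its distribution key, otherwise anyone who later reads the label can still command it. The nonce set is the minimum replay defence; a counter carried inside the authenticated frame is the usual production choice.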