Patents by Inventor Bernard D. Aboba

Bernard D. Aboba has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 6915437
    Abstract: A system is provided for establishing a secure link among multiple users on a single machine with a remote machine. The system includes a subsystem to filter traffic so that traffic from each user is separate. The subsystem generates and associates a Security Association (SA) with at least one filter corresponding to the user and the traffic, and employs the SA to establish the secure link. An Internet Key Exchange module and a policy module may be included to generate and associate the security association, wherein the policy module is configured via Internet Protocol Security (IPSEC).
    Type: Grant
    Filed: December 20, 2000
    Date of Patent: July 5, 2005
    Assignee: Microsoft Corporation
    Inventors: Brian D. Swander, Bernard D. Aboba
  • Patent number: 6850528
    Abstract: A system for maintaining network information. The system resides in a network comprising a plurality of sub-networks in communication with one another over a communications backbone. Each sub-network has a router for use in performing communications with other sub-networks. A directory service is linked to the communications backbone and includes a database. The database stores router attribute information that is published by each of the routers. Using a query engine associated with the directory service, meaningful information can be gathered from the database as a function of specified router attribute information.
    Type: Grant
    Filed: November 20, 1998
    Date of Patent: February 1, 2005
    Assignee: Microsoft Corporation
    Inventors: Kenneth Lynn Crocker, Wei Jiang, Gurdeep Singh Pall, Bernard D. Aboba, Narendra C. Gidwani
  • Publication number: 20040252707
    Abstract: A system for maintaining network information. The system resides in a network comprising a plurality of sub-networks in communication with one another over a communications backbone. Each sub-network has a router for use in performing communications with other sub-networks. A directory service is linked to the communications backbone and includes a database. The database stores router attribute information that is published by each of the routers. Using a query engine associated with the directory service, meaningful information can be gathered from the database as a function of specified router attribute information.
    Type: Application
    Filed: June 24, 2004
    Publication date: December 16, 2004
    Applicant: Microsoft Corporation
    Inventors: Kenneth Lynn Crocker, Wei Jiang, Gurdeep Singh Pall, Bernard D. Aboba, Narendra C. Gidwani
  • Publication number: 20040243846
    Abstract: Network devices access a communications network and engage in secure associations with one or more network access points upon authenticating the access points and upon verifying the discovery information that is broadcast by those access points. Once a secure association is created, management frames that are subsequently transmitted between the network devices and the access points and that are used to control the secure association are verified to further enhance the security of the communications network.
    Type: Application
    Filed: December 12, 2003
    Publication date: December 2, 2004
    Inventors: Bernard D. Aboba, Timothy M. Moore
  • Publication number: 20040243853
    Abstract: A system is provided for establishing a secure link among multiple users on a single machine with a remote machine. The system includes a subsystem to filter traffic so that traffic from each user is separate. The subsystem generates and associates a Security Association (SA) with at least one filter corresponding to the user and the traffic, and employs the SA to establish the secure link. An Internet Key Exchange module and a policy module may be included to generate and associate the security association, wherein the policy module is configured via Internet Protocol Security (IPSEC).
    Type: Application
    Filed: June 30, 2004
    Publication date: December 2, 2004
    Applicant: Microsoft Corporation
    Inventors: Brian D. Swander, Bernard D. Aboba
  • Publication number: 20030208677
    Abstract: Disclosed are methods for a client, having established one set of security keys, to establish a new set without having to communicate with an authentication server. When the client joins a group, master session security keys are derived and made known to the client and to the group's access server. From the master session security keys, the access server and client each derive transient session security keys, used for authentication and encryption. To change the transient session security keys, the access server creates “liveness” information and sends it to the client. New master session security keys are derived from the liveness information and the current set of transient session security keys. From these new master session security keys are derived new transient session security keys. This process limits the amount of data sent using one set of transient session security keys and thus limits the effectiveness of any statistical attacker.
    Type: Application
    Filed: May 3, 2002
    Publication date: November 6, 2003
    Applicant: Microsoft Corporation
    Inventors: Arun Ayyagari, Daniel R. Simon, Bernard D. Aboba, Krishna Ganugapati, Timothy M. Moore, Pradeep Bahl
  • Publication number: 20030084331
    Abstract: The distributed firewall performs user authentication at a first level to establish a user security context for traffic from that user, and an authority context provides authorization for subsequent traffic. This authority context may be based on an underlying policy for particular types of traffic, access to particular applications, etc. Additionally, the system includes the ability to allow a user/process/application to define its own access control. The linking of the user security context from the traffic to the application is accomplished by enabling IPSec on a socket and forcing the socket to be bound in exclusive mode. The most common policy definitions may be included by default. Extensions of the Internet key exchange protocol (IKE) to provide the desired user authentication plus application/purpose are also provided. The architecture includes pluggable authorization module(s) that are called after IKE has successfully authenticated the peer, but before the connection is allowed to complete.
    Type: Application
    Filed: October 26, 2001
    Publication date: May 1, 2003
    Applicant: Microsoft Corporation
    Inventors: William H. Dixon, Gurdeep S. Pall, Ashwin Palekar, Bernard D. Aboba, Brian D. Swander
  • Publication number: 20030044020
    Abstract: A trust web keying process provides secure peer networking of computing devices on an open network. A device is initially keyed at distribution to an end user or installer with a device-specific cryptographic key, and programmed to respond only to peer networking communication secured using the device's key. The device-specific key is manually entered into a keying device that transmits a re-keying command secured with the device-specific key to the device for re-keying the device with a group cryptographic key. The device then securely peer networks with other devices also keyed with the group cryptographic key, forming a trust web. Guest devices can be securely peer networked with the trust web devices via a trust web gateway.
    Type: Application
    Filed: September 6, 2001
    Publication date: March 6, 2003
    Applicant: Microsoft Corporation
    Inventors: Bernard D. Aboba, Toby L. Nixon
  • Publication number: 20030046383
    Abstract: A system and method for measuring the performance of a network, such as the Internet, uses a server on the network to collect network performance data in the process of servicing clients on the network. When the server receives a data transfer request from a client, it records operation information such as the time it takes to transfer the requested data, the size of the data, etc. and derives performance evaluation data such as round-trip time, bandwidth, packet loss, etc. that indicate network performance between the client and the server. The recorded performance data for the multiple clients are aggregated and analyzed together with client information to determine the network performance experienced by the clients.
    Type: Application
    Filed: September 5, 2001
    Publication date: March 6, 2003
    Applicant: Microsoft Corporation
    Inventors: Alfred M. Lee, NK Srinivas, Christian Huitema, Bernard D. Aboba
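
The rekeying scheme summarized in the abstract of publication 20030208677 above (master session keys, transient session keys derived from them, and a new master derived from a server-supplied "liveness" value plus the current transient keys, with no round trip to the authentication server) can be worked through in code. The block below is an added example written for this page; it is not code from the patent, from its inventors or from Microsoft. Everything the abstract leaves open is an assumption here: HKDF-SHA256 as the key derivation function, 32-byte keys, one authentication key and one encryption key per transient set, a 16-byte random liveness value, a 4096-byte traffic budget per transient key set, and HMAC-SHA256 frame authentication standing in for whatever cipher suite the real system used.

```python
# Added example: a session-key ratchet modelled on the scheme described in
# publication 20040208677's sibling, 20030208677. NOT the patent's code.
# Assumed (not from the patent text): HKDF-SHA256, 32-byte keys, a 16-byte
# liveness nonce, a 4096-byte per-key traffic budget, HMAC-SHA256 frame tags.
import hashlib
import hmac
import os
from dataclasses import dataclass

HASH = hashlib.sha256
KEY_LEN = 32
REKEY_BYTES = 4096          # assumed traffic budget per transient key set
TAG_LEN = HASH().digest_size


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, HASH).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


@dataclass
class TransientKeys:
    """The transient session key set: one key for authentication, one for encryption."""
    auth: bytes
    enc: bytes


def derive_transient(msk: bytes) -> TransientKeys:
    """Transient session keys are derived from the master session key."""
    okm = hkdf(msk, salt=b"", info=b"transient-session-keys", length=2 * KEY_LEN)
    return TransientKeys(auth=okm[:KEY_LEN], enc=okm[KEY_LEN:])


def next_master(current: TransientKeys, liveness: bytes) -> bytes:
    """New master key from the liveness value and the *current* transient keys,
    as the abstract describes; no contact with the authentication server."""
    return hkdf(current.auth + current.enc, salt=liveness, info=b"rekey-msk", length=KEY_LEN)


class Endpoint:
    """Either side of the link (client or access server) holding the key hierarchy."""

    def __init__(self, msk: bytes):
        self.msk = msk
        self.tsk = derive_transient(msk)
        self.bytes_under_key = 0
        self.generation = 0

    def protect(self, payload: bytes) -> bytes:
        """Authenticate a frame under the current auth key (cipher omitted for brevity)."""
        self.bytes_under_key += len(payload)
        return payload + hmac.new(self.tsk.auth, payload, HASH).digest()

    def verify(self, frame: bytes) -> bytes:
        """Check the tag; a peer on another key generation fails here."""
        payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.tsk.auth, payload, HASH).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad tag: peer is on a different key generation")
        self.bytes_under_key += len(payload)
        return payload

    def needs_rekey(self) -> bool:
        return self.bytes_under_key >= REKEY_BYTES

    def rekey(self, liveness: bytes) -> None:
        """Ratchet: new MSK from liveness + current TSK, then new TSK from new MSK."""
        self.msk = next_master(self.tsk, liveness)
        self.tsk = derive_transient(self.msk)
        self.bytes_under_key = 0
        self.generation += 1


def run_session(initial_msk: bytes, frames: list, rng=os.urandom):
    """Server sends frames to the client; once the per-key budget is spent the
    server creates a liveness value, delivers it (modelled as a direct call) and
    both sides ratchet. Returns (server, client) for inspection."""
    server, client = Endpoint(initial_msk), Endpoint(initial_msk)
    for payload in frames:
        if server.needs_rekey():
            liveness = rng(16)
            server.rekey(liveness)
            client.rekey(liveness)      # the liveness message reaching the client
        client.verify(server.protect(payload))
    return server, client


if __name__ == "__main__":
    # Constructed sample traffic: ten 1 KiB frames under a 4 KiB budget.
    srv, cli = run_session(b"\x01" * 32, [b"x" * 1024] * 10)
    print("generations:", srv.generation, cli.generation, "keys match:", srv.tsk == cli.tsk)
```

Two properties of the modelled scheme are worth noting. The traffic budget is what delivers the abstract's stated goal: no more than REKEY_BYTES of traffic is ever authenticated under one transient key set, which is what bounds a statistical attacker's sample. Separately, because each new master key is a function of the previous transient keys and a liveness value that the server transmits, an adversary who already holds one transient key set and can observe the liveness messages can compute every later generation; as modelled here the ratchet limits exposure per key but does not by itself provide forward secrecy, and a deployment would rely on protecting the liveness exchange or on periodic re-authentication against the authentication server for that.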