Abstract: A method and apparatus are provided for authenticating a user attempting to establish a service which uses SIP. The user registers with the SIP server by providing the digital otoacoustic signature of the user. Thereafter, when the user attempts to initiate a session through the SIP server, the SIP server sends an Authorization Request message to the SIP client of the user. The SIP client reads the user's digital otoacoustic signature, generates a response based on the digital otoacoustic signature, and embeds the response in a second Invite message sent back to the SIP server. Meanwhile, the SIP server determines an expected response, based on the digital otoacoustic signature registered by the user. If the response provided by the SIP client matches the response expected by the SIP server, the SIP server allows establishment of the server.

Abstract: The invention concerns a router associated to a secure device (DC) and included in a communication network (RC), comprising an interface (IRT) to communicate with the secure device following an authentication of the router by the secure device, and comprising a protocol interpreter (INT) to command the execution of the critical operations of one or more routing protocols by the secure device. The sensitive or critical portions of a routing protocol are executed in a secure and reliable manner in the secured device, for example of a chip card type.

Abstract: Mechanisms and methods for providing a mobile/wireless device with protection against false access-point/base-station attacks using MAC address protection are presented. The mobile/wireless device known as mobile client (MC) gains access to wireless network by discovering and selectively associating with an access point (AP). The MAC addresses of both the AP and the MC are protected during all communications between the AP and MC during the discovery phase. This protection mitigates MAC address spoofing type attacks on both the AP and the MC.

Abstract: Communication network security risk exposure management systems and methods are disclosed. Risks to a communication network are determined by analyzing assets of the communication network and vulnerabilities affecting the assets. Assets may include physical assets such as equipment or logical assets such as software or data. Risk analysis may be adapted to assess risks to a particular feature of a communication network by analyzing assets of the communication network which are associated with that feature and one or more of vulnerabilities which affect the feature and vulnerabilities which affect the assets associated with the feature. A feature may be an asset itself or a function or service offered in the network and supported by particular assets, for example.

Abstract: The invention concerns a router associated to a secure device (DC) and included in a communication network (RC), comprising an interface (IRT) to communicate with the secure device following an authentication of the router by the secure device, and comprising a protocol interpreter (INT) to command the execution of the critical operations of one or more routing protocols by the secure device. The sensitive or critical portions of a routing protocol are executed in a secure and reliable manner in the secured device, for example of a chip card type.

Abstract: A distributed authentication framework is presented. The framework includes an authentication stack that is created by an authentication server. The server receives an authentication request from an end-user, the request including an authentication domain ID that distinguishes the end-user. The authentication stack has entries that trigger local or remote specific authentication actions providing respective results. When the results are consolidated the authentication status of the end-user is determined.

Abstract: The present invention provides adequate service virtualization and compartmentalization in Network Management Systems for heterogeneous Network Elements to provide interoperability. It introduces a generic mediation layer that can be added to each Network Element that does not provide a network compartmentalization model that is compatible with the one used by the Network Management System. The mediation layer acts as a reverse proxy for the Network Management System to provide an operator with transparent access to an appropriate Management Service. The present invention is also instrumental in providing a high level of security in such hybrid networks.

Abstract: A method and apparatus are provided for authenticating a user attempting to establish a service which uses SIP. The user registers with the SIP server by providing the digital otoacoustic signature of the user. Thereafter, when the user attempts to initiate a session through the SIP server, the SIP server sends an Authorization Request message to the SIP client of the user. The SIP client reads the user's digital otoacoustic signature, generates a response based on the digital otoacoustic signature, and embeds the response in a second Invite message sent back to the SIP server. Meanwhile, the SIP server determines an expected response, based on the digital otoacoustic signature registered by the user. If the response provided by the SIP client matches the response expected by the SIP server, the SIP server allows establishment of the server.

Abstract: A method and apparatus are provided for authenticating a user of a mobile phone. While the user holds the phone to his or her ear, a microphone near the earpiece emits clicks into the user's ear. The speaker of the phone measures the response from the ear as an otoacoustic signal. A processor digitizes the measured otoacoustic signal to produce a received digital otoacoustic signature, and compares this with a stored digital otoacoustic signature of a legitimate user. If the signatures match, the phone is enabled. The invention allows secure authentication of mobile phones in a manner very natural and convenient to users.

Abstract: Systems and methods of dynamically introducing security features into a client-server application program are described. A security server between an application server and a database has multiple security components with a shared dependency. This shared dependency enables the introduction of a new security component providing a new security function without compromising the security of the application program. The new security component acquires state information from other security components in the security server thereby dynamically reconfiguring the component-based security system.

Abstract: A communications security system has been described. The security system in the form of a firewall is made up of a plurality of communicatively coupled sets of modules in a matrix configuration. The modules may be implemented in hardware and software in order to rely on the advantages of each technology. Data packets are typically coupled to an ingress side of the firewall where policy rules having the highest importance are checked first. The result is a high speed system having carrier class availability.

Abstract: A virtual security server enabling a set of applications to access a plurality of security services. In response to a service request from a software application, the virtual security server receive service determines which of the security servers is able to provide the requested service. The virtual security server sends to a selected security server data enabling the selected security server to provide the security service corresponding to the service request. Accordingly, communication between the applications and the security servers is simplified because the application are not required to manage negotiation protocols associated with the security servers and choose the security server(s) appropriate for the required service.

Abstract: A secured execution device (SED) maintains security credentials for a certain user that requests access to the network for performing specified operations or for obtaining specified information. The NE from where the user requests access to the network is authenticated using SED credentials against a multi-level and multi-factor credentials table maintained by a NE authentication controller provided in the EMS/NM/OSS controlling the respective NE. The NE authentication controller issues a challenge and transmits it to the NE. The SED receives the challenge and both the SED and the NE authentication controller process the random number in the same way. The SED then returns a one time usage cryptographic message with the response to the challenge. The NE authentication controller checks the SED response against the expected response calculated locally; the user gains access to the network over the NE if the two responses coincide.

Abstract: Mechanisms and methods for providing a mobile/wireless device with protection against false access-point/base-station attacks using MAC address protection are presented. The mobile/wireless device known as mobile client (MC) gains access to wireless network by discovering and selectively associating with an access point (AP). The MAC addresses of both the AP and the MC are protected during all communications between the AP and MC during the discovery phase. This protection mitigates MAC address spoofing type attacks on both the AP and the MC.

Abstract: Communication network security risk exposure management systems and methods are disclosed. Risks to a communication network are determined by analyzing assets of the communication network and vulnerabilities affecting the assets. Assets may include physical assets such as equipment or logical assets such as software or data. Risk analysis may be adapted to assess risks to a particular feature of a communication network by analyzing assets of the communication network which are associated with that feature and one or more of vulnerabilities which affect the feature and vulnerabilities which affect the assets associated with the feature. A feature may be an asset itself or a function or service offered in the network and supported by particular assets, for example.

Abstract: A system for improving security of management and control functions at a network element in a communications network is described. The control card of the network element is configured to function in association with an execution device such as a smartcard. The execution device has embedded thereon one or several processors each implementing specific security related operations. This limits access to the network element which, in turn, minimizes access to sensitive and confidential information.

Abstract: A distributed authentication framework is presented. The framework includes an authentication stack that is created by an authentication server. The server receives an authentication request from an end-user, the request including an authentication domain ID that distinguishes the end-user. The authentication stack has entries that trigger local or remote specific authentication actions providing respective results. When the results are consolidated the authentication status of the end-user is determined.

Abstract: The present invention provides adequate service virtualization and compartmentalization in Network Management Systems for heterogeneous Network Elements to provide interoperability. It introduces a generic mediation layer that can be added to each Network Element that does not provide a network compartmentalization model that is compatible with the one used by the Network Management System. The mediation layer acts as a reverse proxy for the Network Management System to provide an operator with transparent access to an appropriate Management Service. The present invention is also instrumental in providing a high level of security in such hybrid networks.

Abstract: Systems and methods of dynamically introducing security features into a client-server application program are described. A security server between an application server and a database has multiple security components with a shared dependency. This shared dependency enables the introduction of a new security component providing a new security function without compromising the security of the application program. The new security component acquires state information from other security components in the security server thereby dynamically reconfiguring the component-based security system.

Abstract: A system and method for providing distribution security measures in a distributed computer network environment. For consistency and ease of administration purposes, in a distributed computer network environment a security policy server can be used to maintain the global security policy of the environment. This server would need to distribute local security policies founded on the global policy to managed clients. The present invention provides a higher level of distribution security by utilizing robust cryptographic material in the distribution mechanism.