Patents by Inventor Edward C. Kersey

Edward C. Kersey has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9350715
    Abstract: A data security device for providing a network transport connection via a transparent network proxy that employs different encryption security mediums along a communications session between two endpoints by emulating one of the endpoints at an intermediate node such that the communication session appears as an atomic, secure connection to the endpoints yet provides appropriate security over the end-to-end connection. A sender node sends a connection request to establish a secure communication session with an intended receiver node. A transparent proxy on an intermediate node receives the request and establishes the link employing an encryption mechanism. The transparent proxy establishes a second link with the intended receiver, and applies a second, less expensive encryption mechanism. The transparent proxy combines the two links to form the trusted, secure connection but incurring only the mitigated expense over the second link.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 24, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Edward C. Kersey, James W. O'Toole, Jr., Bradley Dale Dike, Patrick Darrell Tate, Eric A. Fritzges, Andre Justin Pecqueur, Bruce F. Wong, Hema M. Prasad, Shaheed Bacchus, Larry David Bisel
  • Patent number: 8452956
    Abstract: A data security device for providing a network transport connection via a transparent network proxy that employs different encryption security mediums along a communications session between two endpoints by emulating one of the endpoints at an intermediate node such that the communication session appears as an atomic, secure connection to the endpoints yet provides appropriate security over the end-to-end connection. A sender node sends a connection request to establish a secure communication session with an intended receiver node. A transparent proxy on an intermediate node receives the request and establishes the link employing an encryption mechanism. The transparent proxy establishes a second link with the intended receiver, and applies a second, less expensive encryption mechanism. The transparent proxy combines the two links to form the trusted, secure connection but incurring only the mitigated expense over the second link.
    Type: Grant
    Filed: February 20, 2009
    Date of Patent: May 28, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Edward C. Kersey, James W. O'Toole, Jr., Bradley Dale Dike, Patrick Darrell Tate, Eric A. Fritzges, Andre Justin Pecqueur, Bruce F. Wong, Hema M. Prasad, Shaheed Bacchus, Larry David Bisel
  • Patent number: 8332625
    Abstract: A method, apparatus and computer program product for providing failover capability of cached secure sessions is presented. A cached secure session involving a first device and a second device is identified. The cached secure session is encrypted and replicated to a failover device. The encrypted session is then decrypted on the failover device. An occurrence of a hot failover involving the second device is detected, and processing resumes between the first device and the failover device.
    Type: Grant
    Filed: August 22, 2011
    Date of Patent: December 11, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Eric A. Fritzges, Larry D. Bisel, Edward C. Kersey, Patrick D. Tate, Bruce F. Wong, Bradley D. Dike, Andre Justin Pecqueur, Shaheed Bacchus
  • Publication number: 20110307692
    Abstract: A method, apparatus and computer program product for providing failover capability of cached secure sessions is presented. A cached secure session involving a first device and a second device is identified. The cached secure session is encrypted and replicated to a failover device. The encrypted session is then decrypted on the failover device.
    Type: Application
    Filed: August 22, 2011
    Publication date: December 15, 2011
    Inventors: Eric A. Fritzges, Larry D. Bisel, Edward C. Kersey, Patrick D. Tate, Bruce F. Wong, Bradley D. Dike, Andre Justin Pecqueur, Shaheed Bacchus
  • Patent number: 8006091
    Abstract: A method, apparatus and computer program product for providing failover capability of cached secure sessions is presented. A cached secure session involving a first device and a second device is identified. The cached secure session is encrypted and replicated to a failover device. The encrypted session is then decrypted on the failover device. An occurrence of a hot failover involving the second device is detected, and processing resumes between the first device and the failover device.
    Type: Grant
    Filed: January 10, 2005
    Date of Patent: August 23, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Eric A. Fritzges, Larry D. Bisel, Edward C. Kersey, Patrick D. Tate, Bruce F. Wong, Bradley D. Dike, Andre Justin Pecqueur, Shaheed Bacchus
  • Patent number: 7730190
    Abstract: Disclosed is a system and method for distributing connections among a plurality of servers at an Internet site. All connections are made to a single IP address and a local director selects the server from among the plurality of servers which is to receive the connection. Thus, the DNS server is not relied upon to distribute connections, and the connection distribution scheme is not avoided when DNS is bypassed. In one embodiment, a session distribution scheme is implemented such that connections are distributed to the server in the group of servers which has the fewest connections of the group. In other embodiments, other session distribution schemes which route connections based on the predicted response times of the servers or according to a round robin scheme are used.
    Type: Grant
    Filed: December 4, 2006
    Date of Patent: June 1, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Brantley W. Coile, Richard A. Howes, Edward C. Kersey, Peter A. Tenereillo
  • Patent number: 7506368
    Abstract: A data security device for providing a network transport connection via a transparent network proxy that employs different encryption security mediums along a communications session between two endpoints by emulating one of the endpoints at an intermediate node such that the communication session appears as an atomic, secure connection to the endpoints yet provides appropriate security over the end-to-end connection. A sender node sends a connection request to establish a secure communication session with an intended receiver node. A transparent proxy on an intermediate node receives the request and establishes the link employing an encryption mechanism. The transparent proxy establishes a second link with the intended receiver, and applies a second, less expensive encryption mechanism. The transparent proxy combines the two links to form the trusted, secure connection but incurring only the mitigated expense over the second link.
    Type: Grant
    Filed: February 13, 2003
    Date of Patent: March 17, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Edward C. Kersey, James W. O'Toole, Jr., Bradley Dale Dike, Patrick Darrell Tate, Eric A. Fritzges, Andre Justin Pecqueur, Bruce F. Wong, Hema M. Prasad, Shaheed Bacchus, Larry David Bisel
  • Patent number: 7480794
    Abstract: Conventional SSL termination devices support secure connections only to a predetermined destination address. An SSL termination device accepts a plaintext connection and associates it to a secure connection to an arbitrary destination endpoint by intercepting a connection request from the local subnetwork, identifying the intended destination of the connection, and establishing a secure connection to the destination, and then bridges the local connection and the secure connection to provide a connection through the gateway device. The SSL termination device identifies an outgoing secure connection request from a client, and intercepts the connection request to identify the recipient destination. The SSL termination device establishes a secure connection using the identified destination, and associates the connections by mapping the intercepted connection to the recipient.
    Type: Grant
    Filed: September 22, 2004
    Date of Patent: January 20, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Edward C. Kersey, Derek L. Huckaby
  • Patent number: 7146417
    Abstract: Disclosed is a system and method for distributing connections among a plurality of servers at an Internet site. All connections are made to a single IP address and a local director selects the server from among the plurality of servers which is to receive the connection. Thus, the DNS server is not relied upon to distribute connections, and the connection distribution scheme is not avoided when DNS is bypassed. In one embodiment, a session distribution scheme is implemented such that connections are distributed to the server in the group of servers which has the fewest connections of the group. In other embodiments, other session distribution schemes which route connections based on the predicted response times of the servers or according to a round robin scheme are used.
    Type: Grant
    Filed: September 12, 2001
    Date of Patent: December 5, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Brantley W. Coile, Richard A. Howes, Edward C. Kersey, Peter A. Tenereillo
  • Patent number: 7039008
    Abstract: A system and method are disclosed for maintaining the state of a virtual connection supported by an active connection manager on a standby connection manager. The method includes configuring the standby connection manager to include a physical machine object that stores a physical IP address of a physical machine that is available to the active connection manager and a virtual machine object that stores a virtual IP address of a virtual machine that is implemented on the connection manager. A replication packet is received at the standby connection manager from the active connection manager wherein the replication packet includes a foreign IP address, the virtual IP address and the physical IP address. A standby connection object is stored in the connection manager. The standby connection object includes the foreign IP address, the virtual IP address and the physical IP address from the replication packet on the standby connection manager.
    Type: Grant
    Filed: September 12, 2001
    Date of Patent: May 2, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Richard A. Howes, Edward C. Kersey, Bruce F. Wong, James A. Jordan, William M. Leblanc, Andrew L. Foss
  • Patent number: 6606315
    Abstract: A method of obtaining instructions for routing a packet is described that includes receiving a packet having a packet flow identifier that includes a packet source IP address, a packet destination IP address, a packet source port, and a packet destination port and checking whether the packet flow identifier matches a stored instruction. If the packet flow identifier does not match a stored instruction, whether the packet flow identifier matches a stored criteria is checked and if the packet matches a stored criteria, the packet is forwarded to a service manager.
    Type: Grant
    Filed: July 2, 1999
    Date of Patent: August 12, 2003
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Albert, Richard A. Howes, James A. Jordan, Edward C. Kersey, Louis F. Menditto, Chris O'Rourke, Pranav Kumar Tiwari, Tzu-Ming Tsang
  • Patent number: 6445704
    Abstract: A system and method are disclosed for virtualizing locally initiated outbound connections from a physical machine used to implement a virtual machine. The method includes providing a virtual machine object having a virtual IP address that corresponds to the virtual machine. Inbound connections directed to the virtual machine are handled by the physical machine having a physical machine IP address. A static physical machine object is also provided. The static physical machine object contains the virtual IP address and the physical machine IP address. When a SYN packet is intercepted for an outbound connection having a SYN packet source IP address that corresponds to the physical machine IP address and a packet destination address that corresponds to a foreign IP address, it is determined whether the packet source IP address matches the physical machine IP address.
    Type: Grant
    Filed: June 30, 1998
    Date of Patent: September 3, 2002
    Assignee: Cisco Technology, Inc.
    Inventors: Richard A. Howes, Edward C. Kersey
  • Patent number: 6366558
    Abstract: A system and method are disclosed for maintaining the state of a virtual connection supported by an active connection manager on a standby connection manager. The method includes configuring the standby connection manager to include a physical machine object that stores a physical IP address of a physical machine that is available to the active connection manager and a virtual machine object that stores a virtual IP address of a virtual machine that is implemented on the connection manager. A replication packet is received at the standby connection manager from the active connection manager wherein the replication packet includes a foreign IP address, the virtual IP address and the physical IP address. A standby connection object is stored in the connection manager. The standby connection object includes the foreign IP address, the virtual IP address and the physical IP address from the replication packet on the standby connection manager.
    Type: Grant
    Filed: June 30, 1998
    Date of Patent: April 2, 2002
    Assignee: Cisco Technology, Inc.
    Inventors: Richard A. Howes, Edward C. Kersey, Bruce F. Wong, James A. Jordan, William M. Leblanc, Andrew L. Foss
  • Patent number: 6324177
    Abstract: A system and method are disclosed for assigning an incoming connection to a server. The method includes defining a client specific virtual machine object instance that is associated with a designated client IP address. An incoming packet is received that is associated with a new connection. The incoming packet has a packet source IP address, a packet source port number, a packet destination IP address, and a packet destination port number. A client specific virtual machine object instance is selected that is associated with the designated client IP address when the packet source IP address matches the designated client IP address.
    Type: Grant
    Filed: June 30, 1998
    Date of Patent: November 27, 2001
    Assignee: Cisco Technology
    Inventors: Richard A. Howes, Edward C. Kersey
  • Patent number: 6317775
    Abstract: Disclosed is a system and method for distributing connections among a plurality of servers at an Internet site. All connections are made to a single IP address and a local director selects the server from among the plurality of servers which is to receive the connection. Thus, the DNS server is not relied upon to distribute connections, and the connection distribution scheme is not avoided when DNS is bypassed. In one embodiment, a session distribution scheme is implemented such that connections are distributed to the server in the group of servers which has the fewest connections of the group. In other embodiments, other session distribution schemes which route connections based on the predicted response times of the servers or according to a round robin scheme are used.
    Type: Grant
    Filed: January 25, 1999
    Date of Patent: November 13, 2001
    Assignee: Cisco Technology, Inc.
    Inventors: Brantley W. Coile, Richard A. Howes, Edward C. Kersey, Peter A. Tenereillo
  • Patent number: 6298063
    Abstract: A system and method are disclosed for redirecting a connection from a first server having a first server IP address. Incoming SYN packets sent from a client are intercepted. The SYN packets have a destination IP address corresponding to the connection and the SYN packets are sent from the client for the purpose of establishing the connection, which is supported by the first server. The number of incoming SYN packets sent from the client to the first server is monitored and it is determined whether the number of unanswered SYN packets sent by the client to the first server exceeds a ditched connection threshold number of unanswered SYN packets. The destination IP address of intercepted incoming SYN packets is changed for the connection received after determining that the number of unanswered SYN requests sent by the client to the first server exceeds a ditched connection threshold number of unanswered SYN requests to the destination IP address of a second server.
    Type: Grant
    Filed: March 15, 2000
    Date of Patent: October 2, 2001
    Assignee: Cisco Technology, Inc.
    Inventors: Brantley W. Coile, Richard A. Howes, Edward C. Kersey
  • Patent number: 6295557
    Abstract: A system and method are disclosed for simulating a plurality of TCP connections directed toward an Internet site under test. The method includes activating a producer thread process. The producer thread process includes randomly determining an IP address and requesting a TCP layer process to make a TCP connection to the randomly determined IP address. The producer thread process does not block or wait for the TCP connection to be established. A consumer thread process is activated upon the occurrence of an event on the TCP connection. The consumer thread process includes retrieving information from the TCP connection and recording statistics related to the information.
    Type: Grant
    Filed: June 30, 1998
    Date of Patent: September 25, 2001
    Assignee: Cisco Technology, Inc.
    Inventors: Andrew L. Foss, Richard A. Howes, William M. Leblanc, Edward C. Kersey
  • Patent number: 6104717
    Abstract: A system and method are disclosed for redirecting a connection from a first server having a first server IP address. Incoming SYN packets sent from a client are intercepted. The SYN packets have a destination IP address corresponding to the connection and the SYN packets are sent from the client for the purpose of establishing the connection, which is supported by the first server. The number of incoming SYN packets sent from the client to the first server is monitored and it is determined whether the number of unanswered SYN packets sent by the client to the first server exceeds a ditched connection threshold number of unanswered SYN packets. The destination IP address of intercepted incoming SYN packets is changed for the connection received after determining that the number of unanswered SYN requests sent by the client to the first server exceeds a ditched connection threshold number of unanswered SYN requests to the destination IP address of a second server.
    Type: Grant
    Filed: May 2, 1997
    Date of Patent: August 15, 2000
    Assignee: Cisco Technology, Inc.
    Inventors: Brantley W. Coile, Richard A. Howes, Edward C. Kersey
  • Patent number: 6061349
    Abstract: Disclosed is a system and method for handling a plurality of connection requests made for a plurality of virtual machines with a single physical machine. A system and method are disclosed for distributing virtual connections among a plurality of physical machines some or all of which are configured to handle connections for more than one virtual machine. In one embodiment, a packet translation system for handling connections from clients on an external network to a plurality of IP addresses with a server having a server IP address and a server port number includes a client interface to the external network. The client interface is operative to receive and send packets to and from a remote client. A server interface is operative to receive and send packets to and from the server and the server is operative to establish a connection with the remote client.
    Type: Grant
    Filed: May 2, 1997
    Date of Patent: May 9, 2000
    Assignee: Cisco Technology, Inc.
    Inventors: Brantley W. Coile, Richard A. Howes, Edward C. Kersey