Patents by Inventor George Mathew Koikara

George Mathew Koikara has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240022555
    Abstract: Techniques and architecture are described for protecting non-http and TCP/UDP applications in a zero trust network access (ZTNA)/web virtual private network (VPN) environment by establishing a secure communication channel between a native application and an application server providing an application service. More particularly, the present disclosure describes techniques and architecture that leverage the firewall wherein a thin client on a client device enables a client desktop, establishes a secure channel from a native application, e.g., the client desktop, to the firewall, and acts as a proxy.
    Type: Application
    Filed: July 18, 2022
    Publication date: January 18, 2024
    Inventors: George Mathew Koikara, Pruthvi Panyam Nataraj, Naveen Gujje, Sujith RS, Pranav Balakumar
  • Patent number: 11646995
    Abstract: This disclosure describes methods to distribute intrusion detection in a network across multiple devices in the network, such as across routing/switching or other infrastructure devices. For example, as a packet is routed through a network infrastructure, an overlay mechanism may be utilized to indicate which of a total set of intrusion detection rules have been applied to the packet. Each infrastructure device may evaluate which rules have already been applied to the packet, using a result of the evaluation to determine where to route the packet in the network infrastructure for application of additional intrusion detection rules. Additionally, each infrastructure device may record a result of its application of the portion of intrusion detection rules directly into the packet.
    Type: Grant
    Filed: December 11, 2019
    Date of Patent: May 9, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Cynthia Leonard, George Mathew Koikara, Kaushal Bhandankar, Prajwal Srinivas Sreenath
  • Publication number: 20230093942
    Abstract: Techniques are described for providing data such as, for example, keys, connection identifiers, and hashes to network devices using a secure database in order to facilitate client devices remaining connected or reconnecting with network sites when the client device moves among networks and to prevent replay attacks. For example, a method may include receiving, by a network device of a first network, encrypted traffic destined for a network site via the first network from a client device. The method may also include retrieving, by the network device from a database, data related to a previously established connection via a second network of the client device to the network site. In configurations, the data is received by the database from a proxy on the client device. The method may further include based at least in part on the data, passing, by the network device, the encrypted traffic to the network site.
    Type: Application
    Filed: September 24, 2021
    Publication date: March 30, 2023
    Inventors: George Mathew Koikara, Apoorv Raj, Shibin Kandacheri Veedu
  • Patent number: 11362987
    Abstract: A system includes a virtual private network (VPN) gateway and a client device. The VPN gateway receives a domain name system response through a physical coding sublayer. The VPN gateway fetches a fully qualified domain name corresponding to the domain name system response, and fetches one or more access control list rules from an access control list table for a specific user account. The VPN gateway installs an Internet protocol (IP) address in the access control list table for each access control list rule and handles requested data traffic to the IP address. The client device creates a virtual tunnel interface route with a port of a transmission control protocol (TCP) listener device and parses the domain name system response. The client device updates a domain name system cache with the fully qualified domain name and the IP address and sends unencrypted network traffic over the virtual tunnel interface route.
    Type: Grant
    Filed: August 7, 2020
    Date of Patent: June 14, 2022
    Assignee: Pulse Secure, LLC
    Inventors: Shanavas Kottikal Saidumuhamed, Prabhath Thankappan, John Alappattu Varudunny, George Mathew Koikara
  • Publication number: 20210185006
    Abstract: This disclosure describes methods to distribute intrusion detection in a network across multiple devices in the network, such as across routing/switching or other infrastructure devices. For example, as a packet is routed through a network infrastructure, an overlay mechanism may be utilized to indicate which of a total set of intrusion detection rules have been applied to the packet. Each infrastructure device may evaluate which rules have already been applied to the packet, using a result of the evaluation to determine where to route the packet in the network infrastructure for application of additional intrusion detection rules. Additionally, each infrastructure device may record a result of its application of the portion of intrusion detection rules directly into the packet.
    Type: Application
    Filed: December 11, 2019
    Publication date: June 17, 2021
    Inventors: Cynthia Leonard, George Mathew Koikara, Kaushal Bhandankar, Prajwal Srinivas Sreenath
  • Publication number: 20200366639
    Abstract: A system includes a virtual private network (VPN) gateway and a client device. The VPN gateway receives a domain name system response through a physical coding sublayer. The VPN gateway fetches a fully qualified domain name corresponding to the domain name system response, and fetches one or more access control list rules from an access control list table for a specific user account. The VPN gateway installs an Internet protocol (IP) address in the access control list table for each access control list rule and handles requested data traffic to the IP address. The client device creates a virtual tunnel interface route with a port of a transmission control protocol (TCP) listener device and parses the domain name system response. The client device updates a domain name system cache with the fully qualified domain name and the IP address and sends unencrypted network traffic over the virtual tunnel interface route.
    Type: Application
    Filed: August 7, 2020
    Publication date: November 19, 2020
    Inventors: Shanavas Kottikal Saidumuhamed, Prabhath Thankappan, John Alappattu Varudunny, George Mathew Koikara
  • Patent number: 8832389
    Abstract: Domains can also be used to control access to physical memory space. Data in a physical memory space that has been used by a process sometimes endures after the process stops using the physical memory space (e.g., the process terminates). In addition, a virtual memory manager may allow processes of different applications to access a same memory space. To prevent exposure of sensitive/confidential data, physical memory spaces can be designated for a specific domain or domains when the physical memory spaces are allocated.
    Type: Grant
    Filed: January 14, 2011
    Date of Patent: September 9, 2014
    Assignee: International Business Machines Corporation
    Inventors: Saurabh Desai, George Mathew Koikara, Pruthvi Panyam Nataraj, Guha Prasad Venkataraman, Vidya Ranganathan
  • Patent number: 8631123
    Abstract: When an operating system process evaluates a rule for an operation being attempted on a logical network port, the operating system process determines whether the target logical port falls within a range of logical ports, and then determines whether the operation is associated with a permitted domain of the range of logical ports. If the operation is a bind operation, then the process attempting to bind to the target port will be allowed to bind if the target port falls within the range and the operation/process is associated with a permitted domain. Otherwise, the binding operation will not be allowed to proceed.
    Type: Grant
    Filed: January 14, 2011
    Date of Patent: January 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Saurabh Desai, George Mathew Koikara, Pruthvi Panyam Nataraj, Guha Prasad Venkataraman, Vidya Ranganathan
  • Patent number: 8595821
    Abstract: Domains can be used to secure resources of a cluster. An administrator can configure a node of a cluster as a member of a particular domain. Membership in a cluster can be restricted to nodes that are members of the particular domain. When a node generates a cluster message, a kernel process or operating system process of the node will indicate the domain(s) of the node in the cluster message. The cluster message can be a command message to read or write to a storage resource of the cluster. When the cluster storage resource node or node that controls the storage resource receives the command message, the node will examine the command message to ensure the message indicates a domain that aligns with the cluster. If the proper domain is indicated in the command message, then the command message is processed. Otherwise, the command message is denied.
    Type: Grant
    Filed: January 14, 2011
    Date of Patent: November 26, 2013
    Assignee: International Business Machines Corporation
    Inventors: Saurabh Desai, George Mathew Koikara, Pruthvi Panyam Nataraj, Guha Prasad Venkataraman, Vidya Ranganathan
  • Patent number: 8429191
    Abstract: Functionality can be implemented in an operating system to increase the granularity of isolation for objects. A domain can be defined to represent each of different entities (e.g., different departments or work groups). User identifiers and/or user credentials can be associated with the appropriate domain or domains. An administrator can then define a set of rules that govern operation(s) that can be performed on the objects based on the domains. Processes running on a system will inherit the domains of a user account logged into the system. When a process running on the system attempts to perform an operation on an object, an operating system process evaluates the domain isolation rules with an identifier of the object and a domain identifier to determine whether the operation is permitted to proceed.
    Type: Grant
    Filed: January 14, 2011
    Date of Patent: April 23, 2013
    Assignee: International Business Machines Corporation
    Inventors: Saurabh Desai, George Mathew Koikara, Pruthvi Panyam Nataraj, Guha Prasad Venkataraman, Vidya Ranganathan
  • Publication number: 20120185510
    Abstract: Functionality can be implemented in an operating system to increase the granularity of isolation for objects. A domain can be defined to represent each of different entities (e.g., different departments or work groups). User identifiers and/or user credentials can be associated with the appropriate domain or domains. An administrator can then define a set of rules that govern operation(s) that can be performed on the objects based on the domains. Processes running on a system will inherit the domains of a user account logged into the system. When a process running on the system attempts to perform an operation on an object, an operating system process evaluates the domain isolation rules with an identifier of the object and a domain identifier to determine whether the operation is permitted to proceed.
    Type: Application
    Filed: January 14, 2011
    Publication date: July 19, 2012
    Applicant: International Business Machines Corporation
    Inventors: Saurabh Desai, George Mathew Koikara, Pruthvi Panyam Nataraj, Guha Prasad Venkataraman, Vidya Ranganathan
  • Publication number: 20120185661
    Abstract: Domains can also be used to control access to physical memory space. Data in a physical memory space that has been used by a process sometimes endures after the process stops using the physical memory space (e.g., the process terminates). In addition, a virtual memory manager may allow processes of different applications to access a same memory space. To prevent exposure of sensitive/confidential data, physical memory spaces can be designated for a specific domain or domains when the physical memory spaces are allocated.
    Type: Application
    Filed: January 14, 2011
    Publication date: July 19, 2012
    Applicant: International Business Machines Corporation
    Inventors: Saurabh Desai, George Mathew Koikara, Pruthvi Panyam Nataraj, Guha Prasad Venkataraman, Vidya Ranganathan
  • Publication number: 20120185930
    Abstract: Domains can be used to secure resources of a cluster. An administrator can configure a node of a cluster as a member of a particular domain. Membership in a cluster can be restricted to nodes that are members of the particular domain. When a node generates a cluster message, a kernel process or operating system process of the node will indicate the domain(s) of the node in the cluster message. The cluster message can be a command message to read or write to a storage resource of the cluster. When the cluster storage resource node or node that controls the storage resource receives the command message, the node will examine the command message to ensure the message indicates a domain that aligns with the cluster. If the proper domain is indicated in the command message, then the command message is processed. Otherwise, the command message is denied.
    Type: Application
    Filed: January 14, 2011
    Publication date: July 19, 2012
    Applicant: International Business Machines Corporation
    Inventors: Saurabh Desai, George Mathew Koikara, Pruthvi Panyam Nataraj, Guha Prasad Venkataraman, Vidya Ranganathan
  • Publication number: 20120185581
    Abstract: When an operating system process evaluates a rule for an operation being attempted on a logical network port, the operating system process determines whether the target logical port falls within a range of logical ports, and then determines whether the operation is associated with a permitted domain of the range of logical ports. If the operation is a bind operation, then the process attempting to bind to the target port will be allowed to bind if the target port falls within the range and the operation/process is associated with a permitted domain. Otherwise, the binding operation will not be allowed to proceed.
    Type: Application
    Filed: January 14, 2011
    Publication date: July 19, 2012
    Applicant: International Business Machines Corporation
    Inventors: Saurabh Desai, George Mathew Koikara, Pruthvi Panyam Nataraj, Guha Prasad Venkataraman, Vidya Ranganathan
  • Patent number: 8136147
    Abstract: A computer implemented method, apparatus, and computer program product for managing privileges on a data processing system. The process initiates a privilege monitor. All other entities in the data processing system are prevented from assigning privileges. The privilege monitor is the only entity authorized to assign privileges. The process monitors for requests for privileges. In response to detecting a request from a user for a privilege, the process selectively assigns the privilege to the user through the privilege monitor.
    Type: Grant
    Filed: April 16, 2007
    Date of Patent: March 13, 2012
    Assignee: International Business Machines Corporation
    Inventors: George Mathew Koikara, Vidya Ranganathan
  • Patent number: 7908476
    Abstract: A computer implemented method, apparatus, and computer program product for using a virtual file system to encrypt files. The process registers a plurality of file systems on a data processing system with the virtual file system. The virtual file system is enabled to encrypt files without intervention from any file system in the plurality of file systems. The virtual file system identifies whether a file on a given file system is an encrypted file using a map file associated with the given file system. In response to identifying the file as an encrypted file, the virtual file system encrypts all data written to the file in accordance with encryption specifications in the map file.
    Type: Grant
    Filed: January 10, 2007
    Date of Patent: March 15, 2011
    Assignee: International Business Machines Corporation
    Inventors: Madhusudanan Kandasamy, George Mathew Koikara, Pruthvi Panyam Nataraj, Vidya Ranganathan
  • Publication number: 20080256606
    Abstract: A computer implemented method, apparatus, and computer program product for managing privileges on a data processing system. The process initiates a privilege monitor. All other entities in the data processing system are prevented from assigning privileges. The privilege monitor is the only entity authorized to assign privileges. The process monitors for requests for privileges. In response to detecting a request from a user for a privilege, the process selectively assigns the privilege to the user through the privilege monitor.
    Type: Application
    Filed: April 16, 2007
    Publication date: October 16, 2008
    Inventors: George Mathew Koikara, Vidya Ranganathan
  • Publication number: 20080165957
    Abstract: A computer implemented method, apparatus, and computer program product for using a virtual file system to encrypt files. The process registers a plurality of file systems on a data processing system with the virtual file system. The virtual file system is enabled to encrypt files without intervention from any file system in the plurality of file systems. The virtual file system identifies whether a file on a given file system is an encrypted file using a map file associated with the given file system. In response to identifying the file as an encrypted file, the virtual file system encrypts all data written to the file in accordance with encryption specifications in the map file.
    Type: Application
    Filed: January 10, 2007
    Publication date: July 10, 2008
    Inventors: Madhusudanan Kandasamy, George Mathew Koikara, Pruthvi Panyam Nataraj, Vidya Ranganathan