Abstract: There is disclosed in one example a network gateway device, including: a hardware platform including a processor and a memory; a network interface, including network interface hardware; and instructions encoded within the memory to instruct the processor to: receive from an endpoint device, via the network interface, a signed security posture data structure, the signed security posture data structure including information about a security posture of the endpoint device; cryptographically verify the signed security posture data structure; and according to the signed security posture data structure, assign a network security policy to the endpoint device.

Abstract: There is disclosed in one example an enrollment over secure transport (EST)-capable gateway device, including: a hardware platform including a processor and a memory; a first network interface to communicatively couple to an external network, including an external DNS server; a second network interface to communicatively couple to a home network; a caching DNS server including a local DNS cache, and logic to provide DNS services to the home network; and an EST proxy to authenticate to a local endpoint on the home network, provision a DNS server certificate on the local endpoint, provision an authentication domain name (ADN) on the local endpoint, and provide encrypted domain name system (DNS) services to the local endpoint.

Abstract: A system for controlling accesses to network enabled devices includes a network interface over which a hub communicates with network enabled devices, a processor, and a multilayer access control layer. The access control layer includes instructions that, when executed by the processor, cause the processor to detect, at the hub, a request representing an attempt by an application executing on a remote host device to access a network enabled device communicatively coupled to the hub, characterize the request according to a user of the remote host device, the application making the attempt, and the network enabled device, and determine whether to allow or deny the request based upon the characterization and a plurality of rules. The rules may include definitions of access rights, with respect to the network enabled device, for users, applications, commands or queries made by applications, remote host devices, and network domains.

Abstract: Methods, systems, and media for dynamically separating Internet of Things (IoT) devices in a network are provided. In accordance with some embodiments of the disclosed subject matter, a method for dynamically separating IoT devices in a network is provided, the method comprising: detecting a first IoT device in the network; monitoring network communication of the first IoT device; determining device information of the first IoT device based on the monitored network communication; and causing the first IoT device to communicate on a first subnet of a plurality of subnets in the network based on the device information.

Abstract: There is disclosed in one example a gateway apparatus, including: a hardware platform including a processor and a memory; and instructions stored within the memory to instruct the processor to: provide a domain name system (DNS) server, the DNS server to provide an encrypted DNS service, and to cache resolved domain names; receive an outgoing network packet; determine a destination address of the outgoing network packet; and upon determining that the destination address was not cached, apply a security policy.

Abstract: Methods, apparatus, systems and articles of manufacture for communicating encrypted data via a virtual private network are disclosed. An example computer system disclosed herein includes a memory including instructions that, when executed, cause one or more processors to establish a first tunnel and a second tunnel between a VPN client and a VPN server. The instructions further cause the one or more processors to access a request message to be sent via the VPN and determine, in response to a payload being formatted using a first protocol, whether a packet associated with the request message includes an encrypted server name indication (SNI). The instructions further cause the one or more processors to, in response to the packet including the encrypted SNI, encrypt the header of the request message to form an encrypted header, create an encrypted message including the encrypted header and the payload of the request message, and transmit the encrypted message through the first tunnel.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to verify encrypted handshakes. An example apparatus includes a message copier to clone a client introductory message, the client introductory message is included in a first handshake for network communication between a client and a server, a connection establisher to initiate a second handshake between the apparatus and the server based on the cloned client introductory message, and a decrypter to, in response to the second handshake, decrypt a certificate sent by the server.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor, a memory, and a network interface; and instructions encoded within the memory to instruct the processor to: receive an incoming packet via the network interface; extract from the incoming packet a source port and a source internet protocol (IP) address; correlate the source port and source IP to a device identifier (ID); receive a network policy for the device ID; and apply the network policy to the incoming packet.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; an operating system including a native internet protocol (IP) stack; and a security agent, including instructions encoded within the memory to instruct the processor to: establish a split virtual private network (VPN) tunnel with a remote VPN service; receive outgoing network traffic; direct a first portion of the outgoing traffic to the VPN tunnel, including determining that the first portion includes an outgoing domain name service (DNS) request; and direct a second portion of the outgoing traffic to the native IP stack.

Abstract: Example methods, apparatus, systems and articles of manufacture to implement cooperative mitigation of distributed denial of service attacks originating in local networks are disclosed. An example network element disclosed herein is to detect a first distributed denial of service attack associated with first network traffic received by an Internet service provider network, the first network traffic originating from a first device connected to a local network. The disclosed example network element is also to implement a threat signaling client to transmit first information describing the first distributed denial of service attack to a threat signaling server implemented by a local network router of the local network, and receive second information from the threat signaling server of the local network, the second information to provide a notification when the first network traffic associated with the first distributed denial of service attack has been mitigated.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to verify application permission safety.

Abstract: There is disclosed in one example a home router, including: a hardware platform including a processor and a memory; a local area network (LAN) interface; a data store including rules for domain name-based services; and instructions encoded within the memory to instruct the processor to: provision a certificate and key pair to provide domain name system (DNS) over hypertext transfer protocol secure (DoH) or DNS over transport layer security (DoT) services; receive on the LAN interface an encrypted DNS request; decrypt the DNS request; query the data store according to the DNS request; receive a rule for the DNS request; and execute the rule.

Abstract: There is disclosed in one example an enrollment over secure transport (EST)-capable gateway device, including: a hardware platform including a processor and a memory; a first network interface to communicatively couple to an external network, including an external DNS server; a second network interface to communicatively couple to a home network; a caching DNS server including a local DNS cache, and logic to provide DNS services to the home network; and an EST proxy to authenticate to a local endpoint on the home network, provision a DNS server certificate on the local endpoint, provision an authentication domain name (ADN) on the local endpoint, and provide encrypted domain name system (DNS) services to the local endpoint.

Abstract: Various embodiments are described for dynamic value stream management. A computing environment is directed to receive a stream of metrics from station computing devices each positioned at a station in a manufacturing process, where individual ones of the station computing devices have a sensor configured to generate metrics. The computing environment may determine an optimal allocation of resources for each of the stations in the manufacturing process based at least in part on the metrics. If a cycle time of a station falls below a threshold, personnel from another satisfactorily-performing station may be reassigned to the station based on cross-training metrics. A recommended action for the stations may be determined and presented in a display device.

Abstract: Example methods, apparatus, systems and articles of manufacture to implement cooperative mitigation of distributed denial of service attacks originating in local networks are disclosed. An example local network router disclosed herein includes a mitigator to mitigate a distributed denial of service attack detected by an Internet service provider, the distributed denial of service attack associated with network traffic originating from a first device connected to a local network. The example local network router also includes a threat signaling server to identify the first device based on first information received from a threat signaling client of the Internet service provider, the first information describing the distributed denial of service attack. The example threat signaling server is also to transmit second information to notify the threat signaling client of the Internet service provider when the network traffic associated with the distributed denial of service attack has been mitigated.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to verify application permission safety.

Abstract: A system for controlling accesses to network enabled devices includes a network interface over which a hub communicates with network enabled devices, a processor, and a multilayer access control layer. The access control layer includes instructions that, when executed by the processor, cause the processor to detect, at the hub, a request representing an attempt by an application executing on a remote host device to access a network enabled device communicatively coupled to the hub, characterize the request according to a user of the remote host device, the application making the attempt, and the network enabled device, and determine whether to allow or deny the request based upon the characterization and a plurality of rules. The rules may include definitions of access rights, with respect to the network enabled device, for users, applications, commands or queries made by applications, remote host devices, and network domains.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to establish a connection with a router, obtain identification for the router, communicate the identification of the router to a network element, receive a hash of at least a portion of a certificate for the router, and disconnect the connection and establish a new connection with the router, where the hash is used to authenticate network services received from the router during the new connection. In an example, the hash is part of a subject public key infrastructure (SPKI) pin set.

Abstract: A system for controlling accesses to network enabled devices includes a network interface over which a hub communicates with network enabled devices, a processor, and a multilayer access control layer. The access control layer includes instructions that, when executed by the processor, cause the processor to detect, at the hub, a request representing an attempt by an application executing on a remote host device to access a network enabled device communicatively coupled to the hub, characterize the request according to a user of the remote host device, the application making the attempt, and the network enabled device, and determine whether to allow or deny the request based upon the characterization and a plurality of rules. The rules may include definitions of access rights, with respect to the network enabled device, for users, applications, commands or queries made by applications, remote host devices, and network domains.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to verify encrypted handshakes. An example apparatus includes a message copier to clone a client introductory message, the client introductory message is included in a first handshake for network communication between a client and a server, a connection establisher to initiate a second handshake between the apparatus and the server based on the cloned client introductory message, and a decrypter to, in response to the second handshake, decrypt a certificate sent by the server.