Patents by Inventor Joseph Tardo

Joseph Tardo has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8724496
    Abstract: A system and method for integrating line-rate application recognition in a switch ASIC. Switching platforms can be built using this feature with a conventional control plane processor rather than a more expensive specialized processor. A deep packet inspection system can be embodied in a switch ASIC using a flow tracker and a signature matching engine. The flow tracker can be positioned in an ingress portion of the switch ASIC at a location where packets in a bi-directional flow can be observed and recorded. The flow tracker generates a signature match request that is forwarded to a signature matching engine in an auxiliary pipeline. The signature matching engine analyzes packets using a signature matching state machine and reports the signature matching results to the flow tracker using a response packet that is sent to the ingress pipeline.
    Type: Grant
    Filed: December 20, 2011
    Date of Patent: May 13, 2014
    Assignee: Broadcom Corporation
    Inventors: Joseph Tardo, Duc Hua, Nate Hill, Stanislas Wolski
  • Patent number: 8681794
    Abstract: A system and method for efficiently matching regular expression patterns across multiple packets. A deep packet inspection system can be embodied in a switch ASIC using a flow tracker and a signature matching engine. The flow tracker can be positioned in an ingress portion of the switch ASIC at a location where packets in a bi-directional flow can be observed and recorded. The flow tracker generates a signature match request that is forwarded to a signature matching engine in an auxiliary pipeline. The signature matching engine is enabled to perform cross-packet signature matching using signature matching state machines and reports the signature matching results to the flow tracker using a response packet that is sent to the ingress pipeline.
    Type: Grant
    Filed: December 19, 2011
    Date of Patent: March 25, 2014
    Assignee: Broadcom Corporation
    Inventors: Nate Hill, Stanislas Wolski, Joseph Tardo
  • Patent number: 8458461
    Abstract: Methods and apparatus are provided for performing authentication and decryption operations. A record including multiple encrypted blocks is received. An encrypted block in the record is extracted and decrypted first in order to obtain context information for performing authentication operations. Each remaining block is then decrypted and authenticated by using the available context information. Authentication operations can be performed without having to wait for the decryption of all of the blocks in the record.
    Type: Grant
    Filed: July 26, 2010
    Date of Patent: June 4, 2013
    Assignee: Broadcom Corporation
    Inventor: Joseph Tardo
  • Publication number: 20130136127
    Abstract: A system and method for efficiently matching regular expression patterns across multiple packets. A deep packet inspection system can be embodied in a switch ASIC using a flow tracker and a signature matching engine. The flow tracker can be positioned in an ingress portion of the switch ASIC at a location where packets in a bi-directional flow can be observed and recorded. The flow tracker generates a signature match request that is forwarded to a signature matching engine in an auxiliary pipeline. The signature matching engine is enabled to perform cross-packet signature matching using signature matching state machines and reports the signature matching results to the flow tracker using a response packet that is sent to the ingress pipeline.
    Type: Application
    Filed: December 19, 2011
    Publication date: May 30, 2013
    Applicant: Broadcom Corporation
    Inventors: Nate Hill, Stanislas Wolski, Joseph Tardo
  • Publication number: 20130136011
    Abstract: A system and method for integrating line-rate application recognition in a switch ASIC. Switching platforms can be built using this feature with a conventional control plane processor rather than a more expensive specialized processor. A deep packet inspection system can be embodied in a switch ASIC using a flow tracker and a signature matching engine. The flow tracker can be positioned in an ingress portion of the switch ASIC at a location where packets in a bi-directional flow can be observed and recorded. The flow tracker generates a signature match request that is forwarded to a signature matching engine in an auxiliary pipeline. The signature matching engine analyzes packets using a signature matching state machine and reports the signature matching results to the flow tracker using a response packet that is sent to the ingress pipeline.
    Type: Application
    Filed: December 20, 2011
    Publication date: May 30, 2013
    Applicant: Broadcom Corporation
    Inventors: Joseph Tardo, Duc Hua, Nate Hill, Stanislas Wolski
  • Patent number: 7941662
    Abstract: Methods and apparatus are provided for performing authentication and decryption operations in a cryptography accelerator system. Input data passed to a cryptography accelerator from a host such as a CPU includes information for a cryptography accelerator to determine where to write the processed data. In one example, processed data is formatted as packet payloads in a network buffer. Checksum information is precalculated and an offset for a header is maintained.
    Type: Grant
    Filed: May 31, 2002
    Date of Patent: May 10, 2011
    Assignee: Broadcom Corporation
    Inventors: Joseph Tardo, Mark Buer
  • Publication number: 20100293377
    Abstract: Methods and apparatus are provided for performing authentication and decryption operations. A record including multiple encrypted blocks is received. An encrypted block in the record is extracted and decrypted first in order to obtain context information for performing authentication operations. Each remaining block is then decrypted and authenticated by using the available context information. Authentication operations can be performed without having to wait for the decryption of all of the blocks in the record.
    Type: Application
    Filed: July 26, 2010
    Publication date: November 18, 2010
    Applicant: Broadcom Corporation
    Inventor: Joseph Tardo
  • Patent number: 7764788
    Abstract: Methods and apparatus are provided for performing authentication and decryption operations. A record including multiple encrypted blocks is received. An encrypted block in the record is extracted and decrypted first in order to obtain context information for performing authentication operations. Each remaining block is then decrypted and authenticated by using the available context information. Authentication operations can be performed without having to wait for the decryption of all of the blocks in the record.
    Type: Grant
    Filed: July 24, 2006
    Date of Patent: July 27, 2010
    Assignee: Broadcom Corporation
    Inventor: Joseph Tardo
  • Patent number: 7600122
    Abstract: Methods and apparatus are provided for an entity such as a CPU to efficiently call a cryptography accelerator to perform cryptographic operations. A function call causes the cryptography accelerator to execute multiple cryptographic operations in a manner tailored for specific processing steps, such as steps during a handshake phase of a secured session. The techniques provide efficient use of hardware processing resources, data interfaces, and memory interfaces.
    Type: Grant
    Filed: November 6, 2006
    Date of Patent: October 6, 2009
    Assignee: Broadcom Corporation
    Inventors: Joseph Tardo, Mark Buer, Jianjun Luo, Don Matthews, Zheng Qi, Ronald Squires
  • Patent number: 7376826
    Abstract: Methods and apparatus are provided for a cryptography accelerator to efficiently perform authentication and encryption operations. A data sequence is received at a cryptography accelerator. An encrypted authentication code and an encrypted data sequence are provided efficiently upon performing single pass authentication and encryption operations on the data sequence.
    Type: Grant
    Filed: May 31, 2002
    Date of Patent: May 20, 2008
    Assignee: Broadcom Corporation
    Inventors: Joseph Tardo, Donald P. Matthews
  • Publication number: 20080072280
    Abstract: A method and system for enabling a secure electronic network communications asset is provided. A computational engine networked with an electronic communications is configured to comprise a network endpoint. One, two or a group of particular applications or network services enabled by that endpoint are identified as an addressable secure asset. Policies are established and implemented to limit interactivity between the secure asset and any communications interface to which the asset is connected. The endpoint is configured to be accessible by one or more specific user groups under possibly unique sets of policies assigned to each user group. Any network endpoint must be a member of at least one user group in order to access the secure asset and must abide by the policies imposed by the secure asset onto the including user group.
    Type: Application
    Filed: July 16, 2007
    Publication date: March 20, 2008
    Inventors: Joseph Tardo, Amol Mahajani, Michael Simonsen, Dominic Wilde, Sanjeev Dalal
  • Publication number: 20070101130
    Abstract: Methods and apparatus are provided for performing authentication and decryption operations. A record including multiple encrypted blocks is received. An encrypted block in the record is extracted and decrypted first in order to obtain context information for performing authentication operations. Each remaining block is then decrypted and authenticated by using the available context information. Authentication operations can be performed without having to wait for the decryption of all of the blocks in the record.
    Type: Application
    Filed: July 24, 2006
    Publication date: May 3, 2007
    Applicant: Broadcom Corporation
    Inventor: Joseph Tardo
  • Publication number: 20070055875
    Abstract: Methods and apparatus are provided for an entity such as a CPU to efficiently call a cryptography accelerator to perform cryptographic operations. A function call causes the cryptography accelerator to execute multiple cryptographic operations in a manner tailored for specific processing steps, such as steps during a handshake phase of a secured session. The techniques provide efficient use of hardware processing resources, data interfaces, and memory interfaces.
    Type: Application
    Filed: November 6, 2006
    Publication date: March 8, 2007
    Applicant: Broadcom Corporation
    Inventors: Joseph Tardo, Mark Buer, Jianjun Luo, Don Matthews, Zheng Qi, Ronald Squires
  • Patent number: 7134014
    Abstract: Methods and apparatus are provided for an entity such as a CPU to efficiently call a cryptography accelerator to perform cryptographic operations. A function call causes the cryptography accelerator to execute multiple cryptographic operations in a manner tailored for specific processing steps, such as steps during a handshake phase of a secured session. The techniques provide efficient use of hardware processing resources, data interfaces, and memory interfaces.
    Type: Grant
    Filed: November 23, 2005
    Date of Patent: November 7, 2006
    Assignee: Broadcom Corporation
    Inventors: Joseph Tardo, Mark Buer, Jianjun Luo, Don Matthews, Zheng Qi, Ronald Squires
  • Publication number: 20060190997
    Abstract: The invention provides a method and system for enabling in-line communications channels between a plurality of computational systems and a switch, and/or a plurality of switches and a router. In a first version of the invention an in-line system receives uplinks of aggregated data from a plurality of switches and applies policies to each aggregated data stream prior to transmission of the aggregated data streams from the in-line system to the router. At least one computational system provides a user identification associated with a user profile to the in-line system. The user profile informs the in-line system of the constraints imposed upon and activities permitted to the computational system originating the user identification.
    Type: Application
    Filed: February 22, 2005
    Publication date: August 24, 2006
    Inventors: Amol Mahajani, Tanuj Mohan, Joseph Tardo, Dominic Wilde
  • Patent number: 7082534
    Abstract: Methods and apparatus are provided for performing authentication and decryption operations. A record including multiple encrypted blocks is received. An encrypted block in the record is extracted and decrypted first in order to obtain context information for performing authentication operations. Each remaining block is then decrypted and authenticated by using the available context information. Authentication operations can be performed without having to wait for the decryption of all of the blocks in the record.
    Type: Grant
    Filed: May 31, 2002
    Date of Patent: July 25, 2006
    Assignee: Broadcom Corporation
    Inventor: Joseph Tardo
  • Publication number: 20060107055
    Abstract: A method and system for detecting a pattern derived from or related to a data signature in data packets is provided. An intrusion detection module accepts a data packet and compares all or portions of the data packet with a set of data patterns. One or more data patterns may be related to, or indicate the existence of, or derived from a virus or other data structure, software code, software program, portions of content of a data packet, a universal resource locater, and/or a traffic classification indicator.
    Type: Application
    Filed: November 17, 2004
    Publication date: May 18, 2006
    Applicant: Nesvis, Networks
    Inventors: Ramesh Panwar, Joseph Tardo, Manish Kadam, Swati Deshpande, Sunil Aurora
  • Publication number: 20060085640
    Abstract: Methods and apparatus are provided for an entity such as a CPU to efficiently call a cryptography accelerator to perform cryptographic operations. A function call causes the cryptography accelerator to execute multiple cryptographic operations in a manner tailored for specific processing steps, such as steps during a handshake phase of a secured session. The techniques provide efficient use of hardware processing resources, data interfaces, and memory interfaces.
    Type: Application
    Filed: November 23, 2005
    Publication date: April 20, 2006
    Inventors: Joseph Tardo, Mark Buer, Jianjun Luo, Don Matthews, Zheng Qi, Ronald Squires
  • Patent number: 7007163
    Abstract: Methods and apparatus are provided for an entity such as a CPU to efficiently call a cryptography accelerator to perform cryptographic operations. A function call causes the cryptography accelerator to execute multiple cryptographic operations in a manner tailored for specific processing steps, such as steps during a handshake phase of a secured session. The techniques provide efficient use of hardware processing resources, data interfaces, and memory interfaces.
    Type: Grant
    Filed: May 31, 2002
    Date of Patent: February 28, 2006
    Assignee: Broadcom Corporation
    Inventors: Joseph Tardo, Mark Buer, Jianjun Luo, Don Matthews, Zheng Qi, Ronald Squires
  • Publication number: 20050063381
    Abstract: An apparatus provides an integrated single chip solution to solve a multitude of WLAN problems, and especially Switching/Bridging, and Security. In accordance with an aspect of the invention, the apparatus is able to terminate secured tunneled IPSec and L2TP with IPSec traffic. In accordance with a further aspect of the invention, the architecture can handle both tunneled and non-tunneled traffic at line rate, and manage both types of traffic in a unified fashion. The architecture is such that it not only resolves the problems pertinent to WLAN, it is also scalable and useful for building a number of useful networking products that fulfill enterprise security and all possible combinations of wired and wireless networking needs.
    Type: Application
    Filed: July 2, 2004
    Publication date: March 24, 2005
    Inventors: Mathew Kayalackakom, Abhijit Choudhury, Ken Chin, Shekhar Ambe, Joseph Tardo