Patents by Inventor Kartik Subbanna
Kartik Subbanna has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12184696
Abstract: The technology discloses a computer-implemented policy manager device for a cloud-based security system that manages cloud-based unified functions of packet-level and protocol-level access control and traffic inspection, threat detection and activity contextualization on inspectable and non-inspectable traffic. Packet-level access control inspects packet headers for malformation, protocol-level access control performs deep packet inspection for malicious signatures, threat detection determines whether traffic in an HTTP/S stream as directed to a threat destination, and activity contextualization recognizes whether an activity in an HTTP/S stream accessing a cloud-based application is a compromising activity.
Type: Grant
Filed: July 23, 2021
Date of Patent: December 31, 2024
Assignee: NetSkope, Inc.
Inventors: Kartik Subbanna, Kand Ly, Amit Ganesh Datar
-
Patent number: 12015619
Abstract: The technology discloses processing incoming access requests of packets through cloud-based components that perform (a) packet-level access control and traffic inspection, (b) protocol-level access control and traffic inspection, (c) threat detection, and (d) activity contextualization, including a packet and stream router conveying each incoming access request of packets through all of components (a)-(d) that apply, at least until one of the components sets a restrictive state on at least one object corresponding to the incoming access request or until all of the components that apply have passed the incoming access request.
Type: Grant
Filed: January 30, 2021
Date of Patent: June 18, 2024
Assignee: Netskope, Inc.
Inventors: Kartik Subbanna, Amit Ganesh Datar, Kand Ly
-
Patent number: 11848949
Abstract: The technology discloses a method applied by a policy manager to a cloud-based security system that unifies functions of access control and traffic inspection, threat detection and activity contextualization on inspectable and non-inspectable traffic, with a data manager coupled to the policy manager storing a superset of fields used to specify security policies across the cloud-based unified functions, including common fields shared by two or more of the functions.
Type: Grant
Filed: January 30, 2021
Date of Patent: December 19, 2023
Assignee: Netskope, Inc.
Inventors: Amit Ganesh Datar, Kartik Subbanna, Kand Ly
-
Patent number: 11777993
Abstract: Disclosed is a unified security system of cloud-based components configured for (a) packet-level and (b) protocol-level access control and traffic inspection, (c) threat detection and (d) activity contextualization. Packet-level inspects and classifies headers in requests or responses, sets a first restrictive state or passes the request or response. Protocol-level performs deep packet inspection for malicious signatures then sets a second state or passes. Threat detection, when the request or response is an HTTP/S stream, classifies as directed to a threat destination or not, then sets a third state or passes the request or response and activity contextualization, when the request is an HTTP/S stream seeking access to a cloud-based application, recognizes, processes and classifies content-containing activity as compromising or not, then sets a fourth state or passes.
Type: Grant
Filed: January 30, 2021
Date of Patent: October 3, 2023
Assignee: Netskope, Inc.
Inventors: Kand Ly, Amit Ganesh Datar, Kartik Subbanna
-
Publication number: 20220247785
Abstract: Disclosed is a unified security system of cloud-based components configured for (a) packet-level and (b) protocol-level access control and traffic inspection, (c) threat detection and (d) activity contextualization. Packet-level inspects and classifies headers in requests or responses, sets a first restrictive state or passes the request or response. Protocol-level performs deep packet inspection for malicious signatures then sets a second state or passes. Threat detection, when the request or response is an HTTP/S stream, classifies as directed to a threat destination or not, then sets a third state or passes the request or response and activity contextualization, when the request is an HTTP/S stream seeking access to a cloud-based application, recognizes, processes and classifies content-containing activity as compromising or not, then sets a fourth state or passes.
Type: Application
Filed: January 30, 2021
Publication date: August 4, 2022
Applicant: NetSkope, Inc.
Inventors: Kand LY, Amit Ganesh DATAR, Kartik SUBBANNA
-
Publication number: 20220247761
Abstract: The technology discloses processing incoming access requests of packets through cloud-based components that perform (a) packet-level access control and traffic inspection, (b) protocol-level access control and traffic inspection, (c) threat detection, and (d) activity contextualization, including a packet and stream router conveying each incoming access request of packets through all of components (a)-(d) that apply, at least until one of the components sets a restrictive state on at least one object corresponding to the incoming access request or until all of the components that apply have passed the incoming access request.
Type: Application
Filed: January 30, 2021
Publication date: August 4, 2022
Applicant: NetSkope, Inc.
Inventors: Kartik SUBBANNA, Amit Ganesh DATAR, Kand LY
-
Publication number: 20220247768
Abstract: The technology discloses a method applied by a policy manager to a cloud-based security system that unifies functions of access control and traffic inspection, threat detection and activity contextualization on inspectable and non-inspectable traffic, with a data manager coupled to the policy manager storing a superset of fields used to specify security policies across the cloud-based unified functions, including common fields shared by two or more of the functions.
Type: Application
Filed: January 30, 2021
Publication date: August 4, 2022
Applicant: NetSkope, Inc.
Inventors: Amit Ganesh DATAR, Kartik SUBBANNA, Kand LY
-
Publication number: 20220247788
Abstract: The technology discloses a computer-implemented policy manager device for a cloud-based security system that manages cloud-based unified functions of packet-level and protocol-level access control and traffic inspection, threat detection and activity contextualization on inspectable and non-inspectable traffic. Packet-level access control inspects packet headers for malformation, protocol-level access control performs deep packet inspection for malicious signatures, threat detection determines whether traffic in an HTTP/S stream as directed to a threat destination, and activity contextualization recognizes whether an activity in an HTTP/S stream accessing a cloud-based application is a compromising activity.
Type: Application
Filed: July 23, 2021
Publication date: August 4, 2022
Applicant: NetSkope, Inc.
Inventors: Kartik SUBBANNA, Kand LY, Amit Ganesh DATAR
-
Patent number: 11159576
Abstract: The technology discloses a computer-implemented policy manager device for a cloud-based security system that unifies functions of packet-level and protocol-level access control and traffic inspection, threat detection and activity contextualization on inspectable and non-inspectable traffic. The device includes a data manager for a superset of fields that specify security policies across the cloud-based unified functions, including common fields shared by two or more of the unified functions, means for receiving and storing policy specifications in a common format for values of the common fields as applied to each of the unified functions, whereby a user interacting with the means for receiving can specify security policies governing the cloud-based unified functions of access control and traffic inspection, threat detection and activity contextualization on inspectable and non-inspectable traffic.
Type: Grant
Filed: January 30, 2021
Date of Patent: October 26, 2021
Assignee: NetSkope, Inc.
Inventors: Kand Ly, Kartik Subbanna, Amit Ganesh Datar
-
Patent number: 9124666
Abstract: A system of network proxies distributes data to multiple servers. Each network proxy is associated with a server. A network proxy intercepts a client request for data. If the network proxy determines that the request can be served using a copy of data stored on the local server, rather than the data stored on a remote server, it diverts the request to the local server. If the network proxy determines that the request cannot be served using a data from the local server, the network proxy diverts the request to a remote server storing the primary copy of the data. A server map specifies the locations of the primary copies of data. When a primary copy of data is updated on one of the servers, the associated network proxy propagates the updated data to the other servers. The servers can provide data from files, e-mail services, databases, or multimedia services.
Type: Grant
Filed: December 21, 2012
Date of Patent: September 1, 2015
Assignee: RIVERBED TECHNOLOGY, INC.
Inventors: Daniel Edwin Burman, Kartik Subbanna, Steven McCanne, David Tze-Si Wu, Mark Stuart Day
-
Patent number: 8635361
Abstract: A data access request from an application for access to a data resource is received from a first application. The data access request is analyzed to identify application-specific behavior indicating a type of data access for the data resource. The WAN acceleration functionality of a first device is configured for network traffic optimization based on the type of data access for the data resource. The analysis of the data access request may be based on attributes of the data access request, the data resource, and/or an access control restriction. The network traffic optimization may be adapted to optimize network traffic to a first portion of the data resource that is different than a second portion of the data resource associated with the data access request or to a second data resource separate from the data resource associated with the data access request.
Type: Grant
Filed: December 3, 2008
Date of Patent: January 21, 2014
Assignee: Riverbed Technology, Inc.
Inventor: Kartik Subbanna
-
Patent number: 8463843
Abstract: In a system where transactions are accelerated with asynchronous writes that require acknowledgements, with pre-acknowledging writes at a source of the writes, a destination-side transaction accelerator includes a queue for queue writes to a destination, at least some of the writes being pre-acknowledged by a source-side transaction accelerator prior to the write completing at the destination, a memory for storing a status of a destination-side queue and possibly other determinants, and logic for signaling to the source-side transaction accelerator with instructions to alter pre-acknowledgement rules to hold off on and pursue pre-acknowledgements based on the destination-side queue status. The rules can take into account adjusting the flow of pre-acknowledged requests or pre-acknowledgements at the sender-side transaction accelerator based at least on the computed logical length.
Type: Grant
Filed: May 29, 2007
Date of Patent: June 11, 2013
Assignee: Riverbed Technology, Inc.
Inventors: Kartik Subbanna, Nitin Gupta, Adityashankar Kini, Daniel Conor O'Sullivan, Shashidhar Merugu, Steven James Procter, Vivasvat Manohar Keswani
-
Patent number: 8364815
Abstract: A system of network proxies distributes data to multiple servers. Each network proxy is associated with a server. A network proxy intercepts a client request for data. If the network proxy determines that the request can be served using a copy of data stored on the local server, rather than the data stored on a remote server, it diverts the request to the local server. If the network proxy determines that the request cannot be served using a data from the local server, the network proxy diverts the request to a remote server storing the primary copy of the data. A server map specifies the locations of the primary copies of data. When a primary copy of data is updated on one of the servers, the associated network proxy propagates the updated data to the other servers. The servers can provide data from files, e-mail services, databases, or multimedia services.
Type: Grant
Filed: October 3, 2005
Date of Patent: January 29, 2013
Assignee: Riverbed Technology, Inc.
Inventors: Daniel Edwin Burman, Kartik Subbanna, Steven McCanne, David Tze-Si Wu, Mark Stuart Day
-
Publication number: 20090144440
Abstract: A data access request from an application for access to a data resource is received from a first application. The data access request is analyzed to identify application-specific behavior indicating a type of data access for the data resource. The WAN acceleration functionality of a first device is configured for network traffic optimization based on the type of data access for the data resource. The analysis of the data access request may be based on attributes of the data access request, the data resource, and/or an access control restriction. The network traffic optimization may be adapted to optimize network traffic to a first portion of the data resource that is different than a second portion of the data resource associated with the data access request or to a second data resource separate from the data resource associated with the data access request.
Type: Application
Filed: December 3, 2008
Publication date: June 4, 2009
Applicant: RIVERBED TECHNOLOGY, INC.
Inventor: Kartik Subbanna
-
Publication number: 20080005274
Abstract: In a system where transactions are accelerated with asynchronous writes that require acknowledgements, with pre-acknowledging writes at a source of the writes, a destination-side transaction accelerator includes a queue for queue writes to a destination, at least some of the writes being pre-acknowledged by a source-side transaction accelerator prior to the write completing at the destination, a memory for storing a status of a destination-side queue and possibly other determinants, and logic for signaling to the source-side transaction accelerator with instructions to alter pre-acknowledgement rules to hold off on and pursue pre-acknowledgements based on the destination-side queue status. The rules can take into account adjusting the flow of pre-acknowledged requests or pre-acknowledgements at the sender-side transaction accelerator based at least on the computed logical length.
Type: Application
Filed: May 29, 2007
Publication date: January 3, 2008
Applicant: Riverbed Technology, Inc.
Inventors: Kartik Subbanna, Nitin Gupta, Adityashankar Kini, Daniel O'Sullivan, Shashidhar Merugu, Steven Procter, Vivasvat Keswani
-
Publication number: 20060212935
Abstract: A system of network proxies distributes data to multiple servers. Each network proxy is associated with a server. A network proxy intercepts a client request for data. If the network proxy determines that the request can be served using a copy of data stored on the local server, rather than the data stored on a remote server, it diverts the request to the local server. If the network proxy determines that the request cannot be served using a data from the local server, the network proxy diverts the request to a remote server storing the primary copy of the data. A server map specifies the locations of the primary copies of data. When a primary copy of data is updated on one of the servers, the associated network proxy propagates the updated data to the other servers. The servers can provide data from files, e-mail services, databases, or multimedia services.
Type: Application
Filed: October 3, 2005
Publication date: September 21, 2006
Applicant: Riverbed Technology, Inc.
Inventors: Daniel Burman, Kartik Subbanna, Steven McCanne, David Wu, Mark Day
-
Patent number: 6944785
Abstract: Systems and methods, including computer program products, providing high-availability in server systems. In one implementation, a server system is cluster of two or more autonomous server nodes, each running one or more virtual servers. When a node fails, its virtual servers are migrated to one or more other nodes. Connectivity between nodes and clients is based on virtual IP addresses, where each virtual server has one or more virtual IP addresses. Virtual servers can be assigned failover priorities, and, in failover, higher priority virtual servers can be migrated before lower priority ones. Load balancing can be provided by distributing virtual servers from a failed node to multiple different nodes. When a port within a node fails, the node can reassign virtual IP addresses from the failed port to other ports on the node until no good ports remain and only then migrate virtual servers to another node or nodes.
Type: Grant
Filed: July 23, 2001
Date of Patent: September 13, 2005
Assignee: Network Appliance, Inc.
Inventors: Omar M. A. Gadir, Kartik Subbanna, Ananda R. Vayyala, Hariprasad Shanmugam, Amod P. Bodas, Tarun Kumar Tripathy, Ravi S. Indurkar, Kurma H. Rao
-
Publication number: 20030018927
Abstract: Systems and methods, including computer program products, providing high-availability in server systems. In one implementation, a server system is cluster of two or more autonomous server nodes, each running one or more virtual servers. When a node fails, its virtual servers are migrated to one or more other nodes. Connectivity between nodes and clients is based on virtual IP addresses, where each virtual server has one or more virtual IP addresses. Virtual servers can be assigned failover priorities, and, in failover, higher priority virtual servers can be migrated before lower priority ones. Load balancing can be provided by distributing virtual servers from a failed node to multiple different nodes. When a port within a node fails, the node can reassign virtual IP addresses from the failed port to other ports on the node until no good ports remain and only then migrate virtual servers to another node or nodes.
Type: Application
Filed: July 23, 2001
Publication date: January 23, 2003
Inventors: Omar M.A. Gadir, Kartik Subbanna, Ananda R. Vayyala, Hariprasad Shanmugam, Amod P. Bodas, Tarun Kumar Tripathy, Ravi S. Indurkar, Kurma H. Rao