Abstract: In one embodiment, a load balancer receives a message from a tunnel termination gateway (TTG) associated with a mobile device. The load balancer may receive messages from a plurality of TTGs. A gateway node in a plurality of gateway nodes in which to send the message is determined. The load balancer then assigns a NSAPI for use by the gateway node. For example, the NSAPI may be associated with a tunnel that is generated between the TTG and GGSN. The load balancer ensures that the assigned NSAPI is not currently in use at the gateway node. Thus, no overlapping of NSAPIs may occur even though the load balancer is processing messages from multiple TTGs for multiple gateway nodes.

Abstract: In one embodiment, a method includes receiving authorization data at a local node of a network. The authorization data indicates a particular network address of a different node in the network and an authenticated user ID of a user of the different node. Resource profile data is retrieved based on the user ID. The resource profile data indicates all application layer resources on the network that the user is allowed to access. The particular network address is associated at the local node with the resource profile data for the user. A request from the particular network address for a requested application layer resource on the network is blocked based on the resource profile data associated with the particular network address.

Abstract: In one embodiment, a security gateway receives an IPSec Initiation (IPSec INIT) request from a client. The security gateway may communicate with a AAA server to authenticate the client. After authentication, the security gateway intercepts a URR Discovery request from the client. The security gateway determines registration information for a response to the registration request. The registration information may be information on where the client can locate a D-GANC. A response is generated using the determined information and sent to the client. The response to the discovery request is performed without communicating with a P-GANC. Accordingly, a security gateway is used to authenticate the client and also to respond to the discovery request. This does not require that a P-GANC function be deployed in a network. Thus, cost and processing power may be saved.

Abstract: In one embodiment, while being connected to the network, a security issue may be detected and associated with the device. The device may be placed on a blacklist for the security issue. The blacklist is a list that is used to deny service for the device when it attempts to connect. Thus, the device is disconnected from the network. Identification information for the device is added to the blacklist at the authentication server. If the device attempts to reconnect to the network, the request is received at the authentication server. The authentication server can then check the blacklist and deny the request for access to the network if the identification information is on the blacklist. This denial is determined without sending the request to the HLR. Accordingly, the HLR is protected in that requests from a device that may be considered a security issue are not sent to the HLR.

Abstract: In one embodiment, techniques for authorizing a mobile device are provided. A registration request is received for the mobile device. The registration request may include location identifier information. For example, a cell ID may be provided. Static location information is then determined based on the location identifier information. The static location information may be spatial coordinates. The registration request is then authorized based on the static location information. For example, a cell ID may be received and then spatial coordinates may be determined based on the cell ID. The registration request is then authorized based on the spatial coordinates. A response to the registration request is then sent.

Abstract: An Unlicensed Mobile Access (UMA) network architecture. In a specific embodiment, the network architecture includes a mobile station and an access point in communication with the mobile station. A UMA Controller (UNC) communicates with the access point. A Service GateWay (SGW) communicates with the UMA controller. The SGW includes functionality to route user-plane packets in the UMA. In a more specific embodiment, the functionality includes UNC user-plane functionality offloaded from the UNC to the SGW; Serving GPRS Support Node (SGSN) user-plane functionality; access-authentication functionality sufficient to enable the SGW to enable the SGW to bypass a legacy SGSN control plane; and/or Radio Network Controller (RNC) user-plane functionality sufficient to enable communications between the SGW and the RNC.

Abstract: A system for enhancing functionality of a network. In a specific embodiment, the system employs strategic communications between a network controller and a security gateway. The strategic communications occur via a feedback communications channel between the network controller and the security gateway. The feedback communications channel facilitates transferring security information, such as International Mobile Subscriber Identity (IMSI) and other information, between the network controller and the security gateway. The security information may facilitate enabling the SGW to make intelligent decisions as to how to treat a client communications session. In the specific embodiment, the feedback communications channel includes an intervening Authentication, Authorization, and Accounting (AAA) server that is coupled between the UMA and the network controller.

Abstract: Techniques and systems for server farm load balancing and resource allocation are disclosed. In one embodiment, a method of load balancing can include: arranging servers into service groups; receiving an access request with information related to a differentiation between the service groups; selecting one of the service groups based on a mapping comparison to the information; and selecting one of the servers within the selected service group based on a hardware utilization comparison. The servers can include GPRS (General Packet Radio Service) Gateway Support Node (GGSN) or Remote Authentication Dial In User Service (RADIUS) servers, for example. The information can include an Access Point Name (APN) or Calling Station ID, for example.

Abstract: A system for efficiently reauthenticating a client of a network. In a specific embodiment, the system includes an authentication server and a Security GateWay (SGW) in communication with the client. The SGW includes reauthentication information associated with the client. In a more specific embodiment, the authentication server includes an Authentication, Authorization, and Accounting (AAA) server. The SGW further includes one or more routines for employing the reauthentication information to reauthenticate the client. The AAA server performs initial authentication of the client to enable client access to the network, which yields the reauthentication information. The reauthentication information includes one or more keys and/or counters, such as an authorization key, an encryption key, and a master key, which is/are predetermined by the AAA server.

Abstract: According to one embodiment of the present invention, there is provided a method for providing security in a network environment that includes receiving a flow that propagates through an access gateway. The flow is initiated by an end user associated with the flow and propagates through a network. The method also includes receiving accounting information indicative of the termination of the flow. In response, tearing down of the communication associated with the flow is initiated.

Abstract: Techniques for distributing control plane traffic, from an end node in a packet switched network to a cluster of service gateway nodes that host subscriber-aware application servers, include receiving a control plane message for supporting data plane traffic from a particular subscriber. A particular service gateway node is determined among the cluster of service gateway nodes based on policy-based routing (PBR) for the data plane traffic from the particular subscriber. A message based on the control plane message is sent to a control plane process on the particular service gateway node. Thereby, data plane traffic and control plane traffic from the same subscriber are directed to the same gateway node, or otherwise related gateway nodes, of the cluster of service gateway nodes. This approach allows currently-available, hardware-accelerated PBR to be used with clusters of subscriber-aware service gateways that must also monitor control plane traffic from the same subscriber.