Abstract: The invention detects a denial of service attack at a node by monitoring the number of discarded packets in relationship to the number of inbound packets. When an attack is detected, relevant inbound packet information is collected during the attack to help characterize the attack and at least to pinpoint the source of the last hop to the attacked node.

Abstract: The invention detects a denial of service attack at a node by monitoring the number of discarded packets in relationship to the number of inbound packets. When an attack is detected, relevant inbound packet information is collected during the attack to help characterize the attack and at least to pinpoint the source of the last hop to the attacked node.

Abstract: The invention determines if a security association (SA) extends end-to-end between a source node originating a connection and a destination node. In such a case, there will be no ambiguities in routing due to network address translation, and the SA is allowed. In the preferred embodiment, both end nodes of a security connection test themselves and the remote node for gateway status to determine if any ambiguities might exist in network routing due to the presence of a network address translator.

Abstract: The invention prevents server overload and possible server crippling due to a flooding of connectionless datagrams caused by intentional attack or otherwise. In response to a datagram from a host for a specified port, the number of datagrams already queued to the port from the host is determined. If this number exceeds a first threshold, the datagram is discarded. In the preferred embodiment, the threshold is determined by multiplying a percentage P by the number of available queue slots remaining for the port.

Abstract: Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing.

Abstract: Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing.

Abstract: The present invention may provide the ability to determine the actions triggered by a network security policy given a set of conditions. Embodiments of the invention involve testing the security policy at specified times, documenting and analyzing the test results for compliance, recording the results for auditing purposes, writing events to warn of non-compliance findings, and dynamically taking defensive action to prevent security breaches as the result of non-compliance findings.

Abstract: Preventing duplicate sources on a protocol connection that uses network addresses, protocols and port numbers to identify source applications that are served by a NAPT. If an arriving packet encapsulates an encrypted packet and has passed through an NAPT en route to the destination host, the encapsulated packet is decrypted to obtain an original source port number and original packet protocol from the decrypted packet. A source port mapping table (SPMT) is searched for an association between the NAPT source address, the original source port, and the original packet protocol associated with the NAPT source address and port number. If an incorrect association is found, the packet is rejected as representing an illegal duplicate source; that is, a second packet from a different host served by a NAPT that is USING the same SOURCE port and protocol.

Abstract: Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing.

Abstract: Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing.

Abstract: Improvements in intrusion detection are disclosed by providing intrusion event filtering and/or generic attack signature processing. These services may be integrated into a system or server that is the potential target of attack, or alternatively may be implemented in a network device. Filtering may be provided using sensitivity levels and suspicion levels. Generic attack signatures describe relatively broad classes of intrusions. Intrusion detection policy information may be used to direct the actions to be taken upon detecting an attack.

Abstract: The invention prevents server overload and possible server crippling due to a flooding of connect requests caused by intentional attack or otherwise. In response to a connection request from a host for a specified port, the number of connections to the port that are assigned to the host are determined. If this number exceeds a first threshold, the request is denied. It is possible to override this denial if a quality of service parameter pertaining to the host permits such an override. However, if the number of available connections to the port is less than a second threshold, the connection request is denied in any event.

Abstract: Improvements in intrusion detection are disclosed by providing integrated intrusion detection services. Preferably, these services are integrated into a system or server that is the potential target of attack. Stack-based security processing is leveraged for access to cleartext data within the layers of the protocol stack. Layer-specific attacks may therefore be processed efficiently. Evaluation of incoming traffic for an intrusion is preferably performed only after an error condition of some type has been detected. This approach reduces the overhead of intrusion detection by reducing the number of packets to be inspected, and at the same time allows more efficient packet inspection through use of context-specific information that may be used to direct the inspection to particular candidate attacks. Generic attack class capability is also disclosed. Intrusion detection policy information may be used to direct the actions to be taken upon detecting an attack.

Abstract: An authenticated network user is verified as entitled to access a network node or server on the network node, before the user is presented with any opportunity to access the system. An initial exchange of conventional protocol messages occurs between the user and the node to establish initial communications. This is done without presenting to the user any opportunity to logon or to access an application. The network node requests the transmission of an authenticated user certificate from the user and the network node verifies from the user certificate that the user represented by the user certificate is entitled to access the node. If the user as identified by the certificate is not entitled to access, the initial connection is dropped and the user is denied any further access opportunity.

Abstract: Ipsec rules are searched in order from rules containing the most specificity to those containing the least specificity of attributes. The static rules include placeholders for sets of dynamic rules. Dynamic rules are searched only if a placeholder is the first matching rule in the static table. For connection oriented protocols, security rule binding information is stored in association with the connection. This allows the searching of the rules to be performed only when a connection is first established. If a static or dynamic rule is changed during a connection, a search is repeated. For selected connectionless protocols, packets are treated as if they were part of a simulated connection. A pseudo-connection memory block is allocated with the creation of each socket and Ipsec security binding information is stored in the pseudo-connection memory block on a first packet.

Abstract: Ipsec rules are searched in order from rules containing the most specificity to those containing the least specificity of attributes. The static rules include placeholders for sets of dynamic rules. Dynamic rules are searched only if a placeholder is the first matching rule in the static table. Sets of dynamic rules are partitioned into separate groups. Within each group there is no rule order dependence. Each such group is searched with an enhanced search mechanism, such as a search tree. For connection oriented protocols, security rule binding information is stored in association with the connection. This allows the searching of the rules to be performed only when a connection is first established. If a static or dynamic rule is changed during a connection, a search is repeated. For selected connectionless protocols, packets are treated as if they were part of a simulated connection.

Abstract: IPSec rules are searched in an improved manner to reduce processing overhead. For selected connectionless protocols, packets are treated as if they were part of a simulated connection. A pseudo-connection memory block is allocated with the creation of each socket and IPSec security binding information is stored in the pseudo-connection memory block on a first packet. Thereafter, as long as the source address and port in incoming packets on the same socket or destination address and port in outgoing packets on the same socket remain the same, the packets are treated as part of a simulated connection. The security rules are not searched again until the simulated connection terminates or the static rule table is modified. In the preferred embodiment, security binding is made only to the static rule or placeholder.

Abstract: Ipsec rules are searched in order from rules containing the most specificity of attributes to those containing the least specificity of attributes. The static rules include placeholders for sets of dynamic rules. The placeholders in the static table immediately precede and point to an associated set of dynamic rules. Dynamic rules are searched only if a placeholder is found to be the first matching rule in the static table. Sets of dynamic rules are partitioned into separate groups. Within each group there is no rule order dependence. Each such group is searched with an enhanced search mechanism, such as a search tree. Searching is further improved by searching at layers higher than the IP layer.

Abstract: Methods, systems (apparatus) and computer program products are provided which control access to a shared resource in a data processing system by predicting utilization of the shared resource based upon historical utilization of the shared resource. Users of the shared resource are then notified of a potential shortage of the shared resource if the prediction predicts that the shared resource will be over-utilized. The prediction may utilize a linear extrapolation to predict future utilization of the share resource. Furthermore, the interval between predictions of the future utilization may be based on time, number of utilization events or a combination of the two.

Abstract: Management of the processing of relatively large data objects in a communications stack having multiple layers improves the performance in a communications system in preparing relatively large data objects for transmission across a communications network. This reduces or eliminates data movement and copying during segmentation of the relatively large data objects into relatively small data objects, and appendage of headers to the relatively small data object segments during processing in the communications stack. A shared storage manager creates and controls multiple tokens representing multiple images of portions of the relatively large data objects to enable separate scheduling of the multiple images from the same storage unit or buffer to be passed from one layer in a communications stack to the next lower layer in the communications stack. The large data object is segmented into a plurality of relatively small data object segments at one or more of the layers in the communications stack.