Abstract: Example methods and systems for implementing an process-aware identity firewall are described. In one example, a computer system may detect a request for a virtualized computing instance to access a resource. The computer system may obtain (a) identity information identifying a user or a user device associated with the virtualized computing instance and (b) process information associated with a process that initiates the request to access the resource. The computer system may map the identity information, the network event information and the process information to an identity firewall rule that includes at least (a) a first parameter that is mappable to the identity information, (b) a second parameter that is mappable to the network event information and (c) a third parameter that is mappable to the process information. The identity firewall rule may be applied to allow or block the request to access the resource.

Abstract: In an example, a method may include maintaining a virtual machine (VM) object storing a security policy of a VM running on a first host computing system. Further, the method may include attaching the VM object to the VM. In response to detecting a trigger event, the method may include identifying a second host computing system that is in compliance with the security policy in the VM object. Furthermore, the method may include executing a management operation to migrate or clone the VM along with the attached VM object from the first host computing system to the second host computing system.

Abstract: Systems, methods and computer software are disclosed for providing multi-User Equipment (UE) and multi-message support in tunnel management messages. In one embodiment, a method is disclosed, comprising: determining, for a first node and a second node using GPRS Tunneling Protocol (GTP) tunneling support for UE management, if the first node and the second node support multi-UE messaging; when the first node and the second node support multi-UE messaging, then switching to multi-UE multi-messaging mode wherein a chain of messages are formed; and when at least one of the first node and second node do not support multi-UE messaging, then using conventional tunnel management messaging.

Abstract: Securely persisting transient data between virtual machine restarts or VM migrations involves terminating, by a first virtual machine (VM) during a shutdown process for the first VM, execution of user-space processes on the first VM, writing, by a first agent executing on the first VM, protected data from transient memory of the first VM to a virtual disk accessible by the first VM and shutting down the first VM. The process also involves initiating a startup process of a second VM, the second VM mounting the virtual disk; and executing, at the second VM and prior to execution of user-space processes, a second agent, the second agent being configured to: read the protected data from the virtual disk into transient memory of the second VM; and delete the protected data from the virtual disk.

Abstract: Systems, methods and computer software are disclosed for providing multi-User Equipment (UE) and multi-message support in tunnel management messages. In one embodiment, a method is disclosed, comprising: determining, for a first node and a second node using GPRS Tunneling Protocol (GTP) tunneling support for UE management, if the first node and the second node support multi-UE messaging; when the first node and the second node support multi-UE messaging, then switching to multi-UE multi-messaging mode wherein a chain of messages are formed; and when at least one of the first node and second node do not support multi-UE messaging, then using conventional tunnel management messaging.

Abstract: Example methods and systems for identity firewall with context information tracking are described. In one example, a first computer system may detect establishment of a connection with a virtualized computing instance, and track context information associated with the connection. The context information may include (a) first identity information that is associated with a prior connection between the client device and a second computer system, and (b) second identity information that is associated with the connection with the virtualized computing instance. Further, the first computer system may obtain a first identity firewall policy associated with the first identity information. In response to detecting a packet associated with a flow originating from, or destined for, the virtualized computing instance, the first computer system may allow or block forwarding of the packet based on the first identity firewall policy.

Abstract: Example methods and systems for malicious process termination are described. In one example, a computer system may detect a first instance of a malicious network activity associated with a first virtualized computing instance. Termination of a first process implemented by the first virtualized computing instance may be triggered, the first instance of the malicious network activity being associated with the first process. The computer system may obtain event information associated with the first process and/or the first instance of the malicious network activity, and trigger termination of a second process implemented by a second virtualized computing instance based on the event information. Examples of the present disclosure may be implemented to leverage the detection of the first instance of the malicious network activity to terminate both the first process and the second process, and to block a second instance of a malicious network activity associated with the second process.

Abstract: Systems, methods and computer software are disclosed for providing core High Availability (HA) for a wireless network. In one embodiment, a method is disclosed, comprising: providing a first node, a second node and a third node; allocating a set of locally generated Tunnel Endpoint Identifiers (TEIDs) for UEs anchored on the second node; detecting, by a first node, a second node having a connectivity issue; and migrating a User Equipment (UE) connected to the second node to a third node which is accessible; using the set of locally generated TEIDs to identify the UE migration.

Abstract: Some embodiments provide a method of preventing network spread of malware files. At a host computer executing in a datacenter, the method receives a request from a particular compute machine executing on the host computer to open a file that was downloaded to the host computer for the particular machine. The method determines whether the file is a known file that has been previously assessed to contain malware. Based on a determination that the file is unknown, the method allows the particular compute machine to open the file while also (i) creating a record to identify the file as a file that is currently being analyzed to assess whether the file contains malware, and (ii) distributing the record to other host computers in the datacenter to ensure that the file cannot be opened on the other host computers until it has been analyzed to confirm that the file does not contain malware.

Abstract: Some embodiments provide a method of preventing network spread of malware files. At a first host computer, the method detects an attempt to establish a file-transfer connection between a first compute machine executing on the first host computer and a second compute machine executing on a second host computer, the file transfer connection for transferring a particular file stored by the first compute machine. The method delays establishment of the file-transfer connection in order to perform an analysis of the particular file to determine whether the particular file contains malware. When the file is determined to contain malware, the method prevents the file-transfer connection from being established between the first and the second compute machines to prevent the file from being transferred.

Abstract: Some embodiments provide a method of preventing network spread of malware files. At an edge device that provides a connection between a datacenter and an external network, the method receives, from the external network, a file that is destined to a particular machine executing in the datacenter. The method determines whether the file is a known file that has been previously assessed to contain malware. Based on a determination that the file is an unknown file, the method performs an analysis on the file to determine whether the file contains malware. The file cannot be opened by any machines during the analysis. When the file is determined to be a file that does not contain malware, the method allows the file to be downloaded to the particular machine.

Abstract: Systems, methods and computer software are disclosed for providing multi-User Equipment (UE) and multi-message support in tunnel management messages. In one embodiment, a method is disclosed, comprising: determining, for a first node and a second node using GPRS Tunneling Protocol (GTP) tunneling support for UE management, if the first node and the second node support multi-UE messaging; when the first node and the second node support multi-UE messaging, then switching to multi-UE multi-messaging mode wherein a chain of messages are formed; and when at least one of the first node and second node do not support multi-UE messaging, then using conventional tunnel management messaging.

Abstract: Systems, methods and computer software are disclosed for providing network address translation with a tunnel identifier (TEID) in a cellular network. A HetNet Gateway (HNG) allocates at least a portion of a unique TEID for a user equipment (UE). The HNG receives a packet having a source field in the packet header including an Internet Protocol (IP) address. The HNG replaces the IP address in a source field of the packet header of the packet with the unique TEID for the UE and forwards the packet using the unique TEID to a packet gateway (PGW).

Abstract: Systems, methods and computer software are disclosed for providing multi-User Equipment (UE) and multi-message support in tunnel management messages. In one embodiment, a method is disclosed, comprising: determining, for a first node and a second node using GPRS Tunneling Protocol (GTP) tunneling support for UE management, if the first node and the second node support multi-UE messaging; when the first node and the second node support multi-UE messaging, then switching to multi-UE multi-messaging mode wherein a chain of messages are formed; and when at least one of the first node and second node do not support multi-UE messaging, then using conventional tunnel management messaging.

Abstract: Systems, methods and computer software are disclosed for supporting idle mode signaling reduction (ISR) core offload. In one embodiment a method includes providing an eNodeB co-located with a NodeB, and a User Equipment (UE) with ISR enabled; activating ISR when the UE goes idle and is switching between different Radio Access Technologies (RATs), and wherein UE connections are maintained with a Serving GPRS Support Node (SGSN) and a Mobility Management Entity (MME).

Abstract: Systems, methods and computer software are disclosed for providing core High Availability (HA) for a wireless network. In one embodiment, a method is disclosed, comprising: providing a first node, a second node and a third node; allocating a set of locally generated Tunnel Endpoint Identifiers (TEIDs) for UEs anchored on the second node; detecting, by a first node, a second node having a connectivity issue; and migrating a User Equipment (UE) connected to the second node to a third node which is accessible; using the set of locally generated TEIDs to identify the UE migration.

Abstract: Systems, methods and computer software are disclosed for providing core High Availability (HA) for a wireless network. In one embodiment, a method is disclosed, comprising: providing a first node, a second node and a third node; allocating a set of locally generated Tunnel Endpoint Identifiers (TEIDs) for UEs anchored on the second node; detecting, by a first node, a second node having a connectivity issue; and migrating a User Equipment (UE) connected to the second node to a third node which is accessible; using the set of locally generated TEIDs to identify the UE migration.

Abstract: A method and computer readable medium for providing accelerated lookup for ESP IPsec tunnels is presented. In one embodiment a method includes receiving an IP packet at a network stack; performing IPsec policy lookup of the IP packet to identify an ESP tunnel IP, thereby ensuring an inner IP is routable at an other end of the tunnel without installing a route for the inner IP at the network stack; performing a route lookup for the tunnel IP; and sending the IP packet across the ESP tunnel.

Abstract: Systems, methods and computer software are disclosed for providing a Diameter multifold message. In one embodiment a method is disclosed, comprising: providing a multifold-command Attribute Value Pair (AVP), the multifold-command AVP including an AVP code, a set of VMP flags, an AVP length and a vendor ID; including the AVP in a Capabilities Exchange Request (CER) command for a Diameter stack supporting multiplexing of commands in one message; and using the AVP to combine messages from multiple applications running on a single Diameter node and multiple commands from a single application.

Abstract: Systems, methods and computer software are disclosed for providing multi-User Equipment (UE) and multi-message support in tunnel management messages. In one embodiment, a method is disclosed, comprising: determining, for a first node and a second node using GPRS Tunneling Protocol (GTP) tunneling support for UE management, if the first node and the second node support multi-UE messaging; when the first node and the second node support multi-UE messaging, then switching to multi-UE multi-messaging mode wherein a chain of messages are formed; and when at least one of the first node and second node do not support multi-UE messaging, then using conventional tunnel management messaging.