Abstract: Example methods and systems for identity firewall with context information tracking are described. In one example, a first computer system may detect establishment of a connection with a virtualized computing instance, and track context information associated with the connection. The context information may include (a) first identity information that is associated with a prior connection between the client device and a second computer system, and (b) second identity information that is associated with the connection with the virtualized computing instance. Further, the first computer system may obtain a first identity firewall policy associated with the first identity information. In response to detecting a packet associated with a flow originating from, or destined for, the virtualized computing instance, the first computer system may allow or block forwarding of the packet based on the first identity firewall policy.

Abstract: Example methods and systems for malicious process termination are described. In one example, a computer system may detect a first instance of a malicious network activity associated with a first virtualized computing instance. Termination of a first process implemented by the first virtualized computing instance may be triggered, the first instance of the malicious network activity being associated with the first process. The computer system may obtain event information associated with the first process and/or the first instance of the malicious network activity, and trigger termination of a second process implemented by a second virtualized computing instance based on the event information. Examples of the present disclosure may be implemented to leverage the detection of the first instance of the malicious network activity to terminate both the first process and the second process, and to block a second instance of a malicious network activity associated with the second process.

Abstract: Systems, methods and computer software are disclosed for providing core High Availability (HA) for a wireless network. In one embodiment, a method is disclosed, comprising: providing a first node, a second node and a third node; allocating a set of locally generated Tunnel Endpoint Identifiers (TEIDs) for UEs anchored on the second node; detecting, by a first node, a second node having a connectivity issue; and migrating a User Equipment (UE) connected to the second node to a third node which is accessible; using the set of locally generated TEIDs to identify the UE migration.

Abstract: Some embodiments provide a method of preventing network spread of malware files. At a first host computer, the method detects an attempt to establish a file-transfer connection between a first compute machine executing on the first host computer and a second compute machine executing on a second host computer, the file transfer connection for transferring a particular file stored by the first compute machine. The method delays establishment of the file-transfer connection in order to perform an analysis of the particular file to determine whether the particular file contains malware. When the file is determined to contain malware, the method prevents the file-transfer connection from being established between the first and the second compute machines to prevent the file from being transferred.

Abstract: Some embodiments provide a method of preventing network spread of malware files. At an edge device that provides a connection between a datacenter and an external network, the method receives, from the external network, a file that is destined to a particular machine executing in the datacenter. The method determines whether the file is a known file that has been previously assessed to contain malware. Based on a determination that the file is an unknown file, the method performs an analysis on the file to determine whether the file contains malware. The file cannot be opened by any machines during the analysis. When the file is determined to be a file that does not contain malware, the method allows the file to be downloaded to the particular machine.

Abstract: Some embodiments provide a method of preventing network spread of malware files. At a host computer executing in a datacenter, the method receives a request from a particular compute machine executing on the host computer to open a file that was downloaded to the host computer for the particular machine. The method determines whether the file is a known file that has been previously assessed to contain malware. Based on a determination that the file is unknown, the method allows the particular compute machine to open the file while also (i) creating a record to identify the file as a file that is currently being analyzed to assess whether the file contains malware, and (ii) distributing the record to other host computers in the datacenter to ensure that the file cannot be opened on the other host computers until it has been analyzed to confirm that the file does not contain malware.

Abstract: Systems, methods and computer software are disclosed for providing multi-User Equipment (UE) and multi-message support in tunnel management messages. In one embodiment, a method is disclosed, comprising: determining, for a first node and a second node using GPRS Tunneling Protocol (GTP) tunneling support for UE management, if the first node and the second node support multi-UE messaging; when the first node and the second node support multi-UE messaging, then switching to multi-UE multi-messaging mode wherein a chain of messages are formed; and when at least one of the first node and second node do not support multi-UE messaging, then using conventional tunnel management messaging.

Abstract: Systems, methods and computer software are disclosed for providing network address translation with a tunnel identifier (TEID) in a cellular network. A HetNet Gateway (HNG) allocates at least a portion of a unique TEID for a user equipment (UE). The HNG receives a packet having a source field in the packet header including an Internet Protocol (IP) address. The HNG replaces the IP address in a source field of the packet header of the packet with the unique TEID for the UE and forwards the packet using the unique TEID to a packet gateway (PGW).

Abstract: Systems, methods and computer software are disclosed for providing multi-User Equipment (UE) and multi-message support in tunnel management messages. In one embodiment, a method is disclosed, comprising: determining, for a first node and a second node using GPRS Tunneling Protocol (GTP) tunneling support for UE management, if the first node and the second node support multi-UE messaging; when the first node and the second node support multi-UE messaging, then switching to multi-UE multi-messaging mode wherein a chain of messages are formed; and when at least one of the first node and second node do not support multi-UE messaging, then using conventional tunnel management messaging.

Abstract: Systems, methods and computer software are disclosed for supporting idle mode signaling reduction (ISR) core offload. In one embodiment a method includes providing an eNodeB co-located with a NodeB, and a User Equipment (UE) with ISR enabled; activating ISR when the UE goes idle and is switching between different Radio Access Technologies (RATs), and wherein UE connections are maintained with a Serving GPRS Support Node (SGSN) and a Mobility Management Entity (MME).

Abstract: Systems, methods and computer software are disclosed for providing core High Availability (HA) for a wireless network. In one embodiment, a method is disclosed, comprising: providing a first node, a second node and a third node; allocating a set of locally generated Tunnel Endpoint Identifiers (TEIDs) for UEs anchored on the second node; detecting, by a first node, a second node having a connectivity issue; and migrating a User Equipment (UE) connected to the second node to a third node which is accessible; using the set of locally generated TEIDs to identify the UE migration.

Abstract: Systems, methods and computer software are disclosed for providing core High Availability (HA) for a wireless network. In one embodiment, a method is disclosed, comprising: providing a first node, a second node and a third node; allocating a set of locally generated Tunnel Endpoint Identifiers (TEIDs) for UEs anchored on the second node; detecting, by a first node, a second node having a connectivity issue; and migrating a User Equipment (UE) connected to the second node to a third node which is accessible; using the set of locally generated TEIDs to identify the UE migration.

Abstract: A method and computer readable medium for providing accelerated lookup for ESP IPsec tunnels is presented. In one embodiment a method includes receiving an IP packet at a network stack; performing IPsec policy lookup of the IP packet to identify an ESP tunnel IP, thereby ensuring an inner IP is routable at an other end of the tunnel without installing a route for the inner IP at the network stack; performing a route lookup for the tunnel IP; and sending the IP packet across the ESP tunnel.

Abstract: Systems, methods and computer software are disclosed for providing a Diameter multifold message. In one embodiment a method is disclosed, comprising: providing a multifold-command Attribute Value Pair (AVP), the multifold-command AVP including an AVP code, a set of VMP flags, an AVP length and a vendor ID; including the AVP in a Capabilities Exchange Request (CER) command for a Diameter stack supporting multiplexing of commands in one message; and using the AVP to combine messages from multiple applications running on a single Diameter node and multiple commands from a single application.

Abstract: Systems, methods and computer software are disclosed for providing multi-User Equipment (UE) and multi-message support in tunnel management messages. In one embodiment, a method is disclosed, comprising: determining, for a first node and a second node using GPRS Tunneling Protocol (GTP) tunneling support for UE management, if the first node and the second node support multi-UE messaging; when the first node and the second node support multi-UE messaging, then switching to multi-UE multi-messaging mode wherein a chain of messages are formed; and when at least one of the first node and second node do not support multi-UE messaging, then using conventional tunnel management messaging.

Abstract: Systems, methods and computer software are disclosed for supporting idle mode signaling reduction (ISR) core offload. In one embodiment a method includes providing an eNodeB co-located with a NodeB, and a User Equipment (UE) with ISR enabled; activating ISR when the UE goes idle and is switching between different Radio Access Technologies (RATs), and wherein UE connections are maintained with a Serving GPRS Support Node (SGSN) and a Mobility Management Entity (MME).

Abstract: Systems, methods and computer software are disclosed for providing core High Availability (HA) for a wireless network. In one embodiment, a method is disclosed, comprising: providing a first node, a second node and a third node; allocating a set of locally generated Tunnel Endpoint Identifiers (TEIDs) for UEs anchored on the second node; detecting, by a first node, a second node having a connectivity issue; and migrating a User Equipment (UE) connected to the second node to a third node which is accessible; using the set of locally generated TEIDs to identify the UE migration.

Abstract: Systems, methods and computer software are disclosed for providing network address translation with a tunnel identifier (TEID) in a cellular network. A HetNet Gateway (HNG) allocates at least a portion of a unique TEID for a user equipment (UE). The HNG receives a packet having a source field in the packet header including an Internet Protocol (IP) address. The HNG replaces the IP address in a source field of the packet header of the packet with the unique TEID for the UE and forwards the packet using the unique TEID to a packet gateway (PGW).

Abstract: Method and system for transmitting same data by at least two different ports of a network device coupled to a computing device or to at least two different destinations coupled to a same port of the network device is provided. The computing device sends a single command for sending the same data to the network device. The network device obtains the same data from the computing device via one direct memory access (DMA) operation; and then sends only one notification for transmitting the same data via at least two different ports or to two different destinations via the same port.