Abstract: A system includes an enterprise network including an internal management system communicatively coupled thereon, the enterprise network includes security and the internal management system is disposed behind the security; a cloud system external to the enterprise network and communicatively coupled to the enterprise network, at least one user associated with the enterprise network is configured to communicate through the cloud system for cloud-based services, and the cloud system is configured to log data associated with the at least one user for the cloud-based services; and an external service bridge located in the enterprise network behind the security, the external service bridge is configured to securely communicate with the cloud system to receive the log data and to communicate with the internal management system to provide the log data thereto.

Abstract: A network device may limit the rate at which control messages are forwarded to a destination device when forwarding traffic pursuant to dynamic flow capture (DFC). In one implementation, a system may receive filtering criteria associated with DFC of network traffic and passively filter incoming traffic based on the filtering criteria to obtain traffic that matches the filtering criteria. The system may transmit a rate limited version of control messages associated with the filtered traffic to a control device.

Abstract: State information is synchronized between a plurality of routing engines in a multi-chassis router according to a synchronization gradient. An example multi-chassis router is described that includes a primary routing engine and a standby routing engine in each chassis. According to the synchronization gradient, the primary routing engine of a control node updates state information on the standby routing engine of the control node prior to updating the primary routing engines of the other chassis. The primary routing engines of the other chassis update state information in respective standby routing engines prior to updating state information in consumers. If a primary routing engine fails, the corresponding standby routing engine assumes control of the primary routing engine's duties. Upon assuming control, a standby routing engine resumes updating state information without having to resend state information or interrupt packet forwarding.

Abstract: A network device comprises a service card (e.g., a dynamic flow capture (DFC) service card) executing a communication protocol to receive, from one or more control sources, flow capture information specifying at least one destination and criteria for matching one or more packet flows. The network device includes a network interface card to receive a packet from a network, a packet replication module to replicate the packet, and a control unit to provide the replicated packet from the interface card to the DFC service card. The network device includes a filter cache that caches flow capture information recently received from the CSs. The network device may provide real-time intercept and relaying of specified network-based communications. Moreover, the techniques described herein allow CSs to tap packet flows with little delay after specifying flow capture information, e.g., within 50 milliseconds, even under high-volume networks.

Abstract: A network device comprises a service card (e.g., a dynamic flow capture (DFC) service card) executing a communication protocol to receive, from one or more control sources, flow capture information specifying at least one destination and criteria for matching one or more packet flows. The network device includes a network interface card to receive a packet from a network, a packet replication module to replicate the packet, and a control unit to provide the replicated packet from the interface card to the DFC service card. The network device includes a filter cache that caches flow capture information recently received from the control sources. The network device may provide real-time intercept and relaying of specified network-based communications. Moreover, the techniques described herein allow control sources to tap packet flows with little delay after specifying flow capture information, e.g., within 50 milliseconds, even under high-volume networks.

Abstract: Systems, methods and apparatus for tunneling in a cloud based security system. Management of tunnels, such as data tunnels, between enterprises and processing nodes for a security service is facilitate by the use of virtual gateway nodes and migration failover to minimize traffic impacts when a tunnel is migrated from one processing node to another processing node.

Abstract: State information is synchronized between a plurality of routing engines in a multi-chassis router according to a synchronization gradient. An example multi-chassis router is described that includes a primary routing engine and a standby routing engine in each chassis. According to the synchronization gradient, the primary routing engine of a control node updates state information on the standby routing engine of the control node prior to updating the primary routing engines of the other chassis. The primary routing engines of the other chassis update state information in respective standby routing engines prior to updating state information in consumers. If a primary routing engine fails, the corresponding standby routing engine assumes control of the primary routing engine's duties. Upon assuming control, a standby routing engine resumes updating state information without having to resend state information or interrupt packet forwarding.

Abstract: A network device comprises a service card (e.g., a lawful intercept (LI) service card) executing a communication protocol to receive, from one or more sources (e.g., law enforcement agents), intercept information specifying at least one destination and criteria for matching one or more packet flows. The network device further includes a network interface card to receive a packet from a network, and a control unit to provide the packet from the interface card to the LI service card. The LI service card executes a flow match detection module that, when the packet matches the criteria of the intercept information, forwards the packet to the destination specified by the intercept information. The network device may provide real-time intercept and relaying of specified network-based communications. Moreover, the techniques described herein allow LEAs to tap packet flows with little delay after specifying intercept information, e.g., within 50 milliseconds, even under high-volume networks.

Abstract: State information is synchronized between a plurality of routing engines in a multi-chassis router according to a synchronization gradient. An example multi-chassis router is described that includes a primary routing engine and a standby routing engine in each chassis. According to the synchronization gradient, the primary routing engine of a control node updates state information on the standby routing engine of the control node prior to updating the primary routing engines of the other chassis. The primary routing engines of the other chassis update state information in respective standby routing engines prior to updating state information in consumers. If a primary routing engine fails, the corresponding standby routing engine assumes control of the primary routing engine's duties. Upon assuming control, a standby routing engine resumes updating state information without having to resend state information or interrupt packet forwarding.

Abstract: A network device comprises a service card (e.g., a dynamic flow capture (DFC) service card) executing a communication protocol to receive, from one or more control sources, flow capture information specifying at least one destination and criteria for matching one or more packet flows. The network device includes a network interface card to receive a packet from a network, a packet replication module to replicate the packet, and a control unit to provide the replicated packet from the interface card to the DFC service card. The network device includes a filter cache that caches flow capture information recently received from the CSs. The network device may provide real-time intercept and relaying of specified network-based communications. Moreover, the techniques described herein allow CSs to tap packet flows with little delay after specifying flow capture information, e.g., within 50 milliseconds, even under high-volume networks.

Abstract: Systems, methods and apparatus for tunneling in a cloud based security system. Management of tunnels, such as data tunnels, between enterprises and processing nodes for a security service is facilitate by the use of virtual gateway nodes and migration failover to minimize traffic impacts when a tunnel is migrated from one processing node to another processing node.

Abstract: Techniques are described for managing timeouts of filter criteria in a packet flow capture applications. The techniques allow for handling large amounts of timeouts used when monitoring a high volume of packet flows, without placing extreme demands on the operating system for managing the timeouts. The timeout data structure may be a circular array having a plurality of elements. The timeout array represents a span of time and the elements represent sequential units of time. Each element contains one or more pointers. The pointer may point to an entry in the filter table, or may be a null pointer. A timer thread periodically checks the timeout array to determine whether any timeouts occur at the current time. The timer thread checks the element of the array corresponding to the current time by computing an index into the array based on the current time.