Abstract: An example of a computing system is described herein. The computing system includes a plurality of network security devices. The computing system also includes a network switch configured to direct network traffic. The computing system further includes a controller coupled to the network switch. The controller is to instruct the network switch in directing network traffic to the plurality of network security devices.

Abstract: A security system for a network maintains security policies that each includes a risk level. The security system maintains groups, with each group being associated with a security policy. Assets of the network are assigned to groups according to the risk assessments of the assets. Security policy associated with a group is enforced against network traffic of an asset when the asset is assigned to the group.

Abstract: Example embodiments disclosed herein relate to perform a security action, (e.g., filtering) based on reputation and a signature match. A reputation is determined of a devices associated with a network packet or network packet stream. It is determined whether a signature matches the network packet or an associated flow of the network packet. The security action is determined based on the reputation and the match.

Abstract: According to an example, security and access control may include receiving traffic that is related to an application tier of a plurality of application tiers, and that is to be routed to another application tier or within the application tier. The attributes of the traffic related to the application tier may be analyzed, and based on the analysis, an application related to the traffic and a type of the traffic may be determined. The type of the traffic may be compared to a policy related to the application to determine whether the traffic is valid traffic or invalid traffic. Based on a determination that the traffic is valid traffic, the valid traffic may be forwarded to an intended destination. Further, based on a determination that the traffic is invalid traffic, the invalid traffic may be forwarded to a predetermined destination or blocked.

Abstract: Example embodiments disclosed herein relate to providing network security. A network security device parses an initial handshake or communication to establish an encrypted channel between two endpoints. The network security device validates a certificate chain between the two endpoints and determines a reputation for each of one or more signers of a respective one or more certificates of the certificate chain. The network security device determines a certificate reputation for the certificate chain.

Abstract: According to an example, configurable workload optimization may include selecting a performance optimized application workload from available performance optimized application workloads. A predetermined combination of removable workload optimized modules may be selected to implement the selected performance optimized application workload. Different combinations of the removable workload optimized modules may be usable to implement different ones of the available performance optimized application workloads. The predetermined combination of the removable workload optimized modules may be managed to implement the selected performance optimized application workload. Data flows directed to the predetermined combination of the removable workload optimized modules may be received.

Abstract: According to an example, configurable network security may include receiving data flows directed to end node modules of a server, and selecting data flows from the received data flows based on an analysis of attributes of the received data flows. The selected data flows may be less than the received data flows. A number of IPS data plane modules of the server that are available for inspection of the selected data flows may be determined. The selected data flows may be distributed between the IPS data plane modules based on the determined number of the IPS data plane modules. The distributed data flows may be inspected using the IPS data plane modules to identify malicious and benign data flows, and to determine whether to drop the malicious data flows, direct the malicious data flows to a predetermined destination, or forward the benign data flows to the end node modules.

Abstract: An example of a computing system is described herein. The computing system includes a network switch configured to direct network traffic. The computing system also includes a network device to receive the network traffic. The computing system further includes a controller coupled to the network switch. The controller is to monitor network traffic in the network switch and generate a policy to instruct the network switch in selecting a portion of the network traffic to direct to the network device.

Abstract: An example of a computing system is described herein. The computing system includes a plurality of network security devices. The computing system also includes a network switch configured to direct network traffic. The computing system further includes a controller coupled to the network switch. The controller is to instruct the network switch in directing network traffic to the plurality of network security devices.

Abstract: In one implementation, a risk assessment of an asset is compared to a risk level of a security policy and network traffic associated with the asset is assigned to a group associated with the security policy when the risk assessment achieves the risk level of the security policy.

Abstract: According to an example, configurable network security may include receiving data flows directed to end node modules of a server, and selecting data flows from the received data flows based on an analysis of attributes of the received data flows. The selected data flows may be less than the received data flows. A number of IPS data plane modules of the server that are available for inspection of the selected data flows may be determined. The selected data flows may be distributed between the IPS data plane modules based on the determined number of the IPS data plane modules. The distributed data flows may be inspected using the IPS data plane modules to identify malicious and benign data flows, and to determine whether to drop the malicious data flows, direct the malicious data flows to a predetermined destination, or forward the benign data flows to the end node modules.

Abstract: Example embodiments disclosed herein relate to providing network security. A network security device parses an initial handshake or communication to establish an encrypted channel between two endpoints. The network security device validates a certificate chain between the two endpoints and determines a reputation for each of one or more signers of a respective one or more certificates of the certificate chain. The network security device determines a certificate reputation for the certificate chain.

Abstract: According to an example, security and access control may include receiving traffic that is related to an application tier of a plurality of application tiers, and that is to be routed to another application tier or within the application tier. The attributes of the traffic related to the application tier may be analyzed, and based on the analysis, an application related to the traffic and a type of the traffic may be determined. The type of the traffic may be compared to a policy related to the application to determine whether the traffic is valid traffic or invalid traffic. Based on a determination that the traffic is valid traffic, the valid traffic may be forwarded to an intended destination. Further, based on a determination that the traffic is invalid traffic, the invalid traffic may be forwarded to a predetermined destination or blocked.

Abstract: According to an example, configurable workload optimization may include selecting a performance optimized application workload from available performance optimized application workloads. A predetermined combination of removable workload optimized modules may be selected to implement the selected performance optimized application workload. Different combinations of the removable workload optimized modules may be usable to implement different ones of the available performance optimized application workloads. The predetermined combination of the removable workload optimized modules may be managed to implement the selected performance optimized application workload. Data flows directed to the predetermined combination of the removable workload optimized modules may be received.

Abstract: Example embodiments disclosed herein relate to perform a security action, (e.g., filtering) based on reputation and a signature match. A reputation is determined of a devices associated with a network packet or network packet stream. It is determined whether a signature matches the network packet or an associated flow of the network packet. The security action is determined based on the reputation and the match.

Abstract: A process may include selecting from among entries in a primary connection table, an entry to be removed from a primary connection table in order to create space for another entry in the primary connection table. The process may further store in a secondary connection table an entry for the connection corresponding to the selected entry.