Abstract: A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, obtains a key for the access point sending the frame, and validates the management frame using the key.

Abstract: Presented herein are techniques for adding a secure control layer to a distributed communication fabric that supports publish-subscribe (pub-sub) and direct query (synchronization) communication. The secure control layer is configured to perform policy-based authentication techniques to securely manage the exchange of data/information within the communication fabric and enable registration/discovery of new capabilities.

Abstract: A method for multicast load balancing in a wireless network having a plurality of access points. The method includes setting a maximum Internet protocol multicast bandwidth for the access points, receiving an admissions control request from a client at one of the access points, and determining whether the admissions control request from the client is for an admitted or unadmitted multicast stream at the access point. The access point is responsive to the admissions control request for the admitted multicast stream by servicing the admitted multicast stream and to the admissions control request for the unadmitted multicast stream by servicing the unadmitted multicast stream where the bandwidth required for the unadmitted multicast stream, plus that portion of the access point bandwidth currently used for all existing downlink multicast streams, does not exceed the maximum internet protocol multicast bandwidth for the access point.

Abstract: Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device, to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the identity provider device. The identity provider device uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server.

Abstract: In an example embodiment, there is described herein a location based detection technique that determines whether multiple requests from different addresses, such as a Layer 2 MAC (Media Access Control) address and/or layer 3 IP (Internet Protocol) address are being sent form a single device. In particular embodiments, if the device sends more than a predefined threshold number of requests, those requests can be ignored and/or denied.

Abstract: Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device (IdP), to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the IdP. The IdP uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server.

Abstract: Presented herein are object filtering techniques that optimize the communication of information over an infrastructure that supports publish-subscribe (pub-sub) and direct query (synchronization) communication. In the object filtering techniques, a single information publisher can share that information in an associated object graph with many different consumers over the infrastructure without sharing the entire object graph.

Abstract: In an example embodiment, an apparatus comprising a transceiver configured to send and receive data and logic coupled to the transceiver. The logic is configured to determine from a signal received by the transceiver whether an associated device sending the signal supports a protocol for advertising available services. The logic is configured to send a request for available services from the associated device via the transceiver responsive to determining the associated device supports the protocol. The logic is configured to receive a response to the request via the transceiver, the response comprising at least one service advertisement and a signature. The logic is configured to validate the response by confirming the signature.

Abstract: Methods and systems for use in a wireless client that includes one or more wireless network interfaces for communicating with at least one access point wherein the method enables the wireless client to validate the authenticity and integrity of received management frames. The method includes receiving a protected wireless network management frame from an access point verifying a message integrity check (MIC) appended to the protected wireless network management frame. One or more security policies are then conditionally applied based on a failure to verify the MIC.

Abstract: Presented herein are techniques for adding a secure control layer to a distributed communication fabric that supports publish-subscribe (pub-sub) and direct query (synchronization) communication. The secure control layer is configured to perform policy-based authentication techniques to securely manage the exchange of data/information within the communication fabric and enable registration/discovery of new capabilities.

Abstract: A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, obtains a key for the access point sending the frame, and validates the management frame using the key.

Abstract: In an example embodiment, an apparatus comprising a transceiver configured to send and receive data and logic coupled to the transceiver. The logic is configured to determine from a signal received by the transceiver whether an associated device sending the signal supports a protocol for advertising available services. The logic is configured to send a request for available services from the associated device via the transceiver responsive to determining the associated device supports the protocol. The logic is configured to receive a response to the request via the transceiver, the response comprising at least one service advertisement and a signature. The logic is configured to validate the response by confirming the signature.

Abstract: In one embodiment, a method includes sending by an endpoint a request for information about available services to a network device; receiving by the endpoint a message from the network device, the message including information associated with a first service provider; determining by the endpoint whether the first address is certified by a trusted third party as being associated with the first service provider; if the first address is certified by the trusted third party, communicating by the endpoint with the first service provider using the information; and, in response to communicating with the first service provider using the information, receiving by the endpoint access to a service from the first service provider through the network device.

Abstract: A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, obtains a key for the access point sending the frame, and validates the management frame using the key.

Abstract: Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device (IdP), to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the IdP. The IdP uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server.

Abstract: A system that enables network authorization status to be conveyed to the device requesting network services within or outside the scope of an authentication exchange is provided. The authorization status notification or information can be automatically generated or otherwise triggered by a request from the user or device. For instance, a query can be employed to solicit device authorization status related to a particular service or group of services. Additionally, authorization status notification can be automatically triggered based upon a change in the device authorization state.

Abstract: A method for multicast load balancing in a wireless network having a plurality of access points. The method includes setting a maximum Internet protocol multicast bandwidth for the access points, receiving an admissions control request from a client at one of the access points, and determining whether the admissions control request from the client is for an admitted or unadmitted multicast stream at the access point. The access point is responsive to the admissions control request for the admitted multicast stream by servicing the admitted multicast stream and to the admissions control request for the unadmitted multicast stream by servicing the unadmitted multicast stream where the bandwidth required for the unadmitted multicast stream, plus that portion of the access point bandwidth currently used for all existing downlink multicast streams, does not exceed the maximum internet protocol multicast bandwidth for the access point.

Abstract: A method for multicast load balancing in a wireless network having a plurality of access points. The method includes setting a maximum Internet protocol multicast bandwidth for the access points, receiving an admissions control request from a client at one of the access points, and determining whether the admissions control request from the client is for an admitted or unadmitted multicast stream at the access point. The access point is responsive to the admissions control request for the admitted multicast stream by servicing the admitted multicast stream and to the admissions control request for the unadmitted multicast stream by servicing the unadmitted multicast stream where the bandwidth required for the unadmitted multicast stream, plus that portion of the access point bandwidth currently used for all existing downlink multicast streams, does not exceed the maximum internet protocol multicast bandwidth for the access point.

Abstract: A mesh access point that includes an access point profile storing one ore more parameters in non-volatile memory, and a method of using the mesh access point having the access point profile to select and carry out mutual authentication on a wireless mesh network to establish itself to the mesh network using information in the access point profile, and further to provide services to wireless clients according to information in the access point profile. Access point profiles can be pre-configured/configured/updated suitably in order to adapt the mesh access point in a mesh network according to its capabilities and requirements.

Abstract: Authentication in a mesh network controlled by a central controller, including using standard IEEE 802.11i mechanisms between a potential child mesh access point (AP) as supplicant and the controller as authenticator. Each mesh AP in the mesh network has a secure tunnel to a controller using a protocol for controlling the mesh AP, including AP capabilities, and a fast roaming method for re-establishing a secure layer-2 link with a new parent mesh AP including, while the mesh AP is a child mesh AP to the first parent mesh AP and has a secure layer-2 link to the first parent mesh AP, caching key information and wireless mesh network identity information in the controller.