Patents by Inventor Pradeep Bahl

Pradeep Bahl has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20120054825
    Abstract: A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. The security system provides a user interface through which a user can define a security rule that specifies both a firewall policy and a connection policy. After the security rule is specified, the security system automatically generates a firewall rule and a connection rule to implement the security rule. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules.
    Type: Application
    Filed: November 8, 2011
    Publication date: March 1, 2012
    Applicant: Microsoft Corporation
    Inventors: Charles D. Bassett, Eran Yariv, Ian M. Carbaugh, Lokesh Srinivas Koppolu, Maksim Noy, Sarah A. Wahlert, Pradeep Bahl
  • Patent number: 8126999
    Abstract: Network DNA may be determined for a computer network that taxonomically classifies the computer network. Network DNA may include derived network DNA components and raw network DNA components. Raw network DNA components may be acquired from local or remote sources. Derived network DNA components may be generated according to derived network DNA component specifications. Derived network DNA component specifications may reference raw network DNA components. Network DNA determined for the computer network may include a network species component capable of indicating network species classifications for computer networks. Network species classifications may include enterprise network, home network and public place network. Network species classifications may be determined as a function of network security, network management and network addressing. One or more network DNA stores may be configured to store network DNA for computer networks.
    Type: Grant
    Filed: February 6, 2004
    Date of Patent: February 28, 2012
    Assignee: Microsoft Corporation
    Inventors: Pradeep Bahl, Christopher J. Corbett, Mohamed Jawad Khaki
  • Patent number: 8079074
    Abstract: Architecture for facilitating access of remote system software functionality by a host machine for the redirection of incoming and/or outgoing host traffic through the remote system for protection services to the host machine. The host machine can gain the benefits of effective protection software such as firewall, intrusion protection software, and anti-malware services, of the remote machine. The host machine can choose to exercise traffic redirection when there is a risk of being compromised, and then revert back to direct communications when the risk has been averted. The host machine takes advantage of the resources available on the remote machine in substantially realtime with minimal disruption to the host and/or the remote machine operations. This facilitates widespread and temporary protection of network systems for a more secure working environment and improved customer experience.
    Type: Grant
    Filed: April 17, 2007
    Date of Patent: December 13, 2011
    Assignee: Microsoft Corporation
    Inventors: Pradeep Bahl, Rajesh K. Dadhia
  • Patent number: 8056124
    Abstract: A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. The security system provides a user interface through which a user can define a security rule that specifies both a firewall policy and a connection policy. After the security rule is specified, the security system automatically generates a firewall rule and a connection rule to implement the security rule. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules.
    Type: Grant
    Filed: July 15, 2005
    Date of Patent: November 8, 2011
    Assignee: Microsoft Corporation
    Inventors: Charles D. Bassett, Eran Yariv, Ian M. Carbaugh, Lokesh Srinivas Koppolu, Maksim Noy, Sarah A. Wahlert, Pradeep Bahl
  • Publication number: 20110238801
    Abstract: A framework and method are disclosed for supporting changed addresses by mobile network nodes. Such support is provided through enhancements to the mobile network nodes and utilizes DNS servers, Dynamic Host Configuration Protocol (DHCP), and virtual private network (VPN) servers—or their functional equivalents—to dynamically assign a current network address to a mobile node, provide the current network address to an authoritative name server, and thereafter have correspondent nodes update their addresses for the mobile node based upon an address provided by the authoritative name server. A mobile node registers all of its name-to-address mappings with its authoritative DNS server using a time to live of zero. Furthermore, when a mobile node moves outside its home security domain, the mobile node initiates a virtual private network connection to a virtual private server for a security domain.
    Type: Application
    Filed: June 9, 2011
    Publication date: September 29, 2011
    Applicant: Microsoft Corporation
    Inventor: Pradeep Bahl
  • Patent number: 7991854
    Abstract: A framework and method are disclosed for supporting changed addresses by mobile network nodes. Such support is provided through enhancements to the mobile network nodes and utilizes DNS servers, Dynamic Host Configuration Protocol (DHCP), and virtual private network (VPN) servers—or their functional equivalents—to dynamically assign a current network address to a mobile node, provide the current network address to an authoritative name server, and thereafter have correspondent nodes update their addresses for the mobile node based upon an address provided by the authoritative name server. A mobile node registers all of its name-to-address mappings with its authoritative DNS server using a time to live of zero. Furthermore, when a mobile node moves outside its home security domain, the mobile node initiates a virtual private network connection to a virtual private server for a security domain.
    Type: Grant
    Filed: March 19, 2004
    Date of Patent: August 2, 2011
    Assignee: Microsoft Corporation
    Inventor: Pradeep Bahl
  • Publication number: 20110179481
    Abstract: Among other things, one or more systems and/or methods for a network aware firewall are disclosed. A method comprises accessing a first network connection from a client computer system and determining whether the first network connection is a first network type or a second network type. The method further comprises dynamically modifying security parameters associated with a firewall local to the client computer system in response to determining whether the network connection is the first network type or the second network type.
    Type: Application
    Filed: January 21, 2011
    Publication date: July 21, 2011
    Applicant: Microsoft Corporation
    Inventors: Rajesh K. Dadhia, Fabien J. Royer, Pradeep Bahl
  • Patent number: 7979865
    Abstract: A computer-readable medium bearing computer-executable instructions which, when executed on a computer, carry out a method for handling a request for an operating system service is presented. The method comprises receiving a request for execution of an operating system service. The corresponding operating system service is then identified. A unique service identifier that corresponds to the requested operating system service is obtained. A service thread is generated, the thread being associated with an executing process. Storage associated with the service thread is initialized with the unique service identifier. Thereafter, the execution of the service thread is initiated.
    Type: Grant
    Filed: November 3, 2005
    Date of Patent: July 12, 2011
    Assignee: Microsoft Corporation
    Inventors: Narasimha Rao S. S. Nagampalli, Pradeep Bahl, Ramesh Chinta
  • Publication number: 20110131658
    Abstract: A dynamic risk management system for operating systems that provides monitoring, detection, assessment, and follow-up action to reduce the risk whenever it rises. The system enables an operating system to protect itself automatically in dynamic environments. The risk management system monitors a diverse set of attributes of the system which determines the security state of the system and is indicative of the risk the system is under. Based on a specification of risk levels for the various attributes and for their combinations, the risk management system determines whether one or more actions are required to alleviate the overall risk to the system.
    Type: Application
    Filed: February 8, 2011
    Publication date: June 2, 2011
    Applicant: Microsoft Corporation
    Inventor: Pradeep Bahl
  • Patent number: 7908660
    Abstract: A dynamic risk management system for operating systems that provides monitoring, detection, assessment, and follow-up action to reduce the risk whenever it rises. The system enables an operating system to protect itself automatically in dynamic environments. The risk management system monitors a diverse set of attributes of the system which determines the security state of the system and is indicative of the risk the system is under. Based on a specification of risk levels for the various attributes and for their combinations, the risk management system determines whether one or more actions are required to alleviate the overall risk to the system.
    Type: Grant
    Filed: February 6, 2007
    Date of Patent: March 15, 2011
    Assignee: Microsoft Corporation
    Inventor: Pradeep Bahl
  • Patent number: 7886351
    Abstract: A system and method for a network aware firewall is disclosed. The method includes accessing a first network connection from a client computer system and determining whether the first network connection is public or private. The method further includes dynamically modifying security parameters associated with a firewall local to the client computer system in response to determining whether the network connection is public or private.
    Type: Grant
    Filed: June 19, 2006
    Date of Patent: February 8, 2011
    Assignee: Microsoft Corporation
    Inventors: Rajesh K. Dadhia, Fabien J. Royer, Pradeep Bahl
  • Patent number: 7761607
    Abstract: An application program is disclosed for execution on a computing device capable of supporting network communications via multiple differing communication modes. The application includes a set of user interface elements facilitating easy user selection of one of a set of communication modes supported by the computing device. Thereafter, the selected communication mode is utilized to support communications for the application. The application program also includes an interface to a transport layer component. The interface initiates binding a network interface to an endpoint opened by the application in accordance with the designation of the communication mode. Furthermore, the interface passes transmission requests to the interface identifying the endpoint. Therefore the interface facilitates forcing use of the designated network interface to complete the transmission requests of the application.
    Type: Grant
    Filed: April 23, 2004
    Date of Patent: July 20, 2010
    Assignee: Microsoft Corporation
    Inventors: Amer Hassan, Pradeep Bahl
  • Patent number: 7720045
    Abstract: A system and method that allows a user to concurrently connect to multiple wireless networks with a single network interface card is presented. The networks may be infrastructure (“IS”) networks and ad hoc (“AH”) networks. A driver is inserted into a device's networking stack and exposes a plurality of virtual wireless network adapters, one for each network. The adapters are enabled and disabled in accordance with which network is presently activated. Packets for a network are queued when the network is not enabled. The wireless driver controls the switching of the network card. In one embodiment where multiple wireless cards are switching in and out of AH networks, the method converges the switching times for the cards in an AH network to ensure concurrent connectivity in the AH network for at least a brief time period every switching cycle of the wireless cards.
    Type: Grant
    Filed: May 2, 2003
    Date of Patent: May 18, 2010
    Assignee: Microsoft Corporation
    Inventors: Paramvir Bahl, Pradeep Bahl, Ranveer Chandra
  • Patent number: 7707619
    Abstract: A method and system for selectively excluding a program from a security policy is provided. The security system receives from a user an indication of a program with a problem that is to be excluded from the security policy. When the program executes and a security enforcement event occurs, the security system does not apply the security policy. If the problem appears to be resolved as a result of excluding the program from the security policy, then the user may assume that the security policy is the cause of the problem.
    Type: Grant
    Filed: January 28, 2005
    Date of Patent: April 27, 2010
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, Pradeep Bahl, Scott A. Field
  • Patent number: 7653700
    Abstract: Presented is a system and a method for load balancing multiple globally-dispersed servers based on client-centric performance criteria. The infrastructure of the system includes load balancing domain name servers (DNS-LBs) deployed in close physical proximity to the Internet service providers' points of presence. The DNS-LBs are then able to monitor the performance of the servers from a location close to the clients, which allows the DNS-LBs to select a server that will yield the best performance from that location for the client. A second level of the infrastructure utilizes domain name servers (DNS-Bs) that are deployed on the Internet backbones and regional providers. The authoritative domain name servers (DNS-As) for the servers to be load balanced refer all name queries to these DNS-Bs. The DNS-Bs then refer the queries to one of the DNS-LBs based on a mapping of the DNS-ISP address to its physically proximate DNS-LB.
    Type: Grant
    Filed: November 16, 2000
    Date of Patent: January 26, 2010
    Assignee: Microsoft Corporation
    Inventors: Pradeep Bahl, Feng Sun, Bernard D. Aboda, Arnold S. Miller
  • Patent number: 7610057
    Abstract: Criteria-driven methods and a framework are disclosed that facilitate configuration/selection of one or more wireless network interfaces/networks for carrying out wireless communications on a computing device. The wireless network interface selection and coexistence driver architecture described herein facilitates automated selection of a particular mode of network access based upon status information provided by a set of network interface drivers associated with particular network interfaces and wireless technologies. Furthermore, a criteria-driven interface/network selection framework is described that is potentially invoked in a variety of situations including, but not limited to, when an application is invoked or to select another interface/network to avoid detected interference.
    Type: Grant
    Filed: April 23, 2004
    Date of Patent: October 27, 2009
    Assignee: Microsoft Corporation
    Inventors: Pradeep Bahl, Paramvir Bahl, Amer Hassan
  • Patent number: 7603708
    Abstract: A computer system having secured network services is presented. The computer system comprises a processor, a memory, and a network action processing module. The network action processing module processes network actions from one or more network services executing on the computer system. The computer system is further configured to execute at least one network service performing network actions in conjunction with the network action processing module. Upon receiving a network action from a network service, the network action processing module determines whether the network action is a valid network action according to a network action control list. If the network action is determined to not be a valid network action, the network action is blocked. Alternatively, if the network action is determined to be a valid network action, the network action is permitted to be completed.
    Type: Grant
    Filed: July 13, 2005
    Date of Patent: October 13, 2009
    Assignee: Microsoft Corporation
    Inventors: Pradeep Bahl, Ramesh Chinta, Narasimha Rao S. S. Nagampalli, Scott A. Field
  • Patent number: 7587518
    Abstract: Presented is a system and method for providing centralized address management of static IP addresses through the dynamic host control protocol. Static or permanent IP addresses are those addresses assigned by DHCP having an infinite lease time. The assignment of such static IP addresses follows the conventional DHCP mechanism for the assignment of other IP addresses. However, the centralized reclamation of a statically or permanently assigned IP address by a network administrator through the DHCP server presents novel aspects of the invention heretofore unknown. Specifically, through the system and method of the present invention, the DHCP server is capable of reclaiming at any point in time, a statically or permanently assigned IP address by transmitting a DHCP RECLAIM command to the DHCP client, or through its relay agent. In the normal situation, the DHCP client acknowledges the RECLAIM command, allowing the IP address to be placed in the FREE state.
    Type: Grant
    Filed: August 18, 2005
    Date of Patent: September 8, 2009
    Assignee: Microsoft Corporation
    Inventor: Pradeep Bahl
  • Patent number: 7571308
    Abstract: In a method for controlling access to a network by a wireless client and a network, an access point on the network receives a request for a network address broadcast by the wireless client. The request is passed to an address server, which assigns a temporary address to the wireless client and provides the address of the access point. The wireless client then initiates a secure link with the access point based on the network address assigned by the address server and the address of the access point. If the secure link is not established before the temporary address expires, then the wireless client is denied access to the network.
    Type: Grant
    Filed: June 28, 2000
    Date of Patent: August 4, 2009
    Assignee: Microsoft Corporation
    Inventors: Pradeep Bahl, Timothy M. Moore
  • Patent number: 7564810
    Abstract: A power management scheme for use in a wireless device reduces the power consumption of the network interface module of the wireless device by selectively putting the network interface module into a low-power state for an idle time. The length of the idle time is calculated such that the amount of delayed traffic data accumulated is expected to be less than or equal to a pre-selected threshold when the network interface module is put in the low-power state for the calculated idle time. The amount of delayed traffic data as a function of the idle time is modeled using average inter-arrival and service rates that are derived from traffic statistics data.
    Type: Grant
    Filed: May 8, 2002
    Date of Patent: July 21, 2009
    Assignee: Microsoft Corporation
    Inventors: Edwin Hernandez, Arun Ayyagari, Timothy M. Moore, Krishna Ganugapati, Pradeep Bahl