Abstract: Disclosed herein are systems, methods, and computer-readable media for enabling multi-factor authentication (MFA) for an Internet Of Things (IoT) device. In one aspect, a method includes receiving a network connection request from the IoT device to connect to a network. In one aspect, the method includes fetching authentication information for the device in response to the request. In one aspect, the method includes authenticating the device to the network. In one aspect, the method includes in response to the authentication of the device to the network, establishing a network connection between the IoT device and the network. In one aspect, the method includes applying the MFA policy. In one aspect, the method includes after successful compliance with the MFA policy establishing a session between the device and the application over the network.

Abstract: A method of transmitting an encrypted data packet includes, with a processor, in response to receiving the encrypted data packet, executing an extended Berkeley packet filter (eBPF) application at an express data path (XDP) hook point located within a kernel space, determining whether the encrypted data packet is to be processed via a trusted application (TA) within a trusted execution environment (TEE) based on an analysis by the eBPF application, and identifying application intelligence data defining packet forwarding decisions based on a manner in which the encrypted data packet is processed.

Abstract: In one embodiment, a method herein comprises: establishing, by a process, a virtual private network connection (VPN connection) with a particular VPN gateway; requesting, by the process, observability monitoring through the particular VPN gateway, wherein requesting results in a controller being informed about the particular VPN gateway and a domain of the particular VPN gateway; receiving, by the process, test specifics from the controller based on the particular VPN gateway and the domain of the particular VPN gateway; and executing, by the process, one or more tests to the particular VPN gateway based on the test specifics.

Abstract: The present invention provides a system, method and apparatus for authenticating calls that is a robust Anti-vishing solution. The present invention can identify Caller ID spoofing, verify dialed number to detect man-in-the middle and verify called party against dialed digits to detect impersonation. This solution can handle calls coming from any phone any where with little impact on user experience. Two separate solutions are tailored for smart phones (communication devices capable of running application software) and traditional phones to reduce the impact to user experience while providing robust verification.

Abstract: A source network address and port translation (NAPT) mechanism is described that reduces or eliminates the need to log any NAT translations. As described herein, a mapping between a subscriber's private address to a public address and port range is determined algorithmically. Given a particular mapping rule, as specified by the service provider, a subscriber is repeatedly and deterministically mapped to the same public network address and a specific port range for that network address. Once the public address and port range for a subscriber are computed, the particular ports for each session for that subscriber are allocated dynamically within the computed NAT port range on per session basis.

Abstract: A node is configured to receive, from a second node, a request to establish a session; perform, in response to the request, a network address translation (NAT) operation to establish the session, the NAT operation causing a first port block to be allocated to the session, the first port block including a first set of ports via which traffic, associated with the session, is transported; determine that the set of ports are no longer available for the session; determine whether a quantity of times that the first port block has been allocated to the session is greater than a threshold; and retain the first port block, for the session, when the quantity of times that the first port block has been allocated to the session is not greater than the threshold.

Abstract: A network device may receive a request from a local device to establish a connection with a another device. The request may include an internal network identifier of the local device. The network device may evaluate a plurality of external network identifiers, associated with the network device based on selected criteria. The network device may also, or alternatively, evaluate the external network identifiers by identifying an external network identifier that is already mapped to, or paired with, the internal network identifier. The network device may select an external network identifier, of the plurality of external network identifiers, based on the evaluation and establish the connection requested by the local device using the internal network identifier and the external network identifier.

Abstract: A node is configured to receive, from a second node, a request to establish a session; perform, in response to the request, a network address translation (NAT) operation to establish the session, the NAT operation causing a first port block to be allocated to the session, the first port block including a first set of ports via which traffic, associated with the session, is transported; determine that the set of ports are no longer available for the session; determine whether a quantity of times that the first port block has been allocated to the session is greater than a threshold; and retain the first port block, for the session, when the quantity of times that the first port block has been allocated to the session is not greater than the threshold.

Abstract: The present invention provides a system, method and apparatus for authenticating calls that is a robust Anti-vishing solution. The present invention can identify Caller ID spoofing, verify dialed number to detect man-in-the middle and verify called party against dialed digits to detect impersonation. This solution can handle calls coming from any phone any where with little impact on user experience. Two separate solutions are tailored for smart phones (communication devices capable of running application software) and traditional phones to reduce the impact to user experience while providing robust verification.

Abstract: A source network address and port translation (NAPT) mechanism is described that reduces or eliminates the need to log any NAT translations. As described herein, a mapping between a subscriber's private address to a public address and port range is determined algorithmically. Given a particular mapping rule, as specified by the service provider, a subscriber is repeatedly and deterministically mapped to the same public network address and a specific port range for that network address. Once the public address and port range for a subscriber are computed, the particular ports for each session for that subscriber are allocated dynamically within the computed NAT port range on per session basis.

Abstract: A node is configured to receive, from a second node, a request to establish a session; perform, in response to the request, a network address translation (NAT) operation to establish the session, the NAT operation causing a first port block to be allocated to the session, the first port block including a first set of ports via which traffic, associated with the session, is transported; determine that the set of ports are no longer available for the session; determine whether a quantity of times that the first port block has been allocated to the session is greater than a threshold; and retain the first port block, for the session, when the quantity of times that the first port block has been allocated to the session is not greater than the threshold.

Abstract: The present invention provides a system, method and apparatus for authenticating calls that is a robust Anti-vishing solution. The present invention can identify Caller ID spoofing, verify dialed number to detect man-in-the middle and verify called party against dialed digits to detect impersonation. This solution can handle calls coming from any phone any where with little impact on user experience. Two separate solutions are tailored for smart phones (communication devices capable of running application software) and traditional phones to reduce the impact to user experience while providing robust verification.

Abstract: A network device may receive a request from a local device to establish a connection with a another device. The request may include an internal network identifier of the local device. The network device may evaluate a plurality of external network identifiers, associated with the network device based on selected criteria. The network device may also, or alternatively, evaluate the external network identifiers by identifying an external network identifier that is already mapped to, or paired with, the internal network identifier. The network device may select an external network identifier, of the plurality of external network identifiers, based on the evaluation and establish the connection requested by the local device using the internal network identifier and the external network identifier.

Abstract: A network device may receive a request from a local device to establish a connection with a another device. The request may include an internal network identifier of the local device. The network device may evaluate a plurality of external network identifiers, associated with the network device based on selected criteria. The network device may also, or alternatively, evaluate the external network identifiers by identifying an external network identifier that is already mapped to, or paired with, the internal network identifier. The network device may select an external network identifier, of the plurality of external network identifiers, based on the evaluation and establish the connection requested by the local device using the internal network identifier and the external network identifier.

Abstract: A network device may receive a packet from a user device; allocate a first port range to the user device; measure a period of time after allocating the first port range; and allocate a second port range to the user device when the measured period of time is equal to a particular period of time. The first port range may be associated with a first Internet Protocol (IP) address.

Abstract: Techniques are described for providing secure network address translation (NAT) in a NAT device that provides endpoint-independent mapping (EIM) and endpoint-independent filtering (EIF) operations.

Abstract: The present invention provides a system, method and apparatus for authenticating calls that is a robust Anti-vishing solution. The present invention can identify Caller ID spoofing, verify dialed number to detect man-in-the middle and verify called party against dialed digits to detect impersonation. This solution can handle calls coming from any phone any where with little impact on user experience. Two separate solutions are tailored for smart phones (communication devices capable of running application software) and traditional phones to reduce the impact to user experience while providing robust verification.