Patents by Inventor Ravinder Verma

Ravinder Verma has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11582192
    Abstract: Multi-tenant cloud-based firewall systems and methods are described. The firewall systems and methods can operate overlaid with existing branch office firewalls or routers as well as eliminate the need for physical firewalls. The firewall systems and methods can protect users at user level control, regardless of location, device, etc., over all ports and protocols (not only ports 80/443) while providing administrators a single unified policy for Internet access and integrated reporting and visibility. The firewall systems and methods can eliminate dedicated hardware at user locations, providing a software-based cloud solution.
    Type: Grant
    Filed: February 4, 2020
    Date of Patent: February 14, 2023
    Assignee: Zscaler, Inc.
    Inventors: Srikanth Devarajan, Vladimir Stepanenko, Ravinder Verma, James Kawamoto
  • Publication number: 20220217121
    Abstract: A method implemented by a cloud-based system includes steps of, responsive to connecting to a user device with a user associated with a first tenant of a plurality of tenants, obtaining security policies for the user that are configured for the tenant, wherein the security policies for the user are the same regardless of connection type, location of the user, and device type and operating system of the user device; stream scanning traffic between the user device and the Internet based on the security policies, wherein the security policies are for firewall and intrusion prevention functions; and one of allowing and blocking the traffic based on the stream scanning.
    Type: Application
    Filed: January 26, 2022
    Publication date: July 7, 2022
    Inventors: Srikanth Devarajan, Sushil Pangeni, Vladimir Stepanenko, Ravinder Verma, Naresh kumar Povlavaram Munirathnam
  • Patent number: 11277383
    Abstract: Cloud-based Intrusion Prevention Systems (IPS) include receiving traffic associated with a user of a plurality of users, wherein each user is associated with a customer of a plurality of customers for a cloud-based security system, and wherein the traffic is between the user and the Internet; analyzing the traffic based on a set of signatures including stream-based signatures and security patterns; blocking the traffic responsive to a match of a signature of the set of signatures; and performing one or more of providing an alert based on the blocking and updating a log based on the blocking.
    Type: Grant
    Filed: April 27, 2020
    Date of Patent: March 15, 2022
    Assignee: Zscaler, Inc.
    Inventors: Srikanth Devarajan, Sushil Pangeni, Vladimir Stepanenko, Ravinder Verma, Naresh kumar Povlavaram Munirathnam
  • Publication number: 20200259792
    Abstract: Cloud-based Intrusion Prevention Systems (IPS) include receiving traffic associated with a user of a plurality of users, wherein each user is associated with a customer of a plurality of customers for a cloud-based security system, and wherein the traffic is between the user and the Internet; analyzing the traffic based on a set of signatures including stream-based signatures and security patterns; blocking the traffic responsive to a match of a signature of the set of signatures; and performing one or more of providing an alert based on the blocking and updating a log based on the blocking.
    Type: Application
    Filed: April 27, 2020
    Publication date: August 13, 2020
    Inventors: Srikanth Devarajan, Sushil Pangeni, Vladimir Stepanenko, Ravinder Verma, Naresh kumar Povlavaram Munirathnam
  • Publication number: 20200177548
    Abstract: Multi-tenant cloud-based firewall systems and methods are described. The firewall systems and methods can operate overlaid with existing branch office firewalls or routers as well as eliminate the need for physical firewalls. The firewall systems and methods can protect users at user level control, regardless of location, device, etc., over all ports and protocols (not only ports 80/443) while providing administrators a single unified policy for Internet access and integrated reporting and visibility. The firewall systems and methods can eliminate dedicated hardware at user locations, providing a software-based cloud solution.
    Type: Application
    Filed: February 4, 2020
    Publication date: June 4, 2020
    Inventors: Srikanth Devarajan, Vladimir Stepanenko, Ravinder Verma, James Kawamoto
  • Patent number: 10594656
    Abstract: A multi-tenant cloud-based firewall method from a client, performed by a cloud node, includes receiving a packet from the client, wherein the client is located externally from the cloud node; checking if a firewall session exists for the packet, and if so, processing the packet on a fast path where a lookup is performed to find the firewall session; if no firewall session exists, creating the firewall session; and processing the packet according to the firewall session and one or more rules. The cloud node can perform the method without a corresponding appliance or hardware on premises, at a location associated with the client, for providing a firewall.
    Type: Grant
    Filed: November 17, 2015
    Date of Patent: March 17, 2020
    Assignee: Zscaler, Inc.
    Inventors: Srikanth Devarajan, Vladimir Stepanenko, Ravinder Verma, James Kawamoto
  • Patent number: 10432651
    Abstract: Systems and methods of detecting Domain Name System (DNS) tunnels for monitoring thereof include obtaining data related to DNS traffic between DNS nameservers and clients; determining a score for each DNS nameserver based on the data to characterize DNS queries over a period of time for each DNS nameserver, wherein the score incorporates all DNS queries associated with the associated DNS nameserver over the period of time; determining one or more DNS nameservers likely operating DNS tunnels based on the score; and performing one or more actions on the one or more DNS nameservers related to the DNS tunnels.
    Type: Grant
    Filed: August 17, 2017
    Date of Patent: October 1, 2019
    Assignee: Zscaler, Inc.
    Inventors: Sushil Pangeni, Vladimir Stepanenko, Ravinder Verma, Srikanth Devarajan
  • Publication number: 20190058718
    Abstract: Systems and methods of detecting Domain Name System (DNS) tunnels for monitoring thereof include obtaining data related to DNS traffic between DNS nameservers and clients; determining a score for each DNS nameserver based on the data to characterize DNS queries over a period of time for each DNS nameserver, wherein the score incorporates all DNS queries associated with the associated DNS nameserver over the period of time; determining one or more DNS nameservers likely operating DNS tunnels based on the score; and performing one or more actions on the one or more DNS nameservers related to the DNS tunnels.
    Type: Application
    Filed: August 17, 2017
    Publication date: February 21, 2019
    Inventors: Sushil Pangeni, Vladimir Stepanenko, Ravinder Verma, Srikanth Devarajan
  • Patent number: 9800503
    Abstract: The present disclosure discloses a method and network device for control plane protection for various tables using storm prevention entries. Specifically, the disclosed system receives a first packet, and creates an inactive entry in a table. The system then forwards the first packet from a first processor to a second processor for processing. Also, the system associates the inactive entry with a timestamp indicating when the first packet is forwarded to the second processor, and determines a configured interval (CI) associated with the table. Further, the system compares a difference between a current timestamp and the timestamp associated with the inactive entry against the CI upon receiving a second packet. If the difference is longer than the CI, the system associates the inactive entry with the current timestamp, and forwards the second packet to the second processor for processing. Otherwise, the system discards the second packet.
    Type: Grant
    Filed: June 14, 2013
    Date of Patent: October 24, 2017
    Assignee: ARUBA NETWORKS, INC.
    Inventors: Ramsundar Janakiraman, Ravinder Verma, Brijesh Nambiar, Rajesh Mirukula
  • Publication number: 20170142068
    Abstract: A multi-tenant cloud-based firewall method from a client, performed by a cloud node, includes receiving a packet from the client, wherein the client is located externally from the cloud node; checking if a firewall session exists for the packet, and if so, processing the packet on a fast path where a lookup is performed to find the firewall session; if no firewall session exists, creating the firewall session; and processing the packet according to the firewall session and one or more rules. The cloud node can perform the method without a corresponding appliance or hardware on premises, at a location associated with the client, for providing a firewall.
    Type: Application
    Filed: November 17, 2015
    Publication date: May 18, 2017
    Applicant: Zscaler, Inc.
    Inventors: Srikanth DEVARAJAN, Vladimir STEPANENKO, Ravinder VERMA, James KAWAMOTO
  • Patent number: 9467326
    Abstract: The present disclosure discloses a method and network device for a rate limiting mechanism based on device load/capacity or traffic content. Specifically, the system receives a request from a network node, and determines whether a ratio between a current load and a capacity exceeds a threshold. If so, the system determines a wait time period based on current load/capacity ratio, and responds to the network node with a message including the wait time period. Moreover, the system can inspect content of the request to determine a message type, and whether the message type indicates that the request is associated with dependent messages. If so, the system responds to the request with a busy message including the wait time period. Further, the system rejects new session requests if the number of concurrent sessions currently connected to the network device approaches the number of sessions associated with a regression point.
    Type: Grant
    Filed: June 14, 2013
    Date of Patent: October 11, 2016
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Brijesh Nambiar, Ramsundar Janakiraman, Ravinder Verma
  • Patent number: 9450880
    Abstract: According to one embodiment, a method comprises an operation of determining whether an ingress control message is locally terminated control traffic on a digital device prior to the ingress control message being forwarded to a hardware processor of the digital device for processing. A priority is assigned to the ingress control message based on information within the ingress control message, if the ingress control message is determined to be locally terminated control logic.
    Type: Grant
    Filed: October 13, 2015
    Date of Patent: September 20, 2016
    Assignee: Aruba Networks, Inc.
    Inventors: Ramsundar Janakiraman, Avinash Sridharan, Ravinder Verma, Prasad Palkar
  • Publication number: 20160036709
    Abstract: According to one embodiment, a method comprises an operation of determining whether an ingress control message is locally terminated control traffic on a digital device prior to the ingress control message being forwarded to a hardware processor of the digital device for processing. A priority is assigned to the ingress control message based on information within the ingress control message, if the ingress control message is determined to be locally terminated control logic.
    Type: Application
    Filed: October 13, 2015
    Publication date: February 4, 2016
    Inventors: Ramsundar Janakiraman, Avinash Sridharan, Ravinder Verma, Prasad Palkar
  • Patent number: 9167543
    Abstract: A method includes subsequent to a client associating with a first access node and the client being communicatively coupled with a first controller through the first access node: storing information on one or more of: active broadcast sessions for the client or active multicast sessions for the client. The method further includes subsequent to the client associating with a second access node and the client being communicatively coupled with a second controller through the second access node: the second controller establishing one or more of: the active broadcast sessions for the client or the active multicast sessions for the client using the information.
    Type: Grant
    Filed: August 15, 2013
    Date of Patent: October 20, 2015
    Assignee: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
    Inventors: Shankar Kambat Ananthanarayanan, Ravinder Verma
  • Patent number: 9160671
    Abstract: According to one embodiment, a method comprises an operation of determining whether an ingress control message is locally terminated control traffic on a digital device prior to the ingress control message being forwarded to a hardware processor of the digital device for processing. A priority is assigned to the ingress control message based on information within the ingress control message, if the ingress control message is determined to be locally terminated control logic.
    Type: Grant
    Filed: December 3, 2012
    Date of Patent: October 13, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Ramsundar Janakiraman, Avinash Sridharan, Ravinder Verma, Prasad Palkar
  • Patent number: 9100242
    Abstract: The present disclosure discloses a method and network device for maintaining captive portal user authentication. Specifically, the disclosed system determines an association status between a client and an access point in a wireless network, as well as whether to remove an entry corresponding to the client from a network layer (L3) cache based on the association status. If it is determined that the entry is to be removed, the disclosed system removes the entry corresponding to the client from the network layer (L3) cache. Note that the association status can be determined based on one or more of an indication by a station management process at the network device, and a detection of radio link activities.
    Type: Grant
    Filed: September 4, 2013
    Date of Patent: August 4, 2015
    Assignee: Aruba Networks, Inc.
    Inventors: Brijesh Nambiar, George Voon, Ravinder Verma
  • Patent number: 9065701
    Abstract: The present disclosure discloses a method and network device for an enhanced serialization mechanism. Specifically, the disclosed system receives a plurality of packets from a plurality of transport layer flows corresponding to a security association. Also, the system designates one processor of a plurality of processors to be associated with the security association. Moreover, the system assigns a sequence number to each packet, and transmits the plurality of packets from the plurality of transport layer flows such that packets within the same transport layer flow are transmitted in order of their sequence numbers. However, at least two packets from two different transport layer flows may be transmitted out of incremental order of their sequence number.
    Type: Grant
    Filed: June 26, 2013
    Date of Patent: June 23, 2015
    Assignee: ARUBA NETWORKS, INC.
    Inventors: Ramsundar Janakiraman, Prasad Palkar, Brijesh Nambiar, Ravinder Verma, Rajesh Mirukula
  • Patent number: 9060331
    Abstract: The present disclosure discloses a method and network device for home VLAN identification for roaming mobile clients. Specifically, the disclosed method and system detects that the mobile client has roamed away from a first network to a second network, maintains a mapping between a virtual local area network (VLAN) corresponding to the mobile client and a tunnel corresponding to a foreign agent in the second network, and forwards packets to or from the mobile client on the VLAN based on the mapping between the VLAN and the tunnel via which the packets are received. Therefore, the disclosed method and system allows for identification of home VLANs for roaming mobile clients without merging VLAN policy configurations at the home agent and the foreign agent.
    Type: Grant
    Filed: August 15, 2013
    Date of Patent: June 16, 2015
    Assignee: ARUBA NETWORKS, INC.
    Inventors: Ravinder Verma, Ramsundar Janakiraman, Srinivasan Jayarajan
  • Patent number: 9058349
    Abstract: A first data set is derived from a second data set. The first data set is stored in a database of derived data sets. The second data set is updated without updating the first data set, such that the first data set and the second data are inconsistent. The first data set is deleted or updated during batch processing of the database of the derived data sets.
    Type: Grant
    Filed: December 3, 2012
    Date of Patent: June 16, 2015
    Assignee: ARUBA NETWORKS, INC.
    Inventors: Bhanu Gopalasetty, Ramsundar Janakiraman, Ravinder Verma
  • Publication number: 20140156720
    Abstract: The present disclosure discloses a method and network device for control plane protection for various tables using storm prevention entries. Specifically, the disclosed system receives a first packet, and creates an inactive entry in a table. The system then forwards the first packet from a first processor to a second processor for processing. Also, the system associates the inactive entry with a timestamp indicating when the first packet is forwarded to the second processor, and determines a configured interval (CI) associated with the table. Further, the system compares a difference between a current timestamp and the timestamp associated with the inactive entry against the CI upon receiving a second packet. If the difference is longer than the CI, the system associates the inactive entry with the current timestamp, and forwards the second packet to the second processor for processing. Otherwise, the system discards the second packet.
    Type: Application
    Filed: June 14, 2013
    Publication date: June 5, 2014
    Inventors: Ramsundar Janakiraman, Ravinder Verma, Brijesh Nambiar, Rajesh Mirukula