Abstract: A policy management server manages a segmentation policy and policy constraints. The segmentation policy comprises a set of segmentation rules that each permit connections between specified groups of workloads that provide or consume network-based services. The policy constraints comprise a set of constraint rules that determine compliance of the segmentation rules. A workflow process may be initiated to resolve non-compliant rules by enabling an administrator to approve or deny the rule. In a large enterprise managing significant numbers of workloads, the policy constraints may be employed to ensure that overly permissive segmentation rules are not being created. This facilitates creation of a robust and narrowly tailored segmentation policy that reduces exposure of the enterprise to network-based security threats.

Abstract: A policy management server enables selective enforcement of a segmentation policy. The policy management server manages a segmentation policy that specifies a set of segmentation rules specifying permitted communications between workloads. The policy management server separately manages an enforcement policy that controls whether or not the segmentation policy is enforced for different services provided by the workloads. For services that are enforced, the policy management server distributes instructions to distributed enforcement modules that configure traffic filters to block traffic pertaining to enforced services that does not meet the segmentation rules. For non-enforced services, the policy management server obtains traffic data from the distributed enforcement modules without enforcing the segmentation policy to enable an administrator to build and/or test the segmentation policy.

Abstract: A policy management server manages a segmentation policy and policy constraints. The segmentation policy comprises a set of segmentation rules that each permit connections between specified groups of workloads that provide or consume network-based services. The policy constraints comprise a set of constraint rules that determine compliance of the segmentation rules. A workflow process may be initiated to resolve non-compliant rules by enabling an administrator to approve or deny the rule. In a large enterprise managing significant numbers of workloads, the policy constraints may be employed to ensure that overly permissive segmentation rules are not being created. This facilitates creation of a robust and narrowly tailored segmentation policy that reduces exposure of the enterprise to network-based security threats.

Abstract: A policy management server enables selective enforcement of a segmentation policy. The policy management server manages a segmentation policy that specifies a set of segmentation rules specifying permitted communications between workloads. The policy management server separately manages an enforcement policy that controls whether or not the segmentation policy is enforced for different services provided by the workloads. For services that are enforced, the policy management server distributes instructions to distributed enforcement modules that configure traffic filters to block traffic pertaining to enforced services that does not meet the segmentation rules. For non-enforced services, the policy management server obtains traffic data from the distributed enforcement modules without enforcing the segmentation policy to enable an administrator to build and/or test the segmentation policy.

Abstract: Apparatus configured to obtain a hash of a file to be transmitted to a second apparatus and an indication of a file creator of the file; retrieve an identifier associated with the file creator; store the hash of the file, associated with the identifier of the file creator, in an immutable ledger; obtain the hash of the file from the second apparatus; verify that the hash of the file is stored in the immutable ledger; retrieve, from the immutable ledger, one or more assertions associated with the file; retrieve, from the immutable ledger, the associated identifier of the file creator using the hash of the file; and transmit, to the second apparatus: a confirmation that the file is from the file creator; and at least one of the one or more assertions associated with the file.

Abstract: A method of identifying and authenticating a network user includes receiving a first network layer packet from a first user entity. The first network layer packet may include first unique identification information unique to the first user entity and independent of a first network address associated with the first network layer packet. The method further includes verifying, at a network layer of a network, that the first network layer packet is from the first user entity based on the first unique identification information.

Abstract: An air flow deflector comprising (a) a deflector body having an outer surface, the deflector body providing an air passage extending through an inlet, a throat and an outlet, the size of the inlet is greater that the size of the throat; (b) a pair of channels provided between the inlet and the outlet and each of the pair of channels having a venturi profile; and (c) an outlet portion of the air flow deflector provided between the throat and the outlet to provide a gradual transition between the throat and the outlet; wherein the air flow deflector increases an air flow velocity of air entering said inlet.