Abstract: A plurality of policies to be enforced in a network environment via a plurality of devices are determined. A topology of the plurality of devices within the network environment is also determined. For each policy of the plurality of policies, a device of the plurality of devices is selected as the location at which to enforce the policy of the plurality of policies. Selecting the device for each policy of the plurality of policies includes correlating the policy of the plurality of policies with another of the plurality of policies and correlating the policy of the plurality of policies with the topology.

Abstract: In one example, a network element in a first network receives a network packet including a first security group identifier. The network element identifies the first security group identifier, determines that the first security group identifier is hierarchically correlated with a second security group identifier, and inserts the second security group identifier into the network packet. The network element forwards the network packet including the second security group identifier.

Abstract: A policy server correlates information from several messages associated with a client device to implement an identity-based network access policy. A network element connected to the client device obtains an authentication message including a first network address from the client device. The network element provides the authentication device to an identity server via a Network Address Translation (NAT) device, which translates the first network address to a second network address. The network element also provides a first message including the first network address to the policy server to request an identity-based policy for network communications of the client device. The network element implements the identity-based policy authorized by the policy server.

Abstract: In one example embodiment, a network appliance is configured to process packets in a network. The network appliance obtains a mapping of a domain name to a security group tag having associated therewith one or more security policies. The network appliance receives a network packet having an Internet Protocol address. The network appliance determines a particular domain name associated with the Internet Protocol address of the packet. Based on the mapping of the domain name to the security group tag and the particular domain name, the network appliance determines whether the network packet is associated with the security group tag. The network appliance applies the one or more security policies to the network packet based on the security group tag when the particular domain name of the network packet matches the domain name.

Abstract: A device obtains access to an application resource from a remote application server based on an authenticated device identifier. The device sends a request to access the application resource provided by the remote application server. The device receives a first message from the remote application server directing the device to send an authentication message to a device identity server. The authentication message requests an authenticated device identity for the device. The device attaches metadata associated with the device to the authentication message and sends the authentication message with the attached metadata to the device identity server. The device receives the authenticated device identity from the device identity server and sends the authenticated device identity to the remote application. The device obtains access to the application resource from the remote application server based on the authenticated device identity.

Abstract: A policy server correlates information from several messages associated with a client device to implement an identity-based network access policy. A network element connected to the client device obtains an authentication message including a first network address from the client device. The network element provides the authentication device to an identity server via a Network Address Translation (NAT) device, which translates the first network address to a second network address. The network element also provides a first message including the first network address to the policy server to request an identity-based policy for network communications of the client device. The network element implements the identity-based policy authorized by the policy server.

Abstract: A policy server correlates information from several messages associated with a client device to implement an identity-based network access policy. The policy server receives a first message from a network element connected to the client device. The first message requests an identity-based policy for the client device, and includes a first network address. The policy server receives a second message from an identity server. The second message includes information indicating an identity role and a second network address. The policy server receives a third message from a NAT device. The third message includes a NAT mapping that correlates the first network address with the second network address. After the policy server determines the identity-based policy based on a combination of the first message, the second message, and the third message, the policy server implements the identity-based policy in the network element.

Abstract: In one example, a network element in a first network receives a network packet including a first security group identifier. The network element identifies the first security group identifier, determines that the first security group identifier is hierarchically correlated with a second security group identifier, and inserts the second security group identifier into the network packet. The network element forwards the network packet including the second security group identifier.

Abstract: A device obtains access to an application resource from a remote application server based on an authenticated device identifier. The device sends a request to access the application resource provided by the remote application server. The device receives a first message from the remote application server directing the device to send an authentication message to a device identity server. The authentication message requests an authenticated device identity for the device. The device attaches metadata associated with the device to the authentication message and sends the authentication message with the attached metadata to the device identity server. The device receives the authenticated device identity from the device identity server and sends the authenticated device identity to the remote application. The device obtains access to the application resource from the remote application server based on the authenticated device identity.

Abstract: A policy server correlates information from several messages associated with a client device to implement an identity-based network access policy. The policy server receives a first message from a network element connected to the client device. The first message requests an identity-based policy for the client device, and includes a first network address. The policy server receives a second message from an identity server. The second message includes information indicating an identity role and a second network address. The policy server receives a third message from a NAT device. The third message includes a NAT mapping that correlates the first network address with the second network address. After the policy server determines the identity-based policy based on a combination of the first message, the second message, and the third message, the policy server implements the identity-based policy in the network element.

Abstract: A data processing apparatus in a network receives packet flows that are communicated between a first network node and a second network node, and comprises a clock and latency analysis logic configured for receiving a first data segment that has been communicated from the first node and forwarding the first data segment to the second node; storing a first time value of the clock in association with a first timestamp value obtained from the first data segment; receiving a second data segment that has been communicated from the second node and forwarding the second data segment to the first node; retrieving the first time value based on the first timestamp value; determining a second time value of the clock; and determining a first latency value by computing a difference of the second time value and the first time value. Thus end-to-end packet latency is determined by passively observing timestamp values.

Abstract: A data compression method and system is disclosed. In one embodiment, the data compression method includes receiving a data packet. Also, the method includes compressing the data packet using a confirmed compression history, wherein the confirmed compression history includes previously acknowledged data packets. Further, the method includes sending a compressed data packet to a downstream device. Moreover, the method includes detecting a delivery acknowledgement associated with the compressed data packet. Continuing, the method includes updating the confirmed compression history by incorporating the data packet information into the confirmed compression history based upon receipt of the delivery acknowledgement.

Abstract: A network node, for example a router, is configured for assigning network parameters for an identified flow of data packets associated with an application service, based on detecting quality of service parameters specified by XML tags within a message between an application server configured for providing the application service and a destination device configured for receiving the application service. The router includes an XML parser configured for parsing XML tags specifying prescribed user-selectable quality of service attributes for a corresponding application service, and an application resource configured for interpreting the prescribed user-selectable quality of service attributes for the application service. The application resource also is configured for assigning the selected network parameters, for transfer of the identified flow of data packets, based on the interpretation of the prescribed user-selectable quality of service attributes for the specified application service.

Abstract: An integrated network switch having multiple network switch ports for outputting data frames also includes a dequeuing system for selectively supplying a data frame for output according to a specified priority by an output switch port. The dequeuing system includes, for each network switch port, a plurality of priority queues configured for holding assigned data frames based on respective priorities assigned by switching logic. A weighted round robin scheduler supplies the assigned data frames held in the priority queues to the output switch port according to a prescribed weighted round robin scheduling. In addition, the dequeuing system uses token bucket filters for selectively passing the assigned data frames to the respective priority queues in a manner that ensures that a given data frame having a large size does not interfere with bandwidth reserved for high-priority packets requiring guaranteed quality of service.