Abstract: Techniques for preserving privacy while still allowing secure access to private resources. Among other things, the techniques may include receiving a request to provide a remote device with access to a private resource. In some instances, the request may be redirected to an identity provider service to authenticate the user of the remote device to maintain anonymity of an identity of the user. The techniques may also include receiving an indication of an entitlement-set provided by the identity provider service, the indication of the entitlement-set indicative of whether the user is entitled to access the resource without revealing the identity of the user. The techniques may also include at least one of authorizing the remote device to access the resource or refraining from authorizing the remote device to access the resource based at least in part on the indication of the entitlement-set.

Abstract: An apparatus configured to perform resilient data plane processing using multiple network streams may comprise a memory and a processor communicatively coupled to one another. The processor may be configured to establish a connection with the data aggregator, and request access to one or more resources from a data aggregator. Further, the processor may be configured to receive a first data stream and a second data stream from the data aggregator, combine a version of the first data stream and a version of the second data stream into a local data stream, and present the local data stream.

Abstract: Techniques for auto tuning keepalive packets intervals to an optimal interval are described. A remote secure session between a client device and a server over a network is established. A determination is made to identify an optimal keepalive interval for sending packets to keep the remote secure session alive over the network, the optimal keepalive interval defining an amount of time between sending of packets that keep a connection open through middleboxes in the network. Keepalive test probes are transmitted by the client device and to the server at different time intervals. An optimal keepalive interval is determined based at least in part on the keepalive test probes transmitted at the different intervals. The client device transmits information indicating the optimal keepalive interval to the server. Finally, the client device transmits keepalive packets according to the optimal keepalive interval.

Abstract: Techniques for a computing resource network to send a packet through a processing flow (e.g., a service chain) according to an order of processing workloads (e.g., services) included in the processing flow, configured as an optimized service chain. In some examples, the computing resource network may include a policy evaluation engine configured to determine the best probabilistic outcome of an order of routing between the services that results in the lowest computational costs based on the probability that a given packet will be terminated/modified at one of the earlier processing workloads in the service chain, a prediction engine configured to determine the order of the processing workloads included in the processing flow based on a policy and/or telemetry data associated with the processing workloads, and/or an intelligent routing engine configured to route a packet between the one or more processing workloads included in a processing flow according to the order.

Abstract: Techniques and systems described herein relate to monitoring executions of computer instructions on computing devices based on learning and generating a control flow directed graph. The techniques and systems include determining a learned control flow directed graph for executable code of an application by observing executions of transitions during an observation period and determining destinations of indirect transfers based on the learned control flow directed graph. Next a disassembly of the executable code is determined based on the learned control flow directed graph, the destinations of the transfers, and the executable code.

Abstract: Techniques for migrating on-premises and/or cloud-based workloads to follow a network session as it potentially migrates, due to multipathing techniques, across multiple edge and/or cloud datacenters. The techniques may include determining, by a controller of a network, that a traffic flow between an endpoint device and a workload has migrated to a different path of a multipath flow such that the traffic flow terminates at a different termination point than the workload. Based at least in part on determining that the traffic flow has migrated, the controller may cause a migration of a state of the workload to a location associated with the different termination point. That is, the controller may cause the workload to be migrated in its current state, which may be specific to the endpoint device, to follow the traffic flow.

Abstract: Techniques for tunneling Layer 2 ethernet frames over a connection tunnel using the MASQUE protocol are described herein. The MASQUE protocol may be extended to include a new entity, configured to proxy ethernet frames using a MASQUE proxy connection, and an associated CONNECT method, CONNECT-ETH. Using the extended MASQUE protocol, an Ethernet over MASQUE (EoMASQUE) tunnel may then be established between various networks that are remote from one another and connected to the internet. An EoMASQUE tunnel, established between separate remote client premises, and/or between a remote client premise and an enterprise premise, may tunnel ethernet packets between the endpoints. Additionally, a first EoMASQUE tunnel, established between a first client router provisioned in a first remote client premise and an EoMASQUE proxy node, and a second EoMASQUE tunnel, established between a second client premise and the EoMASQUE proxy node, may tunnel ethernet packets between the first and second client premise.

Abstract: This disclosure describes techniques and mechanisms for defining dynamic security compliance in networks to proactively prevent security policy violations from being added and/or made, retroactively and continuously identify security policy violations based on data from the changing threat landscape, and provide auto-remediation of non-compliant security policies. The techniques enable automated security policies and provide improved network security against a dynamic threat landscape.

Abstract: Techniques for utilizing a deception service to deploy deceptions at scale in a network, such as, for example, a client network. The deception service may be configured to generate a small number (e.g., 5, 10, 15, etc.) of deceptions of hosts and/or services associated with the network (or emulations of the hosts/services and/or emulations of protocols associated with the hosts/services) and deploy them to a number of deception host computing devices that cover all of the components and/or technologies found in the network. The deception service may map a large number (e.g., 1000, 100,000, 1,000,000, etc.) of IP addresses available in the network to the deceptions, making it appear as though a large number of deceptions exist, when in reality the IP addresses map back to a small number of deceptions. The deception service may assign/unassign IP addresses to and/or from deceptions and/or actual hosts in the network as needed.

Abstract: Techniques for utilizing a portion of a communication session identifier (e.g., a Session-ID, an SPI, a CID, a DCID, and/or the like) to indicate a target routing device (e.g., a VPN and/or ZTNA termination device) for establishing control plane session(s) and/or data plane session(s) at wire-speed in a networked computing environment. The routing device(s) of a networked computing environment may generate a communication session identifier and send the communication session identifier to the client device, such that subsequent packets send from the client device may be forwarded to the proper routing device indicated by the communication session identifier for establishment of one or more data plane sessions. Additionally, data plane sessions may be established using a Resumed Handshake rather than a full handshake that is typically required, as Session Resumption utilizes the assigned communication session identifier for mapping.

Abstract: Techniques for determining a preferred HTTP protocol for communication between a client device and a server over a network are described. A first type of HTTP probe is transmitted over a network from a client device to a server. A second type of HTTP probe is transmitted over a network from the client device to the server. If either the first type of HTTP probe response or the second type of HTTP probe response, the type of the HTTP probe response received is the preferred communication protocol. If the first type of HTTP probe response and the second type of HTTP probe response is received, a type of HTTP probe response received first is the preferred communication protocol. The client device communicates with the server over the network using the preferred communication protocol.

Abstract: Techniques for migrating on-premises and/or cloud-based workloads to follow a network session as it potentially migrates, due to multipathing techniques, across multiple edge and/or cloud datacenters. The techniques may include determining, by a controller of a network, that a traffic flow between an endpoint device and a workload has migrated to a different path of a multipath flow such that the traffic flow terminates at a different termination point than the workload. Based at least in part on determining that the traffic flow has migrated, the controller may cause a migration of a state of the workload to a location associated with the different termination point. That is, the controller may cause the workload to be migrated in its current state, which may be specific to the endpoint device, to follow the traffic flow.

Abstract: An apparatus configured to perform resilient data plane processing using multiple network streams may comprise a memory and a processor communicatively coupled to one another. The processor may be configured to establish a connection with the data aggregator, and request access to one or more resources from a data aggregator. Further, the processor may be configured to receive a first data stream and a second data stream from the data aggregator, combine a version of the first data stream and a version of the second data stream into a local data stream, and present the local data stream.

Abstract: This disclosure describes techniques for enforcing conditional access to network services. In an example method, a first computing device detects a second device operating in a per-flow authorization mode. The first device receives a first request from a second computing device to communicate with a third computing device using a first network flow and determines that the first flow is authorized (e.g., because of an active past authentication and/or the third device's authentication exemption). Data associated with the first request is transmitted to the third device. The first device then receives a second request to communicate with a fourth computing device using a second network flow and determines that the second flow is not authorized (e.g., because it is not associated with an active past authentication and/or the fourth device is not exempt from authentication). Data associated with the second request is not transmitted to the fourth device.

Abstract: Profile-based association method for enterprise networks may be provided. A computing device may configure a first profile and a second profile. Next, the client device may be configured with a set of network profiles associated with a plurality of networks. A user of the client device may be queried for a profile choice for one of the plurality of networks. Then the client device may associate with the one of the plurality of networks according to the profile choice provide by the user.

Abstract: Techniques for binding communication flows to unique addresses and/or ports, and configuring networking devices internal to a network to apply policy without the need to further introspect a given stream. Further, by creating mappings of unique addresses and/or ports to flows, the network devices are able to enforce policy without needing to coordinate with an edge node of the network at which the communication session terminates. Further, the techniques may include providing an SDN controller with a mapping between a unique address/port and a network flow, determining flow-specific policy to enforce on the flow, and programming one or more network devices to enforce the flow-specific policy in the network using the unique address/port.

Abstract: In one embodiment, an illustrative method herein may comprise: obtaining, by a device, one or more independent telemetry streams, wherein each of the one or more independent telemetry streams is uniquely identifiable by a span identifier; translating, by the device, each of the one or more independent telemetry streams into a corresponding QUIC protocol stream; mapping, by the device, the span identifier of each of the one or more independent telemetry streams to a respective stream identifier that uniquely identifies a QUIC channel of a multiplexed QUIC protocol stream; and communicating, by the device, the multiplexed QUIC protocol stream containing each of the one or more independent telemetry streams on its corresponding QUIC channel to cause a retrieving device to determine the span identifier of each of the one or more independent telemetry streams based on their respective stream identifier.

Abstract: Techniques for leveraging the MASQUE protocol to provide remote clients with full application access to private enterprise resources are described herein. One or more network nodes may be configured to execute a MASQUE proxy service to provide a remote client device with full access to an enterprise/private application resource executing on an application node and hosted in an enterprise/application network, behind the MASQUE proxy service. In some examples, the MASQUE proxy service may execute on a single proxy node hosted at an edge of a cloud network or at an edge of an enterprise network. Additionally, or alternatively, a first instance of the MASQUE proxy service may execute on a first proxy node hosted at an edge of a cloud network (e.g., an ingress proxy node) and a second instance of the MASQUE proxy service may execute on a second proxy node hosted at an edge of the enterprise network.

Abstract: Techniques for routing service mesh traffic based on whether the traffic is encrypted or unencrypted are described herein. The techniques may include receiving, from a first node of a cloud-based network, traffic that is to be sent to a second node of the cloud-based network and determining whether the traffic is encrypted or unencrypted. If it is determined that the traffic is encrypted, the traffic may be sent to the second node via a service mesh of the cloud-based platform. Alternatively, or additionally, if it is determined that the traffic is unencrypted, the traffic may be sent to the second node via an encrypted tunnel. In some examples, the techniques may be performed at least partially by a program running on the first node of the cloud-based network, such as an extended Berkeley Packet Filter (eBPF) program, and the like.

Abstract: Techniques for syncing authentication and/or authorization tokens, cookies, and related metadata across different browser instances to enable disparate applications to share a single authentication/authorization ceremony. The techniques may include receiving a policy indicating multiple enterprise-managed applications that are capable of sharing tokens or cookies for user authentication. The techniques may also include receiving a token or a cookie indicating that a user is authenticated to access a first application of the multiple enterprise-managed applications. Based at least in part on the policy, the token or the cookie may be provided to a browser such that a second application of the multiple enterprise-managed applications refrains from causing the user to authenticate for access to the second application.