Abstract: A computer program product for transmitting data flow in a network between two resources using a processing circuit to perform a method which includes obtaining a data record from a first resource, storing the data record and an associated data record identifier in a first memory, transmitting the data record from a first network to a second network, storing the data record and an associated data record identifier in a second memory, determining by an inline service provider whether the data record is suitable for transmission from a first resource to a second resource; based on determining that the data record is suitable for transmission by the inline service provider transmitting only the data record identifier stored in the second memory to the first switch and retrieving the data record stored in the first memory associated with the data record identifier for transmission to the second resource.

Abstract: A first client encryption initiation is intercepted from a client. The first client encryption initiation is intended for a server. Based on the first client encryption initiation, a second client encryption initiation is initiated with the server. Receiving a server response from the server responsive to the initiated second client encryption initiation. A first secure connection is negotiated with the client. The first secure connection is based on the intercepted first client encryption initiation and based on the server response. A session key to perform secure communication with the client is obtained from the first secure connection. A second secure connection is established with the server. The second secure connection is based on the server response and the session key.

Abstract: In response to receiving an unknown first session identifier from a client for a first communication session between the client and a server, a Man in the Middle (MitM) computer requests a second session identifier from the server for a second communication session between the server and the MitM computer. The MitM computer generates a third session identifier for a third communication session between the MitM computer and the client. The MitM computer generates a fourth communication session between the server and the client using a combination of the second communication session and the third communication session. In response to receiving an invalid session identifier from the client for a fifth communication session between the client and the server, the MitM computer transmits an instruction, to the client, to flush a session cache in the client to force a full TLS handshake between the client and the server.

Abstract: A method for monitoring encrypted communication sessions between computing devices includes intercepting messages of a handshaking procedure between a client and a server device, the handshaking procedure establishing an encrypted communication session between the client and server. The method further includes determining, from the messages, a session context for the encrypted session and an identifier associated with the session context. The method further includes storing the session context in a database indexed by the identifier. The method further includes intercepting, subsequent to the storing, second messages of a second handshaking procedure between the client and a second server device, the where second handshaking procedure resumes the encrypted communication session after an interruption.

Abstract: Methods, systems, and computer program products for enabling network services in a multi-tenant IaaS environment are provided. A service portal is deployed in the IaaS environment. In one embodiment, tenant packet associated with a first tenant of the IaaS environment is received by the service portal. The tenant packet is analyzed to identify one or more services to which to transmit the tenant packet. The tenant packet is distributed to the identified services for processing. A processed tenant packet is received from one or more of the identified services. The processed tenant packet is transmitted to a destination.

Abstract: Embodiments pertain to facilitation of live migration of a virtual machine in a network system. During live migration, a first appliance is cloned and state information directed to a first network flow is obtained. The state information is utilized by the cloned appliance to re-direct operations associated with the first network flow. At such time as the first network flow is terminated, the cloned is removed.

Abstract: A method of translating network attributes of packets in a multi-tenant environment, and an appliance and a program product implementing the method. The method comprises the following steps: receiving a packet from a multi-tenant environment; referring to the information of tenants, translating a selected network attribute of the packet into a unique identity representing the packet in the multi-tenant environment; and forwarding the translated packet including the unique identity.

Abstract: Embodiments can provide a computer implemented method in a data processing system comprising a processor and a memory comprising instructions, which are executed by the processor to cause the processor to implement a system for transforming a Channel ID communication, the method comprising: generating, by a SSL/TLS inspector, a secret; receiving, from a client, a Channel ID communication comprising a public key value; deriving, by the SSL/TLS inspector, a random seed value for a private key using the secret and the public key value of the Channel ID communication; generating, by the SSL/TLS inspector, a new private key based upon the random seed value; deriving, by the SSL/TLS inspector, a new public key based upon the new private key; generating, by the SSL/TLS inspector, a transformed Channel ID communication based upon the new private key and the new public key; and forwarding, by the SSL/TLS inspector, the transformed Channel ID communication to a server.

Abstract: A network-based appliance includes a mechanism to provide TLS inspection with session resumption, but without requiring that a session cache be maintained. To this end, the inspector is configured to cause the TLS client to participate in maintaining the session context, in effect on behalf of the TLS inspector. In operation, when the inspector first receives a session ID from the TLS server, the inspector generates and issues to the client a session ticket that includes the original session ID and other session context information. In this manner, the inspector converts the Session ID-based connection to a Session Ticket-based connection. The session ticket is encrypted by the inspector to secure the session information. When the TLS client presents the session ticket to resume the TLS connection, the inspector decrypts the ticket and retrieves the session ID from it directly. The inspector then uses the original session ID to resume the TLS session.

Abstract: A network-based appliance includes a mechanism to provide TLS inspection with session resumption, but without requiring that a session cache be maintained. To this end, the inspector is configured to cause the TLS client to participate in maintaining the session context, in effect on behalf of the TLS inspector. In operation, when the inspector first receives the session ticket from the TLS server, and in lieu of caching it, the inspector generates and issues to the client a composited ticket that includes the original ticket and session context information that contains the session key. The composited ticket is encrypted by the inspector to secure the session information. When the TLS client presents the composited session ticket to resume the TLS connection, the inspector decrypts the ticket and retrieves the session context from it directly. The inspector then uses the original session ticket to resume the TLS session.

Abstract: Embodiment pertain to facilitation of live migration of a virtual machine in a network system. The network system includes a first host, a second host, a first appliance for providing service to the first host, a second appliance for providing service to the second host, and a third appliance. At least one virtual machine is disposed on the first host and has an ongoing first network flow. The first appliance has generated state information about the first network flow. During the migration of the at least one virtual machine to the second host, the third appliance obtains a copy of the state information about the first network flow; and the third appliance takes over from the first appliance to serve the first network flow during the migration of the at least one virtual machine, until the first network flow is terminated.

Abstract: An intelligent network management device including an analytic unit, conducting an analysis according to received packets in order to determine whether a given event is occurred; and a processing unit, generating and sending a control instruction to a SDN controller to change configurations of a SDN switch when the analytic unit determined the given event has been occurred.

Abstract: Embodiments can provide a computer implemented method in a data processing system comprising a processor and a memory comprising instructions, which are executed by the processor to cause the processor to implement a system for transforming a Channel ID communication, the method comprising: generating, by a SSL/TLS inspector, a secret; receiving, from a client, a Channel ID communication comprising a public key value; deriving, by the SSL/TLS inspector, a random seed value for a private key using the secret and the public key value of the Channel ID communication; generating, by the SSL/TLS inspector, a new private key based upon the random seed value; deriving, by the SSL/TLS inspector, a new public key based upon the new private key; generating, by the SSL/TLS inspector, a transformed Channel ID communication based upon the new private key and the new public key; and forwarding, by the SSL/TLS inspector, the transformed Channel ID communication to a server.

Abstract: A computer program product for transmitting data flow in a network between two resources using a processing circuit to perform a method which includes obtaining a data record from a first resource, storing the data record and an associated data record identifier in a first memory, transmitting the data record from a first network to a second network, storing the data record and an associated data record identifier in a second memory, determining by an inline service provider whether the data record is suitable for transmission from a first resource to a second resource; based on determining that the data record is suitable for transmission by the inline service provider transmitting only the data record identifier stored in the second memory to the first switch and retrieving the data record stored in the first memory associated with the data record identifier for transmission to the second resource.

Abstract: An intelligent network management device including an analytic unit, conducting an analysis according to received packets in order to determine whether a given event is occurred; and a processing unit, generating and sending a control instruction to a SDN controller to change configurations of a SDN switch when the analytic unit determined the given event has been occurred.

Abstract: Methods and systems for high-availability data processing include detecting, at a first data processing system, a change in link state between the first data processing system and a second data processing system. A link state between the first data processing system and a third data processing system is changed responsive to the detection in accordance with a first high availability policy stored at the first data processing system. An identifier of the first data processing system is changed in accordance with the first high availability policy to conform to a second high availability policy stored at the first data processing system. The detection, change of the link state, and change of the identifier are repeated in accordance with the second high availability policy.

Abstract: A method of translating network attributes of packets in a multi-tenant environment, and an appliance and a program product implementing the method. The method comprises the following steps: receiving a packet from a multi-tenant environment; referring to the information of tenants, translating a selected network attribute of the packet into a unique identity representing the packet in the multi-tenant environment; and forwarding the translated packet including the unique identity.

Abstract: Embodiments provide a system and method for network tracking. Through various methods of packet encapsulation or IP option filling, one or more packets of information can be tagged with a unique security tag to prevent unauthorized access. A user agent can be validated by an authentication server through acceptance of one or more user credentials. The authentication server can generate a security token that can be transmitted to the user agent. The user agent can generate a keystream from the security token, and portions of that keystream can be attached to the packets as the security tag. The tagged packets can be forwarded to an authenticator, who can recreate the keystream from a copy of the security token provided by the authentication server. If the tags generated from the authenticator match the tags on the tagged packet, the authenticator can strip the tag from the tagged packet and forward the packet on to its next network address.

Abstract: A method of translating network attributes of packets in a multi-tenant environment, and an appliance and a program product implementing the method. The method comprises the following steps: receiving a packet from a multi-tenant environment; referring to the information of tenants, translating a selected network attribute of the packet into a unique identity representing the packet in the multi-tenant environment; and forwarding the translated packet including the unique identity.

Abstract: In response to receiving an unknown first session identifier from a client for a first communication session between the client and a server, a Man in the Middle (MitM) computer requests a second session identifier from the server for a second communication session between the server and the MitM computer. The MitM computer generates a third session identifier for a third communication session between the MitM computer and the client. The MitM computer generates a fourth communication session between the server and the client using a combination of the second communication session and the third communication session. In response to receiving an invalid session identifier from the client for a fifth communication session between the client and the server, the MitM computer transmits an instruction, to the client, to flush a session cache in the client to force a full TLS handshake between the client and the server.