Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 8776208
    Abstract: Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.
    Type: Grant
    Filed: March 22, 2012
    Date of Patent: July 8, 2014
    Assignee: Microsoft Corporation
    Inventors: Eran Yariv, Gerardo Diaz-Cuellar, David Abzarian
  • Patent number: 8775792
    Abstract: The invention provides a method of and system for networked security, involving multiple clients and servers. Rather than relying on single server based authentication and/or single stream based data transmission, the invention breaks apart information before it leaves the User's computer so that intercepting any single electronic message does not provide the hacker with sufficient information to gain access. The invention splits the values (i.e. password, User name, card number for authorization; encrypted text for encryption, etc.) at the point of sender/external authorization client. These split values are encrypted with different keys and transmitted to multiple external authorization servers. The invention can be applied to any secure transmission, storage or authentication of data over a data network.
    Type: Grant
    Filed: June 9, 2006
    Date of Patent: July 8, 2014
    Assignee: Strue, Inc.
    Inventors: Traverse A. Davies, Sr., Jordan Bruce MacLeod
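    The splitting step described in this abstract, as an added illustration (this is not code from the patent or from Strue, Inc.): an n-of-n XOR split, the simplest scheme with the property the abstract claims, that any single transmitted piece carries no information about the value. The per-server encryption of each share under a different key is assumed to be provided by the transport to each authorization server (for example TLS) and is not shown; the sample card number is constructed.

```python
"""Added example: n-of-n XOR secret splitting for multi-server authentication.
Each share alone is uniformly random; only the XOR of all n shares recovers the value."""
import secrets


def split_secret(secret, n):
    """Split `secret` (bytes) into n shares of equal length.

    The first n-1 shares are fresh random bytes; the last share is chosen so
    that XOR-ing all n shares together yields the secret again."""
    if n < 2:
        raise ValueError("need at least two shares, otherwise nothing is split")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = bytes(secret)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares


def combine_shares(shares):
    """Recover the secret from all shares; missing or extra shares give garbage."""
    out = bytes(len(shares[0]))
    for share in shares:
        if len(share) != len(out):
            raise ValueError("all shares must have the same length")
        out = bytes(a ^ b for a, b in zip(out, share))
    return out


def demo():
    """Send one share to each of three authorization servers (constructed value)."""
    card_number = b"4111111111111111"
    shares = split_secret(card_number, 3)
    # Each server receives exactly one share; an eavesdropper on one link sees only that share.
    recovered = combine_shares(shares)
    return shares, recovered


if __name__ == "__main__":
    shares, recovered = demo()
    for i, s in enumerate(shares):
        print("server", i, "holds", s.hex())
    print("recombined:", recovered)
```

    The scheme is all-or-nothing: the servers must all be available to reconstruct the value, and a share-level threshold (recover from any k of n) needs a different construction, such as Shamir secret sharing.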
  • Patent number: 8775791
    Abstract: A method and system for secure messaging between a wireless device and an application gateway provides for connecting a device to an application mapping layer via a secure socket and exchanging encryption keys for effecting asymmetric encryption between the device and the application gateway. The encryption has a first set of keys for encrypting messages to the device and a second set of keys for decrypting messages from the device. Accordingly, the present patent disclosure provides an entire solution from end to end, combining a variety of security patterns and technologies in a specific manner to provide a highly secure form of protecting data in a messaging style format between two endpoints on a network. The present patent disclosure provides an optimized strength of encryption on the paths from application mapping layer to wireless device and vice versa, and is able to change in nature to suit the dynamic nature of the payload sizes and transmission rates in the mobile market.
    Type: Grant
    Filed: December 22, 2005
    Date of Patent: July 8, 2014
    Assignee: BlackBerry Limited
    Inventors: Sean Paul Taylor, Viera Bibr, Brindusa Fritsch, Herbert A. Little, Michael Shenfield
  • Patent number: 8775790
    Abstract: A method includes receiving a first data message, from a first embedded node, in a first end point device. The first data message is addressed to a second embedded node. The method also includes encrypting the first data message to produce an encrypted data message, where the encryption is transparent to the first embedded node. The method further includes transmitting the encrypted data message to a second end point device. An apparatus includes a plurality of embedded node ports each configured to communicate with an embedded node. The apparatus also includes an encrypted communications link port configured to communicate with an end point device. The apparatus further includes a controller connected to communicate with the embedded node ports and the encrypted communications link port. In addition, the apparatus includes a storage connected to be read from and written to by the controller.
    Type: Grant
    Filed: October 30, 2007
    Date of Patent: July 8, 2014
    Assignee: Honeywell International Inc.
    Inventor: Frederick Hidle
  • Publication number: 20140189343
    Abstract: An IPSec front-end may be configured to encrypt, decrypt and authenticate packets on behalf of a host on an insecure network and a peer on a secure network. For example, the IPSec front-end may receive internet protocol (IP) packets from the host and encrypt the data and format the data as an internet protocol security (IPsec) packet for transmission to the peer. When the peer responds with an IPSec packet, the IPSec front-end may decrypt the data and format the data as an IP packet. The IPSec front-end may be software executing on a Linux server.
    Type: Application
    Filed: December 31, 2012
    Publication date: July 3, 2014
    Inventor: James Heit
  • Publication number: 20140189344
    Abstract: To display pieces of data provided by different servers in one page, a providing apparatus provides a page to a client terminal, the page including data retrieved from a server. The providing apparatus includes a) a page return unit for, upon receipt of a page retrieval request from the client terminal, returning a page including code to the client terminal, the code to be executed on the client terminal, the code causing the client terminal to transmit a data transmission instruction to the server, the data transmission instruction instructing the server to transmit the data to the providing apparatus, b) a data reception unit for receiving the data transmitted by the server, the server having received the data transmission instruction from the client terminal, and c) a transfer unit for transferring the data received from the server, to the client terminal.
    Type: Application
    Filed: March 4, 2014
    Publication date: July 3, 2014
    Applicant: International Business Machines Corporation
    Inventors: Yoshiroh Kamiyama, Keisuke Nitta
  • Patent number: 8769267
    Abstract: A system and method for verifying and/or geolocating network nodes in a network in attenuated environments for cyber and network security applications are disclosed. The system involves an origination network node, a destination network node, and at least one router network node. The origination network node is configured for transmitting a data packet downstream to the destination network node through at least one router network node. The data packet contains a header portion and a payload data portion. At least one of the network nodes is an enabled network node. The enabled network node(s) is configured to verify any of the network nodes that are located upstream from the enabled network node(s) by analyzing the header portion and/or the payload data portion of the data packet.
    Type: Grant
    Filed: August 15, 2012
    Date of Patent: July 1, 2014
    Assignee: The Boeing Company
    Inventors: Gregory M. Gutt, Arun Ayyagari, David A. Whelan, Michael L. O'Connor, David G. Lawrence
  • Patent number: 8769300
    Abstract: A technique for content management using group rights is described. The technique facilitates a flexible management for a group of content files mainly by effecting a change of group memberships for subsets of the group and a partial update of the content files. As one aspect, a content file manager (20) is provided to create content files associated with group rights. A device (21) is also provided to process such content files. One method aspect comprises assigning a plurality of content items to a new group whose identifier is associated with a new group rights object; determining if any of the content items has been previously distributed; and for each previously-distributed content item, creating an update content file including the group identifier of the new group and excluding the previously-distributed content item itself.
    Type: Grant
    Filed: September 18, 2008
    Date of Patent: July 1, 2014
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Daniel Catrein, Frank Hartung, Johannes Willig
  • Patent number: 8769664
    Abstract: Methods, systems, and apparatus, including computer program products, featuring receiving at a first security device a packet. The first security device determines that the packet is associated with a flow assigned to a distinct second security device. The first security device sends the packet to the second security device. After the second security device performs security processing using the packet, the first security device receives from the second security device a message regarding the packet. The first security device transmits the packet.
    Type: Grant
    Filed: January 30, 2009
    Date of Patent: July 1, 2014
    Assignee: Palo Alto Networks, Inc.
    Inventors: Nir Zuk, Wilson Xu, Yuming Mao
  • Patent number: 8769654
    Abstract: A method is provided, including (a) upon a standard small form-factor pluggable (SFP) module being inserted into an SFP jack on a network host device, determining if the SFP module is a legacy device or a smart device, (b) upon determining that the SFP module is a legacy device, receiving a magic code from the SFP module and determining if the magic code is a valid magic code, and (c) upon determining that the SFP module is a smart device, performing a smart authentication process with the SFP module. Associated apparatuses and additional methods are also provided.
    Type: Grant
    Filed: June 23, 2009
    Date of Patent: July 1, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Norman Tang, Adam Jonathan Carter, David C. Lai, Liang Ping Peng, Guoying Ding
  • Patent number: 8768403
    Abstract: Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A breakout component in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. The breakout component includes a service interface that performs primary control by one system, and backup control by a different system.
    Type: Grant
    Filed: November 16, 2012
    Date of Patent: July 1, 2014
    Assignee: International Business Machines Corporation
    Inventors: William F. Berg, Michael T. Kalmbach, Scott A. Liebl, Mark D. Schroeder
  • Patent number: 8769662
    Abstract: A communication network is operated by identifying at least one potential hijack autonomous system (AS) that can be used to generate a corrupt routing path from a source AS to a destination AS. For each of the at least one potential hijack AS the following operations are performed: identifying at least one regional AS that is configured to adopt the corrupt routing path from the source AS to the destination AS and determining a reflector AS set such that, for each reflector AS in the set, a source AS to reflector AS routing path and a reflector AS to destination AS routing path do not comprise any of the at least one regional AS. A reflector AS is then identified that is common among the at least one reflector AS set responsive to performing the identifying and determining operations for each of the at least one potential hijack AS.
    Type: Grant
    Filed: October 22, 2012
    Date of Patent: July 1, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Lusheng Ji, Dan Pei, Jia Wang
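    The reflector-selection procedure in this abstract, worked through on a constructed AS topology as an added example (not code from the patent or from AT&T). The abstract does not say how an AS decides to adopt the corrupt route, so this toy makes the usual simplifying assumptions, all of which are assumptions rather than the patent's method: every AS picks the shortest AS path (BFS over undirected peering links); an AS is "regional", i.e. polluted, when the hijacker is strictly closer to it than the legitimate destination; the source and destination themselves are not counted as regional ASes on a path; and a suspected hijacker is never used as a reflector. The link list and AS names are constructed.

```python
"""Added example: choose reflector ASes that route around a prefix hijack.

For each candidate hijacker H announcing the destination D's prefix:
  1. regional ASes  = ASes whose shortest-path choice flips to H's announcement
  2. reflector set  = ASes R (not polluted) whose paths S->R and R->D avoid every regional AS
Then keep only reflectors common to all candidate hijackers."""
from collections import deque

# Constructed peering topology (undirected links). S = source, D = destination,
# H and H2 = potential hijackers, R1..R4/A/B/C = other ASes.
LINKS = [("S", "A"), ("A", "C"), ("C", "D"), ("H", "A"), ("S", "B"), ("B", "R1"),
         ("R1", "D"), ("S", "R2"), ("R2", "A"), ("H2", "B"), ("S", "R3"),
         ("R3", "R4"), ("R4", "D")]


def build_graph(links):
    """Adjacency lists in insertion order (keeps BFS tie-breaking deterministic)."""
    graph = {}
    for u, v in links:
        graph.setdefault(u, []).append(v)
        graph.setdefault(v, []).append(u)
    return graph


def bfs(graph, start):
    """Shortest-path tree from start: (distance dict, parent dict)."""
    dist, parent = {start: 0}, {start: None}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                parent[v] = u
                queue.append(v)
    return dist, parent


def path(parent, dst):
    """Reconstruct the BFS path ending at dst (start ... dst)."""
    nodes = []
    while dst is not None:
        nodes.append(dst)
        dst = parent[dst]
    return nodes[::-1]


def regional_ases(graph, hijacker, dest):
    """ASes that adopt the corrupt route: the hijacker is strictly closer than dest."""
    dist_h, _ = bfs(graph, hijacker)
    dist_d, _ = bfs(graph, dest)
    return {x for x in graph
            if x not in (hijacker, dest) and dist_h.get(x, 10**9) < dist_d.get(x, 10**9)}


def reflector_set(graph, src, dest, hijacker, all_hijackers):
    """Reflectors for one hijacker: clean AS R with clean S->R and R->D paths."""
    polluted = regional_ases(graph, hijacker, dest)
    _, from_src = bfs(graph, src)
    reflectors = set()
    for r in graph:
        if r in (src, dest) or r in all_hijackers or r in polluted or r not in from_src:
            continue
        leg_src_to_r = path(from_src, r)[1:]          # drop src itself
        _, from_r = bfs(graph, r)
        if dest not in from_r:
            continue
        leg_r_to_dest = path(from_r, dest)[:-1]       # drop dest itself
        if polluted.isdisjoint(leg_src_to_r) and polluted.isdisjoint(leg_r_to_dest):
            reflectors.add(r)
    return reflectors


def common_reflectors(graph, src, dest, hijackers):
    """Reflectors that work whichever of the candidate ASes turns out to be the hijacker."""
    sets = [reflector_set(graph, src, dest, h, set(hijackers)) for h in hijackers]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    g = build_graph(LINKS)
    for h in ("H", "H2"):
        print(h, "pollutes", sorted(regional_ases(g, h, "D")),
              "-> reflectors", sorted(reflector_set(g, "S", "D", h, {"H", "H2"})))
    print("common reflectors:", sorted(common_reflectors(g, "S", "D", ["H", "H2"])))
```

    On the constructed topology, H pollutes A, S and R2 and H2 pollutes B and S, so the reflectors usable in either case are R3 and R4. In real BGP, "adopts the corrupt path" depends on local preference and AS-path length per AS, not just hop count; the shortest-path model above is only the standard simplification.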
  • Patent number: 8769260
    Abstract: Encryption of message content of an e-mail sent by way of a webmail service may be performed in response to activation of a user interface element. The message content may be encrypted using a symmetric key. A public key of a recipient of the e-mail is received from a backend service and employed to encrypt the symmetric key. The encrypted symmetric key and encrypted message content are sent to a recipient by way of the webmail service. Decryption of the encrypted message content may be performed in response to activation of another user interface element. A private key of the recipient is received from the backend service and employed to decrypt the encrypted symmetric key. The symmetric key is thereafter employed to decrypt the encrypted message content.
    Type: Grant
    Filed: April 10, 2012
    Date of Patent: July 1, 2014
    Assignee: Trend Micro Incorporated
    Inventors: Philip Kwan, Michael Harry Palmer
  • Patent number: 8767958
    Abstract: A secure, open-air communication system utilizes a plurality of "decoy" data signals to hide one or more true data signals. The true data signal(s) are channel hopped with the plurality of decoy data signals to form a multi-channel "scrambled" output signal that is thereafter transmitted in an open-air communication system. The greater the number of decoy signals, the greater the security provided to the open-air system. Further security may be provided by encrypting both the true and decoy signals prior to scrambling and/or by utilizing a spatially diverse set of transmitters and receivers. Without the knowledge of the channel assignment(s) for the true signal(s), an eavesdropper may be able to intercept (and, with time, perhaps descramble) the open-air transmitted signals, but will not be able to distinguish the true data from the decoys without also knowing the channel assignment(s).
    Type: Grant
    Filed: September 3, 2012
    Date of Patent: July 1, 2014
    Assignee: AT&T Intellectual Property II, LP
    Inventors: David M. Britz, Robert Raymond Miller, II, Nemmara K. Shankaranarayanan
  • Patent number: 8769629
    Abstract: In one embodiment, a method includes receiving authorization data at a local node of a network. The authorization data indicates a particular network address of a different node in the network and an authenticated user ID of a user of the different node. Resource profile data is retrieved based on the user ID. The resource profile data indicates all application layer resources on the network that the user is allowed to access. The particular network address is associated at the local node with the resource profile data for the user. A request from the particular network address for a requested application layer resource on the network is blocked based on the resource profile data associated with the particular network address.
    Type: Grant
    Filed: May 7, 2012
    Date of Patent: July 1, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Kevin Shatzkamer, Christopher C. O'Rourke, Richard Alan Galatioto
  • Patent number: 8769615
    Abstract: Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A breakout component in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. These services may require the use of keys. Keys are stored and retrieved from a non-volatile key storage in a way that assures subsystems that need the keys have access to the keys. The keys retrieved from the non-volatile key storage are stored in a shared memory in the requesting subsystem, which allows any application that requires access to the keys to directly access the keys in the shared memory.
    Type: Grant
    Filed: December 19, 2011
    Date of Patent: July 1, 2014
    Assignee: International Business Machines Corporation
    Inventors: Ronald L. Billau, Vincenzo V. Di Luoffo, Philip E. Grady, George W. Van Leeuwen
  • Patent number: 8769262
    Abstract: For establishing a VPN connection of the call-back type, a VPN server establishes an always-on connection through a unique protocol different from the electronic mail delivery system. A client generates client authentication data used for the client authentication implemented by the VPN server, and connects to the relay server through the unique protocol to transmit the client authentication data. The relay server device relays the client authentication data to the VPN server through the unique protocol. The VPN server implements the client authentication based on the relayed data. The VPN server establishes the VPN connection with the client based on the result of the authentication.
    Type: Grant
    Filed: March 1, 2010
    Date of Patent: July 1, 2014
    Assignee: NEC Corporation
    Inventor: Atsushi Nagata
  • Patent number: 8769639
    Abstract: Some embodiments of the invention are directed to increasing security and lowering risk of attack in connecting automatically to networks by enabling client devices to verify the identity of the networks by, for example, confirming the identity of networks and network components such as wireless access points. In some embodiments, a client device may maintain a data store of characteristics of a network—including, for example, characteristics of a wireless access point or other portion of the network and/or characteristics of a connection previously established with the wireless access point and/or network. Stored characteristics may include characteristics other than those minimally necessary to identify a wireless access point and/or wireless network.
    Type: Grant
    Filed: February 19, 2008
    Date of Patent: July 1, 2014
    Assignee: Microsoft Corporation
    Inventors: Bill Begorre, Deon C. Brewis, Alok Sinha
  • Patent number: 8762706
    Abstract: Systems, methods and a computer program product for facilitating multi-level communications within a computer system provide for generating while using a first network component a network data packet including a code within a field other than a payload field. The code corresponds with a coded communication within a library of coded communications. The network data packet is transmitted from the first network component to a designated second network component connected to the first network component that reads the code and selects the coded communication from the library of coded communications that corresponds with the code. The selected coded communication is then transmitted from the designated second network component to an intended recipient. The systems, methods and computer program product are applicable within the context of generalized computer systems, as well as restricted access computer systems.
    Type: Grant
    Filed: April 11, 2011
    Date of Patent: June 24, 2014
    Assignee: International Business Machines Corporation
    Inventor: Johan Jozef K. Van Mengsel
  • Patent number: 8761827
    Abstract: Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A breakout component in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. The breakout component includes a service interface that performs primary control by one system, and backup control by a different system.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: June 24, 2014
    Assignee: International Business Machines Corporation
    Inventors: William F. Berg, Michael T. Kalmbach, Scott A. Liebl, Mark D. Schroeder
  • Patent number: 8762725
    Abstract: A task list server supports secure asynchronous communications between both a workstation and one or more machines. The task list server stores requests and responses initiated by either side and establishes secure communication channels used to forward the data between parties. The communication between workstation and machine may be delayed by hours or even days, depending on the work schedule and network access of both the workstation operator and machine. The machine may process requests in order from highest priority to lowest priority and from oldest to newest. Public key encryption may be used to establish secure channels between the task list server and the workstation or the one or more machines using a combination of certificate authorities including both manufacturers and owner/operators.
    Type: Grant
    Filed: October 19, 2012
    Date of Patent: June 24, 2014
    Assignee: Caterpillar Inc.
    Inventors: Caleb M. Jorden, Robert F. Schulz
  • Patent number: 8761396
    Abstract: A system and method for securing data for redirecting and transporting over a wireless network are generally described herein. In accordance with some embodiments, when it is determined that an electronic message that is protected with a first encryption algorithm is to be transported over a wireless network to a wireless device, the electronic message is converted to a data structure that is recognizable by the wireless device and the data structure is encrypted with a second encryption algorithm using a random session key. The second encryption algorithm has a stronger security than the first encryption algorithm. The random session key is encrypted with a public key and packets that comprise the encrypted data structure and the encrypted random session key are transmitted to the wireless device over the wireless network.
    Type: Grant
    Filed: January 20, 2012
    Date of Patent: June 24, 2014
    Assignee: BlackBerry Limited
    Inventors: Herbert A. Little, Michael K. Brown, Jonathan F. Hammell, Michael S. Brown, Michael G. Kirkup, Neil P. Adams
  • Patent number: 8763147
    Abstract: A data security manager in a multi-nodal environment enforces processing constraints stored as security relationships that control how different pieces of a multi-nodal application (called execution units) are allowed to execute to ensure data security. The security manager preferably checks the security relationships for security violations when new execution units start execution, when data moves to or from an execution unit, and when an execution unit requests external services. Where the security manager determines there is a security violation based on the security relationships, the security manager may move, delay or kill an execution unit to maintain data security.
    Type: Grant
    Filed: November 14, 2012
    Date of Patent: June 24, 2014
    Assignee: International Business Machines Corporation
    Inventors: Michael J. Branson, John M. Santosuosso
  • Publication number: 20140173271
    Abstract: Technologies for establishing and managing a connection with a power line communication network include establishing a communication connection between an electronic device and a security server. A default device encryption key associated with the electronic device is changed to correspond with a new device encryption key of the security server. Thereafter, the electronic device may only join a power line communication network of a particular security server using a network membership key, which is encrypted with the device encryption key that the particular security server associates to the electronic device. The electronic device contains a circuit interrupt to interrupt a circuit of the electronic device if the electronic device is not able to successfully decrypt the network membership key.
    Type: Application
    Filed: December 14, 2012
    Publication date: June 19, 2014
    Inventors: Saurabh Dadu, Gyan Prakash
  • Publication number: 20140173272
    Abstract: A cloud storage system includes a plurality of cloud storage modules for storing and managing data and a data encryption processing device. The data encryption processing device includes a priority manager for managing priorities on encrypting data of a plurality of cloud storage modules by using information on whether encryption processing for each of the plurality of the cloud storage modules is supported; and an encryption requester for selecting at least one cloud storage module on the basis of the priorities managed by the priority manager when receiving a request for data encryption, and performing, by the selected at least one cloud storage module, encryption after delivering the data to the selected cloud storage module.
    Type: Application
    Filed: September 6, 2013
    Publication date: June 19, 2014
    Applicant: SK Telecom Co., Ltd.
    Inventor: Seung Min KIM
  • Patent number: 8756412
    Abstract: A method includes synchronizing a first gateway with information from a second gateway. The second gateway operates in a primary role with at least one primary network address. The second gateway communicates with at least one wireless device that uses at least one encryption key during at least one secure communication session. The information includes the at least one encryption key. The method also includes detecting a switchover event at the first gateway. The method further includes, in response to detecting the switchover event, switching the first gateway to the primary role, communicating using the at least one primary network address, and maintaining the at least one secure communication session at the first gateway after the first gateway switches to the primary role.
    Type: Grant
    Filed: April 16, 2010
    Date of Patent: June 17, 2014
    Assignee: Honeywell International Inc.
    Inventors: Christopher Pulini, Norman R. Swanson, Alexander Chernoguzov, Niral B. Sanghavi, Channabasavaraj Raravi, Karthikeya S. Ramanathan
  • Patent number: 8755522
    Abstract: Approaches for combining different information to be transmitted into different slices of a data packet and/or encrypting the slices using different cryptographic schemes for secure transmission of the information are disclosed. In some implementations, first information and second information may be received. A first data slice representing a portion of the first information may be generated based on a first cryptographic scheme. A second data slice representing a portion of the second information may be generated based on a second cryptographic scheme different than the first cryptographic scheme. A first header may be generated such that the first header may specify the first cryptographic scheme for the first data slice and the second cryptographic scheme for the second data slice. A first data packet may be generated such that the first data packet may include the first header, the first data slice, and the second data slice.
    Type: Grant
    Filed: August 16, 2013
    Date of Patent: June 17, 2014
    Assignee: Luminal, Inc.
    Inventors: Josha Stella, Dominic Zippilli, Matthew Brinkman
  • Patent number: 8756337
    Abstract: Deep packet inspection is performed on packets in a network intrusion prevention system. A processing priority may be assigned to a packet based on characteristics such as the protocol type of the packet. Higher-priority packets may be processed before lower-priority packets or otherwise given preferential processing treatment. Deep packet inspection may be performed on the packet, and the processing priority of the packet may be changed based on the amount of time required to complete inspection of the packet. For example, the processing priority of the packet may be lowered if inspection of the packet takes longer than a predetermined time threshold. Furthermore, inspection of such packets may be suspended and either terminated or resumed at a subsequent time.
    Type: Grant
    Filed: July 31, 2008
    Date of Patent: June 17, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Rodney S. Canion, Alexander I. Tomlinson
  • Patent number: 8756689
    Abstract: In an input/output virtualization-enabled computing environment, a device, method, and system for securely handling virtual function driver communications with a physical function driver of a computing device includes maintaining communication profiles for virtual function drivers and applying the communication profiles to communications from the virtual function drivers to the physical function driver, to determine whether the communications present a security and/or performance condition. The device, method and system may disable a virtual function driver if a security and/or performance condition is detected.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: June 17, 2014
    Assignee: Intel Corporation
    Inventors: Nrupal R. Jani, Shannon L. Nelson, Gregory D. Cummings
  • Publication number: 20140164760
    Abstract: Methods and apparatus for ensuring protection of transferred content. In one embodiment, content is transferred while enabling a network operator (e.g., MSO) to control and change rights and restrictions at any time, and irrespective of subsequent transfers. This is accomplished in one implementation by providing a premises device configured to receive content in a first encryption format and encoded using a first codec, with an ability to transcrypt and/or transcode the content into an encryption format and encoding format compatible with a device which requests the content therefrom (e.g., from PowerKey/MPEG-2 content to DRM/MPEG-4 content). The premises device uses the same content key to encrypt the content as is used by the requesting device to decrypt the content.
    Type: Application
    Filed: December 10, 2012
    Publication date: June 12, 2014
    Applicant: Time Warner Cable Inc.
    Inventor: Eric Hybertson
  • Patent number: 8751799
    Abstract: Methods and systems for enabling content to be securely and conveniently distributed to authorized users are provided. More particularly, content is maintained in encrypted form on sending and receiving devices, and during transport. In addition, policies related to the use of, access to, and distribution of content can be enforced. Features are also provided for controlling the release of information related to users. The distribution and control of contents can be performed in association with a client application that presents content and that manages keys.
    Type: Grant
    Filed: April 22, 2011
    Date of Patent: June 10, 2014
    Assignee: Absio Corporation
    Inventors: Mitchell J. Tanenbaum, Daniel L. Kruger
  • Patent number: 8750511
    Abstract: A wireless mesh network includes a plurality of nodes to which a device key is assigned. The device key belongs to one of a plurality of groups. In a root node, a correspondence relationship between the nodes and the device key thereof, and a correspondence relationship between past join nodes and a device key thereof, are stored. When a new node in the wireless mesh network is detected as a past join node, the device key assigned to the past join node is assigned to the new node again. When the new node is not the past join node, a new device key is assigned to the new node. A cipher text is generated by encrypting a message using device keys assigned to the nodes and the new node. The fewer the groups to which the device keys belong, the smaller the size of the cipher text.
    Type: Grant
    Filed: September 13, 2011
    Date of Patent: June 10, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yasuyuki Tanaka, Yoshihiro Oba, Shinji Yamanaka
  • Patent number: 8751806
    Abstract: A method and apparatus to authenticate limited processing-power systems (LPPS) using elliptic cryptography within a well known elliptic curve E, over a well known finite field F (E(F)). The apparatus comprises a random number generator to choose a random value b, of a similar order of magnitude to the order of E(F). The apparatus further comprises a challenge calculator to calculate a value C=bP and send the challenge to the LPPS, where P is a point on the elliptic curve E(F) which was used as a basis for generating a private key, a, for the LPPS. The apparatus further comprising an RFID reader to receive a challenge response, R=aC=abP from the LPPS, and a crypto calculator to calculate bQ, based on a public key, Q, of the LPPS. The apparatus further comprising a comparison logic to authenticate the LPPS if bQ=aC=abP.
    Type: Grant
    Filed: January 11, 2012
    Date of Patent: June 10, 2014
    Assignee: Symantec Corporation
    Inventors: Joseph A. Adler, David M'Raihi
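The exchange in the abstract above, worked through in Python as an added example (this is not code from the patent or from Symantec). It uses the textbook toy curve y^2 = x^3 + 2x + 2 over F_17 with base point P = (5, 1), small enough to check by hand, and the function names, the brute-force order computation and the on-curve check on the tag side are additions for illustration. That on-curve check is standard practice for any device that multiplies a received point by a long-term secret; the abstract does not specify it either way.

```python
import secrets

# Constructed toy curve for illustration only: y^2 = x^3 + 2x + 2 over F_17,
# base point P = (5, 1). Real deployments use a standardised 256-bit curve.
P_MOD = 17
A, B = 2, 2
BASE = (5, 1)          # 1^2 = 1 = 5^3 + 2*5 + 2 mod 17, so it is on the curve
INF = None             # point at infinity (group identity)


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    """Affine addition on E(F_p); handles the identity and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add (not constant time; fine for a toy curve)."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    """Smallest n > 0 with n*pt = INF, by brute force (toy sizes only)."""
    n, cur = 1, pt
    while cur is not INF:
        cur = point_add(cur, pt)
        n += 1
    return n


ORDER = point_order(BASE)   # order of P; private scalars live in [1, ORDER-1]


# --- Tag (limited processing-power system) side ---------------------------

def tag_keygen(a=None):
    """Private scalar a and public key Q = aP."""
    a = a or secrets.randbelow(ORDER - 1) + 1
    return a, scalar_mult(a, BASE)


def tag_respond(a, challenge):
    """R = aC. The tag validates C first: an off-curve or identity challenge
    is rejected rather than multiplied by the long-term secret."""
    if challenge is INF or not is_on_curve(challenge):
        raise ValueError("invalid challenge point")
    return scalar_mult(a, challenge)


# --- Reader side -----------------------------------------------------------

def reader_challenge(b=None):
    """Fresh random b and C = bP; b must not be reused across sessions."""
    b = b or secrets.randbelow(ORDER - 1) + 1
    return b, scalar_mult(b, BASE)


def reader_verify(b, Q, response):
    """Accept iff R == bQ, i.e. abP == baP."""
    if response is INF or not is_on_curve(response):
        return False
    return response == scalar_mult(b, Q)


def run_handshake(a=None, b=None):
    """One complete exchange; returns (Q, C, R, accepted)."""
    a, Q = tag_keygen(a)
    b, C = reader_challenge(b)
    R = tag_respond(a, C)
    return Q, C, R, reader_verify(b, Q, R)
```

The reader never learns a and the tag never learns b; each side does one scalar multiplication with its own secret and the check reduces to commutativity of the scalars. Because b is fresh per challenge, a recorded response R cannot be replayed against a later challenge.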
  • Patent number: 8752208
    Abstract: The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, a digest is computed based on the content of an HTTP response message. The message is modified and sent to a client device that also computes a digest. The digests are compared to determine whether content has been modified by malware on the HTTP client. The results of the test are analyzed and defensive measures are taken.
    Type: Grant
    Filed: March 23, 2012
    Date of Patent: June 10, 2014
    Assignee: Imperva Inc.
    Inventors: Amichai Shulman, Tal Arieh Be'ery
  • Patent number: 8752175
    Abstract: The current invention discloses a method and apparatus to detect and mitigate network intrusion by collecting a first log of wireless network traffic in the vicinity of an area and a second log of network traffic from a switch port connected to the area; pre-processing the logs; and then detecting the presence of unauthorized access points (APs) by attempting to identify matching patterns in the pre-processed first and second logs.
    Type: Grant
    Filed: October 31, 2008
    Date of Patent: June 10, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Richard H. Porter
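As an added example of the correlation step (not code from the patent or from Hewlett-Packard), the Python below takes two constructed logs, a wireless sniffer log and a switch-port log, pre-processes them into records, and flags a BSSID as a rogue AP when the MAC addresses of its wireless clients also appear as source addresses on a wired port within a short time window. The log format, field names, the five-second window and the authorized-BSSID list are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real captures). Wireless side: frames heard by a
# sniffer near the area. Wired side: frames seen on the switch ports serving it.
WIRELESS_LOG = """\
2014-06-10T10:00:01 bssid=00:11:22:33:44:55 ssid=CorpWiFi client=aa:bb:cc:dd:ee:01
2014-06-10T10:00:03 bssid=de:ad:be:ef:00:01 ssid=linksys client=aa:bb:cc:dd:ee:02
2014-06-10T10:00:04 bssid=de:ad:be:ef:00:01 ssid=linksys client=aa:bb:cc:dd:ee:03
2014-06-10T10:05:00 bssid=00:11:22:33:44:55 ssid=CorpWiFi client=aa:bb:cc:dd:ee:04
"""

WIRED_LOG = """\
2014-06-10T10:00:02 port=Gi1/0/7 src=aa:bb:cc:dd:ee:02 dst=00:50:56:00:00:10
2014-06-10T10:00:05 port=Gi1/0/7 src=aa:bb:cc:dd:ee:03 dst=00:50:56:00:00:10
2014-06-10T10:00:06 port=Gi1/0/9 src=aa:bb:cc:dd:ee:01 dst=00:50:56:00:00:10
2014-06-10T10:30:00 port=Gi1/0/12 src=aa:bb:cc:dd:ee:04 dst=00:50:56:00:00:10
"""

AUTHORIZED_BSSIDS = {"00:11:22:33:44:55"}   # assumed inventory of sanctioned APs
MAC_FIELDS = {"bssid", "client", "src", "dst"}


def parse_log(text):
    """Pre-process: one dict per line, ISO timestamp parsed, MACs normalised."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = value.lower() if key in MAC_FIELDS else value
        records.append(rec)
    return records


def correlate(wireless_text, wired_text, window_s=5):
    """Match each wireless client MAC against wired source MACs seen within
    `window_s` seconds. Returns {bssid: {"ssid", "ports", "clients"}}."""
    wired_by_mac = defaultdict(list)
    for rec in parse_log(wired_text):
        wired_by_mac[rec["src"]].append(rec)

    matches = {}
    for w in parse_log(wireless_text):
        for s in wired_by_mac.get(w["client"], ()):
            if abs((s["ts"] - w["ts"]).total_seconds()) <= window_s:
                entry = matches.setdefault(
                    w["bssid"], {"ssid": w["ssid"], "ports": set(), "clients": set()})
                entry["ports"].add(s["port"])
                entry["clients"].add(w["client"])
    return matches


def detect_rogue_aps(wireless_text, wired_text, authorized, window_s=5):
    """A BSSID whose wireless clients also show up on a wired port is an AP
    bridging onto that port; if it is not a sanctioned AP, report it with
    the port(s) to shut down and the clients that used it."""
    return {bssid: info
            for bssid, info in correlate(wireless_text, wired_text, window_s).items()
            if bssid not in authorized}
```

Two details carry the signal. The sanctioned AP correlates too (its clients reach the wire through its uplink on Gi1/0/9), which is why matches are filtered against the authorized inventory rather than reported outright. The time window is what separates a bridge from a coincidence: client ee:04 is heard on Wi-Fi at 10:05 and on the wire at 10:30, the pattern of a laptop that later docked, and is correctly left out.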
  • Patent number: 8751790
    Abstract: A data transfer method performed at a proxy server includes intercepting a data request from a client computer that is directed to a target server, encrypting profile information, augmenting the data request by adding the encrypted profile information to the data request, and sending the augmented data request to the target server. A data transfer method that is performed at an information server includes receiving a data request from a proxy server, extracting profile information added to the data request by the proxy server, using the extracted profile information to generate a response, and sending the response to the proxy server.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: June 10, 2014
    Assignee: Facebook, Inc.
    Inventors: Larry T. Harada, Mark A. Dolecki, Christopher S Purdum, C. Hudson Hendren, III
  • Patent number: 8751789
    Abstract: A general purpose distributed encrypted file system generates a block key on a client machine. The client machine encrypts a file using the block key. Then, the client encrypts the block key on the first client machine with a public key of a keystore associated with a user and associates the encrypted block key with the encrypted data block as crypto metadata. The client machine caches the encrypted data block and the crypto metadata and sends the encrypted data block and the crypto metadata to a network file system server. When the client machine receives a return code from the network file system server indicating successful writes of the encrypted data block and the crypto metadata, the client machine clears the cached encrypted data block and the crypto metadata.
    Type: Grant
    Filed: September 17, 2010
    Date of Patent: June 10, 2014
    Assignee: International Business Machines Corporation
    Inventors: Hussaina Nandyala Begum, Shawn Patrick Mullen, Manjunath A. Pattanshetti
  • Publication number: 20140157042
    Abstract: Methods and systems for load balancing and failover among gateway devices are disclosed. One method provides for assigning communication transaction handling to a gateway. The method includes receiving a request for a license from a computing device at a control gateway within a group of gateway devices including a plurality of gateway devices configured to support communication of cryptographically split data. The method also includes assigning communications from the computing device to one of the plurality of gateway devices based on a load balancing algorithm, and routing the communication request to the assigned gateway device.
    Type: Application
    Filed: November 30, 2012
    Publication date: June 5, 2014
    Inventors: Robert A. Johnson, Kathleen Wild, Gerald Quammen
  • Patent number: 8745728
    Abstract: Methods, apparatus, systems and computer program products are described and claimed that provide for automatically and positively determining that an associate accessing a business domain/application using an application-specific associate identifier is the same associate that is accessing another business domain/application using another application-specific associate identifier. Once the positive determination of same associate is made, a federated identifier key is generated and applied to all of the platforms in which the associate can be positively identified, so as to globally identify the associates across multiple enterprise-wide domains/applications. As such, the present invention eliminates the need to manually analyze associate data to determine if an associate interfacing with one domain/application is the same associate interfacing with another domain/application.
    Type: Grant
    Filed: May 10, 2012
    Date of Patent: June 3, 2014
    Assignee: Bank of America Corporation
    Inventors: Rangarajan Umamaheswaran, Bruce Wyatt Englar, Brett A. Nielson, Miroslav Halas
  • Patent number: 8745373
    Abstract: An information handling system including a receiver for inbound data destined for delivery to a network node, an encryption recognition engine operable to identify whether the inbound data received by the receiver is encrypted and an encryption policy application engine operable to apply encryption policy to the inbound data on the basis of encryption properties identified by the encryption recognition engine in the inbound data. The system may further include an encryption engine operable to selectively encrypt the inbound data on the basis of the encryption policy as applied by the encryption policy application engine and a packet delivery engine operable to deliver the inbound data to its destination.
    Type: Grant
    Filed: April 23, 2008
    Date of Patent: June 3, 2014
    Assignee: Dell Products L.P.
    Inventors: Frank Howard Molsberry, Robert L. Winter
  • Patent number: 8745374
    Abstract: A method of sending protected data from a sender unit to a receiver unit via an intermediate unit. The intermediate unit stores information associated with a certificate belonging to the receiver unit, and information associated with a certificate belonging to the intermediate unit, which has previously been signed by the receiver unit. The intermediate unit receives a request from the sender unit to send protected data to the receiver unit, and so it sends a response to the sender unit. The response includes the information associated with the certificate belonging to the receiver unit, which allows the sender unit to verify that the intermediate unit is authorized to receive data on behalf of the receiver unit. The intermediate unit then receives data from the sender unit that is protected using the information associated with the certificate belonging to the receiver unit for subsequent forwarding to the receiver unit.
    Type: Grant
    Filed: October 1, 2009
    Date of Patent: June 3, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Rolf Blom, Fredrik Lindholm, John Mattsson
  • Publication number: 20140149733
    Abstract: A system encrypts a name of content stored in a node of a hierarchical structure. A content receiving node encrypts a name of a predetermined node among names of nodes included in a content name, such as by using a hash function, and transmits the encrypted content name to receive the stored content. A relay node receives the content name including the encrypted name of the node and decrypts the encrypted name of the node, such as by using a reference table. The relay node uses the decrypted node name to relay the content request to the content storage node. Since the content name is encrypted, content routing may be performed without disclosing information associated with a hierarchical structure in which the content is stored.
    Type: Application
    Filed: November 13, 2013
    Publication date: May 29, 2014
    Applicant: SAMSUNG ELECTRONICS CO., LTD.
    Inventor: Dae Youb KIM
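An added Python sketch of the name-hiding and relay-side resolution described above (not code from the publication or from Samsung). The requesting node hides one component of a hierarchical content name with a keyed hash, and the relay resolves it through a reference table it built from the components it knows. The shared key, the `h:` marker, the table-building step and the behaviour for unknown components are assumptions for the example; the publication only says "such as by using a hash function" and "such as by using a reference table".

```python
import hashlib
import hmac

# Constructed secret shared by the requesting node and the relay. With a bare
# (unkeyed) hash, any observer could rebuild the table from a word list and
# recover the hidden component offline; HMAC ties guesses to key holders.
RELAY_KEY = b"constructed-relay-key"
MARK = "h:"   # assumed marker so the relay can tell hidden components apart


def hide_component(component, key=RELAY_KEY):
    """Keyed hash of a single name component (truncated for readability)."""
    return MARK + hmac.new(key, component.encode(), hashlib.sha256).hexdigest()[:16]


def obfuscate_name(name, hide_depth, key=RELAY_KEY):
    """Content receiving node: hide the component at `hide_depth`, keeping the
    rest of the path routable as-is."""
    parts = name.strip("/").split("/")
    if not 0 <= hide_depth < len(parts):
        raise ValueError("hide_depth outside the name")
    parts[hide_depth] = hide_component(parts[hide_depth], key)
    return "/" + "/".join(parts)


def build_reference_table(known_components, key=RELAY_KEY):
    """Relay: map hashed component -> plaintext for the names it serves."""
    return {hide_component(c, key): c for c in known_components}


def resolve_name(obfuscated, table):
    """Relay: replace every hidden component it can resolve. Returns the
    resolved name and the list of hidden components it could not resolve."""
    resolved, unresolved = [], []
    for part in obfuscated.strip("/").split("/"):
        if part.startswith(MARK):
            if part in table:
                resolved.append(table[part])
            else:
                unresolved.append(part)
                resolved.append(part)
        else:
            resolved.append(part)
    return "/" + "/".join(resolved), unresolved


def route_request(obfuscated, table, content_store):
    """Relay: forward only fully resolved names; an unresolvable component
    means this relay is not the right one (or lacks the key), so return None."""
    name, unresolved = resolve_name(obfuscated, table)
    if unresolved:
        return None
    return content_store.get(name)
```

The design point to keep in view: hashing hides the component from nodes that lack the table, but the table is exactly a precomputed dictionary, so the hash needs a key (or at least a salt the observer lacks) for the hiding to mean anything against a party that can enumerate likely component names.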
  • Patent number: 8738532
    Abstract: Consumers may utilize computing devices to assist in the purchase and/or loyalty process, and in particular, the consumer may utilize a PDA to facilitate the purchase and/or loyalty process. During the purchase and/or loyalty process, the consumer may need to ensure that any content downloaded or used in association with the PDA is secure in how it is collected, assembled, and delivered to the PDA device. This system and method secures the data from its source to when it is actually viewed or used by the authorized user. The exemplary system and method may establish a PDA portal link to the web site for collecting specified information for a user and transmitting the information to the remote device. To receive the information, the PDA contacts the portal and establishes a connection, authenticates itself to the network and allows the user to complete secured transactions or transmissions over the network.
    Type: Grant
    Filed: July 13, 2011
    Date of Patent: May 27, 2014
    Assignee: Propulsion Remote Holdings, LLC
    Inventors: Fauziah B. Ariff, Fred Bishop, Trey Neemann, Theodore S. Voltmer
  • Publication number: 20140143536
    Abstract: A method includes identifying a suspect node of a network. The method also includes initiating formation of a sub-network of the network by identifying neighbor nodes of the suspect node and sending an invitation message to a first neighbor node to invite the first neighbor node to the sub-network. The invitation message is encrypted using a first encryption key associated with the first neighbor node. The invitation message is not sent to a second node that is identified as a neighbor node only by the suspect node. The sub-network is configured to enable first communications between members of the sub-network. The first communications are communicated in a manner that is secured against access by the suspect node. Subsequent to formation of the sub-network, second communications between the suspect node and a device of the network are routed to or through at least one of the members of the sub-network.
    Type: Application
    Filed: November 11, 2013
    Publication date: May 22, 2014
    Applicant: The Boeing Company
    Inventors: Gavin D. Holland, Karim M. El Defrawy
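To make the membership rule concrete, here is an added Python example (not the publication's code and not Boeing's). Each node's neighbor report is a constructed dict; a neighbor of the suspect is invited only when that neighbor itself reports the suspect, so a node that only the suspect claims ("X") gets no invitation. Each invitation is sealed under the invitee's own pre-shared key so the suspect cannot read it; the keyed SHA-256 counter stream with an HMAC tag stands in for whatever cipher a deployment actually uses and is illustrative, not a recommendation. The relay-selection rule at the end is one reasonable reading of "routed to or through at least one of the members" and is my assumption.

```python
import hashlib
import hmac
import json
import os

# Constructed neighbour reports (not from the publication): each node lists
# who it hears. "X" is named only by the suspect S and may not exist at all.
REPORTS = {
    "A": ["B", "C", "S"],
    "B": ["A", "D", "S"],
    "C": ["A", "S"],
    "D": ["B"],
    "S": ["A", "B", "C", "X"],
}

# Per-node pre-shared keys, constructed for the example.
NODE_KEYS = {n: hashlib.sha256(b"demo-key-" + n.encode()).digest() for n in "ABCDX"}


def corroborated_neighbors(reports, suspect):
    """Neighbours of `suspect` whose adjacency is attested by the neighbour
    itself; nodes that only the suspect names are excluded."""
    invited = {n for n, nbrs in reports.items() if n != suspect and suspect in nbrs}
    excluded = set(reports.get(suspect, ())) - invited
    return invited, excluded


def _subkeys(key):
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC with a SHA-256 counter keystream (illustrative only;
    use a real AEAD such as AES-GCM or ChaCha20-Poly1305 in practice)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_invitations(reports, suspect, node_keys):
    """One invitation per corroborated neighbour, sealed under that node's key."""
    members, _ = corroborated_neighbors(reports, suspect)
    msg = {"type": "subnet-invite", "suspect": suspect, "members": sorted(members)}
    body = json.dumps(msg).encode()
    return {n: seal(node_keys[n], body) for n in sorted(members)}


def decode_invitation(key, blob):
    """Invitee side: the invitation dict, or None if the tag fails (wrong key
    or tampering), so a sibling's or the suspect's key opens nothing."""
    try:
        return json.loads(unseal(key, blob))
    except ValueError:
        return None


def choose_relay(reports, members, dst):
    """After formation, traffic from the suspect towards `dst` goes through a
    member; prefer one that reports `dst` as a direct neighbour."""
    adjacent = [m for m in sorted(members) if dst in reports.get(m, ())]
    return adjacent[0] if adjacent else sorted(members)[0]
```

The exclusion of "X" is the part that matters operationally: if the suspect could populate the sub-network with nodes only it vouches for, it would simply be inside the enclosure built to contain it.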
  • Patent number: 8732453
    Abstract: An apparatus for relaying a hashed message from a first node to a second node, comprising an inlet interface for receiving a message from the first node, a hash number calculator for hashing the message from the inlet interface, an outlet interface for sending the hashed message to the second node, a first one-way data link for unidirectional transfer from the inlet interface to the hash number calculator, and a second one-way data link for unidirectional transfer from the hash number calculator to the outlet interface, is provided. The apparatus provides a secure mechanism and communication channel for relaying hashed acknowledgment messages from a receive node to a send node to report the status of the data transfer from the send node to the receive node across a one-way data link. The apparatus may be further implemented with the capability of comparing hashed messages from the two nodes.
    Type: Grant
    Filed: July 14, 2011
    Date of Patent: May 20, 2014
    Assignee: Owl Computing Technologies, Inc.
    Inventors: Ronald Mraz, James Hope, Jeffrey Menoher
  • Patent number: 8732451
    Abstract: As provided herein, when using an untrusted network connection, a secure online environment can be created for a remote machine by connecting to a trusted computer with a trusted network connection. A proxy server is installed on a first computing device and shared encryption keys are generated for the first device and a portable storage device. A connection is initiated between a second computing device (e.g., remote device), connected to an untrusted network, and the first computing device, comprising initiating a proxy server protocol from the portable storage device (e.g., attached to the second device), using the second computing device. A secure connection between the first and second devices is created using the encryption keys.
    Type: Grant
    Filed: May 20, 2009
    Date of Patent: May 20, 2014
    Assignee: Microsoft Corporation
    Inventors: Rajesh Viswanathan, David J. Steeves
  • Patent number: 8732452
    Abstract: An email security system is described that allows users within different organizations to securely send email to one another. The email security system provides a federation server on the Internet or other unsecured network accessible by each of the organizations. Each organization provides identity information to the federation server. When a sender in one organization sends a message to a recipient in another organization, the federation server provides the sender's email server with a secure token for encrypting the message to provide secure delivery over the unsecured network.
    Type: Grant
    Filed: June 23, 2008
    Date of Patent: May 20, 2014
    Assignee: Microsoft Corporation
    Inventors: Frank Byrum, Mayank Mehta, Chandresh Jain, Ladislau Conceicao, Brian Kress, Greg Gourevitch, Michael Nelte, Chris Barnes
  • Patent number: 8732454
    Abstract: A key setting method executed by a node transmitting and receiving a packet through multi-hop communication in an ad-hoc network among ad-hoc networks, includes receiving a packet encrypted using a key specific to a gateway and simultaneously reported from the gateway in the ad-hoc network; detecting a connection with a mobile terminal capable of communicating with a server retaining a key specific to a gateway in each ad-hoc network among the ad-hoc networks; transmitting to the server, via the mobile terminal and when a connection with the mobile terminal is detected, the encrypted packet received; receiving from the server and via the mobile terminal, a key specific to a gateway in the ad-hoc network and for decrypting the encrypted packet transmitted; and setting the received key specific to the gateway in the ad-hoc network as the key for encrypting the packet.
    Type: Grant
    Filed: January 23, 2013
    Date of Patent: May 20, 2014
    Assignee: Fujitsu Limited
    Inventors: Kazuyoshi Furukawa, Hisashi Kojima, Masahiko Takenaka, Tetsuya Izu
  • Publication number: 20140136835
    Abstract: A computer network (10) comprises a private network (20). At least one interface (40) is connected to the private network (20) and configured to encrypt, with a first encryption key, data that is leaving the private network (20). A compliance check apparatus (70) includes at least one interface (60) that is connected to the compliance check apparatus (70) and that is configured to decrypt data encrypted with the first encryption key that is entering the compliance check apparatus (70). The compliance check apparatus (70) is configured to check that the decrypted data complies with a first condition. At least one further interface (80) is connected to the compliance check apparatus (70) and is configured to encrypt with a second encryption key checked, decrypted data that is leaving the compliance check apparatus (70). In example embodiments of the invention, a corresponding work-flow is provided for data entering the private network (20).
    Type: Application
    Filed: May 24, 2012
    Publication date: May 15, 2014
    Applicant: Cassidian Limited
    Inventor: Martin Sharpe
  • Patent number: 8726008
    Abstract: A system and method for protecting data communications in a system including a load-balancer connected to a cluster of security network components, e.g., firewall nodes. The load-balancer transfers one or more of the data streams respectively to the security components. The security network components transmit control information to the load-balancer, and the control information includes an instruction regarding balancing load of the data streams between said components. The load-balancer balances load based on the control information. Preferably, network address translation (NAT) is performed by the load-balancer based on the control information, or NAT is performed by the security network component and the control information includes information regarding an expected connection based on NAT.
    Type: Grant
    Filed: March 28, 2012
    Date of Patent: May 13, 2014
    Assignee: Check Point Software Technologies Ltd.
    Inventors: Omer Schory, Ofer Raz, Oded Gonda