Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
- Publication number: 20120303949
  Abstract: An embodiment of the present invention provides a packet transmission method. The method includes: receiving an encrypted packet sent by a client by using a virtual private network (VPN) tunnel, wherein the encrypted packet is sent by the client after the client determines, according to a preset control policy, that the control policy comprises an Internet Protocol (IP) address and a port number that are the same as a destination IP address and a destination port number of a packet to be sent and encrypts the packet to be sent, and the control policy comprises information about an IP address and a port number of an intranet server that can exchange a packet with a security socket layer protocol (SSL) VPN server; decrypting the encrypted packet; and sending the decrypted packet to a corresponding intranet server, wherein a source IP address of the decrypted packet is an external network IP address.
  Type: Application
  Filed: July 27, 2012
  Publication date: November 29, 2012
  Applicant: Huawei Technologies Co., Ltd.
  Inventors: Bing Liu, Yejian Xu, Meng Xu, Chengjiao Nie
- Patent number: 8321676
  Abstract: Secure communications on a network. An unauthenticated client on a network sends start packets to locate other clients. The unauthenticated client receives responses to the start packets from other clients on the network. The responses may be advertise packets that are from advertising clients that may be authenticated clients or other unauthenticated clients in authenticated mode. The unauthenticated client prioritizes the received packets so that authentication can be performed with the most desirable advertising client. Authentication packets are sent and received between the unauthenticated client and the advertising client in an attempt to authenticate.
  Type: Grant
  Filed: December 21, 2009
  Date of Patent: November 27, 2012
  Assignee: Hewlett-Packard Development Company, L.P.
  Inventors: Brant D. Thomsen, Brent R. Beachem, Thomas M. Wheeler
- Patent number: 8320558
  Abstract: A computer-implemented method for synchronizing encryption of information is disclosed according to one aspect of the subject technology. The method comprises receiving a selection of one or more types of information by a user, wherein the one or more types of information are synchronized across a plurality of computing devices. The method also comprises generating an encryption status indicating that the one or more types of information selected by the user are to be encrypted, and sending the encryption status from a first one of the computing devices to a server, wherein the server distributes the encryption status to each of the other computing devices.
  Type: Grant
  Filed: February 6, 2012
  Date of Patent: November 27, 2012
  Assignee: Google Inc.
  Inventor: Nicolas Zea
- Patent number: 8321667
  Abstract: A security model is provided in a transactional logging infrastructure that is arranged as a protected subsystem built on an underlying secure file system. Files in the underlying file system used by virtual log streams are protected from direct user writes, and are written to only through the protected subsystem that is brokered by a machine-wide principal so that virtual log files sharing the same multiplexed physical log are kept secure from each other. Log file handles and user- and kernel-mode objects are exposed to log clients through interfaces using consistent security semantics for both dedicated and virtual logs. Log clients are agnostic of the underlying secure file system and can only manipulate file system containers (abstract objects that implement the physical log and are used to virtualize the file system by normalizing input/output operations) by using the interfaces brokered by the principal in the protected subsystem.
  Type: Grant
  Filed: February 28, 2007
  Date of Patent: November 27, 2012
  Assignee: Microsoft Corporation
  Inventors: Dexter P. Bradshaw, William R. Tipton, Dana Groff, Zoheb Lester Alexander Vacheri
- Patent number: 8321352
  Abstract: Various techniques for software license inventory and asset management are disclosed. A fingerprint may be generated and associated with various copies of software applications installed on a software licensee's computer systems. Upon generation, each fingerprint may be stored in a license information database system along with relevant license information for that copy of the software application. A software inventory tool may then be used to collect fingerprints on installed copies of software applications and provide these fingerprints to the license information database system to obtain the corresponding license information. The output of the software inventory tool may be used by a licensee to comply with software license agreements and/or efficiently allocate information technology resources. Methods and systems that provide and process secured, dynamic and persistent tagging of software deployments and usage are also disclosed.
  Type: Grant
  Filed: October 23, 2008
  Date of Patent: November 27, 2012
  Assignee: Symantec Corporation
  Inventors: Kannan Rameshkumar, David D. Wright
- Publication number: 20120297183
  Abstract: Techniques for non-repudiation of storage in cloud or shared storage environments are provided. A unique signature is generated within a cloud or shared storage environment for each file of the storage tenant that accesses the cloud or shared storage environment. Each signature is stored as part of the file system and every time a file is accessed that signature is verified. When a file is updated, the signature is updated as well to reflect the file update.
  Type: Application
  Filed: May 16, 2011
  Publication date: November 22, 2012
  Inventors: Prakash Umasankar Mukkara, Lloyd Leon Burch, Douglas Garry Earl
- Patent number: 8316439
  Abstract: An anti-virus system for enforcing a virus monitoring and scanning process; the anti-virus and firewall system comprises a master CPU card, a plurality of slave CPU cards and a programmable logic. The master CPU card is used for controlling the virus monitoring and scanning process and dividing the virus monitoring and scanning process into a plurality of sub-processes. The plurality of slave CPU cards are controlled by the master CPU card at a software level and a hardware level; each of the plurality of slave CPU cards receives and processes one of the plurality of sub-processes and then sends the result back to the master CPU card. The programmable logic is controlled by the master CPU card for monitoring and controlling said plurality of slave CPU cards at a hardware level.
  Type: Grant
  Filed: May 17, 2007
  Date of Patent: November 20, 2012
  Assignee: Iyuko Services L.L.C.
  Inventors: Licai Fang, Jyshyang Chen, Donghui Yang
- Patent number: 8316434
  Abstract: In accordance with the teachings herein, a wireless access point module having a plug and play feature and an auto-configuration engine may be used to provide substantial benefits to business owners, Internet service providers, and subscribers. The wireless access point module may have memory and a processor configured such that during "power-up" the processor reads instructions from memory and automatically creates a virtual private network (VPN) with a centralized access gateway via a network VPN server. In turn, the wireless access point module may utilize this VPN for subscriber communications.
  Type: Grant
  Filed: February 23, 2005
  Date of Patent: November 20, 2012
  Assignee: AT&T Intellectual Property I, L.P.
  Inventors: Rias Muhamed, Anil Kumar Doradla, David Randall Wolter
- Patent number: 8316142
  Abstract: The invention provides an external in-line device ("Subnet Box") placed between a network and an access point to achieve secure Wi-Fi communications without needing to modify the access point. The Subnet Box comprises an embedded token and will authenticate users based on pre-stored access rights. In at least one embodiment of the invention, the Subnet Box comprises: a first communications port for intercepting data packets communicated to and from a wired communications network; a second communications port for intercepting data packets communicated to and from a wireless access point, wherein the wireless access point is an edge device of the wired communications network; a database comprising a number of serial numbers each associated with a client token and a secret cryptographic key; and a processor for determining whether a computing device having a client token can access the wired communications network via the wireless access point.
  Type: Grant
  Filed: April 25, 2011
  Date of Patent: November 20, 2012
  Assignee: Koolspan, Inc.
  Inventor: Anthony C. Fascenda
- Patent number: 8316228
  Abstract: A device having an encryption module in communication with first and second communication ports may facilitate connecting to an access network, without requiring a non-secure hard drive to initiate the network access. The encryption module may define a normal mode and a bypass mode. In normal mode, data from the first port may be sent encrypted to the second port, for communicating securely in an encrypted environment. In bypass mode, data from the first port may be sent unencrypted to the second port. The data being sent may be intercepted and presented to the user for approval in a human readable format. The user may confirm that the data is appropriate for being sent unencrypted. This data may be sent unencrypted in response to a request for information (e.g., an assent to terms and conditions) from the access network, such as at a hotel or public wireless hotspot, for example.
  Type: Grant
  Filed: December 17, 2008
  Date of Patent: November 20, 2012
  Assignee: L-3 Communications Corporation
  Inventor: Richard Norman Winslow
- Patent number: 8312276
  Abstract: A network reputation system and its controlling method are provided. A credential and exchange component permits a user to generate credentials and exchange matching items with those persons having a social relationship with the user. A reputation evaluation component enables other users to make evaluations about an estimatee via the sharing of social network information. A query and response component receives a query from a person having a social relationship with the user for requesting an evaluation about the estimatee, and responds with an associated evaluation result to the person having a social relationship with the user, via the sharing of social network information and the evaluations made by the other users about the estimatee.
  Type: Grant
  Filed: March 26, 2009
  Date of Patent: November 13, 2012
  Assignee: Industrial Technology Research Institute
  Inventors: Shin-Yan Chiou, Shih-Ying Chang, Ghita Mezzour, Adrian Perrig, Hung-Min Sun
- Patent number: 8312286
  Abstract: Multiple levels of wireless network resource granting. A user who has an authorized key, e.g., an encryption key or a key indicating that they have paid for service, gets a first, better level of access to the network resources. One without the key is granted lesser access, e.g., less total bandwidth, less bandwidth speed, no access to files or the like.
  Type: Grant
  Filed: December 29, 2008
  Date of Patent: November 13, 2012
  Assignee: Harris Technology, LLC
  Inventor: Scott C. Harris
- Patent number: 8312261
  Abstract: A method of granting access to resources includes the step of receiving a request from a node to access a resource. A scanning agent is generated to gather information about the node. A key is generated and embedded in the scanning agent. The scanning agent is transmitted to the node and gathers information regarding the node. The scanning agent encrypts the gathered information using the at least one generated key. The encrypted gathered information is received from the scanning agent and decrypted.
  Type: Grant
  Filed: August 12, 2011
  Date of Patent: November 13, 2012
  Assignee: Citrix Systems, Inc.
  Inventors: Goutham Rao, Lewis McCarthy, Timothy Ernest Simmons
- Patent number: 8312279
  Abstract: A method and system for secure access to computer equipment. An embodiment includes a secure access controller connected to a link between a transceiver (such as a modem) and the computer equipment. Public and private keys are used by the secure access controller and a remote user. The keys are provided to the secure access controller by an authentication server. Once the transceiver establishes a communication link with the user, the access controller uses these keys to authenticate packets issued by the user to the computer equipment. If the packet is authenticated, the access controller passes the packet to the computer equipment. Otherwise, the packet is discarded. Another embodiment includes a secure access controller having a plurality of ports for connection to a plurality of different pieces of computer equipment. The secure access controller thus intermediates communications between the modem and the plurality of different pieces of computer equipment.
  Type: Grant
  Filed: August 6, 2010
  Date of Patent: November 13, 2012
  Assignee: BCE Inc.
  Inventors: William G. O'Brien, Tef Hin Yeap, Dafu Lou
- Patent number: 8312532
  Abstract: Provided is a connection supporting apparatus for supporting the establishment of a VPN through an IKE between a client and a gateway, comprising: a mode judging unit receiving authentication information of the client employed in the IKE, and judging whether or not a key exchange mode of the client is a main mode based upon the authentication information; a VPN setting request transmitting unit transmitting a VPN setting request to the gateway when the key exchange mode of the client is the main mode, the VPN setting request containing a client IP address as an authentication ID and information as to a communication key to be used when the client executes the IKE; and a notifying unit notifying both the communication key and the IP address to the client when the notifying unit receives a response with respect to the VPN setting request from the gateway.
  Type: Grant
  Filed: January 31, 2007
  Date of Patent: November 13, 2012
  Assignee: Fujitsu Limited
  Inventors: Haruyuki Takeyoshi, Naoki Matsuoka, Atsushi Kitada
- Patent number: 8311222
  Abstract: A system including a first module and a second module. The first module includes a linear feedback shift register (LFSR) and a permutator circuit. The LFSR outputs a pseudo-random sequence of digital values based on a stored key value. The permutator circuit operates on successive groups of input bits using the pseudo-random sequence. For each of said successive groups, the permutator circuit: (a) selects a bit permutation based on a respective one of the digital values in the pseudo-random sequence, (b) permutes the bits of the group using the selected bit permutation to obtain a resultant group of bits, and (c) transmits the resultant group onto an output bus. The second module also includes an LFSR and a permutator circuit that operate to invert the permutations applied by the first module. In a two-dimensional embodiment, the first module and second module may include additional circuitry for scrambling bits between groups.
  Type: Grant
  Filed: August 26, 2008
  Date of Patent: November 13, 2012
  Assignee: GLOBALFOUNDRIES, Inc.
  Inventor: Andrew R. Rawson, Sr.
- Patent number: 8312529
  Abstract: A microchip for a computer configured to connect to a network of computers, the microchip comprising: a first internal hardware-based firewall, the first internal hardware-based firewall configured to deny access to a portion of the microchip from the network; a general purpose microprocessor including at least two general purpose cores or general purpose processing units; a first core or processing unit located inside of the first internal hardware-based firewall; a second core or processing unit located outside of the first internal hardware-based firewall, the second core or processing unit being separate from the first internal hardware-based firewall; and a memory component located inside of a second internal hardware-based firewall that is located between said memory component and a core or processing unit with which said memory component is associated. The microchip can also include a plurality of dies.
  Type: Grant
  Filed: October 27, 2011
  Date of Patent: November 13, 2012
  Inventor: Frampton E. Ellis
- Patent number: 8312093
  Abstract: A multi-user e-mail messaging system is described that is interfaced through the Internet and includes a first user group sharing a first server, which first server is interfaced to the Internet. In this system, after an e-mail message has been originated by an originating user of the first user group, the e-mail message is directed onto an e-mail enhancement path, and additional content is added to the e-mail message using the e-mail enhancement path to produce an enhanced e-mail message. Thereafter, the enhanced e-mail message is directed from the e-mail enhancement path to the intended recipient. In one feature, the path taken by an incoming e-mail message is different from an outgoing path taken by an e-mail message sent from the first user group. The outgoing path defined to the intended recipient includes the enhancement path.
  Type: Grant
  Filed: March 9, 2012
  Date of Patent: November 13, 2012
  Inventors: Scott T. Brown, Kelly A. Wanser
- Patent number: 8312533
  Abstract: A virtual local area network switching device and an associated computer system and method are provided to permit operation in accordance with a plurality of different security classifications. The computer system includes a computer, a virtual local area network switching device and a plurality of peripheral units having different security classifications. The virtual local area network switching device may include a computing device that includes a plurality of ports and that is configured to control communications with the peripheral units in accordance with the respective security classifications. The virtual local area network switching device may also include a memory device configured to store information associating the plurality of the ports with the security classification of the respective peripheral unit. The memory device may also store information associating each port with both a logical address and a physical address of the respective peripheral units.
  Type: Grant
  Filed: October 29, 2007
  Date of Patent: November 13, 2012
  Assignee: The Boeing Company
  Inventor: Darrel J. Price
- Patent number: 8307421
  Abstract: End-to-end authentication capability based on public-key certificates is combined with the Session Initiation Protocol (SIP) to allow a SIP node that receives a SIP request message to authenticate the sender of the request. The SIP request message is sent with a digital signature generated with a private key of the sender and may include a certificate of the sender. The SIP request message may also be encrypted with a public key of the recipient. After receiving the SIP request, the receiving SIP node obtains a certificate of the sender and authenticates the sender based on the digital signature. The digital signature may be included in an Authorization header of the SIP request, or in a multipart message body constructed according to the S/MIME standard.
  Type: Grant
  Filed: May 17, 2007
  Date of Patent: November 6, 2012
  Assignee: Microsoft Corporation
  Inventors: Jeremy T. Buch, David J. Simons
- Patent number: 8307415
  Abstract: Secure network communications between a source computer and a destination computer utilizing a firewall. The firewall determines a remote endpoint and the local physical memory address associated with a local endpoint included in the outbound request. The remote endpoint and the local physical memory address are hashed to generate an index value corresponding to an entry in an internal state table of the firewall. When an inbound request is received, the firewall determines a remote endpoint and the local physical memory address associated with a local endpoint included in the inbound request. The remote endpoint and the local physical memory address of the inbound request are hashed to generate an index value corresponding to an entry in the internal state table of the firewall. The firewall forwards the inbound request to the local endpoint if a matching entry is found in the internal state table at the index value.
  Type: Grant
  Filed: May 9, 2007
  Date of Patent: November 6, 2012
  Assignee: Microsoft Corporation
  Inventors: Salahuddin Christopher Jules Khan, David Abzarian
- Patent number: 8307419
  Abstract: The flow of information to or from an application on a host machine is regulated by a trusted agent operating in conjunction with at least one security element, such as a firewall or a policy server. When a communication to or from the application is detected by the trusted agent, the trusted agent gathers information about the attempted communication, and formulates and sends a message based upon the gathered information to at least one security element. The security element makes a decision to permit or block at least part of the attempted communication based upon the message received from the trusted agent.
  Type: Grant
  Filed: November 12, 2010
  Date of Patent: November 6, 2012
  Assignee: Intel Corporation
  Inventors: John W. Richardson, David A. Chouinard, Karen Chouinard (legal representative)
- Patent number: 8307423
  Abstract: A method comprises, in a network comprising VPN gateway devices configured only for plaintext data communication, configuring a policy server with a security policy including DO NOT ENCRYPT statements temporarily overriding PERMIT statements defining which packets should be encrypted; selecting one sub-group of the VPN gateway devices in which tunnel-less encryption is not configured; configuring the VPN gateway devices in the sub-group for tunnel-less encryption by: configuring each device in a passive mode of operation in which the device is configured to receive either encrypted packets or plaintext packets matching encryption policy; configuring local DO NOT ENCRYPT statements matching traffic that is currently being converted to ciphertext; removing, from the access control list of the policy server, DO NOT ENCRYPT statements referring to protected LAN CIDR blocks behind the VPN gateway devices in the selected sub-group; configuring the sub-group to send encrypted packets by removing, from each of the
  Type: Grant
  Filed: December 17, 2008
  Date of Patent: November 6, 2012
  Assignee: Cisco Technology, Inc.
  Inventors: W. Scott Wainner, Brian E. Weis
- Patent number: 8307201
  Abstract: The present invention is related to an information processing system, a service providing apparatus and method, an information processing apparatus and method, a recording medium, and a program that are intended to simultaneously share content data in private virtual spaces. A home server 11 is arranged at user A's home. A portable user terminal 1 and so on can access the home server 11. A virtual home DB server 21 supplies the layout information about the virtual home and so on to the portable user terminal 1. An authentication server 22 executes authentication processing on the portable user terminal 1. An inter-user-terminal communication relay server 23 executes the processing associated with the communication between a plurality of users. A user information holding server 24 stores the personal data of each user and the content data, which are shared with other users. The present invention is applicable to programs realizing realtime communication by use of the Internet.
  Type: Grant
  Filed: October 27, 2003
  Date of Patent: November 6, 2012
  Assignee: Sony Corporation
  Inventors: Yoshihiro Wakita, Kenichi Takemura
- Publication number: 20120278611
  Abstract: A VPN-based method for a mobile communication terminal to access data securely comprises: when a data security device is operating in the mobile communication terminal, the data security device allows the mobile communication terminal to access an intranet but inhibits the mobile communication terminal from accessing an external network; and when the data security device is not operating in the mobile communication terminal, a VPN server inhibits the mobile communication terminal from accessing the intranet. The data security device is disposed in the mobile communication terminal. The data security device cooperates with the VPN server to inhibit the user of the mobile communication terminal from sending protected files to the external network via a network when the data security device is deactivated and to inhibit applications running on the data security device from accessing networks outside the VPN resources to release the protected files to the external network.
  Type: Application
  Filed: January 11, 2012
  Publication date: November 1, 2012
  Inventors: Bin HU, Yiyong WEN, Zhengwen JIANG
- Patent number: 8301909
  Abstract: An apparatus, system, and method enable a new platform storage system to have access to an external storage system having data encrypted thereon by an existing platform storage system. Encryption information corresponding to the encrypted data in the external storage system is stored in a memory in the existing platform storage system. The encryption information stored in the memory of the existing platform storage system is transferred to an encryption table stored in the new platform storage system, so that the new platform storage system can read the encrypted data stored in the external storage system.
  Type: Grant
  Filed: November 30, 2010
  Date of Patent: October 30, 2012
  Assignee: Hitachi, Ltd.
  Inventor: Yasuyuki Mimatsu
- Patent number: 8301895
  Abstract: Enhanced network data transmission security and individualized data transmission processing can be implemented by intermediaries in a communication path between two endpoint peers individually having the capability to identify and authenticate one or both of the endpoint peers. Communication session establishment, endpoint peer identity processing and authentication and data traffic encryption protocols are modified to allow intermediaries to track the communications between endpoint peers for a particular communication session and obtain information to authenticate the endpoint peers and identify data traffic transmitted between them. Intermediaries can use the identities of one or both of the endpoint peers to enforce identity based rules for processing data traffic between the endpoint peers for a communication session.
  Type: Grant
  Filed: December 2, 2009
  Date of Patent: October 30, 2012
  Assignee: Microsoft Corporation
  Inventors: Brian Swander, Daniel R. Simon, Pascal Menezes
- Patent number: 8302186
  Abstract: A device may measure a first performance, associated with legitimate traffic without attack traffic, of a Session Initiation Protocol (SIP)-based protection device implementing authentication; measure a second performance, associated with legitimate traffic and attack traffic, of the SIP-based protection device implementing authentication; and measure a third performance, associated with legitimate traffic and attack traffic, of the SIP-based protection device implementing authentication and return routability filtering.
  Type: Grant
  Filed: June 29, 2007
  Date of Patent: October 30, 2012
  Assignee: Verizon Patent and Licensing Inc.
  Inventors: Gaston S. Ormazabal, Henning G. Schulzrinne, Sarvesh Nagpal, Eilon Yardeni
- Patent number: 8302174
  Abstract: A system for secure provision of key credential information is provided. The system comprises secure logic circuitry to be disposed in a host computer. The secure logic circuitry detects a message received from a remote computer connected to the host computer and indicative of a request for provision of the key credential information; generates a message for prompting a user for provision of the key credential information; receives the key credential information; and provides the key credential information to the remote computer absent processing using circuitry of the host computer. The system further comprises a secure user interface connected to the secure logic circuitry for receiving the key credential information from the user and providing the same to the secure logic circuitry.
  Type: Grant
  Filed: December 14, 2009
  Date of Patent: October 30, 2012
  Inventor: James A McAlear
- Patent number: 8301875
  Abstract: There is provided an IPsec setting server apparatus capable of preventing inconsistency of setting among communicating apparatuses. An IPsec processing section subjects a data communication packet received from an interface section to IPsec processing. An SPD is referred to from the IPsec processing section and records policies for applying the IPsec. An SAD is referred to from the IPsec processing section and records an SA necessary for subjecting an individual kind of communication to the IPsec processing. A request processing section receives a setting request message from the IPsec processing apparatus and returns a distribution message. IPsec policies necessary for determining a requested setting are stored in a distribution policy storage section. Information on respective kinds of SA communication requested to be set is stored in a management table.
  Type: Grant
  Filed: September 5, 2003
  Date of Patent: October 30, 2012
  Assignee: NEC Infrontia Corporation
  Inventor: Masanao Sakai
- Publication number: 20120272055
  Abstract: A method and apparatus for establishing a secured link between devices. In the establishing of the secured link, a coordinator respectively receives from the first and second devices first pairing information indicating that a first device is to establish a secured link and second pairing information indicating that a second device is to establish a secured link. The coordinator further receives shared secured information via a first secured link established between the first device and the coordinator. The shared secured information is shared between the first and second devices. The coordinator establishes a second secured link with the second device based on the shared secured information, and broadcasts partner notice information indicating that the first and second devices are partner devices. The broadcast partner notice information is then used to establish a third secured link.
  Type: Application
  Filed: December 8, 2011
  Publication date: October 25, 2012
  Applicant: SAMSUNG ELECTRONICS CO., LTD.
  Inventors: Soo-yeon JUNG, Hae-young JUN, Hyuk-choon KWON, Ho-dong KIM, Dong-seek PARK
- Patent number: 8296839
  Abstract: Methods and systems for enabling robust routing between protected enclaves over an unsecured network are provided herein. In one aspect, the present invention provides methods and systems for enabling routing among a plurality of protected enclaves, each supported by one or more secure gateways, over an unsecured network. Methods and systems according to the present invention achieve key routing requirements while presenting solutions that can be readily scaled to large network environments. In another aspect, the present invention provides methods and systems for implementing a Prefix Discovery Server (PDS) that enables the mapping of Plain Text (PT) networks to secure gateways, maintains current network routing information, and assists VPN gateways in determining routes to remote protected enclaves.
  Type: Grant
  Filed: June 6, 2006
  Date of Patent: October 23, 2012
  Assignee: The MITRE Corporation
  Inventors: William C. Sax, William Wollman, Egil H. Jegers
- Patent number: 8296360
  Abstract: An aggregation machine, including: a computer, an output device controlled by the computer, and networking hardware connecting the computer to a network, the computer programmed so that the aggregation apparatus: connects to a plurality of sites on the Internet; and authenticates itself with each of the plurality of sites; and retrieves information from each of the plurality of sites; and parses the information from each of the plurality of sites; and provides user-enabled content management to users, and subject to said content management, produces an aggregation of the parsed information; and renders the aggregation as output.
  Type: Grant
  Filed: April 4, 2011
  Date of Patent: October 23, 2012
  Assignee: Confluence Commons, Inc.
  Inventors: Jared Polis, Payal Goyal, Jeffery D. Herman, Samuel C. Wu, Eric Wu, Michael D. McMahon, Michael C. Wilson, Andrew Hartman, Peter K. Trzyna, David L. Calone, Chris Young, Scott Shaver, Andrew Hyde
-
Patent number: 8296560
Abstract: Techniques for restricting Address Resolution Protocol (ARP) table updates to updates originating from authorized subsystems are disclosed. According to an embodiment, an instruction to update an ARP table is received. It is determined whether the command interface from which the instruction originated is authorized. If the command interface is authorized, then the ARP table is updated based on the instruction. According to an embodiment, a DHCP server may be configured to send an instruction to update an ARP table upon receiving a DHCP message indicating a network layer address that is not bound to a data link layer address. The DHCP server may send the instruction over an authorized command interface, or be authorized in other ways to update the ARP table.
Type: Grant
Filed: April 14, 2009
Date of Patent: October 23, 2012
Assignee: Cisco Technology, Inc.
Inventors: Gopal Dommety, Thenmozhi Palaniappan, Ronald Maxam
-
Patent number: 8296838
Abstract: A communication network is operated by identifying at least one potential hijack autonomous system (AS) that can be used to generate a corrupt routing path from a source AS to a destination AS. For each of the at least one potential hijack AS the following operations are performed: identifying at least one regional AS that is configured to adopt the corrupt routing path from the source AS to the destination AS and determining a reflector AS set such that, for each reflector AS in the set, a source AS to reflector AS routing path and a reflector AS to destination AS routing path do not comprise any of the at least one regional AS. A reflector AS is then identified that is common among the at least one reflector AS set responsive to performing the identifying and determining operations for each of the at least one potential hijack AS.
Type: Grant
Filed: December 7, 2009
Date of Patent: October 23, 2012
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Lusheng Ji, Dan Pei, Jia Wang
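The reflector selection above can be made concrete on a small AS graph. The following is an added example for this page, not AT&T's code. It approximates BGP route selection as shortest AS path with a deterministic tie-break in favour of the legitimate origin (an assumption; real policy routing is richer), computes the "regional" ASes that adopt a hijacker's announcement, builds the reflector set whose source-to-reflector and reflector-to-destination paths avoid those ASes, and intersects the sets across all potential hijack ASes. The eleven-AS topology and AS numbers are constructed.

```python
from collections import deque
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Graph = Dict[int, Set[int]]


def build_graph(links: Iterable[Tuple[int, int]]) -> Graph:
    """Undirected AS-level topology from a list of inter-AS links."""
    g: Graph = {}
    for a, b in links:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g


def bgp_routes(graph: Graph, origins: List[int]) -> Dict[int, Tuple[int, int]]:
    """Approximate BGP route selection for one prefix as shortest AS path.

    Every AS in `origins` announces the prefix.  Routes propagate outward from the
    origins (multi-source BFS); each AS ends with (next_hop, chosen_origin).  Equal
    path lengths go to the origin listed first, so listing the legitimate origin
    first is a conservative tie-break.
    """
    state: Dict[int, Tuple[int, int]] = {}
    queue: deque = deque()
    for o in origins:
        if o not in state:
            state[o] = (o, o)          # an origin's next hop is itself
            queue.append(o)
    while queue:
        u = queue.popleft()
        for v in sorted(graph[u]):     # sorted: deterministic tie-breaking
            if v not in state:
                state[v] = (u, state[u][1])
                queue.append(v)
    return state


def forwarding_path(routes: Dict[int, Tuple[int, int]], src: int) -> List[int]:
    """Follow next hops from src until an origin (which points at itself) is reached."""
    path = [src]
    while routes[path[-1]][0] != path[-1]:
        path.append(routes[path[-1]][0])
    return path


def regional_ases(graph: Graph, dst: int, hijacker: int) -> Set[int]:
    """ASes that adopt the corrupt route once `hijacker` also announces dst's prefix."""
    routes = bgp_routes(graph, [dst, hijacker])
    return {asn for asn, (_, origin) in routes.items() if origin == hijacker}


def reflector_set(graph: Graph, src: int, dst: int, hijacker: int) -> FrozenSet[int]:
    """Reflectors whose src->reflector and reflector->dst paths avoid every regional AS."""
    hijacked = bgp_routes(graph, [dst, hijacker])
    regional = {asn for asn, (_, o) in hijacked.items() if o == hijacker}
    found: Set[int] = set()
    for r in graph:
        if r in (src, dst) or r in regional:
            continue
        to_r = forwarding_path(bgp_routes(graph, [r]), src)   # r's own prefix is not hijacked
        r_to_dst = forwarding_path(hijacked, r)               # r's route to dst under the hijack
        touched = (set(to_r) | set(r_to_dst)) - {src, dst}
        if r_to_dst[-1] == dst and not touched & regional:
            found.add(r)
    return frozenset(found)


def common_reflectors(graph: Graph, src: int, dst: int, hijackers: List[int]) -> FrozenSet[int]:
    """Reflectors usable whichever of the potential hijack ASes attacks."""
    sets = [reflector_set(graph, src, dst, h) for h in hijackers]
    if not sets:
        return frozenset()
    common = sets[0]
    for s in sets[1:]:
        common &= s
    return common


def sample_topology() -> Graph:
    """Constructed topology (assumed, not from the patent).  Source AS 1 reaches
    destination AS 6 via 2-3 or 4-5; ASes 7 and 8 are the potential hijackers."""
    return build_graph([
        (1, 2), (2, 3), (3, 6),                 # legitimate path 1-2-3-6
        (1, 4), (4, 5), (5, 6),                 # alternate path 1-4-5-6
        (2, 7), (4, 8),                         # hijacker 7 hangs off 2, hijacker 8 off 4
        (1, 9), (9, 10), (10, 11), (11, 6),     # longer path 1-9-10-11-6
    ])
```

In the sample, hijacker 7 pollutes ASes 1 and 2 and hijacker 8 pollutes 1 and 4, so a reflector on either short path only helps against one of them; the ASes on the longer path (9, 10, 11) are the ones common to both reflector sets.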
-
Patent number: 8296842
Abstract: Network worms and viruses are a growing threat to the security of public and private networks and the individual computers that make up those networks. A content sifting method is provided that automatically generates a precise signature for a worm or virus that can then be used to significantly reduce the propagation of the worm elsewhere in the network or eradicate the worm altogether. The content sifting method is complemented by a value sampling method that increases the throughput of network traffic that can be monitored. Together, the methods track the number of times invariant strings appear in packets and the network address dispersion of the packets containing those strings. When an invariant string reaches a particular threshold of appearances and address dispersion, the string is reported as a signature for the suspected worm.
Type: Grant
Filed: December 1, 2004
Date of Patent: October 23, 2012
Assignee: The Regents of the University of California
Inventors: Sumeet Singh, George Varghese, Cristi Estan, Stefan Savage
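Content sifting and value sampling, as an added example written for this page (not the University of California implementation): it counts, per sampled substring, how many packets carried it and how many distinct source and destination addresses were involved, and reports the substring as a signature once all three thresholds are crossed. The window size, thresholds, the truncated SHA-256 standing in for a rolling Rabin fingerprint, and the sample traffic are assumptions made here. The example also shows the case the dispersion test exists for: popular benign content (many clients fetching one server) is prevalent but has no destination spread, so it is not reported.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

WINDOW = 16            # substring length in bytes (assumed; shorter than a production setting)
SAMPLE_MODULUS = 4     # value sampling: keep a window only if fingerprint % 4 == 0
PREVALENCE_T = 3       # packets that must contain the substring
SRC_DISPERSION_T = 2   # distinct source addresses
DST_DISPERSION_T = 2   # distinct destination addresses


@dataclass
class Stats:
    count: int = 0
    srcs: Set[str] = field(default_factory=set)
    dsts: Set[str] = field(default_factory=set)


def fingerprint(window: bytes) -> int:
    """Stand-in for a rolling Rabin fingerprint: depends on content only, so the same
    substring maps to the same value whichever packet carries it."""
    return int.from_bytes(hashlib.sha256(window).digest()[:8], "big")


def sampled_windows(payload: bytes) -> Dict[int, bytes]:
    """Value sampling: fingerprint every WINDOW-byte substring and keep those whose
    fingerprint hits the sampling residue.  Selection depends on content alone, so a
    worm's invariant substring is either always sampled or never sampled (no random
    misses across copies), while the table holds only ~1/SAMPLE_MODULUS of all substrings."""
    kept: Dict[int, bytes] = {}
    for i in range(len(payload) - WINDOW + 1):
        w = payload[i:i + WINDOW]
        fp = fingerprint(w)
        if fp % SAMPLE_MODULUS == 0:
            kept[fp] = w       # dict dedups: prevalence is counted per packet, not per offset
    return kept


class ContentSifter:
    def __init__(self) -> None:
        self.table: Dict[int, Stats] = defaultdict(Stats)
        self.window_by_fp: Dict[int, bytes] = {}
        self.reported: Set[int] = set()

    def process(self, src: str, dst: str, payload: bytes) -> List[bytes]:
        """Update prevalence and address dispersion; return newly reported signatures."""
        alerts: List[bytes] = []
        for fp, w in sampled_windows(payload).items():
            st = self.table[fp]
            self.window_by_fp.setdefault(fp, w)
            st.count += 1
            st.srcs.add(src)
            st.dsts.add(dst)
            if (fp not in self.reported
                    and st.count >= PREVALENCE_T
                    and len(st.srcs) >= SRC_DISPERSION_T
                    and len(st.dsts) >= DST_DISPERSION_T):
                self.reported.add(fp)
                alerts.append(w)
        return alerts


# Constructed sample traffic (not captured data).  The "worm" is a byte string that every
# infected packet carries unchanged, surrounded by per-packet padding.
WORM_INVARIANT = (b"\x8b\xec\x33\xc0"
                  b"constructed-worm-invariant-bytes: stands in for the exploit code that every "
                  b"copy of the worm carries unchanged, so identical windows recur in each packet"
                  b"\xff\xe4")
HTTP_HEAD = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Accept: text/html,application/xhtml+xml\r\nUser-Agent: ")


def run_sample() -> Tuple[ContentSifter, List[bytes]]:
    sifter = ContentSifter()
    alerts: List[bytes] = []
    # Five clients fetch one site: prevalent content, many sources, but a single destination.
    for i in range(5):
        alerts += sifter.process("10.0.0.%d" % i, "192.0.2.80", HTTP_HEAD + b"client-%d" % i)
    # Four infected hosts each hit a new victim; padding differs per packet, the core does not.
    for i in range(4):
        pad = hashlib.sha256(b"victim-%d" % i).digest()
        alerts += sifter.process("198.51.100.%d" % i, "203.0.113.%d" % i,
                                 pad + WORM_INVARIANT + pad[::-1])
    return sifter, alerts
```

Only windows that fall entirely inside the invariant part are reported: the windows straddling the padding differ from packet to packet and never reach the prevalence threshold, and the HTTP header's windows reach it with five sources but fail the destination-dispersion test.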
-
Patent number: 8296825
Abstract: A system for enabling a user to communicate on a virtual private network through a public communication network, the possibility of communicating on the private network depending on the availability to the user of at least one enabling credential sent to the user in encrypted form. The system includes at least one SIM type module available to the user and bearing an encryption mechanism, and it is configured to decrypt the enabling credential at the user by exploiting the encryption mechanism borne by the SIM type module, the SIM type module being able to interact with at least one additional communication network to activate the encryption mechanism.
Type: Grant
Filed: May 31, 2004
Date of Patent: October 23, 2012
Assignee: Telecom Italia S.p.A.
Inventors: Manuel Leone, Ettore Elio Caprella
-
Patent number: 8296558
Abstract: In accordance with the teachings of the present invention, a method and apparatus is presented for securely negotiating a session key between a mobile node and a network node, such as a first hop IP router. A session key is encoded using asymmetric encryption. The encrypted session key is then communicated to the first hop IP router for later use. In accordance with another teaching of the present invention, the session key is then used by the mobile node and the first hop IP router to authenticate a message. Lastly, in accordance with the third teaching of the present invention, a standardized protocol is used to securely negotiate the session key between the mobile node and the first hop IP router.
Type: Grant
Filed: November 26, 2003
Date of Patent: October 23, 2012
Assignee: Apple Inc.
Inventor: Kuntal Chowdhury
-
Patent number: 8291236
Abstract: Conditional access to media content of primary security systems on a secondary networked environment. In one embodiment, a conditional access server is used to provide services to secondary CA clients (e.g., a bridge, a renderer, a storage, or their different combinations) through network connections. Containing data representing the subscriber, a conditional access server recovers entitlement data and/or decryption keys of a primary security system for the conditional access protected content, such as service keys and control words, and/or enforces conditional access to the content by secondary CA clients according to the authorization of the primary security system for the secondary CA clients. In one embodiment, a conditional access system provides delayed authorization for use so that the content can be recorded for later use when authorized and broadcasts rights for use on multiple secondary CA clients.
Type: Grant
Filed: December 7, 2004
Date of Patent: October 16, 2012
Assignee: Digital Keystone, Inc.
Inventors: Luc Vantalon, Paolo Siccardo
-
Patent number: 8291089
Abstract: An image processing device communicable with an information processing device, includes: a first management unit for managing at least one service provided by the image processing device based on a first protocol; a second management unit for managing the at least one service provided by the image processing device based on a second protocol; a reception unit for receiving a search request for searching for a service managed by the second management unit, the search request being transmitted from the information processing device based on the first protocol; and a transmission unit for transmitting, in response to the search request received by the reception unit, an address of a service satisfying the search request and managed by the second management unit to the information processing device.
Type: Grant
Filed: March 10, 2009
Date of Patent: October 16, 2012
Assignee: Canon Kabushiki Kaisha
Inventor: Tadahiro Nakamura
-
Patent number: 8291469
Abstract: A communication access provider receives an access request from a separate service provider who provides a communication service to a customer. The communication access provider generates an authentication code that corresponds to an authorized action. The communication access provider receives an action request from the service provider indicating the authentication code and a requested action. The communication access provider determines if the action request is authentic based on the authentication code and if the requested action is authorized based on the corresponding authorized action. The communication access provider performs the requested action if the action request is authentic and if the requested action is authorized.
Type: Grant
Filed: August 2, 2005
Date of Patent: October 16, 2012
Assignee: Sprint Communications Company L.P.
Inventor: Michael K. Bugenhagen
-
Patent number: 8291119
Abstract: A method for securing remote access to private networks includes a receiver intercepting from a data link layer a packet in a first plurality of packets destined for a first system on a private network. A filter intercepts from the data link layer a packet in a second plurality of packets transmitted from a second system on the private network and destined for a system on a second network. A transmitter in communication with the receiver and the filter performs a network address translation on at least one intercepted packet and transmits the at least one intercepted packet to a destination.
Type: Grant
Filed: July 22, 2005
Date of Patent: October 16, 2012
Assignee: Citrix Systems, Inc.
Inventors: Goutham P. Rao, Robert A. Rodriguez, Eric R. Brueggemann
-
Patent number: 8291501
Abstract: Embodiments for validating protected data paths for digital rights management of digital objects are disclosed. Some embodiments disclosed herein may comprise processes or apparatus for transferring data from one or more peripherals to one or more computers or digital data processing systems for the latter to process, store, and/or further transfer and/or for transferring data from the computers or digital data processing systems to the peripherals. Some embodiments disclosed herein may comprise processes or apparatus for interconnecting or communicating between two or more components connected to an interconnection medium within a single computer or digital data processing system.
Type: Grant
Filed: February 8, 2008
Date of Patent: October 16, 2012
Assignee: Cheng Holdings, LLC
Inventor: Thomas W. Lynch
-
Patent number: 8291495
Abstract: An intrusion detection system ("IDS") device is described that includes a flow analysis module to receive a first packet flow from a client and to receive a second packet flow from a server. The IDS includes a forwarding component to send the first packet flow to the server and the second packet flow to the client and a stateful inspection engine to apply one or more sets of patterns to the first packet flow to determine whether the first packet flow represents a network attack. The IDS also includes an application identification module to perform an initial identification of a type of software application and communication protocol associated with the first packet flow and to reevaluate the identification of the type of software application and protocol according to the second packet flow. The IDS may help eliminate false positive and false negative attack identifications.
Type: Grant
Filed: August 8, 2007
Date of Patent: October 16, 2012
Assignee: Juniper Networks, Inc.
Inventors: Bryan Burns, Siying Yang, Julien Sobrier
-
Patent number: 8291218
Abstract: A system and method provides secure channels for communication in a virtual universe by employing a packet interception layer for incoming and outgoing data packets. A data path is defined and is sequentially encrypted with the public keys of servers in the path. Decryption and identification of the next server occurs in a sequential manner in which the path is known only to the sender.
Type: Grant
Filed: December 2, 2008
Date of Patent: October 16, 2012
Assignee: International Business Machines Corporation
Inventors: Kelley K. Garcia, Rick A. Hamilton, II, Richard J. Newhook, Martin S. Ramsey, Raull Rangel, James W. Seaman
-
Patent number: 8291214
Abstract: A method and apparatus for providing on-demand services to an organization. The services are provided by a hosting center. The apparatus comprises an on-premises connectivity agent at the organization, which receives requests or commands from computing platforms within the organization and concentrates all communication to and from the hosting center. The on-premises connectivity agent embeds or otherwise introduces organization metadata to the messages. The apparatus further comprises a hosted connectivity agent associated with the hosting center. The apparatus may further comprise a central connectivity component for routing communication between the on-premises connectivity agent and the hosted connectivity agent, in accordance with the metadata. Communication between the on-premises connectivity agent and the central connectivity component flows through a secure channel and comprises only communications related to the organization.
Type: Grant
Filed: December 31, 2009
Date of Patent: October 16, 2012
Assignee: SAP Portals Israel Ltd
Inventors: Nadav Helfman, Rachel Ebner
-
Patent number: 8291487
Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.
Type: Grant
Filed: February 16, 2012
Date of Patent: October 16, 2012
Assignee: A10 Networks, Inc.
Inventors: Lee Chen, Ronald Wai Lun Szeto
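The core-affinity trick in this abstract, as an added example written for this page (not A10's code; the direction-symmetric CRC-based core hash, the core count, the proxy address pool and the port range are assumptions made here): the gateway accepts the host-side session, computes the core that owns it, and then searches its proxy address pool for a (proxy IP, port) whose server-side 4-tuple hashes to that same core, so that both halves of the session, and the server's replies, are processed on one core with no cross-core handoff.

```python
import ipaddress
import struct
import zlib
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

Endpoint = Tuple[str, int]          # (IP address, TCP port)
NUM_CORES = 8                       # assumed core count
EPHEMERAL = range(32768, 61000)     # assumed proxy port range


def flow_core(a: Endpoint, b: Endpoint, num_cores: int = NUM_CORES) -> int:
    """Core that owns the flow between endpoints a and b.

    The dispatcher hashes the 4-tuple; ordering the two endpoints first makes the
    hash direction-symmetric, so a request and its reply land on the same core.
    """
    lo, hi = sorted((a, b))
    key = b"".join(ipaddress.ip_address(ip).packed + struct.pack("!H", port)
                   for ip, port in (lo, hi))
    return zlib.crc32(key) % num_cores


@dataclass(frozen=True)
class Session:
    client: Endpoint    # host side: client <-> virtual IP on the gateway
    vip: Endpoint
    proxy: Endpoint     # server side: proxy address on the gateway <-> real server
    server: Endpoint
    core: int


class SecurityGateway:
    def __init__(self, proxy_ips: Iterable[str], num_cores: int = NUM_CORES) -> None:
        self.proxy_ips = list(proxy_ips)
        self.num_cores = num_cores
        self.in_use: Set[Endpoint] = set()
        self.sessions: List[Session] = []

    def establish(self, client: Endpoint, vip: Endpoint, server: Endpoint) -> Session:
        """Accept the host-side session, then pick a proxy (IP, port) for the server
        side whose 4-tuple hashes to the *same* core.  A naive allocator (next free
        port) would land on the right core only 1/num_cores of the time."""
        core = flow_core(client, vip, self.num_cores)
        for ip in self.proxy_ips:
            for port in EPHEMERAL:
                cand = (ip, port)
                if cand in self.in_use:
                    continue
                if flow_core(cand, server, self.num_cores) == core:
                    self.in_use.add(cand)
                    session = Session(client, vip, cand, server, core)
                    self.sessions.append(session)
                    return session
        raise RuntimeError("proxy address pool exhausted for core %d" % core)

    def dispatch(self, src: Endpoint, dst: Endpoint) -> int:
        """Core a packet is steered to on arrival, for either side and either direction."""
        return flow_core(src, dst, self.num_cores)


def demo(n: int = 50) -> List[Session]:
    """Constructed sample (assumed addresses): n clients reach a virtual service and the
    gateway proxies each to the real server; every session's two halves share a core."""
    gw = SecurityGateway(["10.0.0.10", "10.0.0.11"])
    vip, server = ("198.51.100.1", 443), ("10.1.1.20", 8443)
    for i in range(n):
        gw.establish(("203.0.113.%d" % (i % 200 + 1), 40000 + i), vip, server)
    return gw.sessions
```

The search costs about num_cores probes per session on average, which is cheap compared with handing every server-side packet to another core; the cost to watch is port-pool fragmentation, since each core can only draw on the ports that happen to hash to it.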
-
Patent number: 8290978
Abstract: This invention has as its object to attain strong security and to implement network solutions with high convenience and simplicity with low cost upon providing Web services. To this end, an information processing apparatus according to this invention has the following arrangement.
Type: Grant
Filed: December 7, 2009
Date of Patent: October 16, 2012
Assignee: Canon Kabushiki Kaisha
Inventors: Masahiro Nishio, Nobuyuki Shigeeda
-
Patent number: 8285986
Abstract: An apparatus and method for providing data packet security in a wireless sensor network including a plurality of sensor nodes. The apparatus includes a memory unit for storing a plurality of node characteristic information and a plurality of settable security status information, each of the node characteristic information corresponding to at least one of the settable security status information; and a control unit for examining the node characteristic information of the control unit, if a data packet generation request is made, detecting the security status information corresponding to the examined node characteristic information from the memory unit, and generating data packets including the detected security status information.
Type: Grant
Filed: October 2, 2009
Date of Patent: October 9, 2012
Assignee: Samsung Electronics Co., Ltd
Inventors: Tae-Shik Shon, Hyo-Hyun Choi, Bon-Hyun Koo
-
Patent number: 8285984
Abstract: A network extension device comprising a CPU, memory, protected I/O connectable to local controls and peripherals, external communications port, a trusted device connected to the CPU such that it can provide attestation of the network extension device's trusted operation to a connected known external network, and a protected interface connected to at least one network extension module that includes a local network communications port. Optionally, a traffic encryption module may be provided, and the trusted device's attestation may include a check of its operation. Also, a method comprising connecting the network extension device to an external network, performing an operating mode check, causing the network extension device to operate in a mode and perform a security check that correspond to the result, causing the trusted device to attest trusted operation to the external network and thereafter causing the CPU to function fully and permitting access to the external network.
Type: Grant
Filed: July 29, 2010
Date of Patent: October 9, 2012
Assignee: Sypris Electronics, LLC
Inventors: Hal A. Aldridge, Keith R. Thal