Firewall Patents (Class 726/11)
  • Patent number: 9030993
    Abstract: In order that even a wireless terminal whose unique ID is not registered in the filter list can simply use the access point without a prior setting task by the user, a communication device includes access point means, filtering disabling means, unique ID registration means and filtering enabling means. The access point means connects a wireless terminal with at least one of a lower network and an upper network. The filtering disabling means disables a filtering which prevents connecting with an unregistered wireless terminal whose unique ID is not registered in a filter list. The unique ID registration means acquires the unique ID of the wireless terminal and registers the acquired unique ID in the filter list, while the filtering is disabled, if a connection request is received from the wireless terminal. The filtering enabling means enables the filtering after the unique ID of the wireless terminal is registered in the filter list.
    Type: Grant
    Filed: April 21, 2010
    Date of Patent: May 12, 2015
    Assignee: Lenovo Innovations Limited (Hong Kong)
    Inventor: Naoki Mizoguchi
  • Publication number: 20150128244
    Abstract: Embodiments of the disclosure can include systems and methods for secure remote transfers. The onsite monitoring system secure file transfer solution can allow for transferring operational data by an onsite system behind a firewall to a central monitoring and diagnostic infrastructure by sending asynchronous, concurrent, parallel files over a port using a previously opened connection. The asynchronous TLS tunneling based remote desktop protocol solution is uni-directional because the communication ports are typically open outbound only.
    Type: Application
    Filed: November 5, 2013
    Publication date: May 7, 2015
    Applicant: General Electric Company
    Inventor: Youcef Atamna
  • Patent number: 9025185
    Abstract: An information processing apparatus includes a first receiving unit, a registering unit, a requiring unit, a second receiving unit, and a transmitting unit. The first receiving unit receives a reservation and setting process executable time information, the reservation being a reservation for transmission of a management setting, the setting process executable time representing a period of time during which the second information processing apparatus may process the management setting. The registering unit registers the reservation and the information regarding the period of time. The requiring unit requires, in a case where a time at which a communication from a second information processing apparatus was received corresponds to the information regarding the period of time, a first information processing apparatus to transmit the management setting. The second receiving unit receives the management setting. The transmitting unit transmits to the second information processing apparatus the management setting.
    Type: Grant
    Filed: July 17, 2013
    Date of Patent: May 5, 2015
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Taishi Asumi
  • Patent number: 9027138
    Abstract: Novel solutions for detecting and/or treating malware on a subscriber's premise network. Such solutions can include, but are not limited to, tools and techniques that can detect, and/or enable the detection of, malware infections on individual subscriber devices within the subscriber's network. In a particular embodiment, for example, a premise gateway, or other device on the subscriber's premise network, is configured to analyze packets traveling through the premise gateway and, based on that analysis, identify one or more subscriber devices that are infected with malware.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: May 5, 2015
    Assignee: CenturyLink Intellectual Property LLC
    Inventors: Michael Glenn, Donald J. Smith, John Butala
  • Patent number: 9027112
    Abstract: Methods and apparatuses that enroll a wireless device into an enterprise service with a management server addressed in a management profile are described. The enrollment may grant a control of configurations of the wireless device to the management server via the management profile. In response to receiving a notification from the management server, a trust of the notification may be verified against the management profile. If the trust is verified, a network session may be established with the management server. The network session may be secured via a certificate in the management profile. Management operations may be performed for management commands received over the secure network session to manage the configurations transparently to a user of the wireless device according to the control.
    Type: Grant
    Filed: May 8, 2013
    Date of Patent: May 5, 2015
    Assignee: Apple Inc.
    Inventors: Gordie Freedman, David Rahardja
  • Patent number: 9021272
    Abstract: The present invention relates to key management in a secure microcontroller, and more particularly, to systems, devices and methods of automatically and transparently employing logic or physical address based keys that may also be transferred using dedicated buses. A cryptographic engine translates a logic address to at least one physical address, and processes a corresponding data word based on at least one target key. The target key is selected from a plurality of keys based on the logic or physical address. A universal memory controller stores each processed data word in the corresponding physical address within a memory. Each key is associated with a memory region within the memory, and therefore, the logic or physical address associated with a memory region may be used to automatically identify the corresponding target key. A dedicated secure link may be used to transport key request commands and the plurality of keys.
    Type: Grant
    Filed: August 28, 2012
    Date of Patent: April 28, 2015
    Assignee: Maxim Integrated Products, Inc.
    Inventors: Vincent Debout, Frank Lhermet, Yann Yves René Loisel, Grégory Rome, Christophe Tremlet
  • Patent number: 9021573
    Abstract: A method and a system are disclosed that enable an address at the edge router to be used to establish a multi-pipe virtual private network (MVPN) connecting controllers to multiple web enabled end user devices (EUDs) inside a security protected local area network (LAN). The EUDs connect to a central server (CS) outside the LAN during configuration establishing registration and identity (ID) for each EUD. Once the EUDs establish connection from inside the LAN, the CS is enabled to communicate with the EUDs using the address and ID provided during registration. The CS then acts as a facilitator establishing secure VPN connection between controllers in the cloud and the EUDs inside the LAN. CS further acts as a pass through for those LANs that do not allow direct connections to controllers outside the LAN. The CS continues to monitor the health of the overall system once connectivity is established.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: April 28, 2015
    Assignee: Cradle Technologies
    Inventors: Ramachandran Natarajan, Suhas S. Patil
  • Patent number: 9021574
    Abstract: Network activity detectors, such as firewalls, communicate with one another to form a Unified Threat Management System. A first network activity detector sends a request for configuration settings to a second network activity detector. The second network activity detector sends a set of configuration settings in response to the request. The configuration settings include information for detecting digital security threats and/or for responding to detected digital security threats. In this way, configuration settings are propagated from one network activity detector to another so that network activity detectors within a UTMS system are configured consistently, e.g., have up-to-date information for detecting and/or responding to digital security threats.
    Type: Grant
    Filed: March 12, 2014
    Date of Patent: April 28, 2015
    Assignee: TrustPipe LLC
    Inventor: John S. Flowers
  • Patent number: 9021545
    Abstract: In one embodiment, a first instruction prescribing a setting for a feature is defined. A second instruction prescribing a first action is defined. A third instruction prescribing a second action is defined. It is determined whether the feature is present in a computing device, and if present, whether the feature is set to the setting. The first action is initiated if the feature is present and not set to the setting. The second action is initiated if the feature is not present.
    Type: Grant
    Filed: August 31, 2010
    Date of Patent: April 28, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Matthew Deter, Douglas T. Albright, Kimberly G. Drongesen, John K. Gonsalves, Daryl Wong, Shivaun Albright
  • Patent number: 9021090
    Abstract: The communications management systems manage access to a local area network or network content by external users, applications, and devices. The systems and methods are implemented on a network appliance to manage content within the network and facilitate content transmission through a firewall that separates the network from a larger networking environment, such as the World Wide Web.
    Type: Grant
    Filed: May 29, 2012
    Date of Patent: April 28, 2015
    Assignee: Seagate Technology LLC
    Inventors: James A. Savage, Tim Bucher
  • Publication number: 20150113629
    Abstract: The disclosure is related to monitoring data traffic of user equipment through a monitoring node. A monitoring node may receive a data packet from user equipment registered for a monitoring service through a secure channel. The monitoring node may perform a monitoring operation on the received data packet and determine whether the received data packet is a malicious packet or a non-malicious packet. When the received data packet is a non-malicious packet, the monitoring node may transmit the data packet to a destination through a communication network.
    Type: Application
    Filed: October 20, 2014
    Publication date: April 23, 2015
    Inventors: Tae-Min PARK, Bong-Ki KIM, Hyun-Ho JEONG, Young-Hun HWANG
  • Patent number: 9015823
    Abstract: Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall sends the packet back to the managed switching element through the software port.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: April 21, 2015
    Assignee: Nicira, Inc.
    Inventors: Teemu Koponen, Ronghua Zhang, Pankaj Thakkar, Martin Casado
  • Patent number: 9009809
    Abstract: A computer or microchip including a system BIOS located in flash memory which is located in a portion of the computer or microchip protected by an inner hardware-based access barrier or firewall, a central controller of the computer or microchip having a connection by a secure control bus with other parts of the computer or microchip, and a volatile random access memory located in a portion of the computer or microchip that has a connection for a network. The secure control bus is isolated from input from the network, and provides and ensures direct preemptive control by the central controller over the volatile random access memory, the control including transmission to or erasure of data and/or code in the volatile random access memory and control of a connection between the central controller, the volatile random access memory and at least one microprocessor having a connection for the network.
    Type: Grant
    Filed: July 17, 2014
    Date of Patent: April 14, 2015
    Inventor: Frampton E. Ellis
  • Patent number: 9009461
    Abstract: An HTTP request addressed to a first resource on a second device outside the network is received from a first device within the network. The HTTP request is redirected to a third device within the network. A first encrypted connection is established between the first device and the third device, and a second encrypted connection between the third device and the second device. The third device retrieves the first resource from the second device. The first resource is modified to change pointers within the first resource to point to a location in a domain associated with the third device within the network. The third device serves, to the first device, the second resource.
    Type: Grant
    Filed: August 14, 2013
    Date of Patent: April 14, 2015
    Assignee: iboss, Inc.
    Inventor: Paul Michael Martini
  • Publication number: 20150101035
    Abstract: A network security appliance uses a switch to switch packets between cores configured for fast path processing and slow path processing. The switch duplicates packets for delivery to the slow path processing cores, eliminating the need for the fast path processing cores to expend processor resources on packet duplication. The switch can use IEEE 802.1ad Q-in-Q VLAN tags in the packet to perform the switching and packet duplication. Slow path processing cores may also broadcast packets to other slow path processing cores via the switch.
    Type: Application
    Filed: October 3, 2013
    Publication date: April 9, 2015
    Inventor: Sakthikumar Subramanian
  • Publication number: 20150101021
    Abstract: Content maintained in a first repository of a first installation (which can optionally be an on-premise installation) of a content management system, as well as metadata associated with the content, can be shared via an approach in which content items maintained in the first repository are synchronized with a copy of the content items maintained in a second repository of a second installation (which can optionally be a cloud-based installation). The first installation can be optionally firewall protected. The copy of the content items can be accessed by collaborative users both within and external to a firewall. Related systems, methods, products, etc. are described.
    Type: Application
    Filed: January 31, 2014
    Publication date: April 9, 2015
    Applicant: Alfresco Software, Inc.
    Inventors: Neil Mc Erlean, Tuna Aksoy, Nick Burch, Michael Farman, Paul Holmes-Higgin, John Newton, Brian Remmington, Mark Rogers, Jan Vonka, David Webster
  • Patent number: 9003510
    Abstract: A computer or microchip including a network connection for connection to a public network of computers including the Internet, the network connection being located in a public unit; and an additional and separate network connection for connection to a separate, private network of computers, the additional network connection being located in a protected private unit. An inner hardware-based access barrier or firewall is located between and communicatively connects the protected private unit and the public unit; and the private and public units and the two separate network connections are separated by the inner barrier or firewall. The protected private unit includes at least a first microprocessor and a system BIOS located in flash memory. The public unit includes at least a second or many microprocessors separate from the inner barrier or firewall. The inner barrier or firewall comprises a bus with an on/off switch controlling communication input and output.
    Type: Grant
    Filed: July 17, 2014
    Date of Patent: April 7, 2015
    Inventor: Frampton E. Ellis
  • Patent number: 9003509
    Abstract: A method and system for improving the security and control of internet/network web application processes, such as web applications. The invention enables validation of requests from web clients before the request reaches a web application server. Incoming web client requests are compared to an application model that may include an allowed navigation path within an underlying web application. Requests inconsistent with the application model are blocked before reaching the application server. The invention may also verify that application state data sent to application servers has not been inappropriately modified. Furthermore, the invention enables application models to be automatically generated by employing, for example, a web crawler to probe target applications. Once a preliminary application model is generated it can be operated in a training mode. An administrator may tune the application model by adding a request that was incorrectly marked as non-compliant to the application model.
    Type: Grant
    Filed: December 10, 2008
    Date of Patent: April 7, 2015
    Assignee: F5 Networks, Inc.
    Inventor: David Movshovitz
  • Patent number: 9003361
    Abstract: A computer system receives user input indicating uniform resource identifiers (URIs) for a RESTful web service. The computer system identifies a programming language for a RESTful web service software development kit (SDK) client and creates methods for the URIs using programming code format of the identified programming language. The computer system creates the RESTful web service SDK client using the methods.
    Type: Grant
    Filed: November 30, 2012
    Date of Patent: April 7, 2015
    Assignee: Red Hat Israel, Ltd.
    Inventor: Michael Pasternak
  • Patent number: 9003530
    Abstract: Embodiments of the present invention provide an information processing method, device, and server, relating to the technical field of communications, and solving the problem of a user continuously releasing illegal information in the network. The method comprises: receiving network information; determining, according to the network information, a rating result of a network object corresponding to the network information; and controlling the network object according to the rating result of the network object corresponding to the network information. Embodiments of the present invention further provide an information processing device and server. The present invention is applied to network information management.
    Type: Grant
    Filed: July 13, 2012
    Date of Patent: April 7, 2015
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventors: Zhihao Zheng, Zhu Liang, Yu Chen, Zhenwei Liu
  • Publication number: 20150095636
    Abstract: Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a method is provided for delivering customized network services to subscribers of the service provider. A request is received, at a service management system (SMS) of the service provider, to establish an Internet Protocol (IP) connection between a first and second location of a first subscriber of the managed security service provider. Responsive to the request, the SMS causes a tunnel to be established between a first virtual router (VR) and a second VR running on a first and second service processing switch, respectively, of the service provider which are coupled in communication via a public network and associated with the first location and the second location, respectively.
    Type: Application
    Filed: November 17, 2014
    Publication date: April 2, 2015
    Applicant: FORTINET, INC.
    Inventors: Chih-Tiang Sun, Kiho Yum, Abraham R. Matthews
  • Publication number: 20150096007
    Abstract: Systems and techniques are described for monitoring network communications using a distributed firewall. One of the techniques includes receiving, at a driver executing in a guest operating system of a virtual machine, a request to open a network connection from a process associated with a user, wherein the driver performs operations comprising: obtaining identity information for the user; providing the identity information and data identifying the network connection to an identity module external to the driver; and receiving, by a distributed firewall, data associating the identity information with the data identifying the network connection from the identity module, wherein the distributed firewall performs operations comprising: receiving an outgoing packet from the virtual machine; determining that the identity information corresponds to the outgoing packet; and evaluating one or more routing rules based at least in part on the identity information.
    Type: Application
    Filed: October 1, 2013
    Publication date: April 2, 2015
    Applicant: VMware, Inc.
    Inventors: Anirban Sengupta, Subrahmanyam Manuguri, Mitchell T. Christensen, Azeem Feroz, Todd Sabin
  • Patent number: 8997200
    Abstract: An electronic device for communication in a data network including a communication circuit adapted for performing the network communication, which communication includes controlling a plurality of network layers, the layers including a physical layer, a link layer and at least one higher order layer, the communication circuit includes a protective circuit for identifying unwanted data. The electronic device is characterized in that the protective circuit is arranged to monitor data during transmission of data from the electronic device, and identify unwanted data, and the communication circuit is adapted to avoid transmission of the unwanted data identified by the protective circuit. In this way the network is protected against excessive traffic, for example during a Denial of Service attack.
    Type: Grant
    Filed: May 16, 2013
    Date of Patent: March 31, 2015
    Assignee: ABB Research Ltd.
    Inventors: Kevin McGrath, Alexander Wold
  • Patent number: 8997202
    Abstract: A system for securely transferring information from an industrial control system network, including, within the secure domain, one or more remote terminal units coupled by a first network, one or more client computers coupled by a second network, and a send server coupled to the first and second networks. The send server acts as a proxy for communications between the client computers and the remote terminals and transmits first information from such communications on an output. The send server also transmits a poll request to a remote terminal unit via the first network and transmits second information received in response to the poll on the output. The system also includes, outside the secure domain, a receive server having an input coupled to the output of the send server via a one-way data link. The receive server receives and stores the first and second information provided via the input.
    Type: Grant
    Filed: December 6, 2012
    Date of Patent: March 31, 2015
    Assignee: Owl Computing Technologies, Inc.
    Inventors: John Curry, Ronald Mraz
  • Patent number: 8997201
    Abstract: In one embodiment, a method includes initiating integrity monitoring at a network device, continuously monitoring the network device to detect changes at the network device over a period of time, and transmitting information collected during said integrity monitoring to a security device for use in determining if the network device is allowed access to a trusted network. An apparatus and logic are also disclosed.
    Type: Grant
    Filed: May 14, 2012
    Date of Patent: March 31, 2015
    Assignee: Cisco Technology, Inc.
    Inventor: Brian Wotring
  • Patent number: 8997076
    Abstract: A loader application and an associated dynamic link library are installed on a client system. Upon a first execution of the loader application, a user authorization to communicate with locations external to the client via a communications network is received. The dynamic link library and not the loader application is auto-updated without requiring additional user authorization. The auto-updating is repeated during one or more executions of the loader application subsequent to the first execution.
    Type: Grant
    Filed: November 26, 2008
    Date of Patent: March 31, 2015
    Assignee: Google Inc.
    Inventors: Gueorgui N. Djabarov, Yevgeniy Gutnik, Omer Shakil
  • Patent number: 8996865
    Abstract: A computer system includes memory storing an operating system. An agent executive runs within the operating system. The agent executive receives an agent identity token from a grid computer system. The agent identity token includes a unique cryptographic key assigned to the agent executive. The agent executive collects information about the computer system for an evaluation of integrity of the agent executive, according to a plurality of agent self-verification factors. The agent executive encrypts the collected information using the cryptographic key and transmits the encrypted information to the grid computer system. The agent executive retrieves an encrypted set of commands from the grid computer system, which are selected by the grid computer system in response to the transmitted information. The agent executive decrypts the encrypted set of commands and executes, at the computer system, each command in the set of commands.
    Type: Grant
    Filed: October 9, 2014
    Date of Patent: March 31, 2015
    Assignee: CloudPassage, Inc.
    Inventors: Carson Sweet, Vitaliy Geraymovych
  • Publication number: 20150089625
    Abstract: A network access manager controls access to a network interface according to a set of access control instructions specifying permissible and impermissible addresses and domains on a network. The network access manager establishes a graylist of addresses based on a domain request that is associated with a whitelisted domain that is accessed via a blacklisted address. When a request to establish a connection is received directed to a graylisted address, the connection is permitted to establish and the connection is added to a session graylist. When a session data transfer packet is received, if the session corresponds to a session on the session graylist, the session data transfer packet is examined to determine if it matches a whitelisted domain, in which case the session is associated with a session whitelist and permitted access to the network. The access control instructions may be automatically updated from a trusted access control management system.
    Type: Application
    Filed: September 25, 2013
    Publication date: March 26, 2015
    Applicant: Malwarebytes Corporation
    Inventors: Douglas Stuart Swanson, Daniel Young, John Moore
  • Patent number: 8990917
    Abstract: Systems and methods for authenticating applications that access web services. In one embodiment, a web service gateway intercepts a request for a web service from an application, and determines if the application is authorized by a service provider based on information provided in the web service request. If the application is authorized, then the web service gateway identifies a profile for an end user that initiated the web service using the application, and determines if the web service is allowed for the end user based on the profile. If the web service is allowed for the end user, then the web service gateway determines that the application is authenticated, converts the web service request to a protocol used by a server that provides the web service, and transmits the web service request to the server.
    Type: Grant
    Filed: December 27, 2012
    Date of Patent: March 24, 2015
    Assignee: Alcatel Lucent
    Inventors: Yigang Cai, Alok Sharma
  • Patent number: 8990886
    Abstract: In an information management system, policies are deployed to targets and targets can evaluate the policies whether they are connected to or disconnected from the system. The policies may be transferred to the target, which may be a device or user. Relevant policies may be transferred while non-relevant policies are not. The policies may have policy abstractions.
    Type: Grant
    Filed: September 24, 2013
    Date of Patent: March 24, 2015
    Assignee: NextLabs, Inc.
    Inventor: Keng Lim
  • Patent number: 8990885
    Abstract: Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed.
    Type: Grant
    Filed: July 18, 2013
    Date of Patent: March 24, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: David Chang, Abhijit Patra, Nagaraj Bagepalli, Rajesh Kumar Sethuraghavan
  • Patent number: 8990387
    Abstract: A system and an article of manufacture for automatically determining configuration completeness during information technology (IT) transformation from a pre-transformation source environment to a post-transformation target environment include obtaining a record of each of multiple data flows in a source environment, transforming each data flow in the source environment to a transformed data flow that corresponds to a target environment, and automatically determining that each of the transformed data flows is covered by a firewall configuration of one or more interfaces in the target environment.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: March 24, 2015
    Assignee: International Business Machines Corporation
    Inventors: Nancy Burchfield, Nathaniel Hang, Rafah A. Hosn, James Murray, Harigovind V. Ramasamy
  • Patent number: 8990915
    Abstract: A system for providing local access by means of a local data appliance to data collected from remote monitors and sensors is described. The system includes a plurality of remote monitors and sensors, the remote monitors and sensors reporting data over a wide area communications network, and a data collection center receiving the data from the remote monitors and sensors, the data collection center operable to process the data and generate customer-defined reports based on the data. A local data appliance placed in the customer's network operates to receive the data from the data collection center, and to process the customer data, generate reports based on the data and send instructions to the remote monitors and sensors. The appliance resides behind the customer's firewall but is separate from the customer's network and data center equipment.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: March 24, 2015
    Assignee: Numerex Corp.
    Inventors: Stephen P. Emmons, Jeffrey O. Smith, Richard Burtner, Henry S. Rosen
  • Publication number: 20150082412
    Abstract: A firewall cluster system comprises a first node operable to receive a connection in a firewall cluster having three or more nodes, monitor packets of the received connection and determine application state data associated with the connection from the monitored packets in the first node, and share the application state data with at least one other node in the firewall cluster.
    Type: Application
    Filed: June 9, 2014
    Publication date: March 19, 2015
    Inventors: Spencer Minear, Paul Meyer
  • Patent number: 8984614
    Abstract: The present invention provides a unique way of implementing the SOCKS protocol for establishing connections through a firewall. In general, instead of having a SOCKS server implemented entirely in the firewall, SOCKS servers are implemented on both a server and a client, which are configured to communicate with each other through the firewall. The SOCKS servers on the server and client allow multiple objects on both the server and the client to communicate with each other through a single port through the firewall, wherein the SOCKS servers on the server and the client cooperate with each other and their respective objects to allow the objects to establish the connections.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: March 17, 2015
    Assignee: Rockstar Consortium US LP
    Inventor: Mathew John
  • Patent number: 8984272
    Abstract: An information processing apparatus securely stores a program group comprising one or more programs and includes a first detector that detects an execution waiting state of a given program among the program group; a secure module that is configured such that information stored therein cannot be referred to by an external device, and when the execution waiting state is detected by the first detector, that encrypts the given program and writes the encrypted given program to a storage area that is different from that of the program group; a second detector that detects an execution request concerning the given program; a decrypter that decrypts the given program encrypted by the secure module and writes the decrypted given program to the storage area, when the execution request concerning the given program is detected by the second detector; and a program executor that executes the given program decrypted by the decrypter.
    Type: Grant
    Filed: March 29, 2012
    Date of Patent: March 17, 2015
    Assignees: Fujitsu Limited, Fujitsu Semiconductor Limited
    Inventors: Kiyoshi Kohiyama, Masakazu Takakusu, Kenichi Wakasugi
  • Patent number: 8981895
    Abstract: A method and system for detection of intrusion in networked control systems, is provided. The method includes generating an operating model of a system being controlled. The operating model of the system comprises a relationship between a plurality of components in the system defined by a plurality of parameters. Further, the method includes calculating an estimated value of at least one parameter for at least one component in the system. The operating model is used to calculate the estimated value of the at least one parameter. Furthermore, the method includes measuring a latest value of at least one parameter at a predefined interval. The method also includes triggering an alert for intrusion for the at least one component based on an analysis of at least one of the latest value and the estimated value of at least one parameter.
    Type: Grant
    Filed: January 9, 2012
    Date of Patent: March 17, 2015
    Assignee: General Electric Company
    Inventor: Stephen Francis Bush
  • Patent number: 8983866
    Abstract: In one example, a method includes: receiving a first input value associated with a first data field; responsive to determining the first data field is associated with a delta operation, selecting a second input value associated with a corresponding second data field of a previously transmitted message; comparing the first input and second input values to determine if the first and second input values are equivalent; when the first and second input values are not equivalent, generating a message, wherein the first data field includes only data of the first input value not included in data of the second input value, and providing an operator symbol indicating the delta operation to specify that the first data field of the message includes only data of the first input value that is not included in data of the second input value associated with the second data field of the previously transmitted message.
    Type: Grant
    Filed: April 6, 2011
    Date of Patent: March 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Ravi Ravisankar, Roy A. Wood, Jr.
  • Patent number: 8984585
    Abstract: An application that is capable of monitoring Internet or network traffic and performing recordings of computer video output based on one or more violations of network activity policies. The recording application can be installed on the computer to be recorded or another computer or server that is connected through the network to the computer to be recorded. The monitoring application contains a configuration interface that allows a user to set thresholds for certain types of network policy violations. When the one or more violations are detected, the recording application will begin recording video of the computer's video activity. The application can be configured to include settings such as the length of the recording. In a typical environment, the application is a hardware appliance that is capable of monitoring web activity and network traffic and can connect to the computer over the network in order to perform the recording.
    Type: Grant
    Filed: August 1, 2013
    Date of Patent: March 17, 2015
    Assignee: iboss, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 8984618
    Abstract: Disclosed is a system for managing virtual private networks (VPNs) that includes: terminals configured to transmit user data; a manager configured to transmit information for concealing networks and managing the VPNs; border gateways configured to decrypt the user data and perform a network address translation (NAT) procedure and a filtering procedure on the decrypted user data based on the information; and servers configured to receive the user data subjected to the NAT procedure and the filtering procedure, wherein the filtering procedure is a procedure discarding the user data to be transferred to servers that are not allowed, so as to allow the terminals to access only the allowed servers, the NAT procedure is a procedure changing an Internet protocol (IP) address used in a first network to an IP address used in a second network, and the first network and the second network are different networks.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: March 17, 2015
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Ho Sun Yoon, Sung Back Hong, Jung Sik Kim, Seong Moon, Sun Cheul Kim, Seung Woo Hong, Sang Jin Hong, Pyung Koo Park, Young Soo Shin, Ho Yong Ryu, Soon Seok Lee
  • Publication number: 20150074788
    Abstract: When communication from a first virtual device to a second virtual device is received, a first virtual interface associated with the first virtual device and a second virtual interface associated with the second virtual device are determined. A first security domain associated with the first virtual interface and a second security domain associated with the second virtual interface are then determined in order to implement a security policy between the first security domain and the second security domain. The communication between the virtual devices is allowed or blocked.
    Type: Application
    Filed: March 28, 2013
    Publication date: March 12, 2015
    Applicant: Hangzhou H3C Technologies Co., Ltd.
    Inventor: Qiyong Wang
  • Patent number: 8977746
    Abstract: A network security device may gather a large amount of metadata pertaining to the connections being managed thereby. A refinement module may filter and/or aggregate the connection metadata. The metadata may be refined on the network security device. The refined metadata may be provided for display on a terminal. The refined metadata may include a subset of the larger connection metadata, which may reduce the overhead required to display and/or transmit monitoring information to the terminal device. The refined metadata may comprise connection groups, which may be formed based on aggregation criteria, such as connection source, destination, application, security policy, protocol, port, and/or the like. The connection groups may be ranked in accordance with ranking criteria.
    Type: Grant
    Filed: April 26, 2013
    Date of Patent: March 10, 2015
    Assignee: Watchguard Technologies, Inc.
    Inventors: Mark D. Hughes, Eivind Naess
  • Patent number: 8976963
    Abstract: Mobile clients can execute IPv6 applications in an IPv4 environment without the need for any specialized IPv6 hardware or upgrades to the network infrastructure. The architecture provides a seamless, disruption-free connectivity experience for mobile clients. Mobile clients are automatically connected to other mobile clients irrespective of their network connectivity, whether wireless, wire line, IPv4, IPv6, public or private. Mobile clients communicate with other mobile clients using a secure, end-to-end IPv6 tunnel. This creates a persistent VPN connection between two clients using software.
    Type: Grant
    Filed: October 5, 2010
    Date of Patent: March 10, 2015
    Inventors: Junaid Islam, John S. McFarlane, Carl Williams
  • Patent number: 8977691
    Abstract: A request for information or services available on an intranet may be made by users on an extranet outside the intranet. An email is generated in an external server on the extranet in response to the request for information or services, and then sent from the external server to an internal server inside the intranet. The email comprises one or more approved forms based on the request, wherein specifics of the request are embedded into the body of the email. The email is processed at the internal server, in order to generate a response to the request, wherein the response is returned by the internal server to the external server in a reply email. The reply email includes an attachment containing the results of the processing performed by the internal server. The external server allows the user to access these results via an external graphical user interface.
    Type: Grant
    Filed: June 28, 2006
    Date of Patent: March 10, 2015
    Assignee: Teradata US, Inc.
    Inventor: Ronald Fink
  • Patent number: 8978104
    Abstract: Methods and systems are disclosed for providing indirect and temporary access to a company's IT infrastructure and business applications. The methods/systems involve establishing an access control center (ACC) to control the access that technical support personnel may have to the company's IT infrastructure and business applications. Thin client terminals with limited functionality may then be set up in the ACC for use by the technical support personnel. The thin client terminals connect the technical support personnel to workstations outside the ACC that operate as virtual desktops. The virtual desktops in turn connect the technical support personnel to the IT infrastructure and business applications. An ACC application may be used to control the connection between the thin client terminals and the virtual desktops and the virtual desktops and the IT infrastructure and business applications.
    Type: Grant
    Filed: July 23, 2008
    Date of Patent: March 10, 2015
    Assignee: United Services Automobile Association (USAA)
    Inventors: Christopher Thomas Wilkinson, Edward Allen Francovich
  • Patent number: 8978138
    Abstract: The present invention provides a technique for validating TCP communication between a client requesting resources and a server providing requested resources to protect the specified server from a denial of service attack wherein a plurality of clients initiate communication with a server, but do not complete the communication for the purpose of denying service to the server from other legitimate clients. Through systematic transmission regulation of TCP packets, an intermediary apparatus or set of apparatuses, can, to a high degree of certainty, validate client connections to protect the server from this saturated condition. The communication is then reproduced by the apparatus or apparatuses.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: March 10, 2015
    Inventor: Mehdi Mahvi
  • Publication number: 20150067818
    Abstract: Methods and systems for managing tunneled endpoints are provided. One method includes preventing a user from accessing an endpoint that was previously accessed by the user via a first URL including an address with a first port designation, creating a constructive bookmark to the previously accessed endpoint, and establishing a tunnel to the previously accessed endpoint based on the constructive bookmark. Another method includes preventing a user from bookmarking a URL to an endpoint. A system includes a processor coupled to a memory and a module for managing tunneled endpoints that, when executed by the processor, causes the processor to perform one or more of the above methods.
    Type: Application
    Filed: September 3, 2013
    Publication date: March 5, 2015
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Mark E. MOLANDER, Michael H. NOLTERIEKE, David B. ROBERTS
  • Publication number: 20150067815
    Abstract: According to one example embodiment, a modem or other network device includes an energy module configured to enter a low-power, low-bandwidth state when not in active use by a user. The low-power state may be maintained under certain conditions where network activity is not present, and/or when only non-bandwidth-critical traffic is present. The network device may include a user interface for configuring firewall rules, and the user may be able to concurrently designate particular types of traffic as important or unimportant. The energy module may also be integrated with a firewall, and power saving rules may be inferred from firewall rules.
    Type: Application
    Filed: August 28, 2013
    Publication date: March 5, 2015
    Applicant: CISCO TECHNOLOGY, INC.
    Inventor: Michael Overcash
  • Publication number: 20150067816
    Abstract: A security device may be configured to receive information regarding traffic that has been outputted by a particular user device, and compare the information regarding the traffic to security information. The security information may include device behavior information, traffic policy information, or device policy information. The security device may determine, based on the comparing, that a security threat exists with regard to the traffic, and take, based on determining that the security threat exists, remedial action with respect to the traffic. Taking the remedial action may include preventing the traffic from being forwarded to an intended destination associated with the traffic, providing an alert regarding the security threat to the particular user device, or providing an alert regarding the security threat to another device.
    Type: Application
    Filed: August 28, 2013
    Publication date: March 5, 2015
    Applicants: Cellco Partnership d/b/a Verizon Wireless, Verizon Patent and Licensing Inc.
    Inventors: Steven R. Rados, Lalit R. Kotecha, Jyothi Keshavdas, Arda Aksu, Thomas W. Haynes
  • Publication number: 20150067817
    Abstract: Disclosed is a system and method enabling a mobile device to establish a communication channel with a device residing in the corporate network and in close physical proximity, without the requirement for a direct high-speed network connection between the mobile and corporate devices. The system and method allow the mobile device to maintain its existing network connection, with no special user/network credential access. The system and method enable improved security control over the traffic that is transferred between the devices, as it is filtered and controlled through a Firewall Traversal pairing server and not directly between devices.
    Type: Application
    Filed: September 3, 2013
    Publication date: March 5, 2015
    Applicant: AVAYA, INC.
    Inventor: Ori Modai