Proxy Server Or Gateway Patents (Class 726/12)
  • Publication number: 20150082415
    Abstract: A broadband gateway may be used to authorize transactions associated with one or more accounts, which may be associated with a user of the broadband gateway. The transaction may be handled by the broadband gateway. The authorizations may be performed based on information associated with the accounts, whose storage may be controlled by the broadband gateway. The broadband gateway may block and/or terminate transactions failing authentication and/or validation, which may be performed based on the stored information. The transactions may be initiated within a network serviced by the broadband gateway. The transactions may also be initiated outside the serviced network. The stored information may comprise a user profile, which may comprise a plurality of settings for controlling and/or managing authorization performed by the broadband gateway. The user profiles may be configurable by users, wherein configuration may comprise initializing and/or modifying one or more of the transaction related settings.
    Type: Application
    Filed: November 19, 2014
    Publication date: March 19, 2015
    Inventors: David Garrett, Jeyhan KARAOGUZ, Xuemin CHEN, Wael DIAB, David LUNDGREN, Rich PRODAN
  • Publication number: 20150082414
    Abstract: An integrated security system integrates broadband and mobile access and control with conventional security systems and premise devices to provide a tri-mode security network having remote connectivity and access. The integrated security system delivers remote premise monitoring and control functionality to conventional monitored premise protection and complements existing premise protection equipment. The integrated security system integrates into the premise network and couples wirelessly with the conventional security panel, enabling broadband access to premise security systems. Automation devices can be added, enabling users to remotely see live video or pictures and control home devices via a personal web portal or other client device. Camera management enables automatic configuration and management of cameras in the premise network.
    Type: Application
    Filed: September 2, 2014
    Publication date: March 19, 2015
    Inventor: Paul J. DAWES
  • Patent number: 8984619
    Abstract: According to one aspect, the subject matter described herein includes a method for communicating an encrypted data packet. The method includes steps occurring at a first gateway node. The method also includes receiving a data packet from a first host. The method further includes determining that a first security association (SA) instance associated with the data packet is in an inactive state. The method further includes identifying a second SA instance that is both associated with the data packet and in an active state. The method further includes forwarding the data packet to the second SA instance.
    Type: Grant
    Filed: July 12, 2013
    Date of Patent: March 17, 2015
    Assignee: Genband US LLC
    Inventors: Allain Legacy, Matthew Lorne Peters
  • Patent number: 8984615
    Abstract: Systems and methods are for registering and authenticating an unmanaged IP device to an IP multimedia subsystem (IMS). An exemplary method includes implementing a system from which an unmanaged IP device retrieves IMS credentials needed to register and authenticate to the IMS. The system is remote to the unmanaged IP device and is accessible to the unmanaged IP device through an IP access network. The method further includes permitting the unmanaged IP device to register and authenticate to the IMS with the IMS credentials received from the system.
    Type: Grant
    Filed: December 29, 2009
    Date of Patent: March 17, 2015
    Assignee: AT&T Mobility II, LLC
    Inventors: Krishna Bhuyan, Hong Thi Nguyen
  • Patent number: 8984596
    Abstract: An electronic device may include a finger biometric sensor, a display, and a processor coupled with the finger biometric sensor and the display. The processor is capable of displaying a plurality of finger representations on the display corresponding to different fingers of a hand, enrolling respective user's fingers for the plurality of finger representations using the finger biometric sensor, displaying a menu of available functions on the display, associating at least some of the available functions with respective enrolled user's fingers, and performing a given function based upon a match of a newly sensed user's finger with a respective enrolled user's finger using the finger biometric sensor.
    Type: Grant
    Filed: September 30, 2009
    Date of Patent: March 17, 2015
    Assignee: Authentec, Inc.
    Inventor: Stephanie Griffin
  • Patent number: 8984616
    Abstract: Efficient routing for a client-server session or connection is provided in an application layer of multi-layered systems interconnect stack by caching a plurality of application-specific information at an intermediary network point; using the application specific information to route messages for an application connection; and indexing the application-specific information with a key provided by the application. Optionally, a second key may be used to retrieve the application-specific information if the first key is not provided in an application connection request, where the second key is optionally opaque to the application program. The intermediary network point may be an edge of network Internet Protocol (IP) switch, and the application layer in which the routing is performed may be layer seven of the Open Systems Interconnection model.
    Type: Grant
    Filed: December 8, 2010
    Date of Patent: March 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Daniel M Jamrog, David Scott Kern, Jason Dana LaVoie, Chester E Ryder, III
  • Patent number: 8984627
    Abstract: A method may include receiving session control messages and counting the session control messages of a same type having a same transaction identifier (ID). The method may further include blocking the session control messages of the same type having the same transaction ID when the count exceeds a threshold number. The method may further include determining whether the blocked session control messages are associated with an anomalous event and, when the blocked session control messages are not associated with the anomalous event, increasing the threshold number.
    Type: Grant
    Filed: December 30, 2010
    Date of Patent: March 17, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Gaston Ormazabal
  • Patent number: 8984617
    Abstract: Systems and methods for facilitating transmitting messages to remote host are provided. Method includes receiving request to connect client computing device to remote host, wherein client computing device resides on client side of firewall, and wherein request is associated with identification of local port, first port forward, and remote host. Method includes facilitating connection of client computing device to client proxy via local port. Method includes facilitating connection of client proxy to server proxy via splitting protocol. Method includes facilitating connection of server proxy to remote host via tunnel associated with the port forward or second port forward through tunnel. Method includes facilitating communication between client computing device and remote host via tunnel and splitting protocol, wherein facilitating communication comprises translating data between default format of client proxy corresponding to local port, default format of server proxy, and protocol of tunnel.
    Type: Grant
    Filed: June 1, 2012
    Date of Patent: March 17, 2015
    Assignee: Wyse Technology L.L.C.
    Inventor: Andrew T. Fausak
  • Patent number: 8984618
    Abstract: Disclosed is a system for managing virtual private networks (VPNs) that includes: terminals configured to transmit user data; a manager configured to transmit information for concealing networks and managing the VPNs; border gateways configured to decrypt the user data and perform a network address translation (NAT) procedure and a filtering procedure on the decrypted user data based on the information; and servers configured to receive the user data subjected to the NAT procedure and the filtering procedure, wherein the filtering procedure is a procedure discarding the user data to be transferred to the servers that are not allowed so as to allow the terminals to access only the allowed servers, the NAT procedure is a procedure changing an Internet protocol (IP) address used in a first network to an IP address used in a second network, and the first network and the second network are different networks.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: March 17, 2015
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Ho Sun Yoon, Sung Back Hong, Jung Sik Kim, Seong Moon, Sun Cheul Kim, Seung Woo Hong, Sang Jin Hong, Pyung Koo Park, Young Soo Shin, Ho Yong Ryu, Soon Seok Lee
  • Patent number: 8984598
    Abstract: Mechanisms are provided for collecting configuration data from components of a managed computing system environment. A portion of code is obtained, in a data processing system, from a data collection system that does not have security credentials to allow the data collection system to directly access the managed computing system environment. The portion of code is executed by the data processing system using security credentials maintained in the data processing system. Executing the portion of code causes the data processing system to access the managed computing system environment and collect configuration data from the managed computing system environment. The data processing system, via the portion of code, provides the configuration data collected from the managed computing system to the data collection system which stores the collected configuration data in a data storage.
    Type: Grant
    Filed: June 27, 2012
    Date of Patent: March 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Joel W. Branch, Michael E. Nidd, Ruediger Rissmann
  • Publication number: 20150074789
    Abstract: A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data.
    Type: Application
    Filed: June 17, 2014
    Publication date: March 12, 2015
    Inventors: Steven Spicer, Christopher Martin, Larry Kuhl, Brian Hollander, Patrick Pidduck, Phillip Von Hatten, Mark Onischke, Clayton Grassick, Tim Lehan, Steven Coutts
  • Publication number: 20150074791
    Abstract: A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data.
    Type: Application
    Filed: June 17, 2014
    Publication date: March 12, 2015
    Inventors: Steven Spicer, Christopher Martin, Larry Kuhl, Brian Hollander, Patrick Pidduck, Phillip Von Hatten, Mark Onischke, Clayton Grassick, Tim Lehan, Steven Coutts
  • Publication number: 20150074790
    Abstract: A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data.
    Type: Application
    Filed: June 17, 2014
    Publication date: March 12, 2015
    Inventors: Steven Spicer, Christopher Martin, Larry Kuhl, Brian Hollander, Patrick Pidduck, Phillip Von Hatten, Mark Onischke, Clayton Grassick, Tim Lehan, Steven Coutts
  • Patent number: 8978096
    Abstract: A system and method transfers information relating to quality or standards of an organization from a server to a wireless handheld computing device and from the wireless handheld computing device to the server in real-time or near real-time. Each member of an organization can have the same policies and procedures as soon as any of the policies and procedures are updated. The inventive system can allow an organization to also measure compliance and conformance with the distributed policies and procedures. With the handheld computing devices, each member of an organization can complete tests that are closely tied to the distributed policies and procedures. The results of these tests can be transmitted in real-time or near real-time from the handheld computing devices to a central computer server so that an organization can track current performance of all its members relative to the policies and procedures and relative to each other.
    Type: Grant
    Filed: May 25, 2013
    Date of Patent: March 10, 2015
    Assignee: Reflexis Systems Inc.
    Inventor: Stan Hawkins
  • Publication number: 20150067820
    Abstract: A gateway device and methods performed therein to prevent unauthorized client devices from connecting to the host network of the gateway device is described. The gateway device does not respond right away to an individual client message sent to the gateway device. Instead, the gateway device only responds to a predetermined sequence of the client messages, which is only known to the gateway device and authorized client devices. Because the gateway device will not respond to random client messages and the likelihood that an unauthorized client device can correctly guess the predetermined sequence of the client messages is low, the risk of a malicious party being able to hack into the host network, for example, by using port scanning techniques, can be mitigated.
    Type: Application
    Filed: November 4, 2014
    Publication date: March 5, 2015
    Inventor: Horatio Nelson Huxham
  • Publication number: 20150067819
    Abstract: A method for fetching a content from a web server to a client device is disclosed, using tunnel devices serving as intermediate devices. The client device accesses an acceleration server to receive a list of available tunnel devices. The requested content is partitioned into slices, and the client device sends a request for the slices to the available tunnel devices. The tunnel devices in turn fetch the slices from the data server, and send the slices to the client device, where the content is reconstructed from the received slices. A client device may also serve as a tunnel device, serving as an intermediate device to other client devices. Similarly, a tunnel device may also serve as a client device for fetching content from a data server. The selection of tunnel devices to be used by a client device may be in the acceleration server, in the client device, or in both.
    Type: Application
    Filed: August 26, 2014
    Publication date: March 5, 2015
    Inventors: Derry Shribman, Ofer Vilenski
  • Patent number: 8973138
    Abstract: In methods and a device for mitigating against cyber-attack on a network, a distributed intermediary device is placed into a network between computers or network nodes of the network to mitigate cyber-attacks between the computers or nodes of a network from remote systems. Threats are assessed by utilizing internal information assurance mechanisms of the device to detect such cyber-attacks without requiring external modification of the software and/or hardware of the computers or nodes of the network to be protected. The device prevents attacks at the platform level against the OS and network resources.
    Type: Grant
    Filed: May 2, 2012
    Date of Patent: March 3, 2015
    Assignee: The Johns Hopkins University
    Inventors: Mark E. Byrkit, Francis W. Murray
  • Patent number: 8972475
    Abstract: Secure communications are provided over a network in a distributed workload environment having target hosts which are accessed through a distribution processor by a common network address. Secure communications are provided by routing both inbound and outbound communications with target hosts which are associated with a secure network communication through the distribution processor. Both inbound and outbound secure network communications are processed at the distribution processor so as to provide network security processing of communications from the target host and network security processing of communications to the target host.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: March 3, 2015
    Assignee: International Business Machines Corporation
    Inventors: James Russell Godwin, David Anthony Herr, Linwood H. Overby, Jr.
  • Patent number: 8972729
    Abstract: A first network device is configured to receive a request for content from a user device, determine that the user device is not authenticated, and send information to the user device that the user device requires authentication. The first network device is configured further to receive a notification that the user device is authorized to receive content from multiple content providers. The first network device is configured further to generate a secret key and authenticate the user device by using the secret key. The first network device is further configured to send the content to the user device.
    Type: Grant
    Filed: October 24, 2012
    Date of Patent: March 3, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: William C. King, Kwai Yeung Lee
  • Patent number: 8971244
    Abstract: A method is performed by a device. The method includes determining whether the device is allowed to attach to an operator network based at least partially on whether all access point names in a minimum access point name list are enabled in the device. The device allows itself to attach to the operator network if it is determined that the device is allowed to attach to the operator network. The device prevents itself from attaching to the operator network if it is determined that the device is not allowed to attach to the operator network. The device can wirelessly receive a command to disable an access point name in the device. If an access point name on a detach access point name list is disabled, then the device detaches from the operator network and prevents itself from reattaching until an integrated circuit card in the device is removed and replaced.
    Type: Grant
    Filed: September 16, 2011
    Date of Patent: March 3, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Suli Zhao, Srinivasan Balasubramanian
  • Patent number: 8973099
    Abstract: Described is using a client-side account selector in a passive authentication protocol environment (such as OpenID) in which a relying party website trusts the authentication response from an identity provider website. The account selector may access and maintain historical information so as to provide user-specific identity provider selection options (rather than only general identity provider selection options). The account selector is invoked based upon an object tag in the page, e.g., as invoked by a browser extension associated with that particular object tag. The account selector may communicate with a reputation service to obtain reputation information corresponding to the identity providers, and vary its operation based upon the reputation information.
    Type: Grant
    Filed: June 15, 2010
    Date of Patent: March 3, 2015
    Assignee: Microsoft Corporation
    Inventors: Charles Ronald Reeves, Jr., Oren J. Melzer, Michael Blair Jones, Ariel N. Gordon, Arun K. Nanda
  • Publication number: 20150058921
    Abstract: Disclosed are systems and methods to provide application acceleration as a service. In one embodiment, a system includes a head office to serve an enterprise application comprised of a collaborative document. The system also includes a branch office to request the collaborative document from the head office. The enterprise application may also include a computed document and/or a static document. In addition, the system also includes a set of Point of Presence (POP) locations between the head office and the branch office to communicate the collaborative document, the computed document and the static document on behalf of the head office from a closest POP location to the head office to a closest POP location to the branch office and then onward to the branch office.
    Type: Application
    Filed: October 30, 2014
    Publication date: February 26, 2015
    Inventors: Rajeev Bharadhwaj, Ajit Gupta, Ashwath Nagaraj
  • Publication number: 20150058968
    Abstract: Some embodiments use proxies on host devices to suppress broadcast traffic in a network. Each host in some embodiments executes one or more virtual machines (VMs). In some embodiments, a proxy operates on each host between each VM and the underlying network. For instance, in some of these embodiments, a VM's proxy operates between the VM and a physical forwarding element executing on the VM's host. The proxy monitors the VM's traffic, and intercepts broadcast packets when it knows how to deal with them. The proxy connects to a set of one or more controllers that provides a directory service that collects and maintains global information of the network. By connecting to the controller cluster, the proxy can obtain information that it can use to resolve broadcast requests. In some embodiments, the connection between the proxy and the controller cluster is encrypted and authenticated, to enhance the security.
    Type: Application
    Filed: November 1, 2013
    Publication date: February 26, 2015
    Applicant: VMware, Inc.
    Inventors: Hua Wang, Jianjun Shen, Donghai Han, Caixia Jiang, Wei Lu, Rahul Korivi Subramaniyam
  • Publication number: 20150058938
    Abstract: A gateway is preconfigured to establish an Internet Protocol (IP) tunnel with a default local mobility anchor on behalf of a mobile node. The gateway receives from the mobile node an Internet access request including a mobile identifier and authorization and authentication protocol information, and sends to the default local mobility anchor an IP tunnel request to establish an IP tunnel. The gateway receives from the default local mobility anchor a tunnel redirect message to redirect the IP tunnel from the default local mobility anchor to a serving local mobility anchor and, responsive to the tunnel redirect message, authenticates the mobile node and establishes an IP tunnel with the serving local mobility anchor through which the mobile node communicates.
    Type: Application
    Filed: August 23, 2013
    Publication date: February 26, 2015
    Applicant: Cisco Technology, Inc.
    Inventor: Peter Gaspar
  • Patent number: 8966603
    Abstract: The present invention is directed towards systems and methods for form-based single sign-on by a user desiring access to one or more protected resources, e.g., protected web pages, protected web-served applications, etc. In various embodiments, a single sign-on (SSO) module is in operation on an intermediary device, which is disposed in a network to manage internet traffic between a plurality of clients and a plurality of servers. The intermediary device can identify an authentication response from a server and forward the authentication response to the SSO module. The SSO module can complete a login form in the authentication response with a client's authentication data, return the completed login form to the server and forward cookies associated with the authentication response to the client. In various embodiments, multiple login forms can be completed, transparently to the client, by the SSO module on a client's behalf and reduce time expended by a client in obtaining access to protected resources.
    Type: Grant
    Filed: May 24, 2013
    Date of Patent: February 24, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Puneet Agarwal, Dileep Reddem, Anil Kumar Gavini
  • Patent number: 8966246
    Abstract: A method for handling digital certificate status requests between a client system and a proxy system is provided. The method includes the steps of receiving at the proxy system digital certificate status request data transmitted from the client system and generating query data for the digital certificate status in response to receiving the digital certificate status request data. The query data is transmitted to a status provider system, and status data from the status provider system in response to the query data is received at the proxy system. Digital certificate status data based on the status data received is generated and transmitted to the client system.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: February 24, 2015
    Assignee: BlackBerry Limited
    Inventors: Herbert A. Little, Stefan E. Janhunen
  • Patent number: 8966594
    Abstract: A first application that is hosted by a first machine receives a login request from a user. The first application requests authentication verification from a second application that is hosted by a second machine. The first application authenticates the user if the user was authenticated by the second application, wherein the user can be authenticated by both the first application and the second application after having provided authentication credentials to one of the first application or the second application.
    Type: Grant
    Filed: February 4, 2008
    Date of Patent: February 24, 2015
    Assignee: Red Hat, Inc.
    Inventor: James P. Schneider
  • Patent number: 8966598
    Abstract: A group video messaging method stores user information identifying authorized users of a video messaging system, and provides a user interface to the video messaging system. The user interface permits authorized users to transfer video files to the video messaging system for storage and retrieval, and to identify criteria for other authorized users to access each transferred video file. The method also stores in the video messaging system the video files transferred to the system by the authorized users; stores information identifying the user that transferred each stored video file to the video messaging system, and the criteria for authorized users to access the stored video files; and stores information identifying different groups of the authorized users and which of the stored video files are to be accessible to each of the authorized users or authorized user groups.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: February 24, 2015
    Assignee: LiveQoS Inc.
    Inventors: Ryan Brink, Pranay Kumar, Gregory Flatt, Desmond McNamee
  • Publication number: 20150052599
    Abstract: A VPN gateway device is able to assign, manage, and terminate a large volume of connections from apps executing on devices, enabling a large scale per-app VPN mobile environment. When a mobile device user opens an app on a mobile device, a VPN gateway transmits a unique IP address to the app. The gateway also transmits an app federation cookie to the app. The app shares the app federation cookie with a second app. The VPN gateway then assigns the second app the same unique IP address. The gateway then transmits a range of ports to the first app. The app uses a port in the range of ports for data transmission from the device to the VPN gateway. The gateway receives a data transmission from the first app via a VPN and determines that the data transmission originated from the first app based on the source port.
    Type: Application
    Filed: August 14, 2014
    Publication date: February 19, 2015
    Inventors: Timothy S. CHAMPAGNE, Kevin P. FOX, Daniel MURPHY, Brian H. PESCATORE, Kenneth J. WANTE
  • Patent number: 8959180
    Abstract: One or more requests are received from a first system. The requests are queued in a queue. A serialization group is determined for a request and the request is associated with the determined serialization group. At least a subset of the requests from the queue is transmitted to a second system if the second system is available, including transmitting requests in a respective serialization group to the second system serially in accordance with an ordering of the requests within the respective serialization group.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: February 17, 2015
    Assignee: Google Inc.
    Inventors: Andrew Chang Huang, Wendy Tobagus, Arturo Crespo
  • Patent number: 8959612
    Abstract: A secure interconnection system between two public networks comprises at least one first router, a first firewall, a second router, a second firewall and a blade server, and a first virtual local area network containing the data streams exchanged between a first communications facility and a second communications facility, a second virtual local area network containing the management and maintenance streams of said system which are exchanged between a supervision center and the blade server and a third virtual local area network containing the authentication streams for said first communications facility which are exchanged between the said second firewall and said blade server, said virtual local area networks being designed so as to exhibit an empty intersection.
    Type: Grant
    Filed: May 20, 2011
    Date of Patent: February 17, 2015
    Assignee: Thales
    Inventors: Suzanne DeBaille, Stéphane Touyet
  • Patent number: 8957938
    Abstract: The invention proposes a method and corresponding apparatuses for handing over a video conversation from a PS domain to a CS domain in a radio network. When signals of the network covered by the packet switch domain in which the video conversation is currently located are not good or become unavailable, as long as the source MME and eNodeB detect the presence of the video conversation, a procedure of handover to the circuit switch domain for the video bearer will be initiated, and a handover request will be transmitted to the MSC server. After receiving the handover request, control equipment in the circuit switch domain will request resources from a target radio network, requesting the allocation of the necessary communication link to the video bearer.
    Type: Grant
    Filed: October 28, 2009
    Date of Patent: February 17, 2015
    Assignee: Alcatel Lucent
    Inventor: Zhengxiong Lei
  • Patent number: 8959338
    Abstract: A remote access manager in a virtual computing services environment negotiates a time limited NAT routing rule to establish a connection between a remote device and virtual desktop resource providing user computing services. A series of NAT connection rules are revised in a dynamic manner such that a pool of ports is available to connect a plurality of remote users to local virtual compute resources over one or more public IP addresses. Once a connection is established, an entry is made in a firewall state table such that the firewall state table allows uninterrupted use of the established connection. After an entry has been made in the state table, or the routing rule has timed out, the port associated with the original NAT routing rule is removed and the same port can be re-used to establish another connection without disrupting active connections.
    Type: Grant
    Filed: October 1, 2012
    Date of Patent: February 17, 2015
    Assignee: Desktone, Inc.
    Inventors: James Snow, Andrew W. Hobgood, Clinton B. Battersby
  • Patent number: 8959610
    Abstract: A network media gateway is used to bridge trust between a Service Provider network and subscriber devices. The gateway is authenticated by the Service Provider by using knowledge of network topology. Subscriber devices are authenticated in response to subscriber input to the gateway via an interface. Trusted subscriber devices can be tightly coupled with the Service Provider network, thereby facilitating delivery of QoE. Mobile and remote subscriber devices may also be authenticated. The gateway may also facilitate establishment of VPNs for peer-to-peer communications, and dynamically adjustable traffic, policy and queue weightings based on usage patterns.
    Type: Grant
    Filed: December 26, 2012
    Date of Patent: February 17, 2015
    Assignee: Constellation Technologies LLC.
    Inventors: Hassler Hayes, Nannra Anoop, John Watkins
  • Publication number: 20150047011
    Abstract: The present invention relates to a converged personal network service (CPNS). More particularly, the present invention relates to a method for switching a personal network (PN) gateway in a PN from a first device to a second device, including the steps of: the first device transmitting, to the second device, a first message requesting PN gateway switching; the first device receiving a second message from the second device in response to the first message; and the first device authenticating the PN gateway when the second message includes a value indicating success, as well as to an apparatus therefor.
    Type: Application
    Filed: February 26, 2013
    Publication date: February 12, 2015
    Applicant: LG ELECTRONICS INC.
    Inventors: Seungmyeong Jeong, Younsung Chu
  • Publication number: 20150047012
    Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.
    Type: Application
    Filed: October 23, 2014
    Publication date: February 12, 2015
    Inventors: Lee Chen, Ronald Wai Lun Szeto
  • Patent number: 8955090
    Abstract: A SIP firewall defends an IMS network against SIP registration-based DoS/DDoS attacks by issuing fake authentication challenges when suspiciously high registration traffic is present. The fake authentication challenges include a predictive nonce that is to be used in the challenge response, thus forcing users to be state-aware and to issue the SIP registration requests from a valid IP address in order to successfully respond to the fake authentication challenges. Upon confirming an association between the challenge response and the fake authentication challenges, the firewall opens a registration window to a protected node of the core network. In such manner, the firewall opens a registration window to (unauthenticated) legitimate users while stopping DDoS mode of registrations (or at least making them extremely difficult and costly) without impacting or involving the protected node.
    Type: Grant
    Filed: January 10, 2011
    Date of Patent: February 10, 2015
    Assignee: Alcatel Lucent
    Inventors: Thierry C. Bessis, Ashwin V. Rana
  • Patent number: 8955094
    Abstract: Methods, systems, and products are provided for user session management for web applications. Embodiments include identifying, by a web application, a user session directive and sending, from the web application to a proxy web security component, an instruction to implement the user session directive. Typical embodiments also include receiving, by the proxy web security component, the instruction to implement the user session directive and implementing, by the proxy web security component, the user session directive.
    Type: Grant
    Filed: January 17, 2006
    Date of Patent: February 10, 2015
    Assignee: International Business Machines Corporation
    Inventor: Neil I. Readshaw
  • Patent number: 8955051
    Abstract: A method is proposed, for use e.g. in the context of WiMAX networks supporting the CMIPv6 function, for allowing the ASN-GW to become aware of the status of a control procedure, the CMIPv6 mobility binding procedure. The ASN-GW is not directly aware of its result since the procedure implies a message exchange at the U-Plane level, where the ASN-GW implements only a routing function. Nevertheless the ASN-GW needs to know the status of the procedure since it has to perform some subsequent actions depending on that status. The method includes signalling the status via a signalling mechanism between the Access Service Network and the Connectivity Service Network, thus avoiding packet inspection at the U-plane by the Access Service Network Gateway.
    Type: Grant
    Filed: July 28, 2008
    Date of Patent: February 10, 2015
    Assignee: Nokia Siemens Networks Oy
    Inventor: Andrea Marzii
  • Patent number: 8955150
    Abstract: The present invention relates to an apparatus and a method for managing digital rights using a virtualization technique, and more particularly to an apparatus and a method for enabling a user to access a desired text file in an independent area through a virtual machine corresponding to a licensed right for accessing the text file. The present invention comprises a virtual machine (VM) management unit for controlling a user access authorization function for accessing the text file in the area to which the virtualization technique is applied.
    Type: Grant
    Filed: September 10, 2010
    Date of Patent: February 10, 2015
    Assignee: Fasoo.com Co. Ltd.
    Inventor: Chel Park
  • Patent number: 8955052
    Abstract: A method, system and computer-usable medium are disclosed for managing identity authorizations to access information processing system resources. An application thread requiring access to target resources is initiated and associated with an authenticated client identity and a server identity. The resource authorization attribute of a resource required for execution of the application thread designates the use of a client identity, a server identity, or a client identity and server identity when attempting authorized access of the resource. The client identity, the server identity, or the client identity and server identity is then respectively used to access the target resource and the application thread is executed.
    Type: Grant
    Filed: May 27, 2010
    Date of Patent: February 10, 2015
    Assignee: International Business Machines Corporation
    Inventors: William J. O'Donnell, Elisa Ferracane, Paul W. Bennett, Michael C. Thompson
  • Patent number: 8955054
    Abstract: The described apparatus and methods include a wireless local area network (WLAN) access point having a wireless wide area network (WWAN) backhaul connection to provide a gateway between a LAN and a WAN. In one example, the access point may be a cellular telephone. Here, a processor in the access point is configured to generate a plurality of master keys, such that a plurality of access terminals may each utilize a respective one of the master keys to access the LAN. Further, the processor is configured to enable control of an allocation of resources to at least one of the access terminals.
    Type: Grant
    Filed: January 5, 2011
    Date of Patent: February 10, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Dilip Krishnaswamy, Patrik Lundqvist, Krishnan Rajamani
  • Publication number: 20150040208
    Abstract: A method of enabling extension of a network service of a first domain to a remote customer site hosted by an Access Gateway (AG) in a Provider Ethernet domain. In the first domain, the remote customer site is represented as being hosted by a border gateway (BG) connected to the Provider Ethernet domain, such that subscriber packets associated with the network service are forwarded to or from the remote customer site via the BG. In the Provider Ethernet domain, a trunk connection is instantiated through the Provider Ethernet domain between the host AG and the BG. A trunk cross-connection function is installed in the host AG, for transferring subscriber packets associated with the network service between a respective attachment virtual circuit (AVC) through which the remote customer site is connected to the host AG and an extended AVC tunnelled through the trunk connection.
    Type: Application
    Filed: October 22, 2014
    Publication date: February 5, 2015
    Inventor: Liam CASEY
  • Publication number: 20150040207
    Abstract: Example methods and apparatus to form secure cross-VPN (virtual private network) communication sessions in multiprotocol label switching (MPLS)-based networks are disclosed.
    Type: Application
    Filed: October 16, 2014
    Publication date: February 5, 2015
    Inventors: Mark A. Elias, Robert P. Lowmaster
  • Patent number: 8949986
    Abstract: A method and apparatus for network security elements using endpoint resources. An embodiment of a method includes receiving a request for access to a network at an endpoint server. The method further includes detecting that the request for access to the network includes a request that is unauthorized. The request for access to the network is directed to a network security element.
    Type: Grant
    Filed: December 29, 2006
    Date of Patent: February 3, 2015
    Assignee: Intel Corporation
    Inventors: Omer Ben-Shalom, Uri Blumenthal
  • Patent number: 8949966
    Abstract: A method and a system for securing access to data stored in a remote content server (41), and corresponding to personal multimedia data of a user (A) for example, which data is accessible by another user (B) from a terminal (2) by means of an electronic address. In order to avoid direct and extended access by the user (B) to the data of a user (A), the system also includes an application server (5) for creating an electronic masking address having a determined validity period and for sending to an inverse proxy server (6) said electronic masking address assigned to the electronic address of the remote content server (41). In this way, the terminal (2) of the user (B) temporarily accesses data stored in the remote content server (41) via the inverse proxy server (6) by means of the electronic masking address.
    Type: Grant
    Filed: October 25, 2006
    Date of Patent: February 3, 2015
    Assignee: Orange
    Inventors: Philippe Lottin, Claudine Le Mercier, Jean-François Rey
  • Patent number: 8949978
    Abstract: A computing device in a network is protected from malware originating from Web sites, referred to as Web threats, by having only one domain reputation database check performed before a URL is sent to a target Web site. The computing device performs a URL check using an external reputation database and generates a pass token if the URL is considered safe. The pass token is inserted into the header of the HTTP request containing the URL. When the gateway device in the network (the device that receives HTTP requests in the network and transmits them over the Internet) receives the HTTP request, it validates the pass token and allows the request to proceed to the target Web site without having to perform its own URL check using the same reputation database. Instead, it can rely on the pass token and assume that the URL will not pose a potential Web threat.
    Type: Grant
    Filed: January 6, 2010
    Date of Patent: February 3, 2015
    Assignee: Trend Micro Inc.
    Inventors: Ssu-Yuan Lin, Tzun-Liang Wang
  • Patent number: 8949952
    Abstract: A system includes a multi-stack subscriber, a gateway, and a web portal. The web portal determines whether the subscriber is authenticated to access the Internet using a first Internet Protocol by receiving logon information from the subscriber. The subscriber requests to access the Internet using a second Internet Protocol. The gateway and/or the web portal determine whether the subscriber is authenticated to access the Internet using the second Internet Protocol without sending a second logon to the subscriber.
    Type: Grant
    Filed: April 25, 2012
    Date of Patent: February 3, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Wojciech Dec, Piyush Agarwal, Jean-Philippe Champagne
  • Publication number: 20150033321
    Abstract: A Dynamic Virtual Private Network (DVPN) includes Virtual Private Network (VPN) Address Management (VAM) clients and a VAM server, and each VAM client includes a private gateway address, public address and subnet of the VAM client that are provided to the VAM server when registering in the VAM server. When a source VAM client receives a packet that is sent by a subnet of the source VAM client to a subnet of a destination VAM client, the source VAM client requests the VAM server to provide a next-hop address of subnet, a private gateway address, a public address and subnet of the destination VAM client to establish a DVPN tunnel between the source VAM client and the destination VAM client.
    Type: Application
    Filed: January 22, 2013
    Publication date: January 29, 2015
    Inventors: Yinzhu Yang, Zhanqun Wang
  • Patent number: 8943577
    Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.
    Type: Grant
    Filed: May 1, 2013
    Date of Patent: January 27, 2015
    Assignee: A10 Networks, Inc.
    Inventors: Lee Chen, Ronald Wai Lun Szeto