Proxy Server Or Gateway Patents (Class 726/12)
  • Publication number: 20140351918
    Abstract: Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a firewall maintains multiple configuration schemes, each defining a set of administrator-configurable content filtering process settings. The firewall also maintains a security policy database including multiple firewall security policies. At least one of the firewall security policies includes an associated configuration scheme and an action to take with respect to a particular network session based on a set of source Internet Protocol (IP) addresses, a set of destination IP addresses and/or a network service protocol.
    Type: Application
    Filed: August 5, 2014
    Publication date: November 27, 2014
    Applicant: FORTINET, INC.
    Inventor: William J. Crawford
  • Publication number: 20140351919
    Abstract: A multi-tenant data center environment includes a dedicated domain having at least one dedicated server associated with a client and a cloud domain having at least one cloud server associated with the client. The cloud server may have a public interface to a public network and a private interface to a private network. In turn, a network device is coupled between the dedicated domain and the public network, and is further coupled to the cloud server via the private network. A controller of the data center may be used to determine presence of the cloud server, and configure the network device to allow certain traffic to pass directly to the dedicated domain, while preventing other traffic from this direct path, based on access controls of the network device.
    Type: Application
    Filed: August 11, 2014
    Publication date: November 27, 2014
    Inventor: Christopher Kuehl
  • Patent number: 8898794
    Abstract: One embodiment of a computer-implemented data structure synchronization mechanism comprises an interface for accessing a data structure and storing ownership data in a shared memory location. The method further comprises denying write operations if the thread attempting the write operation is not designated as the owner thread by said ownership data. The method further comprises denying requests to modify the ownership data if the thread making the request is not designated as the owner thread by said ownership data. The method further comprises effecting a write fence in the context of the thread making the request to modify ownership data prior to modifying the ownership data. Other embodiments are described.
    Type: Grant
    Filed: September 6, 2011
    Date of Patent: November 25, 2014
    Inventor: Andrei Teodor Borac
  • Publication number: 20140344890
    Abstract: A captive portal system includes a login database, a web server, and a name server. The name server receives a DNS request from a user device, queries the login database to determine whether the user device is logged in, and responds to the DNS request with the IP address of the web server as a resolved IP address of the specified domain name when the user device is not logged in. The web server accepts a connection request from the user device to the IP address of the web server, receives an HTTP request specifying a non-local target URL from the user device, queries the login database to determine whether the user device is logged in according to the source address of the user device, and acts as a transparent proxy between the user device and the non-local target URL when the user device is logged in.
    Type: Application
    Filed: May 15, 2014
    Publication date: November 20, 2014
    Applicant: Guest Tek Interactive Entertainment Ltd.
    Inventors: Peter S. Warrick, David T. Ong
  • Publication number: 20140344915
    Abstract: A system and method are provided for secure network communications. A proxy server receives meter data, from a meter of a set of meters via a local network, for an energy management server. The proxy server uses secure communications to send the meter data via a non-secure network to the energy management server.
    Type: Application
    Filed: August 1, 2014
    Publication date: November 20, 2014
    Inventors: Robert James Burke, Prateek Sangal, Robert Daniel Maher, III
  • Patent number: 8893233
    Abstract: A referer verification apparatus and method for controlling web traffic having malicious code are provided. In the referer verification method, whether a referer is present in a Hypertext Transfer Protocol (HTTP) packet is determined. If it is determined that the referer is present in the HTTP packet, Uniform Resource Locators (URLs) are extracted from a referer web page corresponding to the referer. The referer is verified based on a URL corresponding to a referer verification request received from a server and the extracted URLs. A Completely Automated Public Test to tell Computers and Humans Apart (CAPTCHA) verification procedure conducted by a user is performed based on results of the verification of the referer.
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: November 18, 2014
    Assignee: Electronics and Telecommunications Research
    Inventors: Chul-Woo Lee, Deok-Jin Kim, Byoung-Jin Han, Byung-Chul Bae, Sang-Woo Park, Man-Hee Lee, E-Joong Yoon
  • Patent number: 8893255
    Abstract: Methods and systems for providing device authentication using device-specific proxy addresses are described. One example method includes associating a particular proxy network address with a device; receiving, over a network, a request to access a network resource, the request being received at the particular proxy network address; authenticating the device based on the particular proxy network address; and after authenticating the device, authenticating a user of the device based on user-specific credentials associated with the user.
    Type: Grant
    Filed: October 23, 2013
    Date of Patent: November 18, 2014
    Assignee: iboss, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 8891518
    Abstract: A routing device includes means for executing a function of translation between at least one address of a first network and at least one address of a second network; means for receiving an association request from a terminal of said first network; means for generating a second request by substituting a source address in the association request by an address of the routing device in the second network; means for sending the second request to an address translation server of the second network; and means for sending said terminal, in response to said association request, a response received from said address translation server in response to sending said second request.
    Type: Grant
    Filed: September 30, 2009
    Date of Patent: November 18, 2014
    Assignee: Orange
    Inventor: Régis Corbel
  • Patent number: 8893254
    Abstract: A method for providing security for mobile device users, comprising a data service node receiving from a first device a first message directed to a web provider, inserting an anonymizing forward-to header comprising a list of anonymizing gateways; based on the list, forwarding the message to a gateway that performs anonymizing functionality and forwards the message to an embedded-scripts-extracting gateway based on the list; the embedded-scripts-extracting gateway performing an embedded-scripts-extracting functionality and forwarding the message to the web provider.
    Type: Grant
    Filed: March 6, 2013
    Date of Patent: November 18, 2014
    Assignee: Sprint Communications Company L.P.
    Inventors: Ameen Khanfar, Raymond Reeves
  • Patent number: 8892754
    Abstract: Disclosed are various embodiments for executing untrusted content in a trusted network through the use of an external proxy server application. An identification of a resource specified by a user is obtained in one or more computing devices. The user is associated with one of a plurality of network sites hosted by the one or more computing devices. The one or more computing devices are within a trusted network that is separated from an untrusted network by a firewall. The resource is obtained from an external proxy server application executed in the untrusted network. One or more network pages are generated for the one of the network sites based at least in part on the resource.
    Type: Grant
    Filed: November 10, 2010
    Date of Patent: November 18, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Andrew S. Huntwork, Jeremy Boynes, Benjamin Elliott Pew, Shashank Shekhar, Anna Catherine Bell, Prashant J. Thakare
  • Publication number: 20140337962
    Abstract: A computer communication system including a client computer with an installed virtual private network (VPN) client and located in a public network, a server computer located in a corporate network, a web server remote from the client computer, a gateway computer located in the corporate network, and a VPN server computer located in the corporate network. The computer communication system is adapted to run following steps of providing a safe VPN communication connection between the client and the server computers: the client computer, using a WEB browser, downloads an application from the VPN server computer, and the downloaded application automatically configures the VPN client installed on the client computer and establishes a tunnelled connection from the client computer to the corporate network. All packets generated by the installed VPN client are forwarded through the tunnelled connection via the gateway computer to the VPN server in the corporate network.
    Type: Application
    Filed: July 30, 2014
    Publication date: November 13, 2014
    Inventor: Klaus BRANDSTATTER
  • Publication number: 20140337932
    Abstract: In a dispersed storage network where slices of secure user data are stored on geographically separated storage units (44), a managing unit (18) connected to the network (20) may seek to broadcast and update secure access control list information across the network (20). Upon a target device (e.g., devices 12, 14, 16, 18, or 44) receiving the broadcast, the target device creates and sends an access control list change notification message to all other system devices that should have received the same broadcast if the broadcast is a valid request to update access control list information. The target device waits for responses from the other system devices to validate that the broadcast has been properly sent to a threshold number of other system devices before taking action to operationally change local data in accordance with the broadcast.
    Type: Application
    Filed: May 30, 2014
    Publication date: November 13, 2014
    Applicant: CLEVERSAFE, INC.
    Inventors: Wesley Leggette, Greg Dhuse, Jason K. Resch
  • Publication number: 20140337961
    Abstract: A system for implementing dynamic access to a private cloud environment via a public network is provided. The private cloud environment includes a gateway device linking to the public network and a plurality of storage devices connected to the gateway device. The system includes an intermediary server and a user terminal. The user terminal is linked to the intermediary server, via the public network, for acquiring a public IP address associated with the gateway device and a port information associated with the storage devices after being authenticated by the intermediary server. Then, the user terminal is linked to the gateway device in accordance with the public IP address, and is connected to the storage devices in accordance with the port information to access data from the storage devices.
    Type: Application
    Filed: May 8, 2013
    Publication date: November 13, 2014
    Applicant: PROMISE TECHNOLOGY, INC.
    Inventors: Hung-Ming Hammer Chien, Teng-Yu Denny Tsai
  • Patent number: 8887264
    Abstract: In various embodiments, the present disclosure provides a system and method for establishing a secure tunnel between a client device and a remote server utilizing multiple user identities, and in some embodiments, a client device identity, to authenticate access to the remote server.
    Type: Grant
    Filed: September 20, 2010
    Date of Patent: November 11, 2014
    Assignee: Ram International Corporation
    Inventors: Richard Fendall Johnston, II, Dean Edward Pierce, William Jonathan Strauss
  • Patent number: 8887253
    Abstract: Discussed is a method of operating a CPNS (converged personal network service) gateway apparatus. The method includes transmitting a registration request message including user information to a server; transmitting an installation request message including the user information to a terminal; generating first authentication data on the basis of authentication information received by a user input; transmitting a trigger message including the first authentication data to the terminal; receiving a key assignment request message including second authentication data from the terminal in response to the trigger message; transmitting the received key assignment request message to the server; receiving a key assignment response message including a user key for the terminal in response to the key assignment request message; and transmitting the received key assignment response message to the terminal.
    Type: Grant
    Filed: September 28, 2011
    Date of Patent: November 11, 2014
    Assignee: LG Electronics Inc.
    Inventors: Younsung Chu, Jihye Lee
  • Patent number: 8885825
    Abstract: This method of establishing a cryptographic session key comprises: a subscription phase (104) during which an identifier of a local loop to the end of which a receiver must be connected is acquired, and an authentication step comprising: a) an operation (142) of automatically obtaining an identifier of the local loop to the end of which the receiver is actually connected, and b) an operation (146) of verifying that the identifier obtained during the operation a) corresponds to the identifier acquired during the subscription phase so as to authenticate the receiver.
    Type: Grant
    Filed: February 21, 2007
    Date of Patent: November 11, 2014
    Assignee: Viaccess
    Inventor: Philippe Carles
  • Patent number: 8887284
    Abstract: An improved technique employs an automated agent inside the network perimeter, which generates and sends data packets to a listener outside the network perimeter. Along these lines, the automated agent generates data packets over a specified range of security parameters including port number, payload format, and communications protocol. The agent attempts to send these data packets across the network boundary through a firewall at an egress or other point of the network. The listener receives the data packets and analyzes the payload content of each received data packet for each value of the security parameters (e.g., port number, file type, and protocol). The listener then sends the results of the analysis to a report generator, which summarizes the analysis for an administrator of the network.
    Type: Grant
    Filed: February 10, 2012
    Date of Patent: November 11, 2014
    Assignee: Circumventive, LLC
    Inventors: Matthew Kovar, Joseph Bai
  • Patent number: 8887263
    Abstract: A firewall cluster system comprises a first node operable to receive a connection in a firewall cluster having three or more nodes, determine user data associated with the connection, and share the user data with at least another node in the firewall cluster.
    Type: Grant
    Filed: September 8, 2011
    Date of Patent: November 11, 2014
    Assignee: McAfee, Inc.
    Inventors: Tylor Allison, Anish Thomas, Andrew Nissen, Michael James Silbersack
  • Patent number: 8887265
    Abstract: A proxy device such as a firewall uses an internal socket namespace such as a text string such that connection requests must be explicitly redirected to a listening socket in the alternate namespace in order to connect to a service. Because external connections cannot directly address the listening socket or service, greater security is provided than with traditional firewall or proxy devices. To receive a redirected proxy connection, a service process creates a listening socket and binds a name in an alternate namespace to the socket before listening for connections.
    Type: Grant
    Filed: March 27, 2013
    Date of Patent: November 11, 2014
    Assignee: McAfee, Inc.
    Inventors: Michael Green, David F. Diehl, Michael J. Karels
  • Patent number: 8887266
    Abstract: A method is provided for computing network reachability in a computer network. The method includes: identifying each of the subnetworks that comprise a computer network; determining, for each pair of subnetworks, data paths between the two subnetworks; for each identified data path, identifying access control lists implemented along a given data path and formulating a diagram that merges reachability sets derived from the access control lists along the given data path; and, deriving, for each pair of subnetworks, a set of network packets that can traverse between the subnetworks from the formulated diagrams.
    Type: Grant
    Filed: January 7, 2011
    Date of Patent: November 11, 2014
    Assignee: Board of Trustees of Michigan State University
    Inventors: Xiang-Yang A. Liu, Amir Khakpour
  • Patent number: 8887283
    Abstract: Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a remote file-system access protocol request issued by a client to a server is received at a network device logically interposed between the client and the server. The request is issued to the server by the network device. A single shared holding buffer, used for both read and write accesses to the file and used by multiple processes running on the client, is implemented by the network device for the file during a remote file-system access protocol session. Data being read from or written to the file as a result of the request is buffered into the buffer. Responsive to a predetermined event in relation to the remote file-system access protocol or the buffer, the existence or non-existence of malicious, dangerous or unauthorized content is determined by performing content filtering on the buffer.
    Type: Grant
    Filed: March 2, 2014
    Date of Patent: November 11, 2014
    Assignee: Fortinet, Inc.
    Inventor: William Jeffrey Crawford
  • Publication number: 20140331309
    Abstract: Apparatuses, computer readable media, methods, and systems are described for requesting creation of virtual machine (VM) in a cloud environment comprising a virtual private cloud. Through various communications between a cloud DMZ, cloud provider, and/or company's network, a VM instance may be securely created, initialized, booted, unlocked, and/or monitored through a series of interactions building, in some examples, upon a root of trust.
    Type: Application
    Filed: July 1, 2014
    Publication date: November 6, 2014
    Inventors: Bradford Thomas Spiers, Miroslav Halas, Richard A. Schimmel, Donald P. Provencher
  • Publication number: 20140331308
    Abstract: A method for remote triggered black hole filtering can include advertising a first modified next hop address for a destination address of network traffic, and advertising a second modified next hop address for a source address of network traffic. The first next hop address of the destination address might be overwritten with the first modified next hop address. Filtered traffic then can be forwarded to the first modified next hop address, wherein filtered traffic comprises only network traffic addressed to the destination address or from the source address. In some cases, the filtered traffic is transported and received via a sinkhole tunnel. A second next hop address of the source address can be overwritten to a second modified next hop address. The attack traffic, which can be filtered traffic that is both addressed to the destination address and from the source address, might be forwarded to a discard interface.
    Type: Application
    Filed: May 1, 2014
    Publication date: November 6, 2014
    Applicant: CenturyLink Intellectual Property LLC
    Inventors: Donald J. Smith, John A. Schiel
  • Publication number: 20140331310
    Abstract: Architecture for generating a temporary account (e.g., an email address) with a user-supplied friendly name and a secret used to sign the temporary account. For example, when a user wishes to create a temporary email address to use with an online organization, a friendly name is provided and the system generates a temporary email address including the friendly name. A signing component signs the temporary email address with a secret. One or more of these secrets can be provisioned prior to the user's creation of a friendly name, which eliminates propagation delay. During use, only incoming email messages having the temporary email address signed with the secret are validated. When the user revokes the temporary email address, the secret is revoked and the revocation is propagated to network gateways, rejecting any email sent to that address.
    Type: Application
    Filed: July 10, 2014
    Publication date: November 6, 2014
    Applicant: MICROSOFT CORPORATION
    Inventors: Charles R. Salada, Mayerber Carvalho Neto, Charlie Chung, Mayank Mehta
  • Patent number: 8881272
    Abstract: A system for controlling selection of filters for protecting against vulnerabilities of a computer network includes a vulnerability management system that analyzes the computer network and determines network vulnerabilities for the computer network. The vulnerability management system is configured to receive real-time data on a status of filters protecting against vulnerabilities of the computer network. A database contains a pre-generated mapping of network vulnerabilities to filters for protecting against the network vulnerabilities. The vulnerability management system enables user control of filters for protecting against vulnerabilities of the computer network based upon the determined network vulnerabilities of the computer network, the pre-generated mapping of network vulnerabilities to the filters for protecting against the network vulnerabilities and the real-time data on the status of the filters.
    Type: Grant
    Filed: March 18, 2010
    Date of Patent: November 4, 2014
    Assignee: Achilles Guard, Inc.
    Inventors: Eva Bunker, Nelson Bunker, Kevin Mitchell, David Harris
  • Patent number: 8881260
    Abstract: Cross-Domain guard with authentication and authorization function used to protect data transferred between two separate and secure networks. The guard utilizes an existing audit port to provide the capability to augment or replace data-forwarding decisions, which were previously being based solely on whether the data is in a well-formed packet. The authentication and authorization may be resident in a partition, a side car processor or a separate network.
    Type: Grant
    Filed: September 29, 2010
    Date of Patent: November 4, 2014
    Assignee: Rockwell Collins, Inc.
    Inventors: David S. Hardin, Raymond J. Richards, Matthew M. Wilding
  • Patent number: 8879382
    Abstract: A system is configured to: receive a message from a gateway device; identify one or more sessions corresponding to an identifier included in the message; and clear the one or more corresponding sessions. The identifier may correspond to a part of the gateway device where a session is stored or maintained for a mobile device to connect to a server device.
    Type: Grant
    Filed: December 30, 2010
    Date of Patent: November 4, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Venkatesh Badakere Ramachandra, Apurva Mehta, Jagadishchandra Sarnaik, Gazal Sahai, Roopa Bayar, Rohini Kasturi, Ram Prasad, Sreenivasa Tellakula, Vitaly Dzhitenov
  • Patent number: 8879713
    Abstract: A system and method to select and retrieve contact center transactions from a set of transactions stored in a queuing mechanism. The system includes an interactive voice response system configured to accept at least one call and dynamically populate a web form with call data associated with the at least one call. The system also includes a queuing engine configured to allow a call agent to access the call data prior to the at least one call being connected to the call agent.
    Type: Grant
    Filed: August 15, 2012
    Date of Patent: November 4, 2014
    Assignee: Nuance Communications, Inc.
    Inventors: Peeyush Jaiswal, Naveen Narayan
  • Patent number: 8880873
    Abstract: An authentication method, system and device are provided by the embodiments of the present invention. Said method includes the following steps: an Application Server (AS) receives an AS access request, which carries a user identifier, transmitted by a User Equipment (UE); the AS generates a key generation request based on the user identifier and transmits it to a network side; the AS receives the key transmitted by the network side, and authenticates the UE according to the key. In the present invention, generating the key between a terminal without a card and the AS is implemented, and the AS authenticates the UE using the generated key, and the security of the data transmission is improved.
    Type: Grant
    Filed: December 28, 2010
    Date of Patent: November 4, 2014
    Assignee: China Mobile Communications Corporation
    Inventor: Xiaoming Lu
  • Patent number: 8874691
    Abstract: A method of circumventing network obstacles to provide a peer-to-peer communication channel between peers utilizing hypertext transfer protocol (HTTP) includes communicating a HTTP request from a peer device to a relay through a network including an obstacle where the HTTP request is intended for another peer device. The method further includes communicating a HTTP response from the relay to the peer device and establishing a communication channel between the peer device and the another peer device via the relay. The communication channel permits the peer device and the another peer device to send and receive data.
    Type: Grant
    Filed: June 22, 2005
    Date of Patent: October 28, 2014
    Assignee: Core Wireless Licensing S.A.R.L.
    Inventor: Titos Saridakis
  • Patent number: 8875226
    Abstract: A method for disambiguating entities on a multi-level security display includes receiving a selection of a particular security level and rendering entities having a different security level in a visually distinct way. Visual distinction may include not drawing the entities on the multi-level security display.
    Type: Grant
    Filed: June 14, 2012
    Date of Patent: October 28, 2014
    Assignee: Rockwell Collins, Inc.
    Inventor: James A. Marek
  • Patent number: 8875220
    Abstract: In certain embodiments, a method includes receiving, at a proxy, a request for access to a network from an application on an endpoint. The method also includes determining, by the proxy, information about the application on the endpoint by examining one or more headers of the request received at the proxy from the application. The method further includes determining, by the proxy, whether the one or more headers comprise expected information based on the determined information about the application. In response to determining that the one or more headers do not comprise the expected information, the method includes denying, by the proxy, the request for access to the network. In addition, in response to determining that the one or more headers comprise the expected information, the method includes forwarding, by the proxy, the request to the network on behalf of the application.
    Type: Grant
    Filed: July 1, 2010
    Date of Patent: October 28, 2014
    Assignee: Raytheon Company
    Inventor: Monty D. McDougal
  • Patent number: 8875225
    Abstract: A method, apparatus and system for obtaining user information are disclosed by the present invention. The present invention solves the problem of lower security of user information. The method includes: obtaining the interactive state of the service requester in the service request process, wherein the interactive state is used for indicating the specific state in which the service requester and its service are during the process of interaction with each other; determining if the interactive state of the service requester, in the process of requesting the service, meets the preset access-authorized-policy of the user information in the service request; when the interactive state of the service requester, in the process of requesting the service, meets the preset access-authorized-policy of the user information in said service request, obtaining the user information and sending the user information to the service.
    Type: Grant
    Filed: June 8, 2012
    Date of Patent: October 28, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Heng Chang, Weiliang Chen, Xiaomin Shi, Qifeng Ma, Huan Wang, Shan Chen, Yan Li
  • Patent number: 8875277
    Abstract: A process is disclosed in which all network traffic between a mobile device and an untrusted network arriving before the establishment of a VPN tunnel are dropped in response to rules imposed by the mobile device's operating system. Once a VPN tunnel is established all communication from the mobile device is secured, without an intervention on the part of the user of the device. A device supporting such a process is also disclosed.
    Type: Grant
    Filed: June 4, 2012
    Date of Patent: October 28, 2014
    Assignee: Google Inc.
    Inventor: Jeff Sharkey
  • Patent number: 8875276
    Abstract: A firewall security device, system and corresponding method are provided that includes an operating system of an entirely new architecture. The operating system is based fundamentally around a protocol stack (e.g., TCP/IP stack), rather than including a transport/network layer in a conventional core operating system. The firewall security device may include a processor and an operating system (OS) embedded in the processor. The OS may include a kernel. The operating system kernel is a state machine and may include a protocol stack for communicating with one or more devices via a network interface. The OS may be configured to receive and transmit data packets and block unauthorized data packets within one or more layers of the protocol stack based on predetermined firewall policies.
    Type: Grant
    Filed: September 2, 2011
    Date of Patent: October 28, 2014
    Assignee: IOTA Computing, Inc.
    Inventors: Ian Henry Stuart Cullimore, Jeremy Walker
  • Patent number: 8875274
    Abstract: A method for a user agent to access a session policy in a network is provided. The method comprises sending, from the user agent, a single session policy request to a single network component, the single network component contacting a plurality of network components, wherein sending the single session policy request to the single network component utilizes a lower layer protocol. The lower layer protocol is at least one of Extensible Authentication Protocol (EAP), Point to Point Protocol (PPP), and General Packet Radio Service (GPRS) Activate Packet Data Protocol (PDP) context. The method further comprises aggregating policy information and providing the aggregated policy information to the user agent.
    Type: Grant
    Filed: November 10, 2009
    Date of Patent: October 28, 2014
    Assignee: BlackBerry Limited
    Inventors: Michael Montemurro, Andrew Allen, Adrian Buckley
  • Patent number: 8875223
    Abstract: Techniques for configuring and managing remote security devices are disclosed. In some embodiments, configuring and managing remote security devices includes receiving a registration request for a remote security device at a device for configuring and managing a plurality of remote security devices; verifying the registration request to determine that the remote security device is an authorized remote security device for an external network; and sending a response identifying one or more security gateways to the remote security device, in which the remote security device is automatically configured to connect to each of the one or more security gateways using a distinct Layer 3 protocol tunnel (e.g., a virtual private network (VPN)).
    Type: Grant
    Filed: August 31, 2011
    Date of Patent: October 28, 2014
    Assignee: Palo Alto Networks, Inc.
    Inventors: Yueh-Zen Chen, Wilson Xu, Monty Sher Gill
  • Publication number: 20140317719
    Abstract: Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determines whether to block the file from the client machine based on the result of the signature matching from the datacenter.
    Type: Application
    Filed: June 27, 2014
    Publication date: October 23, 2014
    Inventors: Aleksandr Dubrovsky, Senthilkumar G. Cheetancheri, Boris Yanovsky
  • Patent number: 8869262
    Abstract: A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.
    Type: Grant
    Filed: August 3, 2006
    Date of Patent: October 21, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Amarnath Mullick, Shashi Nanjundaswamy, Charu Venkatraman, Junxiao He, James Harris, Ajay Soni
  • Patent number: 8868034
    Abstract: Embodiments may comprise logic such as hardware and/or code to provide a secure device area network. Many embodiments comprise a gateway node or enterprise enhanced node with a services distribution frame installed on a customer's premises. The gateway node or enterprise enhanced node may interconnect the secure wireless device area network at the customer's premises with a cellular network. In many embodiments, the cellular network core may provision authentication credentials and security keys, and manage access policies to facilitate access by Application Service Providers to devices on premises including smart devices via a security and policy enforcement function of a services distribution frame of the gateway node or enterprise enhanced node. Authorized members of the secure wireless device area network may connect to the Wide Area Network (WAN) through the gateway node and the cellular network core.
    Type: Grant
    Filed: December 25, 2010
    Date of Patent: October 21, 2014
    Assignee: Intel Corporation
    Inventors: Rakesh Dodeja, Ashok Sunder Rajan, Kevin D. Johnson, Martin Mcdonnell, William J. Tiso, Todd A. Keaffaber, Adam P. Burns
  • Patent number: 8869270
    Abstract: Systems and methods for implementing content, streaming, and network security inside a chip or inside a computing device are disclosed. In exemplary embodiments, a system comprises a communication chip and a second processor. The communication chip comprises a router and security instructions. The router is configured to intercept untrusted data between a network, and a first router. The second processor is configured to receive the untrusted data from the router, process the untrusted data with the security instructions to produce trusted data, and provide the trusted data to the router.
    Type: Grant
    Filed: March 11, 2009
    Date of Patent: October 21, 2014
    Assignee: Cupp Computing AS
    Inventor: Shlomo Touboul
  • Patent number: 8869290
    Abstract: A broadband gateway, which enables communication with a plurality of devices, handles at least one physical layer connection to at least one corresponding network access service provider. Security boundaries such as conditional access (CA) and/or digital right management (DRM) boundaries associated with the broadband gateway are identified based on security profiles associated with the plurality of devices and/or a service from networks. The identified security boundaries are utilized to determine or negotiate CA information for content access for the service. The received content may be distributed according to the determined CA information and the security profiles of the corresponding devices. The broadband gateway may be automatically and dynamically configured based on the identified security boundaries to secure content distribution to the devices.
    Type: Grant
    Filed: December 30, 2010
    Date of Patent: October 21, 2014
    Assignee: Broadcom Corporation
    Inventors: Xuemin Chen, Jeyhan Karaoguz, Wael Diab, David Garrett, David Albert Lundgren, Rich Prodan
  • Patent number: 8868913
    Abstract: A network device initiates a transmission control protocol (TCP) connection to establish a TCP session with a management device, and performs, via the TCP session, a secure protocol client/server role reversal for the management device. The network device receives, from the management device, initiation of a secure connection over the TCP session in accordance with a secure protocol, and provides, to the management device, a trusted certificate with an embedded host key that is dynamically generated using a cryptographic processor of the network device, based on the initiation of the secure connection. The network device also establishes the secure connection with the management device based on an authentication of the host key by the management device via the trusted certificate.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: October 21, 2014
    Assignee: Juniper Networks, Inc.
    Inventor: Kent A. Watsen
  • Patent number: 8869236
    Abstract: One embodiment includes a non-transitory computer readable medium having instructions executable by a processor to implement a method. The method includes receiving user configuration data for a network device, the configuration system being coupled to a service network. The method also includes storing device configuration data in a configuration database coupled to the service network, the device configuration data being based on the user configuration data and service network data. The method also includes receiving a configuration request at the configuration system from the network device in response to the network device being unconfigured and connected in a user network. The method further includes transmitting the device configuration data from the configuration database to the network device in response to the configuration request.
    Type: Grant
    Filed: January 11, 2013
    Date of Patent: October 21, 2014
    Assignee: Shoretel, Inc.
    Inventors: Dale Tonogai, Darren J. Croke
  • Publication number: 20140310794
    Abstract: Disclosed is a network system and a control method thereof, the network system including a gateway connected to a plurality of home appliances through a home area network, an outdoor apparatus connected to the gateway through a network, and a dynamic domain name system (DDNS) server to manage dynamic internet protocol (IP) address information about an apparatus using a dynamic IP address. A communication connection is achieved through a dynamic IP between a gateway inside the home and an apparatus outside the home in a smart grid network environment, so a user can easily access in-home services based on a dynamic IP. In addition, unauthorized traffic, which may be introduced into the home, is automatically blocked, so that the quality of the home network service is improved.
    Type: Application
    Filed: June 24, 2014
    Publication date: October 16, 2014
    Inventors: Dong Ik LEE, Dong Yun HWANG, Jai Ick CHUN
  • Publication number: 20140310795
    Abstract: When a plurality of user terminals request a plurality of contents, the numbers of user terminals which request the content are managed. For each of the plurality of contents, the number of content servers which provide that content is decided using the managed numbers. For each of the plurality of contents, the content is installed in content servers as many as the number decided in association with that content, and user terminals which request the content are permitted to access the content servers which provide the content.
    Type: Application
    Filed: October 31, 2012
    Publication date: October 16, 2014
    Inventor: Tetsuji Iwasaki
  • Patent number: 8863267
    Abstract: A subscriber network can provide services. External applications can use the services on the subscriber network. A service access gateway can control application access to services of the subscriber network. The service access gateway can filter requests from an external application to access services on the subscriber network based on the customer for which the external application is accessing the service.
    Type: Grant
    Filed: June 26, 2009
    Date of Patent: October 14, 2014
    Assignee: Oracle International Corporation
    Inventors: Boris Selitser, Daniel Jansson
  • Patent number: 8861692
    Abstract: A system may include a Web Real-Time Communication (WebRTC) backend server configured to receive a request for a Uniform Resource Identifier (URI) for a WebRTC call session requested by a browser application and generate the URI for the WebRTC call session; and a validation proxy configured to receive the URI from a WebRTC gateway and validate the URI with the WebRTC backend server. The WebRTC backend server may receive a request to validate the URI from the validation proxy, determine whether the URI corresponds to a valid URI, and send a validation message to the validation proxy, if the received URI is valid. The validation proxy may generate a Session Initiation Protocol (SIP) message based on the received validation message and send the generated SIP message to a contact center services system to initiate a real-time call between the contact center services system and the browser application.
    Type: Grant
    Filed: May 15, 2013
    Date of Patent: October 14, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: David E. Phelps, Brian S. Badger
  • Patent number: 8863286
    Abstract: Techniques for notification of reassembly-free file scanning are described herein. According to one embodiment, a first request for accessing a document provided by a remote node is received from a client. In response to the first request, it is determined whether a second request previously for accessing the document of the remote node indicates that the requested document from the remote node contains offensive data. If the requested document contains offensive data, a message is returned to the client, without accessing the requested document of the remote node, indicating that the requested document is not delivered to the client.
    Type: Grant
    Filed: August 13, 2007
    Date of Patent: October 14, 2014
    Assignee: SonicWALL, Inc.
    Inventors: Aleksandr Dubrovsky, Igor Korsunsky, Roman Yanovsky, Boris Yanovsky
  • Patent number: 8862871
    Abstract: A device implemented, carrier independent packet delivery universal addressing networking protocol for communication over a network between network nodes utilizing a packet. The protocol has an IP stack having layers. At least some of the layers have privacy preserving source node attribution and network admission control. The packet is admitted to the network only if a source node of the network nodes admits the packet.
    Type: Grant
    Filed: March 22, 2012
    Date of Patent: October 14, 2014
    Assignee: Architecture Technology, Inc.
    Inventor: Ranga Sri Ramanujan