Abstract: An information verification method based on a cloud security technology is provided. Before transmitting to-be-verified information including user information, a terminal device performs encryption processing on the to-be-verified information by using random numbers and a public key issued by a verification server, to obtain to-be-verified ciphertext information, which is to be used throughout transmission for logging into a server of a third-party application. The server of the third-party application cannot decrypt the to-be-verified information and the to-be-verified information may be obtained only by the verification server. The verification server transmits an application login success message to the terminal device based on decryption processing on the to-be-verified ciphertext information. In this way, the server of the third-party application may be logged in to without exposing privacy information of a user to the third-party application, thereby improving the security of identity verification.

Abstract: This Application sets forth techniques for identifying when a vetted software application transitions into providing unauthorized features. In particular, the techniques involve identifying original operating characteristics of a software application during a vetting process that is performed by a management entity (and/or other vetting entities). The vetting process produces a vetted software application, which includes information about the original operating characteristics of the software application. The vetted software application is then distributed and installed onto computing devices. In turn, computing devices that execute the vetted software application can gather its current operating characteristics and compare them to the original operating characteristics to identify any anomalies. Appropriate action can then be taken, such as notifying the management entity and/or terminating the execution of the vetted software application.

Abstract: One embodiment includes retrieving firewall flow log data that indicates whether a flow was allowed or denied, an identifier of a rule that allowed or denied the flow, a source port, a protocol, a destination port, a source IP or FQDN, and a destination IP or FQDN. The method continues with processing the firewall flow log data, such as by identifying and counting occurrences of unique flows and counting flows allowed or denied by each rule. The method further includes generating a recommendation of at least one of limiting an existing rule, deleting an existing rule, and modifying rule application precedence. The recommendation may be generated based on at least one of the occurrences of unique flows and counted flows allowed or denied by each rule of a rule base. This method also includes providing the recommendation within a user interface as a selectable option for implementation.

Abstract: The technology relates to executing a multi-portion web application. A web browser executing on one or more computing devices may load a main portion of a web application into a main window. The web browser may load into a sandboxed environment a feature application. The feature application may include a portion of the web application. A release isolation framework (RIF) executing on the one or more computing devices, may apply one or more patches to the sandboxed environment. The one or more patches may be configured to redirect elements from a window of the sandboxed environment to the main window.

Abstract: A system and method for detecting potential lateral movement using cloud keys in a cloud computing environment includes determining a first node in a security graph is a compromised node, wherein the security graph represents cloud entities of the cloud computing environment; detecting a cloud key node connected to the first node, wherein the cloud key node represents a cloud key of the cloud computing environment; and generating a potential lateral movement path, including the first node, and a second node, wherein the second node is connected to the cloud key node.

Abstract: Techniques and architecture are described for providing a configurable security posture for a network device using an extended ownership artifact, e.g., an ownership voucher, an ownership certificate, etc., and a security profile mechanism that scales to user needs and desires for security profiles on network devices, i.e., easily and securely customizable on thousands of nodes of a network. The configurable security posture may be achieved using the manufacturer authorized signing authority (MASA) to issue an ownership voucher with a security bit extension to support security profile additions. Using the MASA service, a user may explicitly decide on various security postures of a given network device and may apply that profile across the fixed or modular chassis of a network of network devices.

Abstract: An information processing method is provided. The method includes: acquiring first identity information of a first security domain; obtaining first discovery request information on the basis of the first identity information, wherein the first discovery request information is used for requesting a target resource of a target device that matches the first identity information; and sending the first discovery request information.

Abstract: Aspects of the present disclosure are directed to creating virtual doors within artificial reality (XR) universes for traversal within that XR universe and between other XR universes. Users can create virtual doors that control access to their privately owned property (e.g., world, parcel, house, etc.) in an XR universe. For example, an owner of a virtual door can manually lock the door to prevent any user from entering their property through the virtual door. As another example, an owner of a virtual door can configure door permissions and/or privacy settings that serve as heuristics by which a door access control manager determines whether to authorize a particular user, XR world, and/or XR universe to access. The XR universe traversal system can control an execution environment to smoothly transition between different applications, thereby enabling a user to traverse between different XR universes without having to leave the XR environment.

Abstract: A system for communicating health data in a healthcare environment (1) comprises a communication network (4) for communicating health data in the healthcare environment (1), a reporting device (2) for transferring health data via the communication network (4), and a consuming device (3) for receiving health data from the reporting device (2) via a communication channel (41) of the communication network (4). Herein, the consuming device (3), for receiving health data from the reporting device (2), is constituted to send a subscription request message (A1) containing a subscription request to the reporting device (2), and that the reporting device (2) is constituted, upon receiving the subscription request message (A1), to validate the subscription request and to establish the communication channel (41) to transfer health data to the consuming device (3).

Abstract: Systems and methods for uniquely identifying and regularly authenticating users at login are disclosed. A method may include an authentication computer program receiving a user identifier for a user as part of a login attempt from a workstation computer program; communicating a multifactor authentication request to an authenticator application executed on a user mobile electronic device; receiving a response to the multifactor authentication request from the authenticator application; verifying that the response to the multifactor authentication request matches an expected value; and saving user activity data associated with the login attempt, and a user trust computer program calculating a user trust score based on the user activity data; determining that the user trust score is above a threshold; and authorizing the login attempt to the workstation and a user session on the workstation.

Abstract: The present application relates to embodiments for detecting firewall drift. In some embodiments, a first set of firewall rules of a first firewall for a first instance of a distributed application, a second set of firewall rules of a second firewall for a second instance of the distributed application, and a mapping of IP addresses to identifiers of services from amongst a first set of services of the first instance and a second set of services of the second instance may be obtained. First connectivity data and second connectivity data may be generated indicating, for each of IP address associated with the first and second set of firewall rules, a respective port number over which communications between a respective IP address are transmitted, and generating comparison data indicating whether firewall drift is detected based on a comparison of the first connectivity data and the second connectivity data.

Abstract: A virtual network verification service for provider networks that leverages a declarative logic programming language to allow clients to pose queries about their virtual networks as constraint problems; the queries may be resolved using a constraint solver engine. Semantics and logic for networking primitives of virtual networks in the provider network environment may be encoded as a set of rules according to the logic programming language; networking security standards and/or client-defined rules may also be encoded in the rules. A description of a virtual network may be obtained and encoded. A constraint problem expressed by a query may then be resolved for the encoded description according to the encoded rules using the constraint solver engine; the results may be provided to the client.

Abstract: A system for validating automated vehicle data transmission capabilities of a vehicle is provided. The system includes a vehicle data transmission diagnostics (VDTD) server in communication with the vehicle and a plurality of roadside evaluation units. The VDTD server includes at least one processor and at least one memory device, and is programmed to: (i) determine that a data latency risk evaluation (DLRE) should be performed for the vehicle, (ii) transmit a DLRE request to the vehicle, (iii) receive, from the vehicle, a response to the transmitted DLRE request including trip data, the trip data including a selected route to be taken by the vehicle, (iv) interrogate the plurality of roadside evaluation units based upon the received trip data, and (v) select, based upon the interrogation, one of the plurality of roadside evaluation units to be a data latency evaluation checkpoint for the vehicle during the upcoming trip.

Abstract: Systems and techniques are described that are directed to intelligent scheduling of Wi-Fi services for applications, including enhanced dynamic prioritization. A device, such as an access point (AP), can receive data packets from multiple connected devices to dynamically identify an application flow for each data packet, and dynamically identify a user associated with the application flow for each data packet. The AP can generate prioritized candidate lists for selected data packets in queues corresponding to an access category (AC). In response to determining that the identified user associated with the application flow corresponds with a critical user, the AP can select data packets for the prioritized candidate lists based at least in part on priority policies for each of a plurality of applications and based at least in part on dynamic prioritization of applications for each of a plurality of applications; and schedule data packets from the prioritized candidate lists.

Abstract: A system and method for detecting potential lateral movement using cloud keys in a cloud computing environment includes determining a first node in a security graph is a compromised node, wherein the security graph represents cloud entities of the cloud computing environment; detecting a cloud key node connected to the first node, wherein the cloud key node represents a cloud key of the cloud computing environment; and generating a potential lateral movement path, including the first node, and a second node, wherein the second node is connected to the cloud key node.

Abstract: A method performed by a first node implementing a first NF in a visited network (VPLMN) for communicating with a third node implementing a second NF in a home network (HPLMN) is provided. Embodiments include: determining that the third node should be communicated with; sending, towards a second node implementing a Security Edge Protection Proxy (SEPP) in the visited network, a request for a telescopic FQDN for the third node in the home network to be used by the first node in the visited network to communicate with the third node in the home network, which request comprises a FQDN of the third node in the home network; receiving, from the second node, a telescopic FQDN for the third node wherein the FQDN for the third node in the home network is flattened to a single label to be used by the first node to communicate with the third node.

Abstract: An integrated circuit includes: a processor; a receiver coupled to the processor; and memory coupled to the processor. The memory stores resource coordinator instructions that, when executed by the processor, cause the processor to: maintain a plurality of active secure sessions; identify a priority session trigger; and allocate receiver resources for incoming packets related to the plurality of active secure sessions based on the priority session trigger.

Abstract: A method including configuring a VPN server to utilize a first exit IP address to transmit a query to a host device for requesting data of interest; configuring the VPN server to determine that the host device has blocked the first exit IP address; configuring the VPN server to establish, based on determining that the host device has blocked the first exit IP address, a secure connection with a secondary server to enable communication of encrypted information; and configuring the VPN server to transmit, to the secondary server over the secure connection, an encrypted message identifying the host device and the data of interest to be retrieved from the host device to enable the secondary server to transmit a second query to request the data of interest based on utilizing a second exit IP address, different from the first exit IP address is disclosed. Various other aspects are contemplated.

Abstract: Systems and methods for failure characterization of secure programmable logic devices (PLDs) are disclosed. An example system includes a secure PLD including programmable logic blocks (PLBs) arranged in PLD fabric of the secure PLD, and a configuration engine configured to program the PLD fabric according to a configuration image stored in non-volatile memory (NVM) of the secure PLD and/or coupled through a configuration input/output (I/O) of the secure PLD. The secure PLD is configured to receive a failure characterization (FC) command from the PLD fabric or an external system coupled to the secure PLD through the configuration I/O, and to execute the FC command to, at least in part, erase and/or nullify portions of the NVM. The secure PLD may also be configured to boot a debug configuration for the PLD fabric that identifies and/or characterizes operational failures of the secure PLD.

Abstract: A computer-implemented method causes data processing hardware to perform operations for training a firewall utilization model. The operations include receiving firewall utilization data for firewall connection requests during a utilization period. The firewall utilization data includes hit counts for each sub-rule associated with at least one firewall rule. The operations also include generating training data based on the firewall utilization data. The training data includes unused sub-rules corresponding to sub-rules having no hits during the utilization period and hit sub-rules corresponding to sub-rules having more than zero hits during the utilization period. The operations also include training a firewall utilization model on the training data. The operations further include, for each sub-rule associated with the at least one firewall rule, determining a corresponding sub-rule utilization probability indicating a likelihood the sub-rule will be used for a future connection request.

Abstract: Systems and methods provide for management of a gateway. In one embodiment, a method includes: in response to a request from a client device, establishing, by a computer system implementing a gateway to a private network, a network tunnel between the client device and the gateway; and starting a firewall service with a set of firewall rules on the computer system for selectively blocking and allowing network traffic between the client device and one or more network devices in the private network.

Abstract: This technology allows time synchronization in passive optical networks (“PON”). A first Ethernet device timestamps and transmits a packet to a second Ethernet device via the PON. The first Ethernet device transmits the packet to a small form-factor pluggable (“SFP”) device within the PON and connected to the first Ethernet device. The SFP device determines a transmission time to a second SFP device and modifies a correction field (“CF”) of the packet by subtracting an ingress time and the transmission time from the CF. The packet is transmitted to the second SFP device, which modifies the CF by the addition of an egress time. The modified CF value represents the real-time transmission delay incurred in the SFP devices. The packet is transmitted to a second Ethernet device to synchronize a clock using the timestamp and the CF value in accordance with the PTP/IEEE-1588 standard.

Abstract: In various examples, firewalls may include machine learning models that are automatically trained and applied to analyze service inputs submitted to input processing services and to identify whether service inputs are desirable (e.g., will result in an undesirable status code if processed by a service). When a service input is determined by a firewall to be desirable, the firewall may push the service input through to the input processing service for normal processing. When a service input is determined by the firewall to be undesirable, the firewall may block or drop the service input before it reaches the input processing service and/or server. This may be used to prevent the service input, which is likely to be undesirable, from touching a server that hosts the input processing service (e.g., preventing a crash).

Abstract: A system and method for detecting potential lateral movement in a cloud computing environment includes detecting a private encryption key and a certificate, each of which further include a hash value of a respective public key, wherein the certificate is stored on a first resource deployed in the cloud computing environment; generating in a security graph: a private key node, a certificate node, and a resource node connected to the certificate node, wherein the security graph is a representation of the cloud computing environment; generating a connection in the security graph between the private key node and the certificate node, in response to determining a match between the hash values of the public key of the private key and the public key of the certificate; and determining that the first resource node is potentially compromised, in response to receiving an indication that an element of the public key is compromised.

Abstract: A system and method for detecting potential lateral movement using cloud keys in a cloud computing environment includes determining a first node in a security graph is a compromised node, wherein the security graph represents cloud entities of the cloud computing environment; detecting a cloud key node connected to the first node, wherein the cloud key node represents a cloud key of the cloud computing environment; and generating a potential lateral movement path, including the first node, and a second node, wherein the second node is connected to the cloud key node.

Abstract: Examples of dynamically selecting tunnel endpoints are described. In an example, a request for authenticating a client device connected to an edge device via a wired link is received. The request includes information indicative of a port of the edge device at which the client device is connected and a type of the client device. Based on at least one of the port, the type, resource availability of a plurality of network devices, and location of the plurality of network devices, a network device is identified as a tunnel endpoint. A message indicative of a successful authentication of the client device is sent to the edge device. The message includes a network address of the network device identified as the tunnel endpoint.

Abstract: A data monitoring and evaluation system may receive a query associated with a data record from a user. The system obtains target data including a plurality of data presentations associated with the data record. The system identifies a plurality of attributes associated with the data record and maps the same with each of the plurality of data presentations for identifying a data presentation modification. The system may evaluate the data presentation modification to identify a principal data presentation. The system may determine the conformity of the principal data presentation a rule to create a principal data record. The system may determine the conformity of the principal data record to a record acceptance parameter. The system may generate a data modeling result comprising the principal data record conforming to the record acceptance parameter.

Abstract: A method, system and/or computer usable program product for automatically managing the conveying of messages among multiple communication channels including (i) receiving, from a first computing system, an on-line message addressed to a user, (ii) automatically categorizing the message among a predetermined set of message categories stored in memory, (iii) identifying a set of on-line message channels preselected by the addressee user for receiving messages for each of the predetermined set of message categories, (iv) identifying a set of performance metrics stored in memory for optimizing message channel selection, (v) utilizing the performance metrics to automatically select an optimum message channel from the preselected message channels for sending the categorized message to a second computing system of the addressee user, (vi) automatically formatting the categorized message for the optimum message channel, and (vii) sending the formatted message on-line to the second computing system of the addressee us

Abstract: Computer assets within a defined network are identified using scanning services respectively connected to each of a plurality of network zones within the defined network. A plurality of interne protocol (IP) addresses within the particular one of the network zones are identified by a particular scanning service contained within the particular one of the network zones. The particular scanning service collects information associated with each of the plurality of IP addresses and infers, using the collected information, additional information about the plurality of IP addresses. The particular scanning service validates the additional information and presents analytics based upon the collected information and the additional information. Firewalls contained within the particular one of the network zones are configured to allow access by the particular scanning service.

Abstract: The present technology pertains to a organization directory hosted by a synchronized content management system. The corporate directory can provide access to user accounts for all members of the organization to all content items in the organization directory on the respective file systems of the members' client devices. Members can reach any content item at the same path as other members relative to the organization directory root on their respective client device. In some embodiments novel access permissions are granted to maintain path consistency.

Abstract: The technology relates to executing a multi-portion web application. A web browser executing on one or more computing devices may load a main portion of a web application into a main window. The web browser may load into a sandboxed environment a feature application. The feature application may include a portion of the web application. A release isolation framework (RIF) executing on the one or more computing devices, may apply one or more patches to the sandboxed environment. The one or more patches may be configured to redirect elements from a window of the sandboxed environment to the main window.

Abstract: A method by an AUSF of a home PLMN configured to communicate through an interface with electronic devices is provided. A first authentication request is received from a first PLMN that is authenticating an electronic device. A first security key used for integrity protection of messages delivered from the home PLMN to the electronic device is obtained. A second authentication request is received from a second PLMN that is authenticating the electronic device. A second security key used for integrity protection of the messages delivered from the home PLMN to the electronic device is obtained. A message protection request is received. Which of the first security key and the second security key is a latest security key is determined. The latest security key is used to protect a message associated with the message protection request.

Abstract: A programmable switch includes a plurality of ports for communicating with devices on a network. Circuitry of the programmable switch is configured to receive a series of related messages from a first device on the network via at least one port, and determine whether one or more messages of the series of related messages have been received out-of-order based at least in part on a sequence number included in the one or more messages. The series of related messages are sent by the programmable switch to a second device via one or more ports in an order indicated by sequence numbers included in the series of related messages by delaying at least one message. According to one aspect, a network controller selects a programmable switch between the first device and the second device to serve as a message sequencer for reordering out-of-order messages using a stored network topology.

Abstract: Techniques for detecting emails that pertain to Internet services are disclosed. Information about such emails can be recognized by performing a discrete analysis of the email before delivering the email to the user and determining whether a corrective action is warranted. Such emails can be recognized by heuristic pattern analysis that scans incoming emails for patterns known to pertain to certain Internet services. Emails relating to other Internet services can be detected by a machine learning classifier that uses labeled training data. These accesses to Internet services can be written to a database. In many implementations, such discrete analysis is performed after an email has been classified as legitimate by one or both of a spam filter and a malware detector. An aggregate analysis, whose output can also update the database, can provide a broad picture of Internet service usage within a set of email users (e.g., by department).

Abstract: A datagram-oriented UDP protocol is used for communication between tunnel gateways in a wide area network. Lightweight remote client accesses network services using TCP tunneling. Each remote client maintains one or more UDP/IP+DTLS communication channels to a single member of the gateway group. Gateway servers belonging to the gateway group form some interconnection topology linking each gateway server to each other gateway server, whereby each gateway server maintains a communication channel with every other gateway server in the gateway group.

Abstract: A computing system may include a proxy server application and a database. The proxy server application may provide, to a computing device disposed within a managed network, instructions to identify one or more processes executing on the computing device. The proxy server application may also determine, for a process of the one or more processes, a file system path of a directory associated with the process and, based thereon, select one or more directories to scan for files associated with the process. The computing device may be provided with instructions to (i) scan the one or more directories and (ii) determine a plurality of attributes associated with one or more files discovered therein. The proxy server application may additionally receive results of the scan containing a representation of the plurality of attributes and store, in the database, the results of the scan.

Abstract: Methods and systems to manage permissions in a structured user-environment which provide a User Interface (UI) that provides a simple, intuitive administration to apply permissions at the user and group level to data in the structured user-environment. The UI also provides feedback to the administrator as to the inheritance path of each user and/or group as well as links between permissions, allowing the administrator to determine how a user or group was granted or denied access to a permission or resource.

Abstract: Methods and devices for determining whether a computing device has been compromised. File tree structure information for the computing device is obtained that details at least a portion of a tree-based structure of folders and files in a memory on the computing device. It is then determined from the file tree structure information that the computing device is compromised and, based on the determination that the computing device has been compromised, an action is taken.

Abstract: Various methods, apparatuses/systems, and media for automatically establishing a communication between two or more applications that do not share a compatible authentication model are disclosed. A receiver receives a request from a first application to communicate with a second application, wherein the first application supports a first authentication model and the second application supports a second authentication model which is incompatible with the first authentication model. A processor utilizes a configurable gateway layer, in response to receiving the request, to mediate a communication between the first application and the second application; and routes the request from the first application to the configurable gateway layer. The configurable gateway layer translates the first authentication model to the second authentication model.

Abstract: Methods, systems, and programs are presented for securing user-address information. A first memory is configured according to a first table that does not include information about user identifiers. Each entry in the first table includes a physical location identifier and information about a physical location. A second memory is configured according to a second table, where each entry in the second table includes the physical location identifier and an account identifier of a user for accessing a service. The first and second tables are configured to separate profile information from the address information of the user. Additionally, a firewall is configured to control access to the second memory. The firewall defines an authentication zone including the second memory but not the first memory, where access to the second memory by internal services is allowed and direct access by the user to the second memory is denied.

Abstract: An example method to provide communication between a first computer in a first computer network and a second computer in a second computer network is disclosed. The method includes aliasing the second computer's address in the second computer network to a loopback interface of a third computer in the first computer network and establishing a tunnel between the third computer and a fourth computer in the second computer network. Establishing the tunnel includes configuring the fourth computer to forward traffic received from the tunnel to the second computer. The method further includes configuring routing in the first computer network to direct traffic destined for the second computer network to the third computer, and configuring the first computer to transmit packets destined for the second computer with the second computer's address in the second computer network.

Abstract: Technologies to facilitate supervision of an online identify include a gateway server to facilitate and monitor access to an online service by a user of a “child” client computer device. The gateway server may include an identity manager to receive a request for access to the online service from the client computing device, retrieve access information to the online service, and facilitate access to the online service for the client computing device using the access information. The access information is kept confidential from the user. The gateway server may also include an activity monitor module to control activity between the client computing device and the online service based on the set of policy rules of a policy database. The gateway server may transmit notifications of such activity to a “parental” client computing device for review and/or approval, which also may be used to update the policy database.

Abstract: A surgical hub within a surgical hub network may include a controller having a processor, in which the controller may determine a priority of a communication, an interaction, or a processing of information based on a requirement of a device communicating with the hub. The device may be a smart surgical device. The requirement of the surgical device may comprise data processed by a device component of an associated system The controller may prioritize communication of the data processed by the device component of the associate system with the surgical device. A network of surgical hubs may include a plurality of surgical hubs. Each hub may have one of a plurality of controllers, in which a first of the plurality of controllers is configured to distribute an execution of a process and data used by the process among at least a subset of the plurality of surgical hubs.

Abstract: Methods, systems, and devices are provided for authenticating API messages using PKI-based authentication techniques. A client system can generate a private/public key pair associated with the client system and sign an API message using the private key of the private/public key pair and a PKI-based cryptographic algorithm, before sending the signed API message to a server system. The server system (e.g., operated by a service provider) can authenticate the incoming signed API message using a proxy authenticator located in less trusted zone (e.g., a perimeter network) of the server system. In particular, the proxy authenticator can be configured to verify the signature of the signed API message using the public key corresponding to the private key and the same cryptographic algorithm. The authenticated API message can then be forwarded to a more trusted zone (e.g., an internal network) of the server system for further processing.

Abstract: An example network device receives an encapsulated network packet via a network tunnel; extracts IPv6 header information from the encapsulated network packet; extracts IPv4 header information from the encapsulated network packet; determines that the encapsulated network packet is a spoofed network packet based on the IPv6 header information and the IPv4 header information; and in response to detecting the spoofed network packet, transmits a message to a Tunnel Entry Point (TEP) device, the message including data representing the IPv6 header information and IPv4 header information. A tunnel entry point (TEP) device may receive the message and use the message to detect spoofed IPv6 traffic, e.g., when an IPv6 header and an IPv4 header of an encapsulated packet matches the IPv6 header and the IPv4 header specified in the message. In this manner, the TEP device may block, rate limit, or redirect spoofed network traffic.

Abstract: A system and method for performing firewall operations on an edge service gateway virtual machine that monitors traffic for a network. The method includes detecting, from a directory service executing on a computing device, a login event on the computing device, obtaining, from the detected login event, login event information comprising an identifier that identifies a user associated with the login event, storing the login event information as one or more context attributes in an attribute table, and applying a firewall rule to a data message that corresponds to the one or more context attributes.

Abstract: A firewall intelligence system, includes a data storage storing a set of firewall rules for a network; a recommendation engine that receives, from a log service, traffic logs detailing traffic for the network and firewall logs detailing the usage of firewall rules in response to the traffic for the network, accesses, from the data storage, the set of firewall rules for the network; processes the set of firewall rules to evaluate the firewall rules against a set of quantitative evaluation rules to determine one or more firewall rule recommendations, wherein each firewall rule recommendation is a recommendation to change at least one of the firewall rules in the set of firewall rules; and a front end API that provides data describing the one or more firewall rule recommendations to a user device.

Abstract: Layer 7 protocol (non-HTTP) client applications are executed in the browser. The non-HTTP layer 7 protocol client application connects to a compute server that proxies layer 4 packets to the origin network that has the non-HTTP layer 7 protocol service. As an example, an SSH client (a non-HTTP layer 7 protocol) can execute in the browser and the TCP packets (layer 4 packets) are proxied by a compute server to the origin network that has the appropriate SSH server. The non-HTTP layer 7 protocol client application allows users to run commands or otherwise interact with the client as if they were using a native application (one that is not executed within the browser) without any client-side configuration or agent.

Abstract: In order to enable a dynamic handshake procedure, a device may be configured with a list of handshake contributors. Contributors with connection handshake properties may be added to the contributor list. To perform handshake, the contributor list is processed to extract the connection handshake properties of each contributor to the handshake. Handlers for handling the connection handshake properties may also be dynamically added and invoked when a handshake is received.

Abstract: Disclosed herein are various systems, apparatuses, software, and methods relating to data diode-TCP proxy with a User Datagram Protocol (UDP) across a wide area network (WAN) comprising providing a WAN data diode using a uni-directional semantics protocol, providing a set of data diode proxies in either end of a point-to-point WAN link, providing a symmetric key encryption semantics to extend the WAN data diode securely across a WAN that is specified, wherein the symmetric key encryption semantics are implemented through the set of data diode proxies on either end of the point-to-point WAN link, employing a unidirectional protocol in communication transmitted using the WAN, and, with data diode proxies, terminating one or more data channels on either end of the point-to-point WAN link or transporting a requisite information across the WAN over the uni-directional protocol.