Security Protocols Patents (Class 726/14)
  • Patent number: 8650632
    Abstract: A facility for proxying network traffic between a pair of nodes is described. The facility receives packets traveling between the pair of nodes that together constitute a network connection. For each packet of the connection that is part of a transport protocol setup process, the facility updates a representation of the status of the setup process to reflect the packet, and forwards the packet to its destination without proxying the packet. For each packet of the connection that is subsequent to the setup process, the facility proxies the contents of the packet to the packet's destination.
    Type: Grant
    Filed: April 26, 2012
    Date of Patent: February 11, 2014
    Assignee: Watchguard Technologies, Inc.
    Inventors: Christopher Boscolo, Brad Robel-Forrest, Bryan Phillippe
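The handshake-passthrough behaviour in the abstract above, as an added example (not WatchGuard's code; the packet model, address strings and the "forward"/"proxy" verdicts are assumptions for illustration): setup segments are tracked and passed through untouched, and only segments after the three-way handshake are handed to the proxy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a captured TCP segment (addresses as 'ip:port')."""
    src: str
    dst: str
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: bytes = b""


class SetupTracker:
    """Tracks the three-way handshake per client->server pair. Handshake
    segments are classified 'forward' (pass through untouched); once the
    connection is established, every later segment is classified 'proxy'."""

    def __init__(self):
        self.status = {}      # (client, server) -> handshake status

    def classify(self, pkt):
        fwd = (pkt.src, pkt.dst)        # key if pkt travels client -> server
        rev = (pkt.dst, pkt.src)        # key if pkt travels server -> client

        # 1. SYN from the client opens tracking of a new connection
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.status[fwd] = "syn_sent"
            return "forward"
        # 2. SYN-ACK from the server answering a tracked SYN
        if {"SYN", "ACK"} <= pkt.flags and self.status.get(rev) == "syn_sent":
            self.status[rev] = "syn_received"
            return "forward"
        # 3. the client's ACK completes setup; data riding on it is already proxied
        if "ACK" in pkt.flags and self.status.get(fwd) == "syn_received":
            self.status[fwd] = "established"
            return "proxy" if pkt.payload else "forward"
        # 4. anything on an established connection (either direction) is proxied
        if "established" in (self.status.get(fwd), self.status.get(rev)):
            return "proxy"
        # segments of connections whose setup was never seen pass through
        return "forward"


def classify_stream(packets):
    tracker = SetupTracker()
    return [tracker.classify(p) for p in packets]


CLIENT, SERVER = "10.0.0.5:51234", "203.0.113.7:443"
# constructed handshake followed by application data in both directions
SAMPLE = [
    Packet(CLIENT, SERVER, frozenset({"SYN"})),
    Packet(SERVER, CLIENT, frozenset({"SYN", "ACK"})),
    Packet(CLIENT, SERVER, frozenset({"ACK"})),
    Packet(CLIENT, SERVER, frozenset({"ACK"}), b"\x16\x03\x01..."),  # TLS ClientHello
    Packet(SERVER, CLIENT, frozenset({"ACK"}), b"\x16\x03\x03..."),  # TLS ServerHello
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, classify_stream(SAMPLE)):
        print(f"{p.src} -> {p.dst} {sorted(p.flags)} {verdict}")
```

The tracker deliberately keeps no copy of the handshake segments themselves: the sequence numbers and options negotiated by the endpoints stay end-to-end, which is what lets the proxy take over the byte stream afterwards without having terminated the connection itself.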
  • Patent number: 8650608
    Abstract: A method for model based verification of security policies for web service composition. The method includes corresponding to a verification generated by an information flow analysis. The method further includes obtaining an abstracted security qualifier. The method proceeds by presenting the abstracted security qualifier to an application model. The abstracted security qualifier being presented to the application model as a security requirement. Subsequently, the method proceeds by further including removing the data security requirement on data utilized in the service from the compliance rule. The method proceeds by processing flow in the application model, such processing being based upon the data security requirement. The method further includes verifying the consistency in response to the processing flow.
    Type: Grant
    Filed: January 16, 2007
    Date of Patent: February 11, 2014
    Assignee: International Business Machines Corporation
    Inventors: Kouichi Ono, Yuhichi Nakumura, Fumiko Satoh, Takaaki Tateishi
  • Patent number: 8650631
    Abstract: A network device connects between a client and a server. The network device is configured to store information regarding an application operating on the server; receive a first message, from the client, intended for the server; generate a second message in response to the first message; send the second message to the client; receive a third message from the client; generate, based on the information regarding the application on the server, a fourth message, that includes the information regarding the application operating on the server; send the fourth message to the client; receive a service request from the client in response to the fourth message; and establish, based on the service request, a connection between the client and the server.
    Type: Grant
    Filed: April 10, 2009
    Date of Patent: February 11, 2014
    Assignee: Juniper Networks, Inc.
    Inventors: Wei Hua Guo, Tian Chen, Chaohua Wan
  • Patent number: 8650643
    Abstract: A translator is provided for translating predetermined portions of packet header information including an address of a data packet according to a cipher algorithm keyed by a cipher key derived by a key exchanger. A mapping device is also provided for mapping the address to a host table stored in memory. If the address does not match an entry in the host table, a security device is triggered.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: February 11, 2014
    Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
    Inventors: Russell Andrew Fink, Matthew Aloysius Brannigan, Shelby Alana Evans, Aswin Morgan Almeida
  • Patent number: 8650390
    Abstract: Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers is provided. According to one embodiment, a request to establish an IP connection between two locations of a subscriber is received at a service management system (SMS) of the service provider. A tunnel is established between service processing switches coupled in communication through a public network. First and second packet routing nodes within the service processing switches are associated with the first and second locations, respectively. An encryption configuration decision is bound with a routing configuration of the packet routing nodes, by, when the request is to establish a secure IP connection, configuring, the packet routing nodes to cause all packets transmitted to the other location to be encrypted and to cause all packets received from the other location to be decrypted.
    Type: Grant
    Filed: August 14, 2012
    Date of Patent: February 11, 2014
    Assignee: Fortinet, Inc.
    Inventors: Chih-Tiang Sun, Kiho Yum, Abraham R. Matthews
  • Publication number: 20140041013
    Abstract: An e-mail firewall applies policies to e-mail messages transmitted between a first site and a plurality of second sites. The e-mail firewall includes a plurality of mail transfer relay modules for transferring e-mail messages between the first site and one of the second sites. Policy managers are used to enforce and administer selectable policies. The policies are used to determine security procedures for the transmission and reception of e-mail messages. The e-mail firewall employs signature verification processes to verify signatures in received encrypted e-mail messages. The e-mail firewall is further adapted to employ external servers for verifying signatures. External servers are also used to retrieve data that is employed to encrypt and decrypt e-mail messages received and transmitted by the e-mail firewall, respectively.
    Type: Application
    Filed: March 22, 2013
    Publication date: February 6, 2014
    Applicant: Axway Inc.
    Inventor: Axway Inc.
  • Patent number: 8645905
    Abstract: This disclosure provides various embodiments for searching one or more repositories hosting, storing, or maintaining a plurality of development artifacts. A search query for development artifacts is received through an interface of an integrated development environment, the search query identifying at least one search term. An index is used to identify a set of search results, the index identifying a plurality of development artifacts and including context data identifying, for each development artifact in the plurality of development artifacts, at least one attribute of the respective development artifact. The set of search results identify a subset of the plurality of development artifacts determined to potentially relate to the at least one search term. At least a portion of the set of search results are presented to a user, the listing including at least one development artifact in the subset of the plurality of development artifacts.
    Type: Grant
    Filed: November 15, 2010
    Date of Patent: February 4, 2014
    Assignee: SAP AG
    Inventor: Ralf Halbedel
  • Patent number: 8645679
    Abstract: A method is described for merging security constraints associated with an application when using security annotations. The application comprises one or more servlets, such as a Java servlet. During application deployment, a list of role names is generated by merging static security constraints, for example, identified in a deployment descriptor, and in a static security annotation that defines a list containing the names of authorized roles for a servlet. Later, during application runtime in an application server, security constraints are retrieved from a plurality of sources, including both dynamic and static security annotations. Using the list of role names and the security constraints retrieved, a set of merged security constraints having a defined and proper order of precedence is generated. In particular, preferably one or more dynamic security annotations are first merged with one or more static security annotations to generate a set of runtime constraints.
    Type: Grant
    Filed: June 17, 2011
    Date of Patent: February 4, 2014
    Assignee: International Business Machines Corporation
    Inventors: Elisa Ferracane, Paul William Bennett, William J. O'Donnell, Ajay Reddy Karkala, Ut Van Le, Michael Craig Thompson, Maxim Avery Moldenhauer
  • Patent number: 8646066
    Abstract: A security protocol control apparatus includes a communication unit configured to perform a communication with a communication partner via a network, and a setting information generation unit configured to, based on setting information for a first security protocol previously established, generate, within the security protocol control apparatus, setting information for a second security protocol that has not yet been established.
    Type: Grant
    Filed: October 12, 2007
    Date of Patent: February 4, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Kensuke Yasuma
  • Patent number: 8646064
    Abstract: Message(s) are received from each one of multiple proxy servers, which are anycasted to the same IP address, that indicate source IP addresses of packets that are received that are directed to that same IP address. These proxy servers receive the packets as result of domain(s) resolving to that same IP address, and a particular one of the proxy servers receives the packets as a result of an anycast protocol implementation selecting that proxy server. Based on these message(s) from each of the proxy servers, a determination of the likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers is determined. A message is transmitted to each of the proxy servers that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server.
    Type: Grant
    Filed: October 31, 2012
    Date of Patent: February 4, 2014
    Assignee: Cloudflare, Inc.
    Inventors: Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe François Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, Jr.
  • Patent number: 8645843
    Abstract: A method, system and computer program product is disclosed for supporting role-based access control in a collaborative environment, wherein pluralities of users work together in a collaborative process using a software system. The method comprises componentizing the software system into a multitude of software components, and limiting access to specific software components to certain users based on roles assigned to the users as defined by a run-time state of the collaborative process. The set of components that a user can access is dynamic, that set can change based on the “context” or the step where the user is in a collaborative workflow/process.
    Type: Grant
    Filed: August 29, 2008
    Date of Patent: February 4, 2014
    Assignee: International Business Machines Corporation
    Inventors: Yi-Min Chee, Ru Fang, Feng Liu, Qian Ma, Daniel V. Oppenheim, Krishna Ratakonda, Zhi Le Zou
  • Patent number: 8645686
    Abstract: Methods, systems, and devices are disclosed for detecting encrypted Internet Protocol packet streams. The type of data within an encrypted stream of packets is inferred using an observable parameter. The observable parameter is observable despite encryption obscuring the contents of the encrypted stream of packets. A timer is established that maintains settings despite changes in the type of inferred data.
    Type: Grant
    Filed: August 8, 2012
    Date of Patent: February 4, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Jeffrey A. Aaron, Edgar Vaughan Shrum, Jr.
  • Patent number: 8646065
    Abstract: The invention relates to a method for routing a bi-directional end-to-end connection between an end subscriber and the domain of a service provider by means of a signalling protocol via an interposed firewall with address transformation device, wherein by means of a security and tunnel device, located in the end-to-end connection between the end subscriber and the firewall with address transformation device in the domain of the end subscriber, and a session border controller, located in the end-to-end connection in the domain of the service provider, a tunnel is set up between the security and tunnel device and the session border controller and a bi-directional data exchange takes place via the tunnel between the end subscriber and the domain of the service provider in the area between the security and tunnel device and the session border controller by means of a tunnel protocol, and also a telecommunication network and a security and tunnel device for this.
    Type: Grant
    Filed: September 23, 2005
    Date of Patent: February 4, 2014
    Assignee: Alcatel Lucent
    Inventors: Karsten Oberle, Peter Domschitz
  • Publication number: 20140033296
    Abstract: This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.
    Type: Application
    Filed: August 28, 2013
    Publication date: January 30, 2014
    Applicant: TECTIA OYJ
    Inventors: Tero Kivinen, Tatu Ylonen
  • Patent number: 8639935
    Abstract: A non-transitory machine-readable storage medium storing program code for causing a processor to establish a plurality of links to a plurality of devices communicatively coupled to the processor, a particular link of the plurality of links supporting control-plane communications between the processor and a particular device of the plurality of devices over a wireless access network; receive a server message from a particular server of a plurality of servers communicatively coupled to the processor, the server message comprising message payload for delivery to the particular device; generate an encrypted message comprising the message payload and an identifier identifying a particular agent of a plurality of agents on the particular device; and send the encrypted message to the particular device over the particular link, wherein establishing the plurality of links comprises executing a link initialization sequence associating the particular link with a credential associated with the particular device.
    Type: Grant
    Filed: December 12, 2012
    Date of Patent: January 28, 2014
    Assignee: Headwater Partners I LLC
    Inventor: Gregory G. Raleigh
  • Patent number: 8640216
    Abstract: The present solution described herein is directed towards systems and methods to prevent cross-site request forgeries based on web form verification using unique identifiers. The present solution tags each form from a server that is served out in the response with a unique and unpredictable identifier. When the form is posted, the present solution enforces that the identifier being returned is the same as the one that was served out to the user. This prevents malicious unauthorized third party users from submitting a form on a user's behalf since they cannot guess the value of this unique identifier that was inserted.
    Type: Grant
    Filed: December 23, 2009
    Date of Patent: January 28, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Craig Anderson, Anoop Reddy, Yariv Keinan
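The form-tagging check described above, as an added example (not Citrix's code; the hidden-field name `_form_token`, the in-memory per-session token store and the single-use rule are assumptions): every `<form>` in an outgoing response gets a fresh unguessable token, and a POST is accepted only if it returns a token that was issued to the same session.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs

TOKEN_FIELD = "_form_token"                       # assumed hidden-field name
FORM_OPEN = re.compile(r"<form\b[^>]*>", re.IGNORECASE)


class FormTokenFilter:
    """Tags each <form> in a response with a random token and enforces, on
    submission, that the token returned is one served to that session."""

    def __init__(self):
        self._issued = {}   # session id -> set of outstanding tokens

    def tag_response(self, session_id, html):
        outstanding = self._issued.setdefault(session_id, set())

        def inject(match):
            token = secrets.token_urlsafe(32)     # 256 random bits: not guessable
            outstanding.add(token)
            return (match.group(0) +
                    f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">')

        return FORM_OPEN.sub(inject, html)

    def verify_post(self, session_id, body):
        """True only if the posted body carries a token issued to this session."""
        submitted = parse_qs(body).get(TOKEN_FIELD, [""])[0].encode()
        outstanding = self._issued.get(session_id, set())
        for token in list(outstanding):
            # constant-time comparison on bytes (works for any submitted content)
            if hmac.compare_digest(token.encode(), submitted):
                outstanding.discard(token)        # single use, so a replay fails
                return True
        return False


def issued_tokens(html):
    """Helper for inspection: the tokens the filter inserted into a page."""
    return re.findall(rf'name="{TOKEN_FIELD}" value="([^"]+)"', html)


# constructed response containing two forms
SAMPLE_PAGE = ('<html><body>'
               '<form action="/transfer" method="post"><input name="amount"></form>'
               '<form action="/profile" method="post"><input name="email"></form>'
               '</body></html>')

if __name__ == "__main__":
    f = FormTokenFilter()
    tagged = f.tag_response("session-A", SAMPLE_PAGE)
    tok = issued_tokens(tagged)[0]
    print("genuine submit:", f.verify_post("session-A", f"amount=100&{TOKEN_FIELD}={tok}"))
    print("forged submit: ", f.verify_post("session-A", "amount=100"))
```

Because the token is bound to the session that received the page, a page a third party fetched in their own session yields tokens that are useless against the victim's session; the filter never needs to know the application's form semantics.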
  • Patent number: 8634556
    Abstract: This invention allows connection of an apparatus with a low security level without lowering the security level of a network even when such apparatus issues a connection request. This invention is directed to an access point which makes wireless communications with a station using an encryption method (AES). Upon reception of a connection request message including information indicating an encryption method (WEP) that can be used by a station, the access point checks if the encryption method (WEP) recognized based on the received connection request message is different from the encryption method (AES). When it is determined that the two encryption methods are different, the access point launches a controller which makes wireless communications with the station using that encryption method (WEP).
    Type: Grant
    Filed: January 6, 2009
    Date of Patent: January 21, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Nobuhiro Ikeda
  • Patent number: 8635450
    Abstract: When a virtual private network (VPN) connection is made, an internet protocol (IP) packet is encrypted and encapsulated within an outer IP packet. Quality-of-service information is placed in the outer packet header that includes classifiers that refer to the encrypted packet.
    Type: Grant
    Filed: December 28, 2005
    Date of Patent: January 21, 2014
    Assignee: Intel Corporation
    Inventors: Hani Elgebaly, Farid Adrangi
  • Patent number: 8631227
    Abstract: Electronic document processing logic coupled to a computer and to a quarantine is operable to identify an encrypted electronic document received at the computer; determine whether the key server stores particular decryption data, or credentials to access decryption data, that can decrypt the encrypted electronic document; in response to determining that the key server does not store particular decryption data that can decrypt the encrypted electronic document: store the electronic document in the quarantine; notify one of the users; receive from the one of the users the particular decryption data; decrypt the electronic document; scan the electronic document to identify specified content in the electronic document; and perform one or more responsive actions based on the specified content. As a result, encrypted content in documents or e-mail can be decrypted, scanned for viruses, malware, or prohibited content, and re-encrypted or delivered.
    Type: Grant
    Filed: October 15, 2007
    Date of Patent: January 14, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Scott Olechowski, Shawn Eldridge, Cayce Ullman
  • Patent number: 8631430
    Abstract: A method consistent with certain implementations involves receiving a stream of legacy encrypted main content that contains selectively DRM encrypted duplicate content; decrypting the legacy encrypted stream of content; eliminating the duplicate content that is not DRM encrypted; generating a selectively DRM encrypted stream of content; and providing the selectively DRM stream of content as an output signal for consumption by a device residing on a home entertainment network. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract.
    Type: Grant
    Filed: June 22, 2011
    Date of Patent: January 14, 2014
    Assignee: Sony Corporation
    Inventors: Stephane Lejeune, Brant L. Candelore
  • Patent number: 8631228
    Abstract: In a hitless manual cryptographic key refresh scheme, a state machine is independently maintained at each network node. The state machine includes a first state, a second state, and a third state. In the first state, which is the steady state, a current cryptographic key is used both for generating signatures for outgoing packets and for authenticating signatures of incoming packets. In the second state, which is entered when a new cryptographic key is provisioned, the old (i.e. formerly current) key is still used for generating signatures for outgoing packets, however one or, if necessary, both of the old key and the newly provisioned key is used for authenticating signatures of incoming packets. In the third state, the new key is used for generating signatures for outgoing packets and either one or both of the old key and new key are used for authenticating signatures of incoming packets.
    Type: Grant
    Filed: November 18, 2011
    Date of Patent: January 14, 2014
    Assignee: Rockstar Consortium US LP
    Inventors: Richard Gauvreau, Michael Aalders, Kim Edwards
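The three-state machine above, as an added example (not Rockstar's or Nortel's code; HMAC-SHA256 as the packet signature, and the operator ordering provision-all, switch-all, retire-all, are assumptions): each node keeps its own state, and the trace shows that packets in both directions keep authenticating at every step of a staggered refresh.

```python
import hashlib
import hmac


class KeyRefreshNode:
    """One node's copy of the three-state hitless key refresh machine."""
    STEADY, PROVISIONED, SWITCHED = "steady", "provisioned", "switched"

    def __init__(self, name, current_key):
        self.name = name
        self.current = current_key    # key in use at the start
        self.new = None               # key provisioned by the operator
        self.state = self.STEADY

    # operator-driven transitions
    def provision(self, new_key):
        """State 1 -> 2: keep signing with the old key, accept old or new."""
        assert self.state == self.STEADY
        self.new, self.state = new_key, self.PROVISIONED

    def switch(self):
        """State 2 -> 3: start signing with the new key, still accept both."""
        assert self.state == self.PROVISIONED
        self.state = self.SWITCHED

    def retire_old(self):
        """State 3 -> 1: the new key becomes the only key."""
        assert self.state == self.SWITCHED
        self.current, self.new, self.state = self.new, None, self.STEADY

    # packet processing
    def _signing_key(self):
        return self.new if self.state == self.SWITCHED else self.current

    def _accepted_keys(self):
        return [self.current] if self.state == self.STEADY else [self.current, self.new]

    @staticmethod
    def _mac(key, payload):
        return hmac.new(key, payload, hashlib.sha256).digest()

    def sign(self, payload):
        return payload, self._mac(self._signing_key(), payload)

    def authenticate(self, packet):
        payload, tag = packet
        return any(hmac.compare_digest(self._mac(k, payload), tag)
                   for k in self._accepted_keys())


def rollover_trace(old_key, new_key):
    """Walk two peers through a staggered refresh; returns (step, A->B ok, B->A ok)."""
    a, b = KeyRefreshNode("A", old_key), KeyRefreshNode("B", old_key)
    steps = [
        ("both steady on old key", lambda: None),
        ("A provisioned", lambda: a.provision(new_key)),
        ("B provisioned", lambda: b.provision(new_key)),
        ("A switched to new key", a.switch),
        ("B switched to new key", b.switch),
        ("A retired old key", a.retire_old),
        ("B retired old key", b.retire_old),
    ]
    trace = []
    for label, action in steps:
        action()
        trace.append((label,
                      b.authenticate(a.sign(b"hello from A")),
                      a.authenticate(b.sign(b"hello from B"))))
    return trace


if __name__ == "__main__":
    for label, ab, ba in rollover_trace(b"old-key-0001", b"new-key-0002"):
        print(f"{label:26s} A->B {'ok' if ab else 'FAIL'}  B->A {'ok' if ba else 'FAIL'}")
```

The second state is what makes the refresh hitless: a node that has the new key does not sign with it until its peers can verify it, so the manual steps may land on the nodes in any order and at different times. Skipping that state (switching a node before its peer is provisioned) breaks authentication, which the test below checks.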
  • Patent number: 8631457
    Abstract: A method and apparatus for monitoring text-based communications to secure a computer is described. In one embodiment, the method for monitoring text-based communications to secure a computer includes defining at least one portion of the computer display that is associated with text-based communications and examining the at least one portion of the computer display to identify textual data within the text-based communications.
    Type: Grant
    Filed: November 4, 2008
    Date of Patent: January 14, 2014
    Assignee: Symantec Corporation
    Inventors: Adam P. Schepis, Matt Boucher, Keith Newstadt, Robert Walters
  • Patent number: 8627426
    Abstract: A cloud computing environment provides the ability to deploy a web application that has been developed using one of a plurality of application frameworks and is configured to execute within one of a plurality of runtime environments. The cloud computing environment receives the web application in a package compatible with the runtime environment (e.g., a WAR file to be launched in an application server, for example) and dynamically binds available services by appropriately inserting service provisioning data (e.g., service network address, login credentials, etc.) into the package. The cloud computing environment then packages an instance of the runtime environment, a start script and the package into a web application deployment package, which is then transmitted to an application (e.g., container virtual machine, etc.).
    Type: Grant
    Filed: April 26, 2010
    Date of Patent: January 7, 2014
    Assignee: VMware, Inc.
    Inventors: Mark Lucovsky, Derek Collison, Vadim Spivak, Gerald C. Chen, Ramnivas Laddad
  • Patent number: 8627445
    Abstract: A client for IPv4 having a SIP function sends a first REGISTER message to an adapter. Then, the adapter executes an authentication sequence of EAP-AKA for an access gateway connected between an IMS/MMD network and an IPv4 network, then establishes a tunnel connection. Then, the adapter generates a second REGISTER message corresponding to IPv6 based on the first REGISTER message corresponding to IPv4. The adapter sends the second REGISTER message to a SIP server connected to the IMS/MMD network through the tunnel connection to the access gateway.
    Type: Grant
    Filed: March 3, 2008
    Date of Patent: January 7, 2014
    Assignee: KDDI Corporation
    Inventors: Naoki Imai, Manabu Isomura, Hiroki Horiuchi
  • Publication number: 20140007219
    Abstract: This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.
    Type: Application
    Filed: August 26, 2013
    Publication date: January 2, 2014
    Applicant: TECTIA OYJ
    Inventors: Tero Kivinen, Tatu Ylonen
  • Patent number: 8621599
    Abstract: A communication system may be configured to control by a security controller the use of a node in a network for a service or application to transmit data via the node, wherein the security controller controls the use of the node based on a predetermined list indicating whether the service or application is allowed for the node, the predetermined list including combined identifiers for client applications and identifiers for network nodes.
    Type: Grant
    Filed: July 15, 2009
    Date of Patent: December 31, 2013
    Assignee: Infineon Technologies AG
    Inventors: Neal J. King, Charles Bry
  • Patent number: 8621594
    Abstract: A method and system for secure communication is presented. A virtual private proxy is generated based on an agreement between a first entity and a second entity. A first virtual private proxy is associated with the first entity and a second virtual private proxy is associated with the second entity. Data associated with the first entity is monitored at the virtual private proxy. Whether the data violates the agreement is determined and communication of the data from the first virtual private proxy to the second virtual private proxy is disallowed when the data violates the agreement.
    Type: Grant
    Filed: May 4, 2011
    Date of Patent: December 31, 2013
    Assignee: IBM International Group, B.V.
    Inventors: Charles S. Fenton, Keith E. Shafer
  • Patent number: 8621598
    Abstract: An embodiment of the present invention provides a system that enables a user to securely invoke a REST (Representational State Transfer) API (Application Programming Interface) at an application server. A client can establish a secure communication channel with an application server, and can send a request to the application server to invoke the REST API. The client can then receive a security token from an authentication system in response to authenticating the user with the authentication system. Next, the client can receive a nonce and a timestamp from the application server. The client can then determine a security token digest using the security token, the nonce, and the timestamp. Next, the client can resend the request to the application server to invoke the REST API with the security token digest. The application server can invoke the REST API if the security token digest is valid.
    Type: Grant
    Filed: March 12, 2008
    Date of Patent: December 31, 2013
    Assignee: Intuit Inc.
    Inventors: Ray Y. Lai, Ka Fu Chan
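The challenge exchange described above, as an added example (not Intuit's code; the digest construction, the single-use nonce table, the 300-second challenge lifetime and the constructed credential are assumptions): the client authenticates, receives a nonce and timestamp from the application server, and resends the request with an HMAC of those values keyed by its security token; the server invokes the API only if the digest verifies against a fresh, unused challenge.

```python
import hashlib
import hmac
import secrets
import time


class AuthSystem:
    """Constructed stand-in for the authentication system that issues security tokens."""
    USERS = {"alice": "correct horse battery staple"}   # constructed credential

    def __init__(self):
        self._tokens = {}

    def authenticate(self, user, password):
        if self.USERS.get(user) != password:
            return None
        token = secrets.token_hex(32)
        self._tokens[user] = token
        return token

    def token_for(self, user):
        return self._tokens.get(user)


def token_digest(token, nonce, timestamp, method, path):
    """Assumed construction: HMAC-SHA256 keyed by the security token over the
    server-issued nonce and timestamp plus the request being authorised, so the
    digest cannot be lifted onto a different call."""
    msg = f"{nonce}|{timestamp}|{method}|{path}".encode()
    return hmac.new(token.encode(), msg, hashlib.sha256).hexdigest()


class AppServer:
    MAX_AGE = 300   # seconds a challenge stays valid (assumed)

    def __init__(self, auth):
        self.auth = auth
        self._challenges = {}   # nonce -> timestamp, removed on first use

    def challenge(self, now=None):
        """Answer the first request with a nonce and a timestamp."""
        now = int(time.time() if now is None else now)
        nonce = secrets.token_hex(16)
        self._challenges[nonce] = now
        return nonce, now

    def invoke(self, user, method, path, nonce, timestamp, digest, now=None):
        """Invoke the REST API only if the digest is valid for this user and challenge."""
        now = int(time.time() if now is None else now)
        issued = self._challenges.pop(nonce, None)       # a nonce is single use
        token = self.auth.token_for(user)
        if issued is None or token is None or issued != timestamp:
            return False
        if now - issued > self.MAX_AGE:                   # stale challenge
            return False
        expected = token_digest(token, nonce, timestamp, method, path)
        return hmac.compare_digest(expected, digest)


def client_call(server, auth, user, password, method, path, now=None):
    """Client side: authenticate, request a challenge, resend with the digest."""
    token = auth.authenticate(user, password)
    if token is None:
        return False
    nonce, ts = server.challenge(now)
    return server.invoke(user, method, path, nonce, ts,
                         token_digest(token, nonce, ts, method, path), now)


if __name__ == "__main__":
    auth = AuthSystem()
    ok = client_call(AppServer(auth), auth, "alice", "correct horse battery staple",
                     "GET", "/v1/accounts")
    print("invoked:", ok)
```

The security token itself never crosses the wire after the authentication step; only a digest bound to a server-chosen nonce and timestamp does, so a captured request cannot be replayed or retargeted to another API call.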
  • Patent number: 8621597
    Abstract: Programmable logic devices (PLDs), programmable logic arrays (PLAs), complex programmable logic devices (CPLDs), and field programmable gate arrays (FPGAs), (collectively referred to as “PLDs”) can include circuitry for performing automatic erasing or “zeroization” of security information including data and programming. Such circuitry detects the occurrence of a possible security event, selects and/or forms one or more appropriate erase commands, and causes the command(s) to be executed against PLD memory. The circuitry prevents security information from being compromised under certain situations.
    Type: Grant
    Filed: October 22, 2004
    Date of Patent: December 31, 2013
    Assignee: Xilinx, Inc.
    Inventor: Jesse H. Jenkins, IV
  • Patent number: 8615562
    Abstract: One or more requests are received from a first system. The requests are queued in a queue. A serialization group is determined for a request and the request is associated with the determined serialization group. At least a subset of the requests from the queue is transmitted to a second system if the second system is available, including transmitting requests in a respective serialization group to the second system serially in accordance with an ordering of the requests within the respective serialization group.
    Type: Grant
    Filed: January 22, 2007
    Date of Patent: December 24, 2013
    Assignee: Google Inc.
    Inventors: Andrew Chang Huang, Wendy Tobagus, Arturo Crespo
  • Patent number: 8611540
    Abstract: An improved system and method are disclosed for peer-to-peer communications. In one example, the method enables endpoints to securely send and receive messages to one another within a hybrid peer-to-peer environment.
    Type: Grant
    Filed: June 23, 2010
    Date of Patent: December 17, 2013
    Assignee: Damaka, Inc.
    Inventors: Sivakumar Chaturvedi, Satish Gundabathula
  • Patent number: 8613048
    Abstract: A method and apparatus for providing authorized remote access to one or more application sessions includes a client node, a collection agent, a policy engine, and a session server. The client node requests access to a resource. The collection agent gathers information about the client node. The policy engine receives the gathered information, and makes an access control decision based on the received information. The session server establishes a connection between a client computer operated by the user and the one or more application sessions associated with the user of the client node identified in response to the received information.
    Type: Grant
    Filed: September 30, 2004
    Date of Patent: December 17, 2013
    Assignee: Citrix Systems, Inc.
    Inventors: Ricky Gene Braddy, Timothy Ernest Simmons, David Sean Stone
  • Patent number: 8613089
    Abstract: A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.
    Type: Grant
    Filed: October 31, 2012
    Date of Patent: December 17, 2013
    Assignee: Cloudflare, Inc.
    Inventors: Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe François Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, Jr.
  • Patent number: 8613073
    Abstract: According to one aspect, the subject matter described herein includes a system for Diameter routing and firewall filtering. The system includes a Diameter signaling router comprising a network interface for receiving, from a first Diameter node, a first Diameter message having Diameter information. The Diameter signaling router also includes a firewall module for determining whether the first Diameter message satisfies a firewall policy. The firewall policy is based on at least a portion of the Diameter information in the first Diameter message. The Diameter signaling router further includes a routing module for forwarding at least a portion of the first Diameter message towards a second Diameter node in response to the first Diameter message satisfying the firewall policy.
    Type: Grant
    Filed: October 18, 2010
    Date of Patent: December 17, 2013
    Assignee: Tekelec, Inc.
    Inventors: Thomas M. McCann, Peter J. Marsico
  • Patent number: 8607300
    Abstract: Methods and systems for mediating between first and second network security policies, by: (1) mapping a first security policy to a generic second security policy, and (2) mapping the generic second security policy to a plurality of rules each associated with a target network security policy.
    Type: Grant
    Filed: July 18, 2006
    Date of Patent: December 10, 2013
    Assignee: Genband US LLC
    Inventor: Haojin Wang
  • Patent number: 8607302
    Abstract: Embodiments of the present invention extend protection of network traffic between different security realms based on security labeling. In particular, embodiments of the present invention provide for implicit labeling of traffic shared between different security realms. The traffic may be shared using IPsec protocols. A gateway inspects the IPsec traffic and identifies security associations (SAs) of the IPsec traffic. The gateway then determines a security label of the SA. Various access control policies may then be applied to the traffic based on its security label.
    Type: Grant
    Filed: November 29, 2006
    Date of Patent: December 10, 2013
    Assignee: Red Hat, Inc.
    Inventor: James Morris
  • Patent number: 8607327
    Abstract: An apparatus and a method for synchronizing a Security Association (SA) state as SA information of a mobile communication terminal is lost are provided. In the method, an IPSec tunnel is established by performing an SA procedure with a server, and a secure port is obtained. A service request message is transmitted to the server via the obtained secure port, and an unsecure port is opened. When a service response message is received from the server, it is determined whether the service response message is received via the unsecure port. When the service response message is received via the unsecure port, the SA procedure is re-performed. Therefore, the terminal may use a service through a secure network without interruption, and reduce a waste of resources by avoiding unnecessary retransmission of a message for requesting a service.
    Type: Grant
    Filed: June 24, 2009
    Date of Patent: December 10, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jong-Mu Choi, Jin-Yup Kim
  • Patent number: 8607042
    Abstract: An e-mail firewall applies policies to messages between a first site and a plurality of second sites in accordance with administrator selectable policies. The firewall includes an SMTP relay and policy managers to enforce administrator selectable policies, such as encryption and decryption policies, a source/destination policy, a content policy and a first virus policy. Some policies are characterized by administrator selectable criteria, administrator selectable exceptions to the criteria and administrator selectable actions associated with the criteria and exceptions. Policy managers can include an access manager for restricting transmission of messages between the first and second sites in accordance with the source/destination policy, a content manager for restricting transmission of messages between the first and second sites in accordance with the content policy, and a virus manager for restricting transmission of messages between the first and second sites in accordance with the virus policy.
    Type: Grant
    Filed: December 20, 2006
    Date of Patent: December 10, 2013
    Assignee: Axway Inc.
    Inventors: Robert D. Dickinson, III, Sathvik Krishnamurthy
  • Patent number: 8601535
    Abstract: An authorization engine is provided in a remote device for mobile authorization using policy based access control. To ensure that remote devices can enforce consistent authorization policies even when the devices are not connected to the server, the remote device downloads the relevant authorization policies when the business objects are downloaded and enforces the policies when operations are invoked. The memory footprint of downloadable authorization policies is reduced to fit onto a resource-constrained remote device. A policy evaluation engine interprets and enforces the downloaded policies on the remote device using only the limited computational resources of the remote device.
    Type: Grant
    Filed: July 26, 2010
    Date of Patent: December 3, 2013
    Assignee: International Business Machines Corporation
    Inventors: SweeFen Goh, Richard T. Goodwin
  • Patent number: 8601100
    Abstract: The invention is directed to a system and method for booting multiple servers or other network resources from a single operating system image. The operating system image is stored on a solid state disk. When a server is booted, cache space is allocated in the volatile memory portion of the solid state disk. This cache is used to store data necessary for booting and operation of the operating system. As additional servers or other network resources are booted, the cache is used to access the necessary operating system data.
    Type: Grant
    Filed: June 22, 2004
    Date of Patent: December 3, 2013
    Assignee: International Business Machines Corporation
    Inventor: Richard Holzmann
  • Patent number: 8601568
    Abstract: Switching equipment stores identification information of communication established with respect to an infrastructure network system in a storage unit, and when an access request is received from a terminal device, the switching equipment adds the stored identification information to the access request and transfers the access request to a 1× Radius server. When the terminal device having requested the access is authenticated, the 1× Radius server notifies a PANA PAA of address information of the terminal device associated with the identification information added to the access request. The PANA PAA approves the same network access as the switching equipment with respect to the terminal device in the received address information.
    Type: Grant
    Filed: May 29, 2008
    Date of Patent: December 3, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yoshimichi Tanizawa, Naoki Esaka, Tsutomu Shibata
  • Patent number: 8601567
    Abstract: A NAT device and a method implemented on the device for filtering tunneled IPv6 traffic are disclosed. The method comprises: receiving an IP traffic stream at an ingress network interface to the NAT, performing deep packet inspection on the traffic stream to detect the tunneled IPv6 packets, and applying a filter to the IPv6 packets.
    Type: Grant
    Filed: May 8, 2009
    Date of Patent: December 3, 2013
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Oliver Spatscheck, Subhabrata Sen
  • Patent number: 8601603
    Abstract: Architecture for secure transmission of data from a sender to a receiver can include multiple network server nodes and a processor that contains computer instructions stored therein for causing the processor to accomplish the methods for secure transmission. The methods can include the initial step of generating a nonce at a server node. A copy of the nonce can be securely transmitted to the intended recipient of the information. The nonce can then be encrypted at the server node using an encryption means that is remotely located from the server node. The actual information is then transmitted from the sender to the server node. The server node decrypts the nonce at the server node using the encryption means, and encodes the information using the decrypted nonce, which is then deleted. The receiver then accesses the server node and decodes the information using its last remaining copy of the nonce.
    Type: Grant
    Filed: December 1, 2010
    Date of Patent: December 3, 2013
    Assignee: The United States of America, as Represented by the Secretary of the Navy
    Inventor: Gregory K. Fleizach
  • Patent number: 8601562
    Abstract: A method for enforcing policies used with a computer client, the method including receiving, at policy decision point (PDP) processor, information from a single sign-on (SSO) system indicating an occurrence of an event of interest on the computer client, performing, using the PDP processor, a policy check in response to the occurrence of the event of interest, wherein a policy check result is generated, and providing the generated policy check result to the SSO system.
    Type: Grant
    Filed: December 10, 2008
    Date of Patent: December 3, 2013
    Assignee: Courion Corporation
    Inventor: Brian T. Milas
  • Patent number: 8595822
    Abstract: A method in one embodiment includes establishing a first secure tunnel between a scanner and a configuration manager, and a second secure tunnel between the scanner and a scan controller, where the scanner is located in a public network and the configuration manager and the scan controller are located in a private network, communicating scanner configuration information between the scanner and the configuration manager over the first secure tunnel, and communicating scan information between the scanner and the scan controller over the second secure tunnel. The secure tunnels may be established from within the private network, by forwarding a first origination port and a second origination port to a first destination port and a second destination port, respectively. The first and second origination ports may be located in the public network, and the first and second destination ports may be located in the private network.
    Type: Grant
    Filed: December 29, 2011
    Date of Patent: November 26, 2013
    Assignee: McAfee, Inc.
    Inventors: Sven Schrecker, Brian Robison
  • Patent number: 8595820
    Abstract: A surround security system which screens packets transitioning a TCP/IP stack of a computer system from being broadcast over a network or being communicated to applications installed on the computer system. The surround security system may further include protections for the operating system, applications and security configurations.
    Type: Grant
    Filed: September 10, 2010
    Date of Patent: November 26, 2013
    Assignee: RPX Corporation
    Inventor: Vimal Vaidya
  • Patent number: 8590034
    Abstract: A system (101) for implementing redaction rules in compliance with an organization's privacy policy, where the system intercepts messages between an information source (103) and an information destination (102), modifies the message contents based on redaction rules (106) and forwards the redacted contents over to the client. The system also maintains a record of the redacted information and updates the contents of any message submitted by the client (102) in order to maintain database integrity.
    Type: Grant
    Filed: September 21, 2009
    Date of Patent: November 19, 2013
    Inventors: Basit Hussain, Saeed Rajput
  • Patent number: 8589512
    Abstract: An exemplary method includes detecting a request to launch an application on a device, accessing metadata associated with the application over a network, using the metadata to determine whether sufficient resources are available to launch the application on the device, and performing at least one action based on said determination. The at least one action may include launching the application on the device when sufficient resources are available or blocking a launch of the application on the device when sufficient resources are not available. In certain embodiments, the method is performed by the device. In certain embodiments, the device includes a set-top box configured to access a media service over the network. Corresponding methods, systems, apparatuses, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: November 19, 2013
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Enrique Ruiz-Velasco, Prasad Raella, Manish Verma
  • Patent number: 8590031
    Abstract: Access control methods include receiving an access authorization message from an authentication server computer at a blocking device that connects a first network to a second network, modifying access criteria of a transparent firewall at the blocking device responsive to the received access authorization message and operating the transparent firewall according to the modified access criteria to control transfer of messages between the first and second networks. The invention may also be implemented as apparatus and computer readable media.
    Type: Grant
    Filed: December 17, 2009
    Date of Patent: November 19, 2013
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Anthony B. Dargis
  • Patent number: 8582556
    Abstract: Method and apparatus for maintaining state information on a client device configured for voice-over-internet protocol (VOIP) communication is described. In one example, a VOIP call between the client device and an endpoint device through a packet network is established. State information is sent from the client device to the endpoint device during the VOIP call. The state object having the state information embedded therein is received from the endpoint device at the client device. The state object is stored in the client device. The state object may be retrieved from the client device during the VOIP call or a subsequent VOIP call in response to an authenticated request from the endpoint device. Alternatively, the state object may be retrieved from the client device during a subsequent web session in response to an authenticated request from a host.
    Type: Grant
    Filed: June 6, 2006
    Date of Patent: November 12, 2013
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: Benjamin J. Stern, Narendra K. Gupta