Security Protocols Patents (Class 726/14)
-
Patent number: 8220043
Abstract: An information processing device that causes a router to open a new communication port and permits an active access from a terminal when the terminal connected to an outer network is provided. A multi function device (information processing device) accesses a POP server and acquires a mail. In a case where the mail from an outer terminal describes an access request, the multi function device transmits a port-open-command that requests a router to open a new communication port. The multi function device transmits to the outer terminal a port identifier of the new communication port that was opened by the router. The outer terminal transmits data to the multi function device with the received port identifier designated therein. The multi function device, triggered by the mail from the outer terminal, can cause the router to open a new communication port that permits an active access from the outer terminal.
Type: Grant
Filed: September 30, 2008
Date of Patent: July 10, 2012
Assignee: Brother Kogyo Kabushiki Kaisha
Inventor: Hiroyuki Sasaki
-
Patent number: 8214878
Abstract: When copying a guest from a source virtual environment to a target virtual environment, policy control of the target environment is provided. A configuration specification is created based on the source virtual environment and the guest to be copied. The configuration specification contains specific policies and/or requirements of the guest. The guest and the configuration specification are copied to the target virtual environment. The target virtual environment is examined to determine whether it is compliant with the copied configuration specification. If so, the copied guest runs in the target virtual environment. If not, the target virtual environment can be modified to be in compliance with the configuration specification.
Type: Grant
Filed: September 25, 2008
Date of Patent: July 3, 2012
Assignee: Symantec Corporation
Inventors: Brian Hernacki, Sourabh Satish, William E. Sobel
-
Patent number: 8214481
Abstract: The inventive communications management systems manage access to a local area network or network content by external users, applications, and devices. The systems and methods are implemented on a network appliance to manage content within the network and facilitate content transmission through a firewall that separates the network from a larger networking environment, such as the World Wide Web. Other applications operating on the network appliance are made firewall aware so that existing network appliance identity schemes can be used to also control gate access to and from the network, to and from applications that run on the network appliance, and to and from other applications that run on the local network. Because the firewall is integrated closely with other applications on the network appliance, after the external user is granted access to the network, network applications can control and terminate access through the firewall as desired.
Type: Grant
Filed: January 6, 2005
Date of Patent: July 3, 2012
Assignee: Seagate Technology LLC
Inventors: James A. Savage, Tim Bucher
-
Patent number: 8214879
Abstract: A system for enforcing policy in a communication network includes a policy server which is operable to receive a request to invoke an application, receive a policy profile for a network user, and decide a proper allocation of network users based on the policy profile, the application, and available network resources. The policy server is further operable to communicate with a non-SIP application. The system also includes a network resource manager operably associated with the policy server and operable to monitor available network resources in the communication network. In addition, the network resource manager is functional to allocate network resources amongst a plurality of network users. The system also contains an application control point which is operably associated with the policy server and operable to communicate with a SIP application. The system is operable to use policy peering between the home and visited network to enable user-specific policies to be enforced while roaming.
Type: Grant
Filed: August 31, 2011
Date of Patent: July 3, 2012
Assignee: Cisco Technology, Inc.
Inventors: Flemming Stig Andreasen, Jonathan D. Rosenberg
-
Patent number: 8209538
Abstract: An email policy is applied in a policy manager, running on a mail server in a local area network, to determine whether an outgoing email message should be allowed to be transmitted to a destination address outside the local area network, for example over the internet. A digital signature is used in the policy manager, to determine if the sender is the sender indicated in the message itself. If so, a sender-dependent policy is applied.
Type: Grant
Filed: August 16, 2004
Date of Patent: June 26, 2012
Assignee: Clearswift Limited
Inventor: Jim Craigie
-
Patent number: 8205035
Abstract: The present invention is directed towards systems and methods for integrating cache managing and application firewall processing in a networked system. In various embodiments, an integrated cache/firewall system comprises an application firewall operating in conjunction with a cache managing system in operation on an intermediary device. In various embodiments, the application firewall processes a received HTTP response to a request by a networked entity serviced by the intermediary device. The application firewall generates metadata from the HTTP response and stores the metadata in cache with the HTTP response. When a subsequent request hits in the cache, the metadata is identified to a user session associated with the subsequent request. In various embodiments, the application firewall can modify a cache-control header of the received HTTP response, and can alter the cookie-setting header of the cached HTTP response.
Type: Grant
Filed: June 22, 2009
Date of Patent: June 19, 2012
Assignee: Citrix Systems, Inc.
Inventors: Anoop Kandi Reddy, Craig Steven Anderson, Prakash Khemani
-
Patent number: 8201236
Abstract: Methods and systems for an intelligent network protection gateway (NPG) are provided. According to one embodiment, a firewall prevents unauthorized network-layer access to internal hosts by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall facilitates concurrent management of multiple incoming VoIP calls by providing multiple VoIP ports and advertising multiple IP address/VoIP port pairs corresponding to internal hosts.
Type: Grant
Filed: September 9, 2011
Date of Patent: June 12, 2012
Assignee: Fortinet, Inc.
Inventor: Michael Xie
-
Patent number: 8201217
Abstract: Systems and methods which facilitate single user sign-in for multiple accounts are shown. Embodiments create a single user base which maps users to multiple accounts. The use of a single set of credentials by the user is provided for according to embodiments irrespective of the applications associated with the various accounts having very different security protocols. A system hosting the shared user base preferably provides a single authentication point for multiple services. Embodiments provide an authenticator string, as may be passed between a client and bridge server and/or client and application, in order to enable user access, detect attacks with respect to a client conversation, etcetera. In addition to providing a shared user base for single sign-in, embodiments provide additional shared functionality and/or functionality not available from the applications themselves.
Type: Grant
Filed: October 3, 2006
Date of Patent: June 12, 2012
Assignee: Stamps.com Inc.
Inventors: Geoffrey C. Begen, Keith D. Bussell
-
Patent number: 8201234
Abstract: Computer-readable medium having a data structure stored thereon for defining a schema for expressing a network security policy. The data structure includes a first data field including data defining a parameter to be applied based on the network security policy. The network security policy defines at least one of the following: a firewall rule and a connection security rule. The data structure also includes a second data field having data specifying restrictions of the parameter included in the first data field. The parameter in the first data field and the restrictions in the second data field form the schema for expressing the network security policy to be processed. The network security policy manages communications between a computing device and at least one other computing device.
Type: Grant
Filed: May 9, 2007
Date of Patent: June 12, 2012
Assignee: Microsoft Corporation
Inventors: Gerardo Diaz-Cuellar, David Abzarian, Lokesh Srinivas Koppolu, Eran Yariv
-
Patent number: 8196194
Abstract: In a procedure for delivering streaming media, a Client first requests the media from an Order Server. The Order Server authenticates the Client and sends a ticket to the Client. Then, the Client sends the ticket to a Streaming Server. The Streaming Server checks the ticket for validity and, if it is found valid, encrypts the streaming data using a standardized real-time protocol such as SRTP and transmits the encrypted data to the Client. The Client receives the data and decrypts them. Copyrighted material adapted to streaming can be securely delivered to the Client. The robust protocol used is very well suited in particular for wireless clients and similar devices having a low capacity, such as cellular telephones and PDAs.
Type: Grant
Filed: September 30, 2010
Date of Patent: June 5, 2012
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Fredrik Lindholm, Rolf Blom, Karl Norrman, Göran Selander, Mats Näslund
-
Patent number: 8196183
Abstract: A server interacts with a sender to form a package which can include one or more attached data files to be sent to one or more recipients, and the server applies a policy established by a policy authority of the sender to the package. Since the server both forms the package through interaction with the sender and applies the policy, any violations of the policy by the package can be brought to the sender's attention during an interactive session with the sender and before encryption of all or part of the package. As a result, the sender is educated regarding the policy of the sender's policy authority, and the sender can modify the package immediately to comport with the policy. The server delivers the package to the one or more intended recipients by sending notification to each recipient and including in such notification package identification data, e.g., a URL by which the package can be retrieved.
Type: Grant
Filed: March 1, 2004
Date of Patent: June 5, 2012
Assignee: Axway Inc.
Inventors: Jeffrey C. Smith, Jean-Christophe Bandini
-
Patent number: 8190128
Abstract: A method and system are described for operating a source communication device. The source communication device receives a first request from a user through a user interface requesting a first communication session with a target communication device. The source communication device transfers a first signal to a network requesting the first communication session with the target communication device, wherein the target communication device provides an overt communication alert for the first communication session. The source communication device receives a second request from the user requesting a second communication session requesting that the target communication device provide a covert communication alert for the second communication session.
Type: Grant
Filed: February 10, 2009
Date of Patent: May 29, 2012
Assignee: Sprint Communications Company L.P.
Inventors: Michael T. Lundy, Jason Kent Whitney, Jason R. Delker, John Michael Everson
-
Patent number: 8190126
Abstract: A communication device having a secret mode enters the secret mode in response to receiving a secret mode access key. In the secret mode, the communication device receives a first instruction to handle a covert communication source in the secret mode. The communication device receives a second instruction to exit the secret mode. After exiting the secret mode, and in response to the first instruction, the communication device provides a covert communication alert for an incoming communication from the covert communication source. The communication device provides overt communication alerts for incoming communications from overt communication sources.
Type: Grant
Filed: April 1, 2008
Date of Patent: May 29, 2012
Assignee: Sprint Communications Company L.P.
Inventors: Jason Kent Whitney, Michael T. Lundy
-
Patent number: 8190876
Abstract: A method and apparatus for securing a connection with an SSL/TLS (Secure Sockets Layer/Transport Layer Security)-enabled server. In one embodiment, a web client establishes a new connection by initiating a communication with the SSL/TLS-enabled server. The communication includes a non-POST request. After the client negotiates the secured connection with the server in response to the non-POST request, the client submits a POST request to the SSL/TLS-enabled server via the secured connection.
Type: Grant
Filed: November 19, 2007
Date of Patent: May 29, 2012
Assignee: Red Hat, Inc.
Inventor: James Paul Schneider
-
Patent number: 8191134
Abstract: According to one embodiment of the invention, a plurality of IPsec packets belonging to a single IPsec tunnel are received. Different ones of the plurality of IPsec packets are distributed to different ones of a plurality of processing cores of a network element. At least some of those IPsec packets are processed in parallel and without taking a lock on a Security Association (SA) data structure storing an SA associated with the plurality of IPsec packets. The SA is atomically accessed and atomically updated.
Type: Grant
Filed: September 29, 2008
Date of Patent: May 29, 2012
Assignee: SonicWALL, Inc.
Inventor: Aravind Thangavelu
-
Patent number: 8191116
Abstract: An authentication and validation architecture utilizing a P-CSCF (proxy-call session control function) service to validate a source IP address against a registered contact IP address upon receiving an initial request for a dialog or a standalone request (except REGISTER) from a registered user. This provides a security measure to prevent IMS (IP multimedia subsystem) identity spoofing when SIP access security (IPsec) is not enabled, or not used, between the user equipment (UE) and the P-CSCF service.
Type: Grant
Filed: October 17, 2005
Date of Patent: May 29, 2012
Assignee: AT&T Mobility II LLC
Inventor: Daryl Gazzard
-
Patent number: 8185945
Abstract: An exemplary method involves an SSL server receiving an SSL session request from an SSL client. It is determined whether the SSL client is going to use certificate-based authentication. This may involve identifying a port at which the SSL session request was received. Alternatively, this may involve identifying an IP address at which the SSL session request was received. Alternatively still, this may involve examining authentication information in the SSL session request. If the SSL client is going to use certificate-based authentication, a certificate is requested from the SSL client. If the SSL client is not going to use certificate-based authentication, the certificate is not requested from the SSL client.
Type: Grant
Filed: March 2, 2005
Date of Patent: May 22, 2012
Assignee: Crimson Corporation
Inventors: David A. Eatough, Alan B. Butt
-
Patent number: 8184641
Abstract: An approach provides interdomain traversal to support packetized voice transmissions. A request is received and specifies a directory number for establishing a communication session from a first endpoint to a second endpoint. The first endpoint is behind a first network address translator of a first domain, and the second endpoint is within a second domain. A service provider network is accessed to determine a network address for communicating with the second endpoint based on the directory number, to determine existence of a second network address translator within the second domain, and to establish, if the network address can be determined, a media path between the first endpoint and the second endpoint based on the network address to support the communication session. An encrypted session is established with a proxy server according to a cryptographic protocol to support the media path. The proxy server resides within the second domain.
Type: Grant
Filed: December 30, 2005
Date of Patent: May 22, 2012
Assignee: Verizon Business Global LLC
Inventors: Wade R. Alt, Kiwan Edward Bae
-
Patent number: 8185740
Abstract: Consumer computers that are not properly configured for safe access to a web service are protected from damage by controlling access to web services based on the health of the client computer. A client health web service receives health information from the client computer, determines the health status of the consumer computer, and issues a token to the consumer computer indicating its health status. The consumer computer can provide this token to other web services, which in turn may provide access to the consumer computer based on the health status indicated in the token. The client health web service may be operated as a web service specifically to determine the health of consumer computers or may have other functions, including providing access to the Internet. Also, the health information may be proxied to another device, such as a gateway device, that manages interactions with the client health web service.
Type: Grant
Filed: March 26, 2007
Date of Patent: May 22, 2012
Assignee: Microsoft Corporation
Inventors: Calvin Choon-Hwan Choe, Paul G. Mayfield
-
Patent number: 8185935
Abstract: A method and apparatus for dynamic home address assignment by a home agent in multiple network interworking. The invention provides a method and apparatus to send a key authorization request from a mobile station to a network device, the request indicating that the mobile station wishes to use a foreign agent care-of address to continue to receive data. The network device assigns a temporary address to the mobile station and creates a security policy database for the mobile station. The mobile station receives agent advertisements from foreign agents that may be able to provide service. The mobile station registers with a foreign agent. The network device then modifies the security policy database to reflect the information of the foreign agent. The Home Agent then assigns a home address to the mobile station and the network device updates the security policy database to include only the mobile device's home address as a selector.
Type: Grant
Filed: June 13, 2006
Date of Patent: May 22, 2012
Assignee: QUALCOMM Incorporated
Inventor: Raymond T-S Hsu
-
Patent number: 8185947
Abstract: The present invention provides a system, method and apparatus for securely exchanging security keys and monitoring links in an IP communications network. The apparatus is disposed between the local device and the remote device and receives a security key associated with the secure communication(s) for the local device. The apparatus then uses the security key to decode one or more messages transmitted between the local device and the remote device. The apparatus may initiate one or more security protocols whenever the decoded message(s) satisfy one or more criteria. Note that the present invention can be implemented as a computer program embodied on a computer readable medium wherein each step is performed by one or more code segments.
Type: Grant
Filed: July 11, 2007
Date of Patent: May 22, 2012
Assignee: Avaya Inc.
Inventors: Srikrishna Kurapati, Sudhindra Pundaleeka Herle
-
Patent number: 8185954
Abstract: A method or system of receiving an electronic file containing content data in a predetermined data format, the method comprising the steps of: receiving the electronic file, determining the data format, parsing the content data to determine whether it conforms to the predetermined data format, and if the content data does conform to the predetermined data format, regenerating the parsed data to create a regenerated electronic file in the data format.
Type: Grant
Filed: June 9, 2006
Date of Patent: May 22, 2012
Assignee: Glasswall (IP) Limited
Inventor: Nicholas John Scales
-
Patent number: 8185933
Abstract: In general, the principles of this invention are directed to techniques of locally caching endpoint security information. In particular, a local access module caches endpoint security information maintained by a remote server. When a user attempts to access a network resource through an endpoint device, the endpoint device sends authentication information and health information to the local access module. When the local access module receives the authentication information and the health information, the local access module controls access to the network resource based on the cached endpoint security information, the authentication information, and a security state of the endpoint device described by the health information.
Type: Grant
Filed: February 1, 2011
Date of Patent: May 22, 2012
Assignee: Juniper Networks, Inc.
Inventor: Matthew Palmer
-
Patent number: 8185946
Abstract: Methods of screening incoming packets are provided. A first firewall detects a tunnel formation. A second firewall maintains a list of open firewall sessions. Each tunnel has one or more associated firewall sessions. The first firewall detects variable situations, such as when the tunnel is torn down, and notifies the second firewall so that, for example, the second firewall can act to clear an associated firewall session from the firewall session list. Incoming packets that are associated with firewall sessions that have been cleared from the firewall session list may not be passed through the second firewall.
Type: Grant
Filed: May 22, 2009
Date of Patent: May 22, 2012
Assignee: Juniper Networks, Inc.
Inventors: Jesse Shu, Yonghui Cheng
-
Patent number: 8181250
Abstract: A honeypot in a computer network is configured for use with a wide variety of computing resources that are defined by a network administrator or user which may include desktop and network resources such as address book contacts, instant messaging contacts, active directory user accounts, IP addresses, and files that contain particular content or that are stored in particular locations. The resources may be real, for which protection against leakage is desired, or fake, to operate as bait to lure and detect malicious attacks. The honeypot is implemented in an extensible manner so that virtually any resource may be honeypotted to apply honeypot benefits to resources beyond static IP addresses in order to improve both the breadth of information leakage prevention and the detection of malicious attacks.
Type: Grant
Filed: June 30, 2008
Date of Patent: May 15, 2012
Assignee: Microsoft Corporation
Inventors: Ziv Rafalovich, Lior Arzi, Ron Karidi, Efim Hudis
-
Patent number: 8181253
Abstract: Disclosed are systems, methods and computer program products for reducing security risk in a computer network. The system includes an administration server that collects system usage, user profile and security incident information from a plurality of computers in the network. The server determines values of one or more risk factors for each computer using the collected information. The server then calculates a security rating of each computer user as a function of the risk factors and adjusts the calculated security rating of a given computer user based on the security ratings of other computer users with whom the given computer user communicates. The server then selects, based on the adjusted security rating, security settings for the computer of the given user in order to reduce the user's security risk to the computer network, and applies the selected security settings to the computer of the given user.
Type: Grant
Filed: June 30, 2011
Date of Patent: May 15, 2012
Assignee: Kaspersky Lab ZAO
Inventors: Oleg V. Zaitsev, Valery A. Boronin
-
Publication number: 20120117377
Abstract: A security gateway/home agent controller HAC is used to assign one home agent HA from a plurality of HAs and to identify at least one security protocol that is common between a mobile node MN and the assigned HA. Establishment of a security association between the MN and the assigned HA is enabled according to the identified security protocol and utilizing bootstrapping parameters provided over a secure connection between the security gateway/HAC and the MN. The bootstrapping parameters include at least a home address for the MN, an address of the assigned HA and security credentials and security parameters for the identified at least one security protocol. In an exemplary embodiment the home address for the MN may be an IPv6 home address and the MN may have certain capabilities with respect to security protocols and ciphering suites which the MN sends to the security gateway.
Type: Application
Filed: November 5, 2010
Publication date: May 10, 2012
Inventors: Basavaraj Patil, Gabor Bajko
-
Patent number: 8176545
Abstract: A system and method are provided for validating a security service associated with packets communicated on a network. A hash of a security service associated with packets communicated on a network is generated. In use, the security service associated with the packets is validated utilizing the hash.
Type: Grant
Filed: December 19, 2003
Date of Patent: May 8, 2012
Assignee: NVIDIA Corporation
Inventors: Daniel Leo Greenfield, John Shigeto Minami, Robin Yasu Uyeshiro
-
Patent number: 8175277
Abstract: Intercepting a secure communication session includes distributing a key from a key distribution point to establish a secure communication session between a first endpoint and a second endpoint. A secure channel is established between the key distribution point and an intercepting endpoint. The intercepting endpoint may be determined to be authorized to intercept the secure communication session. The key is provided to the intercepting endpoint only if the intercepting endpoint is authorized to intercept the secure communication session, where the key provides the intercepting endpoint with access to intercept the secure communication session.
Type: Grant
Filed: April 28, 2005
Date of Patent: May 8, 2012
Assignee: Cisco Technology, Inc.
Inventors: Robert T. Bell, Subbiah Kandasamy, Daniel G. Wing
-
Patent number: 8176532
Abstract: A programmable control unit interacts with a physical system. The physical system has a public network interface for communicating with remote computer systems. A user computer system is located remotely from the programmable control unit. A front-end security gateway is located remotely from the programmable control unit, wherein the front-end security gateway communicates with the user computer system to authenticate and authorize a user for access to the programmable control unit. The front-end security gateway forwards messages between the user computer system and the programmable control unit after the user is authenticated and authorized. A public communication network is coupled between the front-end security gateway and the programmable control unit to carry the forwarded messages. The public communication network includes a routing control configured to allow communication with the programmable control unit only by the front-end security gateway.
Type: Grant
Filed: March 17, 2003
Date of Patent: May 8, 2012
Assignee: Sprint Communications Company L.P.
Inventor: Fred S. Cook
-
Patent number: 8171540
Abstract: A method and system for e-mail management of e-mails having embedded classification metadata. A query from an end user to access an e-mail account by an e-mail client is received. It is then determined whether the query has come from an insecure e-mail client, such as a web e-mail client. Access rules defining classification access restrictions for the e-mail client to access e-mail in the e-mail account are retrieved when the e-mail client is determined to be insecure. The e-mail query can then be modified before sending to an e-mail server storing the e-mail account. The query is modified based on the retrieved access rules to exclude retrieval of e-mails based upon the e-mail classification metadata.
Type: Grant
Filed: June 6, 2008
Date of Patent: May 1, 2012
Assignee: Titus, Inc.
Inventors: Charles E. Pulfer, Connor Warrington
-
Patent number: 8171287
Abstract: A system and method for the authorization of access to a service by a computational device or devices. A software agent generates a digital signature for the device each time it attempts to access the service and sends it to an authentication server, which compares the digital signature sent with one or more digital signatures on file to determine whether access to the service is permitted. The digital signature is generated by using hashes based on software and hardware configuration data collected from the device. The system may be used in conjunction with other authorization methods and devices.
Type: Grant
Filed: March 10, 2005
Date of Patent: May 1, 2012
Assignee: DNABOLT, Inc
Inventor: Agostinho de Arruda Villela
-
Patent number: 8171299
Abstract: A data communication apparatus which is capable of preventing reception of undesired data by a destination without increasing the load on a network, etc. Data and a destination thereof are input. A sender ID related to a sender who sends the input data is input. The input data is sent to the input destination. A sender ID for which data transmission to the input destination is permitted is stored as a permission ID. The input sender ID is collated with the stored permission ID. Whether to permit data transmission is determined according to the collation result.
Type: Grant
Filed: August 29, 2005
Date of Patent: May 1, 2012
Assignee: Canon Kabushiki Kaisha
Inventors: Shinichi Kato, Osamu Iinuma, Tsutomu Sakaue
-
Patent number: 8171051
Abstract: Various embodiments of the present invention relate to oblivious transfer protocols and to systems for performing oblivious transfer. Embodiments of the present invention include a private data sampling protocol that is designed to balance the competing privacy interests of a database user and a database owner. Protocol embodiments enable the database user to obtain a fixed size random sample of the available data held by the database owner without the database owner learning which bits of data were accessed.
Type: Grant
Filed: October 15, 2008
Date of Patent: May 1, 2012
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: David A. Fattal, Marco Florentino, Raymond G. Beausoleil
-
Patent number: 8171562
Abstract: A system and methods utilizing the network layer to provide security in distributed computing systems in order to thwart denial of service attacks. The system and methods of the present invention utilize puzzles placed at the network layer level to protect against denial of service attacks. The system and methods of the present invention advantageously provide a robust and flexible solution to support puzzle issuance at arbitrary points in the network, including end hosts, firewalls, and routers, and thereby a defense against denial of service attacks.
Type: Grant
Filed: August 26, 2004
Date of Patent: May 1, 2012
Assignee: Oregon Health & Science University
Inventor: Wu-chang Feng
-
Patent number: 8170183
Abstract: A method for providing a message service for a site is described. It is determined whether a service is provided at the site. If the service is provided at the site, a request is sent to a node at the site that provides the service. Determining if the service is provided at the site includes automatically determining if the service is provided at the site without user input.
Type: Grant
Filed: January 22, 2007
Date of Patent: May 1, 2012
Assignee: Control4 Corporation
Inventor: Michael L. Howard
-
Patent number: 8171533
Abstract: A method of managing a web single sign-on (SSO) application with a common set of uniform resource locators (URLs) includes defining a first servlet mapping including a description of a protected URL resource pattern, defining a second servlet mapping including a description of an unprotected URL resource pattern, determining display logic support to establish if display logic of the web SSO application supports both the first servlet mapping and the second servlet mapping, configuring the display logic of the web SSO application based on the determination, defining an intercepting filter, and registering URL patterns for the common set of URLs in the intercepting filter, the URL patterns including definitions of the protected URL resource pattern and the unprotected URL resource pattern.
Type: Grant
Filed: September 29, 2008
Date of Patent: May 1, 2012
Assignee: International Business Machines Corporation
Inventors: Brian J. Fleming, Wan Ngain W. Lee, Craig Malton, Esther Yu
-
Patent number: 8165285
Abstract: The invention relates mainly to a cryptographic process using an elliptic curve represented by means of an equation containing first and second parameters (a, b), a bilinear matching, and calculations in a finite group of integers constructed around at least one first reduction rule reducing each integer to its remainder in a whole division by a first prime number (p) that constitutes a third parameter, the elements of the finite group being in bijection with points selected on the elliptic curve, and the number of which is linked to a fourth parameter (q), where this process uses public and private keys, each of which is represented by a given point of the elliptic curve or by a multiplication factor between two points of this curve. According to the invention, the first reduction rule is the only reduction rule implemented, and the elliptic curve is obtained through a step-by-step construction process, directly allocating to the finite group q*q q-order points in the elliptic curve.
Type: Grant
Filed: January 23, 2006
Date of Patent: April 24, 2012
Assignee: Gemalto SA
Inventor: Eric Brier
-
Patent number: 8166534
Abstract: Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.
Type: Grant
Filed: May 18, 2007
Date of Patent: April 24, 2012
Assignee: Microsoft Corporation
Inventors: Eran Yariv, Gerardo Diaz Cuellar, David Abzarian
-
Patent number: 8161542
Abstract: A Radio Frequency based security system for providing security for wireless Local Area Networks (WLAN) that allows the creation and maintenance of arbitrarily shaped secure wireless access areas with boundaries around said wireless Local Area Network and prevents access to the said wireless LAN from outside the perimeter of the secure area. The system includes a plurality of perimeter Radio Frequency Sentry Devices (RFSDs) that are employed to establish the boundaries of said secure area around said wireless LAN. The wireless LAN being secured may be an industry standard IEEE 802.11a, 802.11b or 802.11g based wireless LAN or any other wireless LAN that uses packet based communication protocols. The said RFSDs may be stand-alone devices or they may be connected to a wired or wireless Local Area Network.
Type: Grant
Filed: January 11, 2011
Date of Patent: April 17, 2012
Assignee: Bella Tosso AG, L.L.C.
Inventor: Sameer Tiwari
-
Patent number: 8161420
Abstract: A security management system of a home network is provided. The home network includes a home gateway and one or more user devices connected to the home gateway. The security management system further includes a security management server adapted to provide a security management service for the home network. Within the home network, a security management module is disposed to provide a security service for the user devices within the home network. The user devices and the device on which the security management module is located have unique device identifications, and the home network has a unique network identification. Through the home gateway, the security management server communicates with the security management module. With the network identification and the device identification, the security management server and the security management module achieve security management for the home network through a registration of the home network and a registration of the user device.
Type: Grant
Filed: October 28, 2008
Date of Patent: April 17, 2012
Assignee: Huawei Technologies Co., Ltd.
Inventor: Zhiming Ding
-
Patent number: 8161541
Abstract: An access node (e.g., DSLAM, OLT/ONT) is described herein that implements a trust verification method comprising the steps of: (a) filtering an up-stream message initiated by a non-trusted device (e.g., CPE); (b) intercepting the filtered up-stream message if the filtered up-stream message is a connectivity fault management message (e.g., LB message, LBR message, CC message); (c) inserting a trusted identification into the intercepted up-stream message; and (d) outputting the intercepted up-stream message with the inserted trusted identification. Thereafter, a trusted device (e.g., BRAS) receives and analyzes the outputted up-stream message with the inserted trusted identification message to ascertain a trustworthiness of the non-trusted device (e.g., CPE). Several different ways that an access network (e.g., IPTV network) can implement the trust verification method are also described herein.
Type: Grant
Filed: December 13, 2007
Date of Patent: April 17, 2012
Assignee: Alcatel Lucent
Inventors: Kamakshi Sridhar, Ludwig Pauwels, Sven Ooghe
-
Patent number: 8161539
Abstract: A data processing system that supports verifiable IPSec network communication. The data processing system comprises an IPSec network adapter that connects the data processing system to an external network and provides IPSec encryption and routing of IPSec packets. The data processing system also comprises a network adapter verifier, which is a secondary network card that is utilized to verify that IPSec packets being transmitted to the external network by the IPSec network adapter have been encrypted. The network adapter verifier comprises a device driver, which caches a copy of an IP address from a generated IPSec packet prior to the packet being received by the network adapter. The network adapter verifier is connected to the external network and monitors the transmission of packets out to the network connection by the network adapter. The IP identification (ID) of the packets is compared to the captured IP address of the generated IPSec packet.
Type: Grant
Filed: April 19, 2002
Date of Patent: April 17, 2012
Assignee: International Business Machines Corporation
Inventors: Michael Paul Cyr, Gerald Francis McBrearty, Shawn Patrick Mullen, Johnny Meng-Han Shieh
-
Patent number: 8156329
Abstract: A network device management apparatus includes a search unit configured to search for a network device supporting a first communication protocol, an authentication information input unit configured to input authentication information used in communication with the network device using the first communication protocol, an authentication executing unit configured to execute authentication of the network device by using the authentication information, a first checking unit configured to, when the authentication by the authentication executing unit is successful, check whether a second communication protocol different from the first communication protocol is enabled in the network device, and a setting changing unit configured to change a setting of the second communication protocol depending on a result of the checking performed by the first checking unit.
Type: Grant
Filed: June 8, 2009
Date of Patent: April 10, 2012
Assignee: Canon Kabushiki Kaisha
Inventor: Toshio Ohashi
-
Patent number: 8156541
Abstract: A system, method, and computer program product are provided for identifying unwanted activity utilizing a honeypot accessible via virtual local area network (VLAN) trunking. In use, a honeypot device is allowed to be accessed via VLAN trunking. Furthermore, unwanted data is identified, utilizing the honeypot device.
Type: Grant
Filed: October 17, 2007
Date of Patent: April 10, 2012
Assignee: McAfee, Inc.
Inventors: Vinoo Thomas, Nitin Jyoti
-
Patent number: 8156560
Abstract: The present invention discloses an apparatus and method for defining and enforcing rules of transition between two security domains, e.g., a transport domain and a persistent security domain. In turn, a border guard, e.g., a security device, is provided between these two domains that enforces rules for transition between the two security domains. This novel approach of defining a transport domain and a persistent security domain simplifies the classification of the digital content and its movement through the system. Namely, the border guard, once established between the two systems, can enforce DRM rules associated with how contents are moved between the two domains.
Type: Grant
Filed: December 30, 2004
Date of Patent: April 10, 2012
Assignee: General Instrument Corporation
Inventors: John I. Okimoto, Bridget D. Kimball, Annie O. Chen, Michael T. Habrat, Douglas M. Petty, Eric Sprunk, Lawrence W. Tang
-
Patent number: 8149819
Abstract: An ENUM system includes a Web server and an ENUM server. The Web server stores first NAPTR records corresponding to an ENUM client and another ENUM client on an IP network. The ENUM server stores second NAPTR records in which first URIs are associated with predetermined information for being linked to the Web server. In the ENUM system, the ENUM client transmits, to the ENUM server, a query for the second NAPTR record of the other ENUM client. The ENUM client then transmits, to the Web server, a request for access to the first URI included in the received second NAPTR record, and obtains the first NAPTR record corresponding to the other ENUM client.
Type: Grant
Filed: June 27, 2005
Date of Patent: April 3, 2012
Assignee: Panasonic Corporation
Inventors: Kazuto Kobayashi, Akira Miyajima
-
Patent number: 8151339
Abstract: Multiple non-conflicting actions associated with filter rules may be located and applied to a packet using a single ACL lookup by causing action records to be created from ACEs in the ACL, and then causing the ACL lookup to return the action record rather than any one particular ACE. Radix tables may be created to enable a search engine to quickly locate the appropriate action record based on a particular set of attributes associated with the incoming packet. The action record can contain multiple actions taken from multiple ACEs that apply to the particular packet. By grouping all the actions into an action record, and then searching for an action record that applies to the packet, it is possible to apply all non-conflicting actions to the packet regardless of the number of ACEs that are used to specify those actions. Since all the actions are located together, the actions of all ACEs may be applied to a packet using a single ACL lookup.
Type: Grant
Filed: December 23, 2005
Date of Patent: April 3, 2012
Assignee: Avaya, Inc.
Inventors: Vikram Ramachandran, Alexandros Moisiadis, Mohnish Anumala, Debin Zhang, Hong-Zhou Li
-
Patent number: 8151348
Abstract: Presently disclosed are methods and apparatus for analyzing packets and packet flows to detect covert communications channels (including reverse tunnels) in real time. These systems actively probe a suspicious connection in ways that are not possible in prior art log-based techniques and may initiate countermeasures against discovered covert channels. The present system may be implemented in a network device, such as an intrusion detection system, content engine, or other intermediary device employing a web cache. Embodiments automatically detect suspicious activity at particular source addresses by using relatively simple tests to detect suspect packets that should receive more extensive scrutiny. After more rigorous secondary testing (optionally including active probing techniques), suspect packets are either returned to the occasionally-checked state or flagged for further action, such as raising an alert or taking automatic countermeasures against the covert channel or its originators.
Type: Grant
Filed: June 30, 2004
Date of Patent: April 3, 2012
Assignee: Cisco Technology, Inc.
Inventor: Mark Stuart Day
-
Patent number: RE43302
Abstract: An e-mail firewall (105) applies policies to e-mail messages (204) between a first site and a plurality of second sites in accordance with a plurality of administrator selectable policies (216). The firewall comprises a simple mail transfer protocol (SMTP) relay (202) for causing the e-mail messages (204) to be transmitted between the first site and selected ones of the second sites. A plurality of policy managers (216) enforce administrator selectable policies. The policies, such as encryption and decryption policies, comprise at least a first source/destination policy (218), at least a first content policy (202) and at least a first virus policy (224). The policies are characterized by a plurality of administrator selectable criteria (310), a plurality of administrator selectable exceptions (312) to the criteria and a plurality of administrator selectable actions (314, 316, 322) associated with the criteria and exceptions.
Type: Grant
Filed: May 29, 2007
Date of Patent: April 3, 2012
Assignee: Axway, Inc.
Inventors: Robert D. Dickinson, III, Sathvik Krishnamurthy