Security Protocols Patents (Class 726/14)
  • Patent number: 9197607
    Abstract: Briefly, embodiments of methods or systems for providing enhancements to network security are disclosed.
    Type: Grant
    Filed: August 15, 2013
    Date of Patent: November 24, 2015
    Assignee: Yahoo! Inc.
    Inventor: William J. Mills
  • Patent number: 9172763
    Abstract: Various methods for server-side recordation and playback of a remote desktop session are provided. One example method may comprise receiving data related to a remote desktop protocol session. The method of this example embodiment may further comprise providing for storage of the data at a location other than the device associated with the remote desktop protocol client of the remote desktop protocol session. Furthermore, the method of this example embodiment may comprise receiving a request to reproduce the remote desktop protocol session. The method of this example embodiment may also comprise retrieving the data from storage. Additionally, the method of this example embodiment may comprise facilitating reproduction of at least a portion of the remote desktop protocol session based at least in part on the retrieved data. Similar and related example methods, apparatuses, systems, and computer program products are also provided.
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: October 27, 2015
    Assignee: Lenovo (Singapore) PTE. LTD.
    Inventors: Richard W. German, Tony E. Thompson, Eric T. Marshall
  • Patent number: 9141558
    Abstract: Techniques and apparatus for utilizing bits in a translation look aside buffer (TLB) table to identify and access security parameters to be used in securely accessing data are provided. Any type of bits in the TLB may be used, such as excess bits in a translated address, excess attribute bits, or special purpose bits added specifically for security purposes. In some cases, the security parameters may include an index into a key table for use in retrieving a set of one or more keys to use for encryption and/or decryption.
    Type: Grant
    Filed: November 7, 2014
    Date of Patent: September 22, 2015
    Assignee: International Business Machines Corporation
    Inventor: William E. Hall
  • Patent number: 9130755
    Abstract: A method provides cross enterprise communication in which intermediary communication components carry out cross enterprise communication. The method at a first sending enterprise includes: receiving a signed encrypted message from a sender within a first enterprise; validating the sender; decrypting the message; encrypting the message for receipt by a second enterprise; signing the encrypted message by the first enterprise; and sending the re-signed re-encrypted message to a second enterprise. The method at the second receiving enterprise includes: receiving a signed encrypted message from a first enterprise; validating that the first enterprise is the sender; decrypting the message; encrypting the message for receipt by one or more recipients at the second enterprise; signing the encrypted message by the second enterprise indicating that the message is from the first enterprise; and sending the re-signed re-encrypted message to the one or more recipients of the second enterprise.
    Type: Grant
    Filed: February 28, 2013
    Date of Patent: September 8, 2015
    Assignee: International Business Machines Corporation
    Inventors: Alan James Chatt, Christopher Colin Paice, Cyril Peter Stewart
  • Patent number: 9110920
    Abstract: A file handle produced by a file server is encoded into a pseudo-pathname used as a substitute for a pathname in a network file access protocol for accessing a file in the file server. The method avoids repeating a directory lookup and may permit the network file access protocol to access a file that has been renamed since the file handle was produced. The method is particularly advantageous for enabling a file server to use a CIFS client for virus checking or backup of a file modified by an NFS client. In a preferred implementation, the encoding of the file handle into a pseudo-pathname involves converting the file handle to an ASCII hexadecimal format to produce a component name, and appending the component name to a special name of a pseudo-directory of file handles of files in a file system.
    Type: Grant
    Filed: May 3, 2007
    Date of Patent: August 18, 2015
    Assignee: EMC Corporation
    Inventors: Augustine Amegadzie, Frank S. Caccavale, Xiaoye Jiang, Ka-Lai Wei
  • Patent number: 9112750
    Abstract: A job management server for managing a plurality of jobs to be executed by a virtual computer generated on a computer, a job management part to manage information on a job net which configures a plurality of jobs and allocate a plurality of jobs included in a job net to the virtual computer, and a recovery part to monitor an execution status of each of the plurality of jobs included in the job net and perform recovery processing, wherein the job management server is configured to: specify a target job for changing allocation, in a case where a failure has occurred in a first virtual computer to execute a first job included in the first job net; determine a performance of a virtual computer required to execute the target job.
    Type: Grant
    Filed: May 31, 2011
    Date of Patent: August 18, 2015
    Assignee: HITACHI, LTD.
    Inventor: Yohey Ishikawa
  • Patent number: 9092620
    Abstract: A monitoring apparatus includes a memory which stores a program for executing procedures and a processor coupled to the memory which executes the procedures based on the program, wherein the procedures include detecting a destination of access from a server apparatus to a storage apparatus on the basis of a result of analysis of a packet transmitted and received between the storage apparatus and the server apparatus, the storage apparatus including a plurality of storage areas, the server apparatus executing a plurality of virtual servers, part of the plurality of storage areas being allocated to each of the plurality of virtual servers as an accessible storage area, and determining that abnormal access is performed from the server apparatus to the storage apparatus when the storage areas of the detected destination are beyond a certain criterion in the plurality of storage areas.
    Type: Grant
    Filed: August 7, 2012
    Date of Patent: July 28, 2015
    Assignee: FUJITSU LIMITED
    Inventors: Masanobu Morinaga, Nobuyuki Kanaya
  • Patent number: 9088430
    Abstract: Remote field testing of mobile communication devices is described herein. By way of example, network initiated data received at a mobile device or like device activated on a mobile network can be monitored. Further, an over the air (OTA) message sent by the mobile network to the monitored device can be identified. If pertinent to a test device or an application of the test device, the OTA message can be forwarded to the test device. In addition, an IP network, satellite network, or the other suitable remote network can be utilized to forward the OTA message. Accordingly, field testing can be implemented at a convenient place remote from the mobile network, reducing or avoiding time and cost associated with local field testing at wireless access points of the mobile network.
    Type: Grant
    Filed: May 16, 2008
    Date of Patent: July 21, 2015
    Assignee: QUALCOMM Incorporated
    Inventor: Rana Huq
  • Patent number: 9076011
    Abstract: Provided is a system in which two or more clients, each including an application program that transmits a network access request, and a server are able to communicate, wherein at least one client includes first control means for controlling the access request transmitted to the server, based on a security level assigned to the application program, and the server includes second control means for determining whether the first control means has been introduced to the client that has transmitted the access request, authorizing the access request when the determination result is positive, and controlling the access request based on a security level assigned to an access target when the determination result is negative.
    Type: Grant
    Filed: June 1, 2011
    Date of Patent: July 7, 2015
    Assignee: NEC CORPORATION
    Inventor: Takayuki Sasaki
  • Publication number: 20150150114
    Abstract: In order to provide secure user access to a device or service on a remote network, upon receipt of a request to access the device or service on a portal on a central server, a request is sent to a probe application installed on the remote network to establish a secure link to the central server. A message is then sent to the user directing the user to initiate a specific session request to the central server. The session request is cross connected to the probe application installed on the remote network over the secure link to establish a secure tunnel to the probe application. A secure user session is set up through the secure tunnel to the device or service via the probe application.
    Type: Application
    Filed: January 30, 2012
    Publication date: May 28, 2015
    Applicant: MARTELLO TECHNOLOGIES CORPORATION
    Inventors: Bill Kuker, Ryan Tenney, Clement Tse
  • Publication number: 20150150115
    Abstract: A method for the transmission of a message by a server of a multimedia IP core network is disclosed. In one aspect, following the reception, by the server, of a request from a terminal to register with the core network, the registration request proposing an authentication method for the establishment of a secure tunnel between the terminal and an entity for the connection of the terminal to the core network. The transmission method may comprise identifying an access network used by the terminal for registering with the multimedia IP core network, drawing-up, according to the identified access network, a recommendation concerning the establishment or otherwise of the secure tunnel between the terminal and the connection entity for the authentication method, and inserting said recommendation into the message transmitted by the server.
    Type: Application
    Filed: June 27, 2013
    Publication date: May 28, 2015
    Inventors: Jean-Claude Le Rouzic, José Doree
  • Patent number: 9038162
    Abstract: Implementations of the present invention efficiently establish secure connections between a client and server, at least in part by authenticating the client and server early on in the connection setup phases. A client initiating a connection with a server identifies the secure communication protocols enabled at the client, and identifies these protocols in a connection request it sends to the server. The server processes the message and responds with a communication protocol it deems appropriate for the connection. The client and server then exchange appropriate authentication information, and then establish a connection session that implements the chosen communication protocol, and encrypts messages using the negotiated communication protocol. Additional implementations relate to reestablishing dropped connections behind virtual Internet Protocol addresses, without necessarily having to recommit much connection resource overhead.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: May 19, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Costin Hagiu, Elton Saul, Rajneesh Mahajan, Sergey A. Kuzin, Joy Chik, John E. Parsons, Ashwin Palekar, Ara Bernardi
  • Patent number: 9031536
    Abstract: The invention is directed to systems and methods for detecting the loss, theft or unauthorized use of a device and/or altering the functionality of the device in response. In one embodiment, a device monitors its use, its local environment, and/or its operating context to determine that the device is no longer within the control of an authorized user. The device may receive communications or generate an internal signal altering its functionality, such as instructing the device to enter a restricted use mode, a surveillance mode, to provide instructions to return the device and/or to prevent unauthorized use or unauthorized access to data. Additional embodiments also address methods and systems for gathering forensic data regarding an unauthorized user to assist in locating the unauthorized user and/or the device.
    Type: Grant
    Filed: April 2, 2008
    Date of Patent: May 12, 2015
    Assignee: Yougetitback Limited
    Inventors: William Fitzgerald, Peter Bermingham, Frank Hannigan, Paul Prendergast
  • Patent number: 9032506
    Abstract: Described in an example embodiment herein is a Multiple Application Container. Various embodiments of the Multiple Application Container may include, but are not limited to: (1) managed intranet access via a dedicated Virtual Private Network (VPN) tunnel shared amongst applications within the container, (2) managed file/data encryption, (3) native look and feel applications for the base Operating System (OS), (4) isolation from any non-OS based services on the device, and/or (5) Mobile Device Management (MDM) based capabilities, such as policy enforcement.
    Type: Grant
    Filed: August 9, 2012
    Date of Patent: May 12, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Vincent E. Parla, Brian Henry Pescatore, Timothy Steven Champagne
  • Patent number: 9032505
    Abstract: A computing device includes: a processing unit; and memory encoding instructions that, when executed by the processing unit, cause the processing unit to: receive a request from a client computing device; establish a first secured connection to the client computing device; select a server computing device from a plurality of server computing devices to service the request from the client computing device, selection being made based, at least in part, upon load balancing considerations; establish a second secured connection to the server computing device, the second secured connection being separate from the first secured connection; and allow the client computing device to securely communicate with the server computing device through the first and second secured connections.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 12, 2015
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Michael Thomas McCormick, Jonathan Francis Savage, Michael Charles Dayton, Robert Henry Hughes, Michael Alan Krumpus, Mathew Loesch, Nathan Thangavadivel Suri
  • Publication number: 20150128248
    Abstract: A method for containing a threat in network environment using dynamic firewall policies is provided. In one example embodiment, the method can include detecting a threat originating from a first node having a source address in a network, applying a local firewall policy to block connections with the source address, and broadcasting an alert to a second node in the network. In more particular embodiments, an alert may be sent to a network administrator identifying the source address and providing remedial information. In yet other particular embodiments, the method may also include applying a remote firewall policy to the first node blocking outgoing connections from the first node.
    Type: Application
    Filed: October 30, 2014
    Publication date: May 7, 2015
    Inventors: Manabendra Paul, Praveen Ravichandran Sudharma
  • Patent number: 9027115
    Abstract: A method for connecting a first network device to a second network device includes receiving a request to resolve a network address of the second network device. The request includes a name associated with the second network device that corresponds to the network address. The request is evaluated to confirm that the name is registered with a name service that facilitates resolving the name and facilitates establishing communication links, which use encryption, between the first network device and the second network device over the network. It is determined whether the second network device is available to establish the communication link. If so, the communication link is automatically established, including sending a signal to a provisioning server to provision the first network device or the second network device with a resource for the communication link.
    Type: Grant
    Filed: September 10, 2014
    Date of Patent: May 5, 2015
    Assignee: VirnetX, Inc.
    Inventors: Victor Larson, Robert Dunham Short, III, Edmund Colby Munger, Michael Williamson
  • Patent number: 9027138
    Abstract: Novel solutions for detecting and/or treating malware on a subscriber's premise network. Such solutions can include, but are not limited to, tools and techniques that can detect, and/or enable the detection of, malware infections on individual subscriber devices within the subscriber's network. In a particular embodiment, for example, a premise gateway, or other device on the subscriber's premise network, is configured to analyze packets traveling through the premise gateway and, based on that analysis, identify one or more subscriber devices that are infected with malware.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: May 5, 2015
    Assignee: CenturyLink Intellectual Property LLC
    Inventors: Michael Glenn, Donald J. Smith, John Butala
  • Patent number: 9027114
    Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: May 5, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Aamer S. Akhter, Rajiv Asati, Brian Weis, Mohamed Khalid
  • Patent number: 9021577
    Abstract: A network element (NE) comprising a memory device configured to store instructions, and a processor configured to execute the instructions by dividing a first plurality of data packets of a data flow into a first plurality of sub-flows, and causing the first plurality of sub-flows to be transmitted to a second NE via a network, wherein the first plurality of sub-flows are transmitted using a first Internet Protocol Security (IPsec) security association (SA) cluster comprising a plurality of parallel sub-SAs. The disclosure also includes a NE comprising a processor configured to create an IPsec SA cluster comprising a first plurality of sub-SAs between the NE and a second NE using an internet key exchange (IKE) or an IKEv2, wherein the first sub-SAs are unidirectional, and wherein the first sub-SAs are configured to transport a first plurality of data packets in a common direction.
    Type: Grant
    Filed: March 28, 2013
    Date of Patent: April 28, 2015
    Assignee: Futurewei Technologies, Inc.
    Inventors: Jifei Song, Xiaoyong Yi, Xiangyang Zhang
  • Patent number: 9021573
    Abstract: A method and a system are disclosed that enable an address at the edge router to be used to establish a multi-pipe virtual private network (MVPN) connecting controllers to multiple web enabled end user devices (EUDs) inside a security protected local area network (LAN). The EUDs connect to a central server (CS) outside the LAN during configuration establishing registration and identity (ID) for each EUD. Once the EUDs establish connection from inside the LAN, the CS is enabled to communicate with the EUDs using the address and ID provided during registration. The CS then acts as a facilitator establishing secure VPN connection between controllers in the cloud and the EUDs inside the LAN. CS further acts as a pass through for those LANs that do not allow direct connections to controllers outside the LAN. The CS continues to monitor the health of the overall system once connectivity is established.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: April 28, 2015
    Assignee: Cradle Technologies
    Inventors: Ramachandran Natarajan, Suhas S. Patil
  • Patent number: 9021090
    Abstract: The communications management systems manage access to a local area network or network content by external users, applications, and devices. The systems and methods are implemented on a network appliance to manage content within the network and facilitate content transmission through a firewall that separates the network from a larger networking environment, such as the World Wide Web.
    Type: Grant
    Filed: May 29, 2012
    Date of Patent: April 28, 2015
    Assignee: Seagate Technology LLC
    Inventors: James A. Savage, Tim Bucher
  • Patent number: 9021545
    Abstract: In one embodiment, a first instruction prescribing a setting for a feature is defined. A second instruction prescribing a first action is defined. A third instruction prescribing a second action is defined. It is determined whether the feature is present in a computing device, and if present, whether the feature is set to the setting. The first action is initiated if the feature is present and not set to the setting. The second action is initiated if the feature is not present.
    Type: Grant
    Filed: August 31, 2010
    Date of Patent: April 28, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Matthew Deter, Douglas T. Albright, Kimberly G. Drongesen, John K. Gonsalves, Daryl Wong, Shivaun Albright
  • Patent number: 9021576
    Abstract: It is so arranged that an encryption key can be shared with a communication apparatus that participates in a network anew, even in an ad-hoc-mode type of environment. In order to achieve this, a communication apparatus determines whether it possesses an encryption key shared with another communication apparatus and, in accordance with the result of the determination, initiates a sharing process for sharing the encryption key with a first communication apparatus from the communication apparatus after the sharing process for sharing the encryption key has been initiated from the first communication apparatus.
    Type: Grant
    Filed: August 5, 2008
    Date of Patent: April 28, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Fumihide Goto
  • Patent number: 9021272
    Abstract: The present invention relates to key management in a secure microcontroller, and more particularly, to systems, devices and methods of automatically and transparently employing logic or physical address based keys that may also be transferred using dedicated buses. A cryptographic engine translates a logic address to at least one physical address, and processes a corresponding data word based on at least one target key. The target key is selected from a plurality of keys based on the logic or physical address. A universal memory controller stores each processed data word in the corresponding physical address within a memory. Each key is associated with a memory region within the memory, and therefore, the logic or physical address associated with a memory region may be used to automatically identify the corresponding target key. A dedicated secure link may be used to transport key request commands and the plurality of keys.
    Type: Grant
    Filed: August 28, 2012
    Date of Patent: April 28, 2015
    Assignee: Maxim Integrated Products, Inc.
    Inventors: Vincent Debout, Frank Lhermet, Yann Yves René Loisel, Grégory Rome, Christophe Tremlet
  • Patent number: 9021251
    Abstract: A communication network is operated by receiving traffic from a user device at a gateway device associated with a gateway service provider, which manages gateways to both secure and insecure networks. The gateway uses security policies to determine if traffic is destined to the secure or insecure network and applies appropriate policies which cause the traffic to be routed, dropped, or analyzed.
    Type: Grant
    Filed: November 2, 2009
    Date of Patent: April 28, 2015
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Deepak Chawla, William R. Beckett, III
  • Patent number: 9015823
    Abstract: Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall sends the packet back to the managed switching element through the software port.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: April 21, 2015
    Assignee: Nicira, Inc.
    Inventors: Teemu Koponen, Ronghua Zhang, Pankaj Thakkar, Martin Casado
  • Patent number: 9015486
    Abstract: Systems, devices, and methods for outputting an alert on a mobile device to indicate the use of a weak hash function are disclosed herein. In one example embodiment, the method comprises receiving data (e.g. from a server) that identifies at least one first hash function, identifying a hash digest generated using a second hash function, determining if the second hash function is weak using the received data, and outputting an alert indicating that the second hash function is weak if it is determined that the second hash function is weak.
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: April 21, 2015
    Assignee: BlackBerry Limited
    Inventors: Christopher L. Bender, Michael K. Brown, Michael S. Brown
  • Patent number: 9015471
    Abstract: A wide area network using the internet as a backbone utilizing specially selected ISX/ISP providers whose routers route packets of said wide area network along private tunnels through the internet comprised of high bandwidth, low hop-count data paths. Firewalls are provided at each end of each private tunnel which recognize IP packets addressed to devices at the other end of the tunnel and encapsulate these packets in other IP packets which have a header which includes as the destination address, the IP address of the untrusted side of the firewall at the other end of the tunnel. The payload sections of these packets are the original IP packets and are encrypted and decrypted at both ends of the private tunnel using the same encryption algorithm using the same key or keys.
    Type: Grant
    Filed: September 10, 2013
    Date of Patent: April 21, 2015
    Assignee: AlterWAN, Inc.
    Inventor: Richard D. Haney
  • Patent number: 9008056
    Abstract: Remote access for a terminal to a first network via a second network is managed; the first network being linked to the second network via a network apparatus. At the level of the network apparatus, there is received, from the terminal via the second network, a request for remote access to the first network indicating access information comprising a first parameter corresponding to a physical address of the terminal and a second parameter corresponding to a secret key of the gateway. The network apparatus thereafter decides whether the terminal is authorized to remotely access the first network on the basis of said access information. This network apparatus subsequently emits, bound for the terminal via the second network, a message indicating whether the terminal is authorized to remotely access the first network.
    Type: Grant
    Filed: June 23, 2009
    Date of Patent: April 14, 2015
    Assignee: Orange
    Inventors: Erwan Le Ber, Philippe Hemon
  • Patent number: 9009811
    Abstract: An appliance has a communication network with a plurality of nodes for executing commands to enable operation by components. A firewall is provided to restrict access to the commands by the nodes without a password.
    Type: Grant
    Filed: October 31, 2007
    Date of Patent: April 14, 2015
    Assignee: Whirlpool Corporation
    Inventors: Matthew P. Ebrom, Mark E. Glotzbach, Patrick J. Glotzbach, Richard A. McCoy, Daniel M. Putnam, Andrew D. Whipple
  • Patent number: 9003512
    Abstract: A content protection management system that enables interoperability with other Content Protection and DRM technologies. A managed security domain provides a simple, consistent and reliable experience to whole-home network subscribers. The architectural concept for the whole-home network includes an underlying control plane with an overlaying content security control plane running a particular DRM technology.
    Type: Grant
    Filed: July 20, 2010
    Date of Patent: April 7, 2015
    Assignee: Cox Communications, Inc.
    Inventors: Francisco Gonzalez, Edgar V. Shrum, Jr.
  • Patent number: 9003509
    Abstract: A method and system for improving the security and control of internet/network web application processes, such as web applications. The invention enables validation of requests from web clients before the request reaches a web application server. Incoming web client requests are compared to an application model that may include an allowed navigation path within an underlying web application. Requests inconsistent with the application model are blocked before reaching the application server. The invention may also verify that application state data sent to application servers has not been inappropriately modified. Furthermore, the invention enables application models to be automatically generated by employing, for example, a web crawler to probe target applications. Once a preliminary application model is generated it can be operated in a training mode. An administrator may tune the application model by adding a request that was incorrectly marked as non-compliant to the application model.
    Type: Grant
    Filed: December 10, 2008
    Date of Patent: April 7, 2015
    Assignee: F5 Networks, Inc.
    Inventor: David Movshovitz
  • Patent number: 8997234
    Abstract: A system and method in one embodiment includes modules for identifying an asset with a vulnerability risk, identifying a service running on a port on the asset, identifying a connection to the port, calculating an operational dependence role of the asset as a function of the service and the connection, and modifying the vulnerability risk based on the operational dependence role. Other embodiments include identifying a protocol of a data packet at the port, classifying the protocol into a protocol category with a protocol importance score, calculating a connection average for the asset, classifying the connection average into a connection category with a connection score, and calculating a service dependence score. Other embodiments include calculating a host dependence score, assigning a data importance score to data communicated by the asset, and calculating the operational dependence role as a function of the host dependence score and data importance score.
    Type: Grant
    Filed: July 27, 2011
    Date of Patent: March 31, 2015
    Assignee: McAfee, Inc.
    Inventors: Stuart McClure, Michael Morgan Price
  • Patent number: 8997205
    Abstract: A method and apparatus for providing a secure domain name services by utilizing a hypervisor to provide an isolated execution environment in which a secure browser session can be instantiated. The secure browser session utilizes a secure DNS server to provide domain name services.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: March 31, 2015
    Assignee: Symantec Corporation
    Inventor: Vijay Anand Seshadri
  • Patent number: 8997208
    Abstract: A VPN gateway device is able to assign, manage, and terminate a large volume of connections from apps executing on devices, enabling a large scale per-app VPN mobile environment. When a mobile device user opens an app on a mobile device, a VPN gateway transmits a unique IP address to the app. The gateway also transmits an app federation cookie to the app. The app shares the app federation cookie with a second app. The VPN gateway then assigns the second app the same unique IP address. The gateway then transmits a range of ports to the first app. The app uses a port in the range of ports for data transmission from the device to the VPN gateway. The gateway receives a data transmission from the first app via a VPN and determines that the data transmission originated from the first app based on the source port.
    Type: Grant
    Filed: August 14, 2014
    Date of Patent: March 31, 2015
    Assignee: Mocana Corporation
    Inventors: Timothy S. Champagne, Kevin P. Fox, Daniel Murphy, Brian H. Pescatore, Kenneth J. Wante
  • Patent number: 8984618
    Abstract: Disclosed is a system for managing virtual private networks (VPNs) that includes: terminals configured to transmit user data; a manager configured to transmit information for concealing networks and managing the VPNs; border gateways configured to decrypt the user data and perform a network address translation (NAT) procedure and a filtering procedure on the decrypted user data based on the information; and servers configured to receive the user data subjected to the NAT procedure and the filtering procedure, wherein the filtering procedure is a procedure discarding the user data to be transferred to the servers that are not allowed so as to allow the terminals to access only the allowed servers, the NAT procedure is a procedure changing an Internet protocol (IP) address used in a first network to an IP address used in a second network, and the first network and the second network are different networks.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: March 17, 2015
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Ho Sun Yoon, Sung Back Hong, Jung Sik Kim, Seong Moon, Sun Cheul Kim, Seung Woo Hong, Sang Jin Hong, Pyung Koo Park, Young Soo Shin, Ho Yong Ryu, Soon Seok Lee
  • Patent number: 8984619
    Abstract: According to one aspect, the subject matter described herein includes a method for communicating an encrypted data packet. The method includes steps occurring at a first gateway node. The method also includes receiving a data packet from a first host. The method further includes determining that a first security association (SA) instance associated with the data packet is in an inactive state. The method further includes identifying a second SA instance that is both associated with the data packet and in an active state. The method further includes forwarding the data packet to the second SA instance.
    Type: Grant
    Filed: July 12, 2013
    Date of Patent: March 17, 2015
    Assignee: Genband US LLC
    Inventors: Allain Legacy, Matthew Lorne Peters
  • Patent number: 8984614
    Abstract: The present invention provides a unique way of implementing the SOCKS protocol for establishing connections through a firewall. In general, instead of having a SOCKS server implemented entirely in the firewall, SOCKS servers are implemented on both a server and a client, which are configured to communicate with each other through the firewall. The SOCKS servers on the server and client allow multiple objects on both the server and the client to communicate with each other through a single port through the firewall, wherein the SOCKS servers on the server and the client cooperate with each other and their respective objects to allow the objects to establish the connections.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: March 17, 2015
    Assignee: Rockstar Consortium US LP
    Inventor: Mathew John
  • Patent number: 8984157
    Abstract: Aspects of the invention are directed to a method and system for discovering business content transfer paths in a network using file transfer information, and for calculating business risk per network component in a network. A method according to an embodiment includes: obtaining file transfer information for a plurality of file transfers between a plurality of nodes within a network; generating a confidence of correlation for each pair of file transfers in the plurality of file transfers; determining interdependencies between the plurality of file transfers based on the confidence of correlation for each pair of file transfers; and determining a business content transfer path based on the interdependencies between the plurality of file transfers.
    Type: Grant
    Filed: July 18, 2012
    Date of Patent: March 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Vedika Dalmia, Thomas I. Lewin, James W. Smith, Peter F. Weller
  • Patent number: 8976798
    Abstract: An approach for providing secure communication services is disclosed. A secure (e.g., a Virtual Private Network (VPN)) tunnel is established from a source node over an access network, such as a satellite network, to a destination node, wherein the nodes are external to the network. A connection that supports a mechanism for enhancing performance of the network is established for a portion of the secure tunnel that traverses the network.
    Type: Grant
    Filed: January 28, 2003
    Date of Patent: March 10, 2015
    Assignee: Hughes Network Systems, LLC
    Inventors: John Border, Douglas Dillon, Peter Pardee
  • Patent number: 8978126
    Abstract: A method at a computing client located behind a NAT and restrictive-access firewall, including establishing a control connection with a TCP TURN server utilizing a port capable of traversing the restrictive-access firewall; requesting an allocation of a client service identity from the TCP TURN server; and receiving, from the TCP TURN server, a response containing the client service identity, the client service identity being independent of any port used to communicate with the TCP TURN server. Further, a method at a TCP TURN server, including listening on a first port for communications from a computing client, the computing client being behind a restrictive-access firewall and the first port capable of traversing the restrictive-access firewall; establishing a control connection with the client on the first port; receiving a request for an allocation of a client service identity from the computing client; and sending a response containing the client service identity.
    Type: Grant
    Filed: October 29, 2012
    Date of Patent: March 10, 2015
    Assignee: BlackBerry Limited
    Inventors: Bruno Richard Preiss, Kaiduan Xie, Jonathan Hong-Man Sau
  • Patent number: 8973127
    Abstract: A method, apparatus, and computer-readable media are presented that provide a configuration for communications through network address translation. The configuration includes receiving, by a computer device, a packet comprising a predetermined value indicating support by a node for an extension of a communications protocol, wherein the communications protocol is used for communications across a network translator device and the extension is capable of traversing network address translation, and in response to said receiving, determining that the node sending the packet supports the extension of the communications protocol.
    Type: Grant
    Filed: August 26, 2013
    Date of Patent: March 3, 2015
    Assignee: SSH Communications Security Oyj
    Inventors: Tero Kivinen, Tatu Ylonen
  • Patent number: 8973142
    Abstract: According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received.
    Type: Grant
    Filed: July 2, 2013
    Date of Patent: March 3, 2015
    Assignee: Imperva, Inc.
    Inventors: Amichai Shulman, Michael Cherny, Sagie Dulce
  • Patent number: 8973126
    Abstract: A method, apparatus, and computer-readable media are presented that provide a configuration for communications through network address translation. The configuration includes receiving, by a computer device, a packet comprising a predetermined value indicating support by a node for an extension of a communications protocol, wherein the communications protocol is used for communications across a network translator device and the extension is capable of traversing network address translation, and in response to said receiving, determining that the node sending the packet supports the extension of the communications protocol.
    Type: Grant
    Filed: August 26, 2013
    Date of Patent: March 3, 2015
    Assignee: SSH Communications Security OYJ
    Inventors: Tero Kivinen, Tatu Ylonen
  • Patent number: 8973089
    Abstract: Exemplary embodiments involve a computing system requesting and receiving a socket policy file from a policy file server via a secure socket connection, identifying that the security policy requires communicating with a content server via a secure socket connection, and communicating with the content server via a second secure socket connection. The socket policy file specifies a security policy governing socket connections to a content server over a transport protocol layer. Additional embodiments involve requesting a socket policy file via a non-secure socket connection, receiving (via the non-secure socket connection) a placeholder socket policy file requiring requests for socket policy files to be communicated via a secure socket connection, establishing a secure socket connection with the policy file server, and submitting a request for the socket policy file to the policy file server via the secure socket connection.
    Type: Grant
    Filed: August 8, 2011
    Date of Patent: March 3, 2015
    Assignee: Adobe Systems Incorporated
    Inventors: Magnus H. Ma, Rajesh K. Gwalani
  • Publication number: 20150058921
    Abstract: Disclosed are systems and methods to provide application acceleration as a service. In one embodiment, a system includes a head office to serve an enterprise application comprised of a collaborative document. The system also includes a branch office to request the collaborative document from the head office. The enterprise application may also include a computed document and/or a static document. In addition, the system also includes a set of Point of Presence (POP) locations between the head office and the branch office to communicate the collaborative document, the computed document and the static document on behalf of the head office from a closest POP location to the head office to a closest POP location to the branch office and then onward to the branch office.
    Type: Application
    Filed: October 30, 2014
    Publication date: February 26, 2015
    Inventors: Rajeev Bharadhwaj, Ajit Gupta, Ashwath Nagaraj
  • Publication number: 20150058628
    Abstract: Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filters communications based on a process' operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system.
    Type: Application
    Filed: September 9, 2014
    Publication date: February 26, 2015
    Inventors: David Abzarian, Salahuddin Khan, Eran Yariv, Gerardo Diaz Cuellar
  • Patent number: 8966598
    Abstract: A group video messaging method stores user information identifying authorized users of a video messaging system, and provides a user interface to the video messaging system. The user interface permits authorized users to transfer video files to the video messaging system for storage and retrieval, and to identify criteria for other authorized users to access each transferred video file. The method also stores in the video messaging system the video files transferred to the system by the authorized users; stores information identifying the user that transferred each stored video file to the video messaging system, and the criteria for authorized users to access the stored video files; and stores information identifying different groups of the authorized users and which of the stored video files are to be accessible to each of the authorized users or authorized user groups.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: February 24, 2015
    Assignee: LiveQoS Inc.
    Inventors: Ryan Brink, Pranay Kumar, Gregory Flatt, Desmond McNamee
  • Patent number: 8966589
    Abstract: Methods, systems, and computer-readable media for exception handling of interactive communications privileges governing interactive communications with entities outside a domain are disclosed. The interactive communications privileges may have been learned through domain administrator configuration or may have been self-learned without domain administrator input. The interactive communications privileges can be used to process interactive communications requests between entities inside a domain and entities outside the domain. Exceptions to the interactive communications privileges can be requested by user entities inside the domain for interactive communications with entities outside the domain. In this manner, if the interactive communications privileges are not sufficient according to user entities inside the domain, the user entities inside the domain can request exceptions for other interactive communications privileges with entities outside the domain.
    Type: Grant
    Filed: August 24, 2011
    Date of Patent: February 24, 2015
    Assignee: Avaya Inc.
    Inventor: John H. Yoakum