Virtual Private Network or Virtual Terminal Protocol (i.e., VPN or VTP) Patents (Class 726/15)
-
Patent number: 10187376
Abstract: Authentication of a networked device with limited computational resources for secure communications over a network. Authentication of the device begins with the supplicant node transmitting a signed digital certificate with its authentication credentials to a proxy node. Upon verifying the certificate, the proxy node then authenticates the supplicant's credentials with an authentication server accessible over the network, acting as a proxy for the supplicant node. Typically, this verification includes decryption according to a public/private key scheme. Upon successful authentication, the authentication server creates a session key for the supplicant node and communicates it to the proxy node. The proxy node encrypts the session key with a symmetric key, and transmits the encrypted session key to the supplicant node which, after decryption, uses the session key for secure communications. In some embodiments, the authentication server encrypts the session key with the symmetric key.
Type: Grant
Filed: July 28, 2016
Date of Patent: January 22, 2019
Assignee: TEXAS INSTRUMENTS INCORPORATED
Inventors: Kumaran Vijayasankar, Oliver Shih, Arvind K. Raghu, Ramanuja Vedantham, Xiaolin Lu
-
Patent number: 10187365
Abstract: The present invention relates to a method that may be used in a digital data communication system comprising a communication network constituted of a plurality of nodes, and a plurality of subscriber equipment units each connected to a node, includes: a transmission phase (P1) including the steps of limiting of the size of each frame to be transmitted, adding identification-authentication credentials, and transmitting the frames with a predetermined transmission interval; and a transmission phase (P2) including the steps of monitoring-checking for compliance with the input conditions; removal of each frame that is non-compliant, replicating each frame that is compliant, monitoring-checking for compliance with the output conditions, removing each frame that is non-compliant, transmitting each frame that is compliant, and recording and storing of the identification-authentication credential for each frame transmitted.
Type: Grant
Filed: December 9, 2015
Date of Patent: January 22, 2019
Assignee: THALES
Inventors: Patrice Georges Paul Toillon, Paul Marie Boivin-Champeaux, David José Faura, Michael André Templier, William Terroy
-
Patent number: 10187299
Abstract: The present invention enables the selection of network routes based on a combination of traditional route table entries and identity policy information determined dynamically for each network session. This enables a network operator to apply different policies to network entities presenting differing identity credentials. It also allows network operators to block access to networks and network resources when identity credentials are not provided or are unauthorized.
Type: Grant
Filed: April 22, 2016
Date of Patent: January 22, 2019
Assignee: BlackRidge Technology Holdings, Inc.
Inventor: John W. Hayes
-
Systems and methods for utilizing uni-directional inter-host communication in an air gap environment
Patent number: 10182075
Abstract: A request message is generated with a trusted network entity executing trusted code on a first network layer. The request message to target a non-trusted network entity executing non-trusted code on a second network layer. The request message is transmitted from the trusted network entity to the non-trusted network entity through at least a policy enforcement entity. The policy enforcement entity applies one or more network traffic rules to enforce a unidirectional flow of traffic from the first network layer to the second network layer. A response check message is generated with the trusted network entity. The response check message to determine whether response information is available on the non-trusted network entity in response to the request message. The response check message is transmitted from the trusted network entity to the non-trusted network entity through at least the policy enforcement entity.
Type: Grant
Filed: March 31, 2016
Date of Patent: January 15, 2019
Assignee: salesforce.com, inc.
Inventors: Benjamin Fry, Timothy Kral, Simon Chen, Andrey Falko
-
Patent number: 10171590
Abstract: A computer system implements a plurality of modules, including a tenant administration proxy that receives session credentials from a tenant application in the private communication system and authenticates the tenant application in response to the session credentials, a connector service that receives a bridge setup request from the tenant application and establishes a bridge connection with the tenant application in response to the bridge setup request; and a configuration manager that stores service information regarding a cloud-based service that is accessible through the computer system. The tenant administration proxy retrieves the service information from the configuration manager and provides the service information to the tenant application in response to a request from the tenant application, and wherein the connector service facilitates communication between the cloud-based service and an enterprise service in the private communication system over the bridge connection.
Type: Grant
Filed: January 9, 2017
Date of Patent: January 1, 2019
Assignee: CA, Inc.
Inventors: Venkatababji Sama, Akkamapet Palaniappan Sundarraj, Igor V. Balabine
-
Patent number: 10172027
Abstract: A communication device for reporting a wireless local area network (WLAN) connection status in a wireless communication system comprises a storage device for storing instructions and a processing circuit coupled to the storage device. The processing circuit is configured to execute the instructions stored in the storage device.
Type: Grant
Filed: July 19, 2017
Date of Patent: January 1, 2019
Assignee: HTC Corporation
Inventor: Chih-Hsiang Wu
-
Patent number: 10148696
Abstract: Some embodiments of the invention introduce cloud template awareness in the service policy framework. Some embodiments provide one or more service rule processing engines that natively support (1) template-specific dynamic groups and template-specific rules, and (2) dynamic security tag concepts. A service rule processing engine of some embodiments natively supports template-specific dynamic groups and rules as it can directly process service rules that are defined in terms of dynamic component groups, template identifiers, template instance identifiers, and/or template match criteria. Examples of such services can include any kind of middlebox services, such as firewalls, load balancers, network address translators, intrusion detection systems, intrusion prevention systems, etc.
Type: Grant
Filed: December 18, 2015
Date of Patent: December 4, 2018
Assignee: NICIRA, INC.
Inventors: Srinivas Nimmagadda, Jayant Jain, Anirban Sengupta, Subrahmanyam Manuguri, Alok S. Tiagi
-
Patent number: 10148550
Abstract: In some embodiments, an apparatus includes a network node configured to be included in a set of network nodes operatively coupled to a core network node. The network node is configured to receive a first packet and a second packet from a host device operatively coupled to the network node. The network node is configured to send the first packet to the core network node via a first path of a tunnel between the network node and the core network node. The first path of the tunnel has a first cost. The network node is configured to send the second packet to the core network node via a second path of the tunnel. The second path has a second cost different than the first cost.
Type: Grant
Filed: September 14, 2012
Date of Patent: December 4, 2018
Assignee: Juniper Networks, Inc.
Inventors: James Murphy, Nischal Sheth, Abhijit Choudhury, Raghavendra Mallya, Pranay Pogde, Phalguni Nanda, Jayabharat Boddu, Pradeep Sindhu
-
Patent number: 10135619
Abstract: A secure demand paging system (1020) includes a processor (1030) operable for executing instructions, an internal memory (1034) for a first page in a first virtual machine context, an external memory (1024) for a second page in a second virtual machine context, and a security circuit (1038) coupled to the processor (1030) and to the internal memory (1034) for maintaining the first page secure in the internal memory (1034).
Type: Grant
Filed: April 15, 2016
Date of Patent: November 20, 2018
Assignee: TEXAS INSTRUMENTS INCORPORATED
Inventors: Steven C. Goss, Gregory Remy Philippe Conti, Narendar M. Shankar, Mehdi-Laurent Akkar, Aymeric Vial
-
Patent number: 10135716
Abstract: A method and related apparatus for providing latency optimized segment routing tunnels is described herein and includes obtaining a latency metric for each segment that links respective pairs of nodes in a network, determining a tunnel through the network between a first endpoint and a second endpoint that is optimized for latency, and, once such a tunnel is determined, causing a packet to travel along the tunnel that is optimized for latency by encoding the packet with segment routing instructions for the network, wherein the network is configured to provide shortest paths according to a metric other than latency.
Type: Grant
Filed: January 15, 2016
Date of Patent: November 20, 2018
Assignee: Cisco Technology, Inc.
Inventors: Pierre Francois, Francois Clad, Alan Gous, Clarence Filsfils
-
Patent number: 10116646
Abstract: A Software-Defined Network (SDN) data-plane machine stores flow data and a hardware-trust key. The SDN data-plane machine receives and processes a hardware-trust challenge based on the hardware-trust key to generate and transfer a hardware-trust response. The SDN data-plane machine receives and routes user data based on the flow data. The SDN data-plane machine receives flow modification data from SDN controllers and determines if the SDN controllers are authorized by the hardware-trust controller before modifying the flow data. The SDN data-plane machine receives and routes additional user data responsive to the modified flow data. The SDN data-plane machine reports SDN controllers that attempt to modify the flow data but that are not authorized by the hardware-trust controller to modify the flow data.
Type: Grant
Filed: April 5, 2017
Date of Patent: October 30, 2018
Assignee: Sprint Communications Company L.P.
Inventors: Marouane Balmakhtar, Arun Rajagopal
-
Patent number: 10084750
Abstract: Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a firewall maintains multiple configuration schemes, each defining a set of administrator-configurable content filtering process settings. The firewall also maintains a security policy database including multiple firewall security policies. At least one of the firewall security policies includes an associated configuration scheme and an action to take with respect to a particular network session based on a set of source Internet Protocol (IP) addresses, a set of destination IP addresses and/or a network service protocol.
Type: Grant
Filed: August 7, 2017
Date of Patent: September 25, 2018
Assignee: Fortinet, Inc.
Inventor: William J. Crawford
-
Systems and methods for utilizing uni-directional inter-host communication in an air gap environment
Patent number: 10051005
Abstract: A request message is generated with a trusted network entity executing trusted code on a first network layer. The request message to target a non-trusted network entity executing non-trusted code on a second network layer. The request message is transmitted from the trusted network entity to the non-trusted network entity through at least a policy enforcement entity. The policy enforcement entity applies one or more network traffic rules to enforce a unidirectional flow of traffic from the first network layer to the second network layer. A response check message is generated with the trusted network entity. The response check message to determine whether response information is available on the non-trusted network entity in response to the request message. The response check message is transmitted from the trusted network entity to the non-trusted network entity through at least the policy enforcement entity.
Type: Grant
Filed: March 31, 2016
Date of Patent: August 14, 2018
Assignee: salesforce.com, inc.
Inventors: Benjamin Fry, Timothy Kral, Simon Chen, Andrey Falko
-
Patent number: 10033536
Abstract: Techniques described herein relate to generating and managing digital credentials using a digital credential platform in communication with various digital credential template owners and digital credential issuers. In some embodiments, a digital credential platform server may receive and coordinate requests and responses between the digital credential template owners and a set of digital credential issuers, to determine which digital credential issuers are authorized to issue digital credential based on which digital credential templates. The digital credential platform server may provide the authorized issuers with access to particular digital credential templates and the functionality to issue digital credentials to users based on any of the particular digital credential templates. Additional techniques described herein relate to tracking, analyzing, and reporting data metrics for issued digital credentials.
Type: Grant
Filed: March 25, 2016
Date of Patent: July 24, 2018
Assignee: CREDLY, INC.
Inventors: Mark Thomas Mercury, Kurt Jarin Schmidt
-
Patent number: 10033711
Abstract: Name information which is generated by using a value corresponding to a decryption key and address information of a key cloud device which provides a cloud-key management type decryption service in which the decryption key is used are stored in a storage of a directory service device in a manner to associate the name information with the address information, and a searching unit of the directory service device searches the storage by using the inputted name information to obtain address information corresponding to the inputted name information.
Type: Grant
Filed: July 16, 2014
Date of Patent: July 24, 2018
Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
Inventors: Tomohide Yamamoto, Go Yamamoto, Tetsutaro Kobayashi
-
Patent number: 10027491
Abstract: Disclosed are approaches for distributing credentials using derived credentials, such as by relaying a simple certificate enrollment protocol (SCEP) payload. A computing device configures a device profile corresponding to a client device. The device profile can include a SCEP payload. The computing device later receives an override for the SCEP payload from a broker service. In response, the computing device creates a copy of the device profile that includes the override for the SCEP payload. The computing device then sends the copy of the device profile to the client device.
Type: Grant
Filed: March 30, 2016
Date of Patent: July 17, 2018
Assignee: AIRWATCH LLC
Inventors: Urvashi Goverdhan, Sagar Date, Kiran Rohankar, Gaurav Halbe, Sridhara Babu Kommireddy, Daniel Quintas
-
Patent number: 10015094
Abstract: Techniques are described for managing customer-specified routing policies for network-accessible computing resources. In some situations, the customer-specified routing policies may be based at least in part on DNS (“Domain Name System”) information specified by a customer, such as if the customer specifies one or more target destinations to use with an indicated DNS domain name that are different from the destination IP address(es) provided for that DNS domain name by DNS servers—if so, the managing of such a DNS-based routing policy for that customer may include identifying when network-accessible computing resources provided to the customer send electronic communications to that DNS domain name, and causing those electronic communications to be redirected to the customer-specified target destination(s). Such customer-specified target destinations may include, in different situations, final destinations, intermediate destinations, etc., as well as identify particular routes.
Type: Grant
Filed: June 19, 2015
Date of Patent: July 3, 2018
Assignee: Amazon Technologies, Inc.
Inventors: Kyle Tailor Akers, Chao Yuan, Kevin Christopher Miller, Andrew Bruce Dickinson, Michael Siaosi Voegele, Daniel Lee McCarriar, Yohanes Santoso, David Brian Lennon
-
Patent number: 9979605
Abstract: Systems and methods for the management of virtual machine instances are provided. The hosted virtual machine networks are configured in a manner such that communications within the hosted virtual machine network are facilitated through a communication protocol. Illustrative embodiments of the systems and methods may be implemented on a virtual network overlaid on one or more intermediate physical networks that are used as a substrate network. Through the utilization of one or more virtual network mapping components in communication with the hosted virtual network components, communications to and from the hosted virtual networks can be processed by mapping relationships between the virtual network communication protocol and the router communication protocol. The mapping information can be provided in advance or as requested to the router components and hosted virtual network components to facilitate bi-lateral communications between the components.
Type: Grant
Filed: June 30, 2016
Date of Patent: May 22, 2018
Assignee: Amazon Technologies, Inc.
Inventor: Frederick David Sinn
-
Patent number: 9942251
Abstract: Detecting malware is disclosed. A candidate malware application is caused to be executed using a virtual machine. Traffic analysis is performed on network traffic associated with the execution of the candidate malware application. A determination is made as to whether the candidate malware application is malicious or not, based at least in part on the traffic analysis and an application type associated with the candidate malware application.
Type: Grant
Filed: October 30, 2015
Date of Patent: April 10, 2018
Assignee: Palo Alto Networks, Inc.
Inventors: Xinran Wang, Huagang Xie, Kyle Sanders
-
Patent number: 9936027
Abstract: Methods, systems, and computer readable media for application session sharing are disclosed. According to one method, the method includes receiving, from a first client node, a request for initiating a remote application session for interacting with an application instance by one or more users. The method also includes initiating the remote application session and configuring a remote control server for interacting with the remote application session. The method further includes providing communications between the first client node and the application instance associated with the remote application session using the remote control server.
Type: Grant
Filed: June 9, 2015
Date of Patent: April 3, 2018
Assignee: KEYSIGHT TECHNOLOGIES SINGAPORE (HOLDINGS) PTE. LTD.
Inventors: Andrey John Balogh, Noah Gintis, Alok Kumar Srivastava, Alexandru-Bogdan Stefan
-
Patent number: 9930013
Abstract: An intermediate device (such as a firewall) is disposed between first and second devices (such as a client and a server device, respectively). Communications between the first and second devices are intercepted in both directions by the intermediate device, which spoofs the receiving device by modifying messages sent by the transmitting device. The modified message uses a key held by the intermediate device instead of a key belonging to the sending device.
Type: Grant
Filed: November 14, 2014
Date of Patent: March 27, 2018
Assignee: Cisco Technology, Inc.
Inventor: Andrew E. Ossipov
-
Patent number: 9923871
Abstract: Virtual private network (VPN)-related techniques are described. The techniques provide intuitive mechanisms by which a client device more efficiently establishes a VPN connection. In one example, a client device includes a memory, processor(s), and a VPN handler. The VPN handler is configured to monitor actions initiated by one or more applications executable by the programmable processor(s), and determine whether each of the initiated actions requires a VPN connection via which to transmit outbound data traffic corresponding to a respective application of the one or more applications. The VPN handler is further configured to, in response to a detection that at least one initiated action requires the VPN connection via which to transmit the outbound data traffic, automatically establish the VPN connection to couple the client device to an enterprise network, and transmit the outbound data traffic corresponding to the respective application, via the VPN connection.
Type: Grant
Filed: February 15, 2017
Date of Patent: March 20, 2018
Assignee: Pulse Secure, LLC
Inventor: Thomas C. Chang
-
Patent number: 9923829
Abstract: A traffic management device (TMD), system, and processor-readable storage medium directed towards automatically configuring an AAA proxy device (also referred to herein as “the proxy”) to load-balance AAA request messages across a plurality of AAA server devices. In one embodiment the proxy receives an AAA handshake message from an AAA client device. The proxy forwards the handshake message to each of the plurality of server devices and, in reply, receives an AAA handshake response message from each of the plurality of server devices. The proxy extracts attributes from each of the handshake response messages and automatically configures itself based on the extracted attributes. The proxy then load-balances, modifies and/or routes subsequently received AAA request messages based on the extracted attributes.
Type: Grant
Filed: January 29, 2016
Date of Patent: March 20, 2018
Assignee: F5 Networks, Inc.
Inventors: Tao Liu, Song Bo Zheng
-
Patent number: 9916139
Abstract: The present invention includes systems and methods for retrieving information via a flexible and consistent targeted search model that employs interactive multi-prefix, multi-tier and dynamic menu information retrieval techniques (including predictive text techniques to facilitate the generation of targeted ads) that provide context-specific functionality tailored to particular information channels, as well as to records within or across such channels, and other known state information. Users are presented with a consistent search interface among multiple tiers across and within a large domain of information sources, and need not learn different or special search syntax. A thin-client server-controlled architecture enables users of resource-constrained mobile communications devices to locate targeted information more quickly by entering fewer keystrokes and performing fewer query iterations and web page refreshes, which in turn reduces required network bandwidth.
Type: Grant
Filed: February 22, 2016
Date of Patent: March 13, 2018
Assignee: TROPARE, INC.
Inventors: G. Gregory Carpenter, Timothy L Kay
-
Patent number: 9900214
Abstract: Techniques are described for providing managed virtual computer networks that may have a configured logical network topology with one or more virtual networking devices, with corresponding networking functionality provided for communications between multiple computing nodes of the virtual computer network by emulating functionality that would be provided by the networking devices if they were physically present. In some situations, the emulating of networking device functionality includes receiving routing communications directed to the networking devices and using included routing information to update the configured network topology for the managed computer network.
Type: Grant
Filed: November 30, 2015
Date of Patent: February 20, 2018
Assignee: Amazon Technologies, Inc.
Inventors: Kevin Christopher Miller, Eric Jason Brandwine, Andrew J. Doane
-
Patent number: 9882784
Abstract: A replication of a physical network is created in the cloud. The replicated network safely validates configuration changes for any hardware network device of the physical network and the physical network end state resulting from the changes without impacting the physical network steady state. The replicated network creates virtual machines on hardware resources provisioned from the cloud. The virtual machines emulate network device functionality and have the same addressing as the network devices. Nested overlay networks reproduce the direct connectivity that exists between different pairs of the network devices on the virtual machines. A first overlay network formed by a first Virtual Extensible Local Area Network (VXLAN) provides direct logical connections between the cloud machines on which the virtual machines execute.
Type: Grant
Filed: October 9, 2017
Date of Patent: January 30, 2018
Assignee: Tesuto LLC
Inventor: Hossein Lotfi
-
Patent number: 9877246
Abstract: A radio base station (10) of the present invention comprises: a determination unit (101) that determines whether to perform an off-the-air of a cell (11) managed by the local radio base station (10); a communication unit (102) that communicates with the other radio base stations (10) managing peripheral cells and with a communication provider apparatus (20) managing the bearer information of a user terminal (2); and a communication control unit (103). When it is determined that the off-the-air of the cell of the local radio base station (10) is to be performed, the communication control unit (103) transmits, to the other radio base stations (10) managing the peripheral cells, the authentication code of the user terminal (2) existing in the cell of the local radio base station (10).
Type: Grant
Filed: June 15, 2015
Date of Patent: January 23, 2018
Assignee: NEC CORPORATION
Inventor: Tsuneyuki Kikuchi
-
Patent number: 9871771
Abstract: Two endpoint devices communicate with one another in a secure session by negotiating encrypted communications at initial establishment of the session. Each endpoint device communicates its available security profiles to the other endpoint. A specific security profile is then selected that defines the data encryption and authentication used during the secure session between the two endpoint devices.
Type: Grant
Filed: November 25, 2014
Date of Patent: January 16, 2018
Assignee: NCR Corporation
Inventors: Stavros Antonakakis, Bradley William Corrion
-
Patent number: 9871823
Abstract: Examples may include techniques to securely provision, configure, and de-provision virtual network functions for a software defined network or a cloud infrastructure elements. A policy for a virtual network function may be received, at a secure execution partition of circuitry, and the virtual network function configured to implement the policy by the secure execution partition of the circuitry. The secure execution partition may connect to the virtual network function through a virtual switch and may cause the virtual network function to implement a network function based on the policy.
Type: Grant
Filed: December 23, 2014
Date of Patent: January 16, 2018
Assignee: Intel Corporation
Inventors: Kapil Sood, Manuel Nedbal, Thomas M. Slaight, Brian J. Skerry, Ren Wang
-
Patent number: 9864873
Abstract: A method, computer usable program product or system for automatically sharing a set of sensitive data in accordance with a set of predetermined policy requirements including receiving across a network a set of certified policy commitments for a node; authenticating the set of certified policy commitments; utilizing a processor to automatically determine whether the set of certified policy commitments satisfies the set of predetermined policy requirements; and upon a positive determination, transmitting across the network the set of sensitive data to the node.
Type: Grant
Filed: March 15, 2013
Date of Patent: January 9, 2018
Assignee: TrustArc Inc
Inventor: Daniel J. Guinan
-
Patent number: 9860758
Abstract: Methods and systems for determining placement of a virtual serving gateway. The method includes obtaining a set of input information. The input information includes network information and configuration information providing one or more parameters for placing the virtual serving gateway, and includes at least one mobility insensitivity criterion. Placement of the virtual serving gateway at one or more physical hosts is determined in accordance with the network information and the configuration information. The virtual serving gateway is distributively placeable across physical hosts. A set of output information is generated. The output information includes information identifying placement of the virtual serving gateway at the physical hosts, and a hosting percentage for each physical host.
Type: Grant
Filed: August 22, 2016
Date of Patent: January 2, 2018
Assignee: Huawei Technologies Co., Ltd.
Inventors: Xu Li, Ngoc-Dung Dao, Hang Zhang
-
Patent number: 9838947
Abstract: In general, techniques are described for atomically installing and withdrawing host routes along paths connecting network routers to attenuate packet loss for mobile nodes migrating among wireless LAN access networks and a mobile network. In some examples, whenever the mobile node moves from one attachment point to the next, it triggers the distribution of its host route from the new attachment point toward the service provider network hub provider edge (PE) router that anchors the mobile node on a service provider network. Routers participating in the Mobile VPN install the host route “atomically” from the attachment point to the mobile gateway so as to ensure convergence of the network forwarding plane with the host route toward the new attachment point prior to transitioning mobile node connectivity from a previous attachment point.
Type: Grant
Filed: February 8, 2016
Date of Patent: December 5, 2017
Assignee: Juniper Networks, Inc.
Inventors: Hendrikus G. P. Bosch, Martin Djernaes
-
Patent number: 9838284
Abstract: According to one aspect disclosed herein, a performance monitoring SDN controller can translate an intent specified by a performance monitoring application into a flow rule and an action set to be utilized by a performance monitoring SDN element to process a packet flow received from the target SDN network. The performance monitoring SDN controller can provide the flow rule and the action set to a performance monitoring SDN element, which can receive the packet flow from the target SDN network and can analyze the packet flow in accordance with the flow rule to match the packet flow to an action included within the action set. The performance monitoring SDN element can execute the action to monitor a performance metric of the packet flow and to provide a value for the performance metric to the performance monitoring application agent, which can generate a message that includes the value.
Type: Grant
Filed: October 14, 2015
Date of Patent: December 5, 2017
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Venson Shaw, Jin He
-
Patent number: 9825914
Abstract: The present disclosure presents a system, method and apparatus herein enabling secure coupling of a computing device, such as a mobile device with an endpoint, such as an application server. The computing device can include any electronic device such as a computer, a server, an application server, a mobile device or tablet. The endpoint can be any electronic device as well that is located within an enterprise network. In at least one embodiment, the secure coupling of the mobile device with a computing device can include a security gateway server. In one example, the security gateway server can be a tunnel service server. In another embodiment, an application server can include a tunnel service module to provide the secure coupling with the mobile device.
Type: Grant
Filed: April 29, 2015
Date of Patent: November 21, 2017
Assignee: BlackBerry Limited
Inventors: Jonathan Hong-Man Sau, Graham Russell, Bruno Richard Preiss, Ronesh Puri
-
Patent number: 9813913
Abstract: There is provided a method and apparatus for detecting an unauthorized access point. The method for detecting an unauthorized access point according to an embodiment of the present disclosure includes making an attempt to deliver, through an access point to a validation server, a message that includes network information regarding a network access of a terminal device and requests a validity verification of the network information; and determining that the access point is unauthorized when a response indicating that the network information is valid is not received from the validation server. According to the embodiment of the present disclosure, it is possible to implement a device for determining an unauthorized access point device in a general manner, independent of a specific device.
Type: Grant
Filed: October 21, 2014
Date of Patent: November 7, 2017
Assignee: SAMSUNG SDS CO., LTD.
Inventors: Seong-Myun Cho, Kyu-Hwan Yun
-
Patent number: 9800552
Abstract: Methods are disclosed for incorporating a security gateway within a wireless mesh network. In one embodiment, the wireless mesh network is a heterogeneous mesh network. In one embodiment, a gateway node, which is part of the wireless mesh network, requests a connection to the core network through a security gateway. The security gateway responds by creating an IPSec tunnel and a GRE tunnel within the IPSec tunnel from itself to the gateway node. Once the gateway node is communicatively coupled to the security gateway via secure tunneling, the gateway node sends a mesh routing protocol to the security gateway.
Type: Grant
Filed: September 27, 2016
Date of Patent: October 24, 2017
Assignee: Parallel Wireless, Inc.
Inventors: Sumit Garg, Kaitki Agarwal, Rajesh Kumar Mishra, David J. Ruffen
-
Patent number: 9794174
Abstract: Techniques are described that allow fast path delivery of content from content data networks directly to metro transport networks so as to bypass Internet service provider (ISP) networks. The metro transport network is positioned between subscriber devices and an Internet service provider network that authenticates the subscriber devices and allocates respective layer three (L3) addresses from an Internet Protocol (IP) network address prefix assigned to the Internet service provider network. Routers within the metro transport network, including an access router, ISP-facing provider edge routers and one or more peering routers, establish an EVPN within the metro transport network. The access router outputs, within the EVPN and to the peering router, an EVPN route advertisement that advertises network address reachability information of the subscriber devices (e.g., the IP network address prefix or MAC/IP address of the subscriber devices) on behalf of the Internet service provider network.
Type: Grant
Filed: September 30, 2015
Date of Patent: October 17, 2017
Assignee: Juniper Networks, Inc.
Inventors: Sachin S. Natu, Kireeti Kompella
-
Patent number: 9769662
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for performing multi-factor authentication. In one aspect, a method includes determining that a user has successfully completed an authentication factor, determining whether a mobile device associated with the user is proximate to a computer; and authenticating the user based on determining that the user has successfully completed the authentication factor, and that the mobile device is proximate to the computer.
Type: Grant
Filed: June 5, 2015
Date of Patent: September 19, 2017
Assignee: Google Inc.
Inventor: Jean Baptiste Maurice Queru
-
Patent number: 9762540
Abstract: Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a network connection is received at a networking subsystem of a firewall. The connection is characterized by a source IP address, a destination IP address and a network service protocol. The network service protocol of the network connection is determined. A matching firewall policy is identified for the connection. When the connection is allowed, it is redirected to a proxy module that is configured to support the network service protocol. A content processing configuration scheme identified by the matching firewall policy is retrieved that includes multiple content processing configuration settings, specifying whether a particular type of content filtering is to be performed, for each of multiple network service protocols.
Type: Grant
Filed: July 4, 2015
Date of Patent: September 12, 2017
Assignee: Fortinet, Inc.
Inventor: William J. Crawford
-
Patent number: 9762583
Abstract: Methods and apparatus are disclosed to provide protection against Unsolicited Communication (UC) in a network, such as, without limitation, an Internet Protocol (IP) Multimedia Subsystem (IMS). A communication may originate from a sending device and may be intended for delivery to a receiving device. A network may determine authentication information associated with the sending device. The network may send the authentication information to a receiving entity to evaluate if the communication is unsolicited using the authentication information. If the communication is determined to be acceptable, a connection associated with the communication may be allowed.
Type: Grant
Filed: October 22, 2010
Date of Patent: September 12, 2017
Assignee: InterDigital Patent Holdings, Inc.
Inventors: Louis J. Guccione, Inhyok Cha, Andreas Schmidt, Andreas Leicher, David G. Greiner, Dolores F. Howry
-
Patent number: 9756135
Abstract: A method for accessing network services from external networks includes receiving at a cloud-based server a bridge setup request from a private communication system, establishing a bridge connection between the cloud-based server and the private communication system, establishing a communication path between the cloud-based server and a cloud-based application, receiving a request from a cloud-based entity that is directed to an enterprise service hosted within the private communication system, transmitting the request to the enterprise service over the bridge connection, receiving a response from the enterprise service over the bridge connection, and transmitting the response to the cloud-based entity. Related computer program products and systems are also disclosed.
Type: Grant
Filed: September 11, 2014
Date of Patent: September 5, 2017
Assignee: CA, INC.
Inventors: Venkatababji Sama, Igor V. Balabine, Suril Desai, Akkamapet Palaniappan Sundarraj
-
Patent number: 9756527
Abstract: A communication device may be provided. The communication device may include: a packet generator configured to generate a packet including data for a second communication device and a header including an identifier identifying a communication service for the data and a transmitter configured to transmit the packet via a flow restriction device to the second communication device.
Type: Grant
Filed: October 2, 2012
Date of Patent: September 5, 2017
Assignees: INTEL CORPORATION, INTEL DEUTSCHLAND GMBH
Inventors: Achim Luft, Muthaiah Venkatachalam
-
Patent number: 9756018
Abstract: Techniques are described for providing users with access to computer networks, such as to enable users to interact with a remote configurable network service to create and configure computer networks that are provided by the configurable network service for use by the users. Secure private access between a computer network provided for a user by the configurable network service and one or more other remote computing systems of the user (e.g., a remote private network) may be enabled in various ways. For example, a user may programmatically invoke an API provided by the configurable network service to obtain assistance in establishing remote access from a remote location to a provided computer network of the configurable network service, such as to establish a VPN connection from the remote location to the provided computer network using hardware and/or software supplied to the remote location in response to the API invocation.
Type: Grant
Filed: June 10, 2016
Date of Patent: September 5, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Andrew J. Doane, Eric Jason Brandwine
-
Patent number: 9749293
Abstract: Systems and methods that efficiently combine multiple wireless networks or devices resulting in faster, more reliable, and more secure mobile Internet. A Virtual Private Network (VPN) service application is operated to route outgoing and incoming data packets of a mobile device. The mobile device is (i) either coupled to a remote server through the VPN service application for data packets transfer between the remote server and the mobile device or (ii) performs cross-layer translation for data packets transfer between the mobile device and direct target hosts on the Internet. Concurrently using multiple channels secures data packets transfer by sending encrypted data packets over multiple channels and receiving the encrypted data packets by a single apparatus. Data packets are designated to be transferred via a Wi-Fi channel or a cellular channel, and then transferred using both the Wi-Fi channel and the cellular channel.
Type: Grant
Filed: April 20, 2016
Date of Patent: August 29, 2017
Assignee: SHOELACE WIRELESS, INC.
Inventors: Minh Thoai Anh Le, James A. Mains
-
Patent number: 9742790
Abstract: Technologies for secure personalization of a security monitoring virtual network function (VNF) in a network functions virtualization (NFV) architecture include various security monitoring components, including a NFV security services controller, a VNF manager, and a security monitoring VNF. The security monitoring VNF is configured to receive provisioning data from the NFV security services controller and perform a mutually authenticated key exchange procedure using at least a portion of the provisioning data to establish a secure communication path between the security monitoring VNF and a VNF manager. The security monitoring VNF is further configured to receive personalization data from the VNF manager via the secure communication path and perform a personalization operation to configure one or more functions of the security monitoring VNF based on the personalization data. Other embodiments are described and claimed.
Type: Grant
Filed: September 25, 2015
Date of Patent: August 22, 2017
Assignee: Intel Corporation
Inventors: Kapil Sood, Manuel Nedbal
-
Patent number: 9742807
Abstract: A communication network can be constructed to support software-defined networking (SDN) protocols and network functions virtualization (NFV) protocols. Such a communication network can advantageously be operated at lower costs, increased flexibility and control, and with simplified management to name but a few. In addition to these advantages, various networking security aspects can be enhanced by leveraging the SDN/NFV architecture.
Type: Grant
Filed: November 19, 2014
Date of Patent: August 22, 2017
Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
Inventors: Gustavo de los Reyes, Roger Piqueras Jover
-
Patent number: 9742733
Abstract: A communication device includes a communication section and an encrypting section. When the communication section receives from a communication control device alternative address information indicating an address of an alternative device registered as a transfer destination after a communication request for communication with a specified device is transmitted to the communication control device, the communication section determines the alternative device as the communication partner and transmits to-be-transmitted data that is encrypted by the encrypting section to the alternative device. The transfer destination indicates a transfer destination of the data to be transmitted to the specified device.
Type: Grant
Filed: July 20, 2015
Date of Patent: August 22, 2017
Assignee: KYOCERA Document Solutions Inc.
Inventor: Masahiro Nishiyama
-
Patent number: 9742724
Abstract: Overhead of sending data from one application to another by doing input and output processing can be costly. The present invention provides a method of transmitting data with a low overhead between applications in a multi-tenant runtime environment. The multi-tenant runtime detects a connection between tenants, and then performs low-overhead data transmission mechanisms by cloning data from one tenant space to another tenant space, while keeping the data isolated for two tenants.
Type: Grant
Filed: September 9, 2014
Date of Patent: August 22, 2017
Assignee: International Business Machines Corporation
Inventor: Christopher N. Bailey
-
Patent number: 9742726
Abstract: Systems and methods for managing networking activities of a multi-tenant cloud computing environment. An example method may include distributing, by a controller node executed by a processing device, a dynamic host configuration protocol (DHCP) agent to each of a plurality of compute nodes of a computing environment; identifying, by the controller node, a first virtual machine hosted on a first compute node of the plurality of compute nodes; determining a first DHCP agent associated with the first virtual machine and the first compute node; and transmitting, by the controller node, networking information relating to the first virtual machine to the first DHCP agent hosted by the first compute node.
Type: Grant
Filed: February 26, 2015
Date of Patent: August 22, 2017
Assignee: Red Hat Israel, Ltd.
Inventors: Michael Kolesnik, Assaf Muller
-
Patent number: 9736108
Abstract: Overhead of sending data from one application to another by doing input and output processing can be costly. The present invention provides a method of transmitting data with a low overhead between applications in a multi-tenant runtime environment. The multi-tenant runtime detects a connection between tenants, and then performs low-overhead data transmission mechanisms by cloning data from one tenant space to another tenant space, while keeping the data isolated for two tenants.
Type: Grant
Filed: April 3, 2015
Date of Patent: August 15, 2017
Assignee: International Business Machines Corporation
Inventor: Christopher N. Bailey