Entries

Document | Title | Date |
--- | --- | --- |
20080209536 | Updating Parameters in a Bridged Multistandard Home Network - The invention relates to the field of home networks, in particular to the connection of two home networks of different types via a gateway. The network appliances in the network of the first type are also intended to be able to control the network appliances in the network of the second type, and vice versa. One problem that occurs when carrying out conversion processes on control messages is that an input parameter which is known in the network of the first type can be changed as required and can also be signaled further within this network, but the associated correspondence in the network of the second type is permanently set, and accordingly cannot be changed. The invention provides a way in which an input parameter such as this can nevertheless be likewise updated in the network of the second type. For this purpose, the network station which relates to the input parameter is first of all logged off in the network of the second type. The changed input parameter is then converted to the information element in the network of the second type. The network station which relates to the input parameter is then logged on again in the network of the second type. This results in the network stations in the network of the second type being able to newly read the appliance description for the network station which relates to the input parameter. This then also results in the input parameter being updated in the network of the second type. | 08-28-2008 |
20080209537 | Self-Initiated End-to-End Monitoring of an Authentication Gateway - An example embodiment of the present invention provides processes relating to self-initiated end-to-end monitoring for an authentication gateway. In one particular implementation, the authentication gateway periodically creates and stores a temporary logon for access to a network and then sends a message including the temporary logon over a secure connection to a client. When the client receives the temporary logon, the client responds to the message by attempting to access a configurable network site. The authentication gateway redirects the client to a captive portal which prompts the client for a logon and the client enters the temporary logon at the captive portal. Then upon validating the temporary logon against the stored temporary logon, the authentication gateway authorizes access to the network. If the client successfully accesses the site, the client sends a verification report to the authentication gateway indicating successful access. Otherwise, the client reports on the failed access. | 08-28-2008 |
20080209538 | Strategies for Securely Applying Connection Policies via a Gateway - A strategy is described for securely applying connection policies in a system that includes a first entity (e.g., a TS client) connected to a second entity (e.g., a TS server) via a gateway using a remote-operating protocol (e.g., RDP). The strategy involves establishing a first secure channel between the gateway and the TS server and transmitting policy information from the gateway to the TS server. The strategy then involves deactivating the first secure channel and setting up a second secure channel between the TS client and the TS server. The strategy uses the second secure channel to transmit RDP data from the TS client to the TS server. The TS server uses the previously-transmitted policy information to determine whether to enable or disable a feature that affects the TS client, such as device redirection. | 08-28-2008 |
20080209539 | System and method for preventing service oriented denial of service attacks - A method, system, and computer program product for preventing network service attacks, including processing a message to validate the message for message version and syntax via a security firewall; canonicalizing the message and extracting a message header and body via a converter; converting the body into a Patricia Trie via the converter; and validating the header and the converted body for security via a comparator. | 08-28-2008 |
20080216167 | PROXY CONNECTION METHOD AND ADAPTER TO IMS/MMD NETWORK - A client for IPv4 having a SIP function sends a first REGISTER to the adapter. Then, the adapter executes an authentication sequence of EAP-AKA for an access gateway connected at the boundary between an IMS/MMD network and the IPv4 network, then establishes the tunnel connection. Then, the adapter generates a second REGISTER corresponding to IPv6 based on the first REGISTER corresponding to IPv4. And, the adapter sends the second REGISTER to a SIP server connected to the IMS/MMD network through the tunnel connection to the access gateway. | 09-04-2008 |
20080229403 | Method and apparatus for providing wireless services to mobile subscribers using existing broadband infrastructure - Techniques for providing wireless services to mobile subscribers using existing broadband network infrastructures are described herein. In one embodiment, in response to a request received at a gateway device from a mobile subscriber over a radio access network (RAN) for accessing a service provider network, the gateway device authenticates the mobile subscriber for accessing the RAN, where the gateway device interfaces the RAN and the existing broadband network. Upon successfully authenticating the mobile subscriber for accessing the RAN, the gateway device accesses a network service provider over the existing network to acquire a network address on behalf of the mobile subscriber, optionally using at least a portion of credentials derived from the authentication, where the network address allows the mobile subscriber to access the service provider network. Other methods and apparatuses are also described. | 09-18-2008 |
20080235782 | PROVIDING REMOTE SERVICES TO LEGACY APPLICATIONS - A developer can provide complex services to existing legacy applications using one or more components configured to tap into a service abstraction framework. In one implementation, for example, a developer of a remote service provider adds one or more authentication attributes to the remote service provider, and further creates a local client driver that incorporates a client proxy. When a legacy application generates a function request (e.g., to print, send a text message, initiate a voice communication), the client proxy intercepts the request through an appropriate communication subsystem, and relays the request to the server proxy. The server proxy determines the extent to which authentication measures may be required. If required, the client proxy can initiate out-of-band processing with various authentication managers to validate/process the request at the remote service provider. | 09-25-2008 |
20080235783 | P-GANC OFFLOAD OF URR DISCOVERY MESSAGES TO A SECURITY GATEWAY - In one embodiment, a security gateway receives an IPSec Initiation (IPSec INIT) request from a client. The security gateway may communicate with a AAA server to authenticate the client. After authentication, the security gateway intercepts a URR Discovery request from the client. The security gateway determines registration information for a response to the registration request. The registration information may be information on where the client can locate a D-GANC. A response is generated using the determined information and sent to the client. The response to the discovery request is performed without communicating with a P-GANC. Accordingly, a security gateway is used to authenticate the client and also to respond to the discovery request. This does not require that a P-GANC function be deployed in a network. Thus, cost and processing power may be saved. | 09-25-2008 |
20080235784 | Gateway log in system with user friendly combination lock - A user-friendly gateway log-in system for validation of a user's identity for entry into a master security website that provides a gateway to a plurality of different subscriber websites includes: (a) a plurality of user computers; (b) an internet; (c) a host server connected to the internet for connection to user computers; and (d) a website program hosted on the host server for a website that requires individual user security, for connecting each of the plurality of computers to the website available to the user computers, that includes an open log-in field. The program has software for secured activity for receiving and recognizing a unique user identification from a user of a user computer to create a personal combination lock rule for a unique easy-to-remember user initialization input that includes a preset selection and operation of the intersection of a first randomly arranged challenge presentation and a second randomly arranged challenge presentation to obtain a selection solution. Successful solution by a user provides access to the gateway for entry into any subscriber website without website-specific log-in. | 09-25-2008 |
20080244724 | Consumer computer health validation - Consumer computers that are not properly configured for safe access to a web service are protected from damage by controlling access to web services based on the health of the client computer. A client health web service receives health information from the client computer, determines the health status of the consumer computer, and issues a token to the consumer computer indicating its health status. The consumer computer can provide this token to other web services, which in turn may provide access to the consumer computer based on the health status indicated in the token. The client health web service may be operated as a web service specifically to determine the health of consumer computers or may have other functions, including providing access to the Internet. Also, the health information may be proxied to another device, such as a gateway device, that manages interactions with the client health web service. | 10-02-2008 |
20080250490 | Authenticated session replication - Apparatus, systems, and methods may operate to receive, at an authentication agent in a first local area network (LAN), a virtual proxy authentication identification from a virtual proxy serving as a single point of trust for a second LAN across a wide area network. The virtual proxy authentication identification may be included in a modified session message originated within the second LAN. As a result, the apparatus, systems, and methods can operate to transmit content associated with the modified session message to a first plurality of individual proxy modules in the first LAN. Additional apparatus, systems, and methods are disclosed. | 10-09-2008 |
20080256620 | Default Internet Traffic and Transparent Passthrough - A method for routing packets sent from a user to the Internet is provided for systems in which the user is connected to a private network. The method includes: extracting a source network address from the packet; using said source network address to retrieve a user profile for the user; examining said user profile to determine whether to route the packet through the private network or to route the packet directly to the Internet; and routing said packet according to said profile. This allows a user or network provider to choose whether to route packets destined for the Internet directly to the Internet rather than through the private network, thus preventing excessive network traffic on the private network. | 10-16-2008 |
20080282337 | CONTENT FILTERING OF REMOTE FILE-SYSTEM ACCESS PROTOCOLS - Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a transparent proxy running within a network gateway logically interposed between a client and a server intercepts remote file-system access protocol requests/responses. Responsive to receipt of a remote file-system access protocol request from the client, the network gateway issues the remote file-system access protocol request to the server on behalf of the client. The network gateway buffers into a holding buffer associated with the network gateway data being read from or written to a file associated with a share of the server. Then, responsive to a predetermined event in relation to the remote file-system access protocol or the holding buffer, the network gateway determines the existence or non-existence of malicious, dangerous or unauthorized content contained within the holding buffer by performing content filtering on the holding buffer. | 11-13-2008 |
20080282338 | SYSTEM AND METHOD FOR PREVENTING THE RECEPTION AND TRANSMISSION OF MALICIOUS OR OBJECTIONABLE CONTENT TRANSMITTED THROUGH A NETWORK - A system for preventing the reception and transmission of malicious or objectionable content transmitted through a network. A thin client is installed upon a user computer and is associated with a web browser computer program installed upon the user computer, the thin client and web browser being coupled to a web proxy server with a network service provider. At least one protective server is intermediate the web proxy server and the network, the protective server being dedicated to detecting a type of malicious or objectionable content and acting to deter the reception of detected content by the user computer. At least one reference library contains a profile defining malicious or objectionable content, the protective server utilizing the library to identify the malicious or objectionable content. | 11-13-2008 |
20080289029 | METHOD AND SYSTEM FOR CONTINUATION OF BROWSING SESSIONS BETWEEN DEVICES - A system and method are provided for continuing a browsing session initiated with a first client machine and a web site. The browsing session may be continued on a second client machine by tracking the navigation history associated with the browsing session of the first client machine. The navigation history comprises at least an address of a last viewed web page of the web site. Continuation of the browsing session is further facilitated by collecting at least one web cookie during the browsing session that is dependent upon the interaction between the first client machine and the web site. In this way, in order to allow switching between client machines to continue the browsing session, the navigation history and the at least one web cookie are provided from the second client machine to the web site to restore and resume the browsing session at the point that it was previously terminated. | 11-20-2008 |
20080301796 | Adjusting the Levels of Anti-Malware Protection - A client transmits requests via a gateway to a server in a network environment. The requests indicate content on a server to be transmitted as part of a download process. The gateway receives into its memory the requested content and also maintains characteristics of the server and the client. The gateway adjusts the depth of scanning of the content for malware based on the retrieved server and client characteristics in order to optimize a balance between effectiveness of anti-malware scanning and the resulting user experience. | 12-04-2008 |
20080301797 | Method for providing secure access to IMS multimedia services to residential broadband subscribers - The present invention provides a method for providing secure access for a communication unit to an IP Multimedia Network in a communication system. The communication system includes a local area network (LAN), an Internet, and the IP Multimedia Network. A first secure connection is established between the LAN and the IP Multimedia Network. The first secure connection traverses the Internet. Secure access is provided to the communication unit by utilizing the first secure connection and a second connection between the communication unit and the LAN. | 12-04-2008 |
20080307518 | Security in communication networks - Disclosed is a method including allowing an application server to request setup of a session on behalf of a user terminal, and using mechanisms of a generic peer authentication procedure for enabling authentication of the application server to an interrogating server, the interrogating server being a network element that is configured to process said request to set up a session on behalf of a user terminal. Also disclosed are related devices, systems and computer programs. | 12-11-2008 |
20080313728 | INTERSTITIAL PAGES - A reverse proxy server can provide access to web applications. The reverse proxy system can produce interstitial pages not generated with the web application code and optionally block access to the web application until the interstitial pages have been processed. | 12-18-2008 |
20080313729 | Method and Apparatus for Automatic Filter Generation and Maintenance - A method is disclosed for automatic filter generation and maintenance. From information transmitted on a network, a first device identifier and a second device identifier are detected. Based on the first and second device identifiers, a filter is automatically configured to deny network-transmitted information that attempts to establish an association between the first device identifier and a device identifier other than the second device identifier. | 12-18-2008 |
20080320582 | REAL-TIME INDUSTRIAL FIREWALL - Employing a real-time firewall to secure components of an automation control network from unauthorized communication to or from such components is disclosed herein. A monitoring component can inspect at least a portion of an instance of communication directed toward or originating from a component of the automation control network. Such inspection can, e.g., be a deep packet inspection based on information received from a communication request and/or response protocol. A filtering component can selectively admit or deny propagation of the instance of communication based on the inspection and a predetermined security criterion. In such a manner, the subject innovation can provide for limited access to network components from office network machines and for securing components of an automation control network from influence by unauthorized entities. | 12-25-2008 |
20080320583 | Method for Managing a Virtual Machine - Methods for managing a virtual machine wherein an administration console (AC) ( | 12-25-2008 |
20090007252 | System and Method for Implementing Proxy-Based Auto-Completion on a Network - A system and method for implementing forward proxy based auto-completion on a network, wherein the network includes a data center, at least one forward proxy, and a collection of clients coupled to the at least one forward proxy. The data center marks at least one input field in an application as relevant for auto-completion. In response to detecting a first client accessing the at least one input field in the application to input at least one data entry, the forward proxy parses the at least one data entry entered into the at least one input field. The forward proxy ranks by frequency of entry the at least one data entry entered into the at least one input field. In response to detecting a second client accessing the at least one input field in the application to input at least one data entry, the forward proxy performs auto-completion on the at least one input field, wherein the auto-completion includes displaying a collection of past data entries in an order of the ranking to facilitate completion of the at least one input field. | 01-01-2009 |
20090007253 | FILTERING TECHNIQUE FOR PROCESSING SECURITY MEASURES IN WEB SERVICE MESSAGES - A message gateway apparatus is provided for use in a web service system to process a message containing a request for a destination web service application, in which the message includes a plurality of events within a structured document conforming to a web service protocol and each event of the plurality of events has a name and a content thereof. The message gateway apparatus comprises a message parsing module configured to sequentially identify the events of the plurality of events of the message, an input object creation module configured to sequentially extract the events of the plurality of events from the message parsing module, and a message filtering module configured to sequentially access the events of the plurality of events as the events are extracted from the message parsing module by the input object creation module to analyze the name of each event and perform security processing on the content of each event for which the corresponding name indicates that security measures have been applied according to a security protocol. The input object creation module is configured to construct an input object including input parameters for the destination web service application based on the message. The input object creation module constructs the input object by adding a representation of each event of the plurality of events to the input object after each event is accessed by the message filtering module. | 01-01-2009 |
20090013399 | Secure Network Privacy System - The invention provides a method and system of receiving communications from a network device in a network to a source of network data and establishing a secure and/or authenticated network connection between the network device and the source that appears to the network device as a direct connection to the source of network data. Broadly conceptualized, the method and system may also include a parsing module that modifies the network data passing back and forth between the network device and the source of network data. | 01-08-2009 |
20090019535 | METHOD AND REMOTE SYSTEM FOR CREATING A CUSTOMIZED SERVER INFRASTRUCTURE IN REAL TIME - A system and method enabling the creation of a server environment in real or near-real time. Major elements of the system include a provisioning engine that controls server chassis coupled to a frontend network and a backend network. The frontend network enables connection of any server to the Internet or an intranet through a firewall and IDS security systems. The backend network couples specific servers to specific storage resources of a network storage. A GUI or direct API functions enable a user to specify server environment parameters, and the provisioning engine then controls the frontend and backend networks and other system elements to create the specified server environment. | 01-15-2009 |
20090019536 | AUTOMATIC IP NETWORK DETERMINATION AND CONFIGURATION FOR EDGE DEVICES - A method of self-configuration of a network device having at least one network connection port, comprising the steps of, after booting of the network device, actively probing a network in which the network device is located and analysing data packets received on the port(s), attempting to determine a network configuration for all network connections the device can make according to information extracted from the received data packets, and configuring device settings according to the network configuration determined. | 01-15-2009 |
20090037999 | Packet filtering/classification and/or policy control support from both visited and home networks - A method of supporting access to a selected Internet Protocol (IP) multimedia application via an IP Multimedia Subsystem (IMS) is provided for a roaming mobile node (MN)—i.e., user equipment (UE) ( | 02-05-2009 |
20090044261 | SYSTEM AND METHOD FOR SECURE DUAL CHANNEL COMMUNICATION THROUGH A FIREWALL - A server including a dual channel communications module operable to establish a communication session between the server and a client is provided. The server may be operable to receive a dual channel communication packet from the client. In a particular embodiment, the dual channel communication packet may include a header in a data payload. The header includes a client external IP address, and the data payload includes an encoded port command having a client internal IP address and a client data port number. A codec operable to decode the port command may also be provided. The server may also include a translation module for retrieving the client external IP address from the header. In a particular embodiment, the server is operable to establish data channel coordinates including the client external IP address, the client data port number, a server internal IP address and a server data port number. | 02-12-2009 |
20090044262 | METHOD, SYSTEM AND SOFTWARE FOR MAINTAINING NETWORK ACCESS AND SECURITY - A system, method and apparatus for securing communications between a trusted network and an untrusted network are disclosed. A perimeter client is deployed within the trusted network and communicates over a session-multiplexing-enabled protocol with a perimeter server deployed within a demilitarized zone network. The perimeter client presents make-available requests and communication initiation requests to the perimeter server, which presents corresponding sockets to the untrusted network. The session multiplexing capabilities of the protocol used between the perimeter server and perimeter client permit a single communication session therebetween to support a plurality of communication sessions between the perimeter server and the untrusted network. In the event data flows across the communication sessions are encrypted, decryption of the data flows is left to the components at the end points of the communication session, thereby restricting exposure of privileged information to areas within trusted networks. | 02-12-2009 |
20090049537 | System and Method for Distributed Multi-Processing Security Gateway - A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that the same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, more capable security gateways are provided. | 02-19-2009 |
20090049538 | Identifier Authenticating System - There is provided an identifier authenticating system in which information requesting users can share all the predetermined information held in a plurality of information providing servers. In the identifier authentication system, when an identifier holding user | 02-19-2009 |
20090055920 | Systems And Methods For Establishing A Communication Session Among End-Points - Systems and methods for establishing a communications session among end-points are shown and described. The method can include receiving, from a client computing device at a gateway computing device, a request to establish a communication session with an end-point, the client computing device executing a program that locates address information for the end-point within application output displayed at the client computing device, and forwarding at least a portion of the received request to a private branch exchange in communication with the gateway computing device, the at least a portion of the received request including the address information of the end-point and address information associated with an end-user of the client computing device. | 02-26-2009 |
20090064306 | Network access control based on program state - A gateway controls access to a region of a network by either granting or denying a client machine access to the network region based on whether a particular program is running on the client machine. A program is installed on the client machine which sends a detectable indication that the program is running. When it is detected that the program is running, the gateway allows the client machine access to the network region. When the program is not detected to be running, the gateway denies the client machine access to the network region. | 03-05-2009 |
20090064307 | Systems and/or methods for streaming reverse HTTP gateway, and network including the same - In certain example embodiments of this invention, there are provided systems and/or methods for a streaming reverse HTTP gateway, and/or networks including the same. In such a network, a reverse HTTP gateway is located within a demilitarized zone (DMZ) disposed between public (or external) and private (or internal) networks for providing security therebetween. Requests from external clients may be streamed from the external network to the internal network over various connections and ports, including a substantially persistent reverse connection between an internal server and a reverse HTTP gateway. The reverse HTTP gateway architecture of certain example embodiments removes the need for proprietary protocols implemented between the reverse HTTP gateway located in the DMZ and the internal server located in the internal network. In certain example embodiments, the reverse HTTP gateway architecture is configured to leverage the capabilities of HTTP 1.1. | 03-05-2009 |
20090064308 | SECURITY GATEWAY SYSTEM, METHOD THEREOF, AND PROGRAM - A non-secure network gateway | 03-05-2009 |
20090064309 | BROWSER PLUG-IN FIREWALL - A browser plug-in firewall manages data exchanged between a browser and a plug-in according to a pre-defined list of rights. | 03-05-2009 |
20090070865 | Security proxy service - A secure proxy service has been developed to authorize pre-defined individuals (defined as a “Security Agent”) to gain access to otherwise privileged information/premises when an individual has “gone missing”. The individual subscribing to the service defines and retains control of various factors such as: the time period to trigger the proxy service (i.e., missing for several days, missing for several weeks, etc.), the types of information to be accessed (i.e., only email, both premises and email, bank accounts, etc.), and the like. Once activated, the proxy allows the authorized individual(s) to gain access to the person's residence, computer accounts, bank accounts, etc. (via previously-executed “power of attorney” documents, when necessary) in an attempt to find clues regarding the missing person's location. | 03-12-2009 |
20090083846 | SYSTEM AND METHOD FOR SECURITY MANAGEMENT OF HOME NETWORK - A security management system of a home network is provided. The home network includes a home gateway and one or more user devices connected to the home gateway. The security management system further includes a security management server adapted to provide a security management service for the home network. Within the home network, a security management module is disposed to provide a security service for the user devices within the home network. The user devices and the device where the security management module is located have unique device identifications, and the home network has a unique network identification. By way of the home gateway, the security management server communicates with the security management module. With the network identification and the device identification, the security management server and the security management module achieve security management for the home network through a registration of the home network and a registration of the user device. A security management method of home network devices is also provided. | 03-26-2009 |
20090089872 | Communication network access - A method of routing traffic between external users and a communication network via a private access network. The method comprises establishing a secure outer tunnel between the private network and a gateway of a public access network to which the private network is coupled, based upon authentication of the private network to the public access network, said gateway being coupled to said communication network. For each external user wishing to connect to the communication network via the private network, a secure inner tunnel is established between the user and the gateway based upon authentication of the user to the gateway, the inner tunnel being within said outer tunnel. Traffic is caused to flow between external users and the gateway through the respective inner tunnels. | 04-02-2009 |
20090089873 | SERVER MESSAGE BLOCK (SMB) SECURITY SIGNATURES SEAMLESS SESSION SWITCH - The present invention relates to systems, apparatus, and methods of securely transmitting data between a client and a server. The method includes receiving an initial security message from the client. The security message is to establish security between the server and the client. Further, the client's security parameters are set to enabled and not required. The method further includes forwarding the initial security message to the server and intercepting a security response from the server. The response includes security data and security parameters set to enabled and required. The method includes extracting the security data from the security response, and using the security data to establish a secure socket connection between the proxy server and the server. Furthermore, the method alters the request by changing the security parameters to not enabled and not required, and transmits the altered request and establishes a non-secure socket connection. | 04-02-2009 |
20090094693 | Access technology indication for proxy mobile internet protocol version 6 - A Local Mobility Anchor/Agent (LMA), on seeing a Proxy Binding Update (PBU) with a same Network Access Identifier (NAI) but with a different access technology indication or interface identifier can assign a unique prefix to a mobile node (MN) via a PBAck message. The unique prefix avoids the creation of a duplicate address that would conflict with the address assigned to another interface that was configured using a prefix provided by the LMA. This solution can enable an MN to attach to different Mobility Access Gateways (MAGs) that are in different access networks of differing technologies but attached to the same LMA (i.e. the MAGs and the LMA are in the same PMIP6 domain) and not cause conflicts in prefix assignment or confuse the LMA into thinking that the MN had performed a handover (HO). | 04-09-2009 |
20090106830 | Secure Network Communication System and Method - A secure network communication system and method for secure data exchange using transmission control protocol are disclosed. The system provides for data exchange between a client and a server, by way of an agent and a broker interconnected to exchange data over an unsecured network link. Upon receipt of a control packet from the client, the broker forwards a modified control packet to the agent using a secure protocol. The agent then inspects the modified control packet and forwards it to the server. Upon receipt of a response packet from the server, the agent forwards the response packet to the broker using a secure protocol and upon receipt of the response packet, the agent modifies the response packet and forwards it to the client. In the case that the exchange of control packets indicates establishment of a TCP session, the agent and the broker establish a data channel between themselves to create a transparent TCP channel between the client and the server. | 04-23-2009 |
20090113536 | Digital Rights Management (DRM) Enabled Portable Playback Device, Method and System - A method for enabling access to digital rights managed (DRM) content from a server to a portable playback device using a device that functions as a proxy for enabling communication between the server and the portable playback device. The method provides for establishing a connection with a device capable of operating as a gateway device for passing data between the portable playback device and the server, requesting that the device establish a connection with the server and operate as a proxy for enabling data exchange between the portable playback device and the server, sending to the server, upon establishing the connection with the server via the device operating as a proxy, data indicating DRM solutions supported by the portable playback device, and a list comprising requested DRM content to be downloaded to the portable playback device, and receiving from the server, via the device operating as a proxy, the requested DRM content and DRM rules associated with the received content. | 04-30-2009 |
20090113537 | PROXY AUTHENTICATION SERVER - Techniques and systems for allowing a client to interact with a Microsoft Windows Server via a proxy authentication server are disclosed. Instead of engaging in the NTLM authentication protocol with a Microsoft Windows Server directly, a client may interact with a proxy authentication server. The proxy authentication server may perform all of the necessary NTLM interactions with the Microsoft Windows Server. Thus, the proxy authentication server authenticates itself with the Microsoft Windows Server, and acts as the client's agent. Because the client does not directly interact with the Microsoft Windows Server, the client does not need to authenticate itself with the Microsoft Windows Server; instead, after the proxy authentication server authenticates itself with the Microsoft Windows Server, the client can transact the client's business with the Microsoft Windows Server through the authenticated proxy authentication server. The proxy authentication server can act on behalf of multiple different clients in a network. | 04-30-2009 |
20090113538 | Method and system for controlling access for mobile agents in home network environments - Disclosed is a method and system for controlling access for a mobile agent in a home network environment. The method includes the steps of: issuing a role ticket to the mobile agent; verifying access authority to service requested by the mobile agent through the role ticket; and granting the mobile agent access authority to the service. Accordingly, a table for managing access authority of a user is distributed to devices, so that it is possible to provide the mobile agent access control method and system capable of minimizing network traffic in the home network environment. | 04-30-2009 |
20090113539 | GATEWAY SYSTEM AND METHOD FOR IMPLEMENTING ACCESS TO VARIOUS MEDIA - A gateway system for implementing access to various media is provided in the invention, and the gateway system includes: a communication media access module, for establishing a communication link with the corresponding media access network; a Media Independent Handover Functions module, for seamless handover between accesses to various media; and a handover decision module, for selecting a target network for the seamless handover. The gateway system may also include an authentication module, for sharing the authentication information of the User Equipment. Two methods for implementing access to various media are further disclosed in the invention. By the provided gateway system and methods, the User Equipment can access various media via the gateway system, seamlessly hand over between accesses to various media and achieve the access to a service network using the shared authentication information. | 04-30-2009 |
20090119766 | Method for Remotely Accessing a Local Area Network, and Switching Node for Carrying Out the Method - The invention relates to the technical field of data transmission in a network of distributed stations. One problem particularly with a UPnP-based home network is that although the network-internal communication is based on the IP protocol, the allocated IP addresses are valid only locally and they therefore cannot be accessed via the Internet. This is the starting point of the invention, which proposes that remote access to the network have the network's switching node provide address conversion which is effected using an internally managed table about the devices which are present in the network and their IP addresses. For the remote access, the globally valid IP address of the switching node is used, with an additional information item being additionally provided in the HTTP Get remote access and allowing the address conversion. A suitable additional information item is the converted local IP address of the network station which is to be addressed, in particular. The response to the remote access involves the inverse address conversion, so that the references back to the local area network again contain the globally valid address of the switching node plus the additional information item. | 05-07-2009 |
20090119767 | FILE LEVEL SECURITY FOR A METADATA CONTROLLER IN A STORAGE AREA NETWORK - A storage gateway is employed as part of a security enhancing protocol in a data processing system which includes at least one metadata controller node and at least one application node which is granted a time limited access to files in a shared storage system. The gateway is provided with information as to data blocks to which access is to be allowed and also with information concerning the duration of special access granted to a requesting application node. This insures that metadata cannot be improperly used, changed or corrupted by users operating on an application node. | 05-07-2009 |
20090119768 | Using Application Gateways to Protect Unauthorized Transmission of Confidential Data Via Web Applications - A security gateway receives messages transmitted between a server and a client device on a network and parses the messages into a plurality of data objects, such as strings and name-value pairs. The data objects may represent user personal identification information, such as user name, social security number, credit card number, patient code, driver's license number, and other personal identification information. The security gateway uses rules to recognize data objects and validate the data objects to determine whether the recognized data objects are appropriately included within the context. The security gateway may also perform an action on the data objects. Data objects that are not appropriately included in the context may be transformed, suppressed or disallowed. | 05-07-2009 |
20090126002 | SYSTEM AND METHOD FOR SAFEGUARDING AND PROCESSING CONFIDENTIAL INFORMATION - One aspect of the invention is a method for providing restricted access to confidential services without impacting the security of a network. The method includes using a gateway to isolate one or more components providing confidential services from one or more other portions of an enterprise network. A first communication directed to a selected one of the one or more components may be received at the gateway. A determination may be made as to whether the first communication is user traffic or management traffic. The first communication may then be authenticated. If the first communication is user traffic, the first communication is forwarded to a component providing the confidential services. If the first communication is management traffic, the first communication is encrypted and forwarded to a component providing the confidential services. Additionally, components of the sub-network may be monitored to identify malicious changes. | 05-14-2009 |
20090133113 | ADDING CLIENT AUTHENTICATION TO NETWORKED COMMUNICATIONS - A pass-through agent receives a request from a client and authenticates the client before forwarding the request to a target server that lacks client authentication capability. The target server is configured to accept requests from the pass-through agent, and may be configured to reject requests that do not come from the pass-through agent. | 05-21-2009 |
20090133114 | METHOD FOR IMPLEMENTING AN INTERNET PROTOCOL (IP) CHARGING AND RATING MIDDLEWARE PLATFORM AND GATEWAY SYSTEM - A method for Internet Protocol (IP) charging and rating gateway within a system having: (i) a proxy server for connection to an Authentication, Authorization, and Accounting (AAA) server; (ii) an access gateway, (iii) an IP classification engine for connection between a data network and the access gateway; and (iv) a gateway controller connected to the proxy server and the IP classification engine, including the steps of: (a) receiving IP packets at the IP classification engine, the IP packets originating from the data network and destined for a subscriber device via the access gateway; (b) classifying the IP packets according to the protocol of each of the packets at the IP classification engine; and (c) selectively instructing the IP classification engine to permit or deny the flow of IP packets between the data network and the access gateway at the gateway controller. Preferably, the proxy server is configured to emulate the access gateway and the AAA server. | 05-21-2009 |
20090138955 | USING GAA TO DERIVE AND DISTRIBUTE PROXY MOBILE NODE HOME AGENT KEYS - A Generic Authentication Architecture bootstrapping procedure is performed between a mobile terminal and a bootstrapping server function resulting in the mobile terminal and the bootstrapping server function each acquiring at least a bootstrapping transaction Identifier associated with the mobile terminal and a corresponding shared key. The mobile terminal derives a network application function specific key based on at least the acquired shared key and an identifier of said network application function. The bootstrapping transaction identifier and the network application function specific key are sent from the mobile terminal to the proxy mobile node. A request message for Mobile Internet Protocol registration is sent from the proxy mobile node to a home agent on behalf of the mobile terminal, the request message including the bootstrapping transaction identifier and an identifier of the proxy mobile node. The registration message is verified in the home agent with the use of a network application function specific key obtained from the bootstrapping server function or a network application function. The request message for Mobile Internet Protocol registration is authenticated with the proxy mobile node acting on behalf of the mobile terminal by verifying the message authentication code with the obtained network application function specific key. | 05-28-2009 |
20090138956 | Multi-use application proxy - Some embodiments of a multi-use application proxy have been presented. In one embodiment, an application proxy is executed as an intermediary among a set of applications. The application proxy performs multiple functions between the set of applications. For example, the application proxy aggregates interactions between the applications and a client in one embodiment. | 05-28-2009 |
20090138957 | METHOD AND APPARATUS OF MANAGING ENTITLEMENT MANAGEMENT MESSAGE FOR SUPPORTING MOBILITY OF DCAS HOST - A method of supporting a mobility of a Downloadable Conditional Access System (DCAS) host is provided. The method includes: by the second authentication proxy server: performing mutual authentication with a secure micro of the host to generate a session key; requesting an integrated personalization system to download a secure micro client to the host, wherein the secure micro client is encoded using the session key; and transmitting, to a DPS, mapping information between the second authentication proxy server and the secure micro of the host, wherein, in response to receiving the mapping information, the DPS instructs a CAS server to transmit an entitlement management message to the network of the second authentication proxy server without transmitting the entitlement management message to the network of the first authentication proxy server. | 05-28-2009 |
20090138958 | Takeover Processes in Security Network Integrated with Premise Security System - An integrated security system is described comprising a gateway located at a first location. The gateway includes a takeover component that establishes a coupling with a first controller of a security system installed at the first location. The security system includes security system components coupled to the first controller. The takeover component automatically extracts security data of the security system from the first controller. The gateway automatically transfers the security data extracted from the controller to a second controller. The second controller is coupled to the security system components and replaces the first controller. | 05-28-2009 |
20090144817 | TECHNIQUES FOR HIGH AVAILABILITY OF VIRTUAL PRIVATE NETWORKS (VPN'S) - Techniques for high availability of virtual private networks (VPN's) are provided. VPN gateways are organized as a virtual ring of VPN gateways. A client seeking to establish VPN communications with a destination resource is assigned one of the VPN gateways as a primary gateway and one VPN gateway as a secondary gateway. When a client's primary fails, the client seamlessly transitions to its designated secondary and the VPN gateways reconfigure themselves to account for the primary's failure. | 06-04-2009 |
20090158416 | Proxy with Layer 3 Security - A proxy system may use Layer 3 security mechanisms to establish secure communications between two devices. Each device may establish a secure session with the proxy using the same or a different configuration of a secure session. The proxy may pass traffic between the two devices and perform translation of the traffic between the two secure sessions. The proxy may also perform application layer gateway translations for communication traffic. Some embodiments may comprise a distribution or master proxy that may assign a communication session to a slave proxy in a scalable architecture. | 06-18-2009 |
20090158417 | Anti-replay protection with quality of services (QoS) queues - An embodiment of the present invention includes a technique to provide anti-replay protection with QoS queues. A single global anti-replay window is maintained to have global lowest and highest sequence numbers for an Internet protocol security (IPSec) security association (SA). The single global anti-replay window is associated with individual differentiated services code point (DSCP) or DSCP group, the individual DSCP or DSCP group corresponding to individual per-DSCP anti-replay windows. A received packet having a sequence number is pre-processed before packet processing using the single global anti-replay window. The received packet is post-processed after packet processing using the individual per-DSCP anti-replay windows. | 06-18-2009 |
20090158418 | SYSTEMS AND METHODS FOR PROVIDING A VPN SOLUTION - A system, apparatus and a method for implementing a secured communications link at a layer other than that at which packets are filtered are disclosed. In one embodiment, a computer system is configured to form a virtual private network (“VPN”) and comprises an address inspection driver to identify initial target packet traffic addressed to a target server. Also, the computer system includes a pseudo server module to receive rerouted initial target packet traffic from the address inspection driver. The pseudo server module is configured to convey packet regeneration instructions to a VPN gateway. The address inspection driver functions to identify additional target packet traffic addressed to the target server and routes the additional target packet traffic to the pseudo server. In one embodiment, the pseudo server is configured to strip header information from the additional target packet traffic to form a payload, and thereafter, to route the payload to the target. | 06-18-2009 |
20090165114 | Takeover Processes in Security Network Integrated with Premise Security System - An integrated security system is described comprising a gateway located at a first location. The gateway includes a takeover component that establishes a coupling with a first controller of a security system installed at the first location. The security system includes security system components coupled to the first controller. The takeover component automatically extracts security data of the security system from the first controller. The gateway automatically transfers the security data extracted from the controller to a second controller. The second controller is coupled to the security system components and replaces the first controller. | 06-25-2009 |
20090165115 | Service providing system, gateway, and server - A large-scale content delivery system may be achieved, which may send a large amount of content without intensive management of the content in the server. In a service providing system where a client, a service gateway, and a server are connected to each other through a network, the client sends a first message to the server by way of the service gateway. The service gateway asks the server for a processing method for the first message from the client by using a second message that includes a part of the first message content. The server replies to the inquiry of the processing method from the service gateway with a program that describes the processing method, and the service gateway processes the first message from the client on the basis of the received processing method. | 06-25-2009 |
20090172801 | PERFORMANCE ENHANCING PROXY - One embodiment of the present invention may take the form of a method and a system for performance enhancing proxy (PEP). A PEP system may include a configuration of software components and hardware devices to increase the performance of a two-way satellite broadband service. The PEP system may include one or more embodiments to reduce the time necessary for users to transmit and receive data provided through a communication network. | 07-02-2009 |
20090172802 | LOCAL PROXY SYSTEM AND METHOD - A local proxy system includes a storage device having a local proxy and a physical port connection. The local proxy is part of a split proxy configuration having a local proxy and a remote proxy. The physical port connection is operative to receive commands from a host via an internet application protocol; and to transmit commands to the host via a modem control protocol, to thereby function as a gateway for conveying these commands to a remote proxy, via the host. Also provided is a method of optimizing communication over a network; and a local proxy system that includes a storage device having a local proxy. The storage device is in connection with a host via a physical port connection complying with a standard storage device interface. | 07-02-2009 |
20090178131 | GLOBALLY DISTRIBUTED INFRASTRUCTURE FOR SECURE CONTENT MANAGEMENT - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services. | 07-09-2009 |
20090178132 | Enterprise Security Assessment Sharing For Consumers Using Globally Distributed Infrastructure - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services. | 07-09-2009 |
20090183251 | INTEGRATED INFORMATION MANAGEMENT SYSTEM AND METHOD - Embodiments of the present invention provide for an integrated information management system. The system comprises a set of predetermined applications related to managing information of a government program. The system also comprises a web portal that renders a set of web pages as a virtual workspace. The web portal interoperates with the set of predetermined applications using a plurality of portlets. At least one of the plurality of portlets implements an application of the set of predetermined applications that is external to the web portal, and at least one of the plurality of portlets implements an application of the set of predetermined applications that is local to the web portal. | 07-16-2009 |
20090199289 | Method and System for Pervasive Access to Secure File Transfer Servers - End-to-end file transfer security for file transfer is provided over a network such as the Internet between a client, using a secure communication protocol which is pervasively available, such as HTTPS, to a secure file server which is accessible only through a secure file transfer protocol which is not pervasively available by using a secure proxy for accessing the secure file server rather than providing a protocol break merely for traversing a firewall. The secure proxy is arranged to provide a protocol conversion between the pervasively available secure protocol and the communication protocol through which the server is accessible and which is not pervasively available. By doing so, the secure proxy inherits secure functions of the secure server which thus need not be separately or independently provided in the secure proxy. | 08-06-2009 |
20090199290 | VIRTUAL PRIVATE NETWORK SYSTEM AND METHOD - One embodiment of the application provides a method and system for receiving at a gateway device a plurality of virtual private network tunnels to be routed to a Local Area Network (LAN), routing a first portion of the plurality of virtual private network tunnels to at least one slave device coupled to the gateway device, performing IPsec processing of the first portion of the plurality of virtual private network tunnels using at least one slave device, forwarding the first portion of the plurality of virtual private network tunnels after IPsec processing to the gateway device, and routing the plurality of virtual private network tunnels to the LAN. | 08-06-2009 |
20090241180 | System and Method for Data Transport - A data agnostic transport system that may be used for data objects such as email, calendar, notes, files, and multimedia. | 09-24-2009 |
20090249466 | METHODS AND DEVICES FOR ENFORCING NETWORK ACCESS CONTROL UTILIZING SECURE PACKET TAGGING - Disclosed are methods, devices, and media for enforcing network access control, the method including the steps of: extracting a packet signature from a packet (or packet fragment) received from a network; storing the packet signature and the packet in a buffer; computing a buffer signature using a per-endpoint secret key; determining whether the packet signature and the buffer signature are identical; and upon determining the packet signature and the buffer signature are identical, transmitting the packet to a protocol stack. Preferably, the step of extracting includes extracting the packet signature from a field (e.g. identification field) of a header of the packet. Preferably, the method further includes the step of: upon determining the packet signature and the buffer signature are not identical, discarding the packet. Methods for receiving a packet from a protocol stack, and transmitting the packet to a network are disclosed as well. | 10-01-2009 |
20090249467 | PROXY SERVER - A proxy server for downloading a data file for a client, such as an email client or web browser, including: an external proxy for downloading the data file for the client from an external server over a network, based on profile data associated with the client stored on the proxy server; a memory module for storing the data file; and an internal proxy for transferring the data file to the client when requested by the client. The external proxy operates asynchronously to the internal proxy, and the proxy server operates transparently with respect to the client. | 10-01-2009 |
20090271858 | Method For Connecting Unclassified And Classified Information Systems - A method and system that enables the connection of an unclassified information system to a classified information system while meeting all government requirements. The system utilizes a combination of COTS technologies (e.g., a Trusted Gateway System, type-2 encryption software, etc.), local administrative policies, and scriptable software applications. | 10-29-2009 |
20090271859 | SYSTEMS AND METHODS FOR RESTRICTING EVENT SUBSCRIPTIONS THROUGH PROXY-BASED FILTERING - A system, method and filter are provided for restricting event subscriptions. The system includes an event server, such as a session initiation protocol (SIP) event server, capable of maintaining at least one event. Also, the system includes a network entity, such as a requester, capable of sending a subscription message, such as a SIP SUBSCRIBE message, subscribing to the event. Further, the system includes a proxy, such as a SIP proxy, associated with the event server and coupled between the event server and the network entity. In this regard, the proxy is capable of receiving the subscription message. The system also includes a filter capable of receiving the subscription message from the proxy. Thereafter, the filter can determine whether the network entity is an authorized subscriber. Then, if the network entity is an authorized subscriber, the proxy can forward the subscription message to the event server. | 10-29-2009 |
20090276841 | METHOD AND DEVICE FOR DYNAMIC DEPLOYMENT OF TRUST BRIDGES IN AN AD HOC WIRELESS NETWORK - A method for deploying a trust bridge in an ad hoc wireless network can provide interoperability for multi-organizational authentication. The method includes processing at a delegate certification authority (DCA) node device authorizations received from of a plurality of certification authorities (CAs) of different organizations, where the authorizations authorize the DCA node device to serve as a DCA representing the CAs (step | 11-05-2009 |
20090282470 | CONTENT AGGREGATION SERVER ON VIRTUAL UNIVERSAL PLUG-N-PLAY NETWORK - A content aggregation server (CAS) establishes an IPSec tunnel with a gateway of a home network and discovers content on the home network. The CAS generates a web page that a user of the home network can access remotely to view an index of content hyperlinks, organize the content on the home network, and if desired select a hyperlink to access the content directly through the gateway, not the CAS, which thus is used for listing and managing content but not for hosting the content. | 11-12-2009 |
20090282471 | NAMED SOCKETS IN A FIREWALL - A proxy device such as a firewall uses an internal socket namespace such as a text string such that connection requests must be explicitly redirected to a listening socket in the alternate namespace in order to connect to a service. Because external connections cannot directly address the listening socket or service, greater security is provided than with traditional firewall or proxy devices. To receive a redirected proxy connection, a service process creates a listening socket and binds a name in an alternate namespace to the socket before listening for connections. | 11-12-2009 |
20090288157 | SECURITY OVERLAY NETWORK - A device receives an indication of detected attack traffic associated with a network, identifies a victim of the attack traffic, and selects a security platform for processing the attack traffic. The device also advertises a tunnel and routing tag information in the network for the selected security platform, receives the attack traffic via the advertised tunnel, and forwards the attack traffic to the selected security platform for processing. The device further receives processed traffic from the selected security platform, and forwards, via the network, the processed traffic to the victim. | 11-19-2009 |
20090293113 | CONTROLLED DELIVERY OF EVENT INFORMATION TO IPTV USERS - A method and a gateway are provided for controlling delivery of event information to users sharing a user device. The gateway is informed of activity states of each user sharing a same user device. Events related to services used by the users are detected by the gateway. Because some users of a same device may be active while others are inactive, the gateway verifies the activity state of each user for whom an event is detected. Active users are informed of events that are of interest for them. | 11-26-2009 |
20090300749 | METHOD AND SYSTEM FOR DEFEATING THE MAN IN THE MIDDLE COMPUTER HACKING TECHNIQUE - A method for constructing a secure Internet transaction, the method includes: receiving a user identification (userid) and user password on a client device for filling out a form generated by a secure web site; concatenating the user's Internet Protocol (IP) address with a separate password that is maintained on the secure web site that the user is authenticating to; encrypting the concatenated user IP and separate password to form an Internet Protocol password (IPPW); wherein the encrypting is carried out with asymmetric public-key cryptography using a public key; building a transaction consisting of the IPPW and userid; transmitting the transaction and form via a network towards the secure web site; wherein in response the secure website performs the following: decrypts the IPPW, and determines if the IP portion of the decrypted IPPW is equal to the user's IP address. | 12-03-2009 |
20090300750 | Proxy Based Two-Way Web-Service Router Gateway - A system for providing two-way Web services is disclosed that enables the client and server to be in different enterprise domains—behind firewalls—with few or no changes to the firewalls. In accordance with the illustrative embodiment, a “tunnel hub” is deployed in the public domain and “tunnel gateways” are deployed behind the firewalls where the clients request two-way services and the servers provide two-way services. Each tunnel gateway initiates a secure tunnel out through the firewall to the target hub. Thereafter, a request for service enters the tunnel gateway, travels to the tunnel hub and to the appropriate tunnel gateway where the server is that provides the service. When the server provides the service, it enters the tunnel gateway, travels to the tunnel hub and to the appropriate tunnel gateway where the client is that requested the service. | 12-03-2009 |
20090313690 | Method for establishing a multi-link access between a local network and a remote network, and corresponding appliance - The invention enables the different access links between a local network and a remote network to be used in a common and transparent manner. The invention is based on the use of various IP tunnels using the different access links between an appliance on the local network of the user and an appliance on the remote network. Said tunnels are embodied as a single link providing access to the remote network. | 12-17-2009 |
20090320120 | REPLICATING MESSAGE QUEUES BETWEEN CLUSTERED EMAIL GATEWAY SYSTEMS - A method of “stateful failover” is provided that allows email gateway systems in a cluster to deliver email messages that were accepted for delivery by a member of the cluster that then failed before delivering them. The method involves creating a backup copy of the messages accepted for delivery by one email gateway system in the stateful failover cluster on one or more other email gateway systems in the cluster. Upon detecting the failure of the email gateway system that accepted the messages, another member of the stateful failover cluster that has access to the backup copy of the message queue takes responsibility for delivering the messages on the mirrored queue. | 12-24-2009 |
20090328184 | System and Method for Enhanced Security of IP Transactions - A transaction routing system is described. The system includes a communication gateway linked to at least one transaction terminal and at least one host server. The communication gateway determines whether to perform an authentication procedure during a call session. Based on a result of the authentication procedure, at least one proceeding step is determined. A method for ensuring enhanced security during transaction routing is also provided. | 12-31-2009 |
20100011433 | METHOD OF CONFIGURING A SECURITY GATEWAY AND SYSTEM THEREOF - There is provided a rule-set generator and a method of automated configuration of a security gateway. The method comprises setting up an initial rule-set; obtaining log records of communication events corresponding to the initial rule-set until a sufficient amount of log records has been collected; transforming the obtained log records into respective rules, wherein the source, destination and service fields in each rule correspond to the source, destination and service values in the respective log record, and the action in all rules is defined as “Accept”, thus giving rise to a transformation-based rule-set; and processing the transformation-based rule-set so as to generate an operable rule-set. | 01-14-2010 |
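Worked example for the two transformation steps in 20100011433, added here and not code from the patent or any product. The log lines are constructed, in a made-up key=value format. Step one turns each distinct (src, dst, service) triple into an Accept rule; step two collapses three or more source hosts from one /24 that reach the same destination and service into a single subnet rule and appends a final Drop. That second step is one plausible reading of "generate an operable rule-set" and is an assumption of this example. The practitioner's caveat: the learned rule-set permits whatever traffic occurred during the logging window, so the window must be free of compromise or the attacker's flows become policy.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines (hypothetical key=value format, not a real product's).
# Line 4 duplicates line 1; the last line is deliberately unparseable.
LOG_LINES = """\
src=10.1.2.10 dst=192.0.2.5 service=tcp/443
src=10.1.2.11 dst=192.0.2.5 service=tcp/443
src=10.1.2.12 dst=192.0.2.5 service=tcp/443
src=10.1.2.10 dst=192.0.2.5 service=tcp/443
src=10.7.0.3 dst=192.0.2.9 service=udp/53
this line does not parse and is skipped
""".splitlines()

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) service=(\S+)$")


def logs_to_rules(lines):
    """Step 1: every distinct (src, dst, service) seen in the log becomes an Accept rule."""
    rules, seen = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # malformed record: ignore, never guess
        src, dst, service = m.groups()
        if (src, dst, service) in seen:
            continue                      # repeated flows do not make repeated rules
        seen.add((src, dst, service))
        rules.append({"src": src, "dst": dst, "service": service, "action": "Accept"})
    return rules


def generalise(rules, min_hosts=3, prefix=24):
    """Step 2 (assumed processing): merge >= min_hosts sources in one /prefix that share
    dst and service into a subnet rule; keep the rest host-specific; end with Drop."""
    groups = defaultdict(set)
    for r in rules:
        net = ip_network(f"{r['src']}/{prefix}", strict=False)
        groups[(net, r["dst"], r["service"])].add(r["src"])
    out = []
    for (net, dst, service), srcs in groups.items():
        if len(srcs) >= min_hosts:
            out.append({"src": str(net), "dst": dst, "service": service, "action": "Accept"})
        else:
            out.extend({"src": s, "dst": dst, "service": service, "action": "Accept"}
                       for s in sorted(srcs, key=ip_address))
    out.append({"src": "any", "dst": "any", "service": "any", "action": "Drop"})
    return out


if __name__ == "__main__":
    for rule in generalise(logs_to_rules(LOG_LINES)):
        print(rule)
```

Lowering `min_hosts` trades fewer rules for a wider allow; the merged /24 in the output admits 253 hosts that never appeared in the log, which is exactly the kind of over-permission a reviewer should look for before the generated set goes live.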
20100024026 | Application gateway system and method for maintaining security in a packet-switched information network - A method and apparatus are disclosed for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain. A packet processor part intercepts a packet that is in transit between the untrusted packet-switched information network and the protected domain. The packet is examined at the packet processor part in order to determine whether the packet contains digital data that pertains to a certain protocol. If the packet is not found to contain such digital data, it is processed at the packet processor part. If the packet is found to contain digital data that pertains to said certain protocol, it is redirected to an application gateway part that processes the packet according to a set of processing rules that enforce conformance to said certain protocol. The packet processor part is a kernel mode process running in a computer device and the application gateway part is a user mode process running in a computer device. | 01-28-2010 |
20100031338 | Collaboration gateway - Method for exchanging information between heterogeneous secured networks. Method supports synchronous communications across security domains including text chat, instant messaging, audio applications, video applications, and whiteboard collaboration. The invention intercepts incoming information traffic on either side and employs a guard for filtering information traffic between security domains according to a policy engine. | 02-04-2010 |
20100031339 | Streaming Media Service For Mobile Telephones - A mobile client ( | 02-04-2010 |
20100037308 | MULTI-SERVICE PROVIDER AUTHENTICATION - Network access providers implement interactive procedures, and subscriber terminals employ embedded secure authentication structures and procedures, to ensure that a satellite modem at the subscriber terminal accurately verifies the identity of the satellite modem termination system at the network access provider's gateway facility during the satellite modem initialization process, so that the satellite modem will only attempt to acquire satellite resources from the appropriate (authenticated and authorized) satellite modem termination system. In a virtual downstream channel environment, diverse downstream channel feeds are distinguished by authentication procedures. The approach differs from standard theft-of-service prevention in that it prevents theft of subscribers in a virtual channel environment, where subscriber terminals have access to a plurality of virtual channels by the nature of the signal. | 02-11-2010 |
20100071051 | System and method for exposing malicious sources using mobile IP messages - Malicious sources within networks are identified using bait traffic, including mobile IP messages, transmitted between a collaborating network device and a collaborating mobile client that has a fixed connection to the network. The bait traffic entices a malicious source to transmit malicious packets towards the collaborating mobile client and/or the network device. Upon receiving a malicious packet, the collaborating mobile client or the network device is able to identify the source of the packet as a malicious source and report the presence of the malicious source within the network. | 03-18-2010 |
20100071052 | REVERSE PROXY ARCHITECTURE - Aspects of the subject matter described herein relate to a reverse proxy architecture. In aspects, a client that seeks to access a Web document via a proxy sends a request to the reverse proxy. The reverse proxy obtains the Web document from a server indicated by the request and modifies links therein so that if the links are clicked on or otherwise fetched by the client, the communication goes back to the reverse proxy. The reverse proxy may also modify cookies, if needed, so that the cookies refer to a domain or hostname associated with the reverse proxy. | 03-18-2010 |
20100071053 | Presence Status Notification From Digital Endpoint Devices Through A Multi-Services Gateway Device At The User Premises - A gateway device for operation at a user premises to provide and manage application services provided for endpoint devices associated with the gateway device. The gateway device includes a communications client program to enable client-server communications between the gateway device and a remote communications server via the wide area network using a presence and networking message protocol. The gateway device utilizes at least one driver program with a driver communications protocol to communicate with, control, and manage associated endpoint devices. The communications client program interacts with the driver program, and the gateway device is configured to specify which associated endpoint devices, attributes and operations are exposed to the network via the communications client. The gateway device is configured to specify rules for presentation and/or notification of incoming presence and networking messages to the gateway device and the routing of those messages to the managed endpoint devices through their respective drivers. | 03-18-2010 |
20100095367 | DYNAMIC ACCESS CONTROL POLICY WITH PORT RESTRICTIONS FOR A NETWORK SECURITY APPLIANCE - A network security appliance supports definition of a security policy to control access to a network. The security policy is defined by match criteria including a layer seven network application, a static port list of layer four ports for a transport-layer protocol, and actions to be applied to packet flows that match the match criteria. A rules engine dynamically identifies a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets. The rules engine is configured to apply the security policy to determine whether the packet flow matches the static port lists specified by the match criteria. The network security appliance applies the actions specified by the security policy to the packet flow. | 04-15-2010 |
20100095368 | HOME NODE B ACCESS CONTROL METHOD AND SYSTEM - A home Node B access control method provided herein includes: by a security access gateway, receiving access request information from a home Node B; forwarding the access request information to a network node capable of authenticating; and exercising access control for the home Node B according to the authentication result. A home Node B access control system is also provided herein. The method and the system for controlling the home Node B access ensure the security of the mobile network, stability of the wireless environment, and implementation of the operator policies. The access control is performed before the network allocates resources to the home Node B, thus avoiding waste of network resources and preventing unqualified home Node Bs from accessing the network. | 04-15-2010 |
20100095369 | Gateway Registry Methods and Systems - A gateway device for managing a set of two or more local management devices at a location. A system for networks at a plurality of locations. A method of operating a gateway device in a control network. A method for storing information to operate a gateway device in a control network. A method for storing information to operate a replacement gateway device in a control network. | 04-15-2010 |
20100107235 | METHOD AND COMMUNICATION SYSTEM FOR ACCESSING A WIRELESS COMMUNICATION NETWORK - A method for accessing a wireless communication network is described, comprising collocating a Proxy Agent apparatus with an Access apparatus and determining in a Mobile Gateway apparatus an address of the Access apparatus. The Proxy Agent apparatus comprises information about a Master apparatus, the Master apparatus being adapted for executing a master function. The method further comprises indicating a message, to be handled by the master function, as a master function message and sending the master function message to the address of the Access apparatus. Furthermore, the method comprises diverting in the Access apparatus the master function message to the Proxy Agent apparatus and forwarding the master function message to a Proxy Relay apparatus for relaying the master function message to the Master apparatus. | 04-29-2010 |
20100107236 | NETWORK SYSTEM, COMMUNICATION METHOD, COMMUNICATION TERMINAL, AND COMMUNICATION PROGRAM - Provided is a network system which attains effective prevention of information leakage without requiring the user to be aware of spyware or the like operating on the user terminal. | 04-29-2010 |
20100107237 | COMMUNICATION SYSTEM, RELIABLE COMMUNICATION MECHANISM, AND COMMUNICATION METHOD USED FOR THE SAME - Provided is a communication system capable of fundamentally preventing attacks from unspecified counterparts and of resolving problems even when one occurs in a user terminal, client or server. A mediation server ( | 04-29-2010 |
20100115602 | METHOD AND SYSTEM FOR SECURING DATA FROM AN EXTERNAL NETWORK TO A NON POINT OF SALE DEVICE - A data control system allows non-point of sale devices ( | 05-06-2010 |
20100122337 | System and method for integrating mobile networking with security-based VPNS - Systems and methods provide a secure network path through an inner and outer firewall pair between a mobile node on a foreign network and a corresponding node on a home network. One aspect of the systems and methods includes providing a mobile IP proxy between the mobile node and a VPN gateway inside the firewalls. The mobile IP proxy acts as a surrogate home agent to the mobile node, and acts as a surrogate mobile node to a home agent residing on the home network. | 05-13-2010 |
20100122338 | NETWORK SYSTEM, DHCP SERVER DEVICE, AND DHCP CLIENT DEVICE - When customer-premises communication equipment connected to a home gateway device is about to establish IP communication with a server on a network, the present invention enables the server to establish communication only after verifying that the physical connection location of the communication equipment is authorized. When a DHCP server issues an IP address to the home gateway device, the DHCP server not only passes a circuit-ID-based identifier to the home gateway device, but also transmits the identifier and information about the home gateway device to the server. Upon receipt of the identifier through the home gateway device, the communication equipment requests to establish IP communication with the server using the identifier and the information about the home gateway device to which it is connected. This permits the server to check whether the connection path of the communication equipment that has requested to be connected is proper. | 05-13-2010 |
20100125899 | REMOTE ACCESS TO LOCAL NETWORK VIA SECURITY GATEWAY - Multiple protocol tunnels (e.g., IPsec tunnels) are deployed to enable an access terminal that is connected to a network to access a local network associated with a femto access point. A first protocol tunnel is established between a security gateway and the femto access point. A second protocol tunnel is then established in either of two ways. In some implementations the second protocol tunnel is established between the access terminal and the security gateway. In other implementations the second protocol tunnel is established between the access terminal and the femto access point, whereby a portion of the tunnel is routed through the first tunnel. | 05-20-2010 |
20100132029 | USING STATISTICAL ANALYSIS TO GENERATE EXCEPTION RULES THAT ALLOW LEGITIMATE MESSAGES TO PASS THROUGH APPLICATION PROXIES AND GATEWAYS - A security gateway receives messages rejected by a message filter based on a set of rules. The security gateway also receives attributes of the rejected messages that triggered the rules. The security gateway maintains frequencies with which the messages with a particular attribute were rejected by the rules. The security gateway finds rejected messages or attributes having a high frequency of occurrence. Since messages or attributes having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow messages that have similar attributes to pass through the gateway. | 05-27-2010 |
20100146617 | UNIFYING RELATED WEB SERVICE PORTS USING PORT POINTERS IN PROXY MEDIATION - A Web service description can be extended to cross reference a front-side port associated with a client using a Web service and a back-side port associated with a server providing the Web service. The extending of the Web service description can occur in a standards compliant manner for a programming language within which the Web service description is specified and for a repository in which the Web service description is maintained. | 06-10-2010 |
20100146618 | Multi-Level Secure Information Retrieval System - According to one embodiment, a multi-level secure information retrieval system includes an enterprise access service tool coupled to one or more client applications and at least one gateway managed by an enterprise. The enterprise access service tool executes services operating in a service oriented architecture. The enterprise access service tool receives requests from the client applications, associates each of the requests with one of a plurality of differing security levels, and transmits the requests to the gateway. The gateway transmits the requested information back to the client applications in which the information is filtered by the gateway according to their associated security levels. | 06-10-2010 |
20100162378 | METHODS AND APPARATUS TO ENHANCE SECURITY IN RESIDENTIAL NETWORKS - Example methods and apparatus to enhance security in residential networks and residential gateways are disclosed. A disclosed example apparatus includes a transceiver to receive an Internet protocol (IP) packet, a first packet processing module associated with a protected IP address, the first packet processing module to be communicatively coupled to a first network device, a second packet processing module associated with a public IP address, the second packet processing module to be communicatively coupled to a second network device, and a packet diverter to route the received IP packet to the first packet processing module when the IP packet contains the protected IP address and to route the IP packet to the second packet processing module when the IP packet does not contain the protected IP address. | 06-24-2010 |
20100162379 | UNSOLICITED COMMUNICATION MITIGATION - A method and apparatus for mitigating unwanted communication are disclosed. A request to establish communications is received at a first Protection Against Unsolicited Communications in Internet Protocol Multimedia Subsystem (PUC) server. The PUC server determines whether to block the communication. If the communication is blocked, the sender is informed and a record of the blocked communication may be stored. Alternatively, the communication may be delivered to a subsequent PUC server (along with appended information about the sender), the receiver or sent to storage. | 06-24-2010 |
20100162380 | COMMUNICATIONS SYSTEM PROVIDING SHARED CLIENT-SERVER COMMUNICATIONS INTERFACE AND RELATED METHODS - A communications system may include a plurality of communications devices connected together in a network and having a plurality of user accounts associated therewith. At least one of the communications devices may process requests using an HTTP client application associated therewith. The system may also include an application server for accessing the user accounts via the HTTP client application, and an HTTP server for interfacing the HTTP client application with the application server. The HTTP server and the HTTP client application may format requests to be communicated therebetween in an HTTP format, and each may provide additional state information with the HTTP formatted requests recognizable by the other for authentication purposes. Furthermore, the HTTP client application may request a first universal resource locator (URL) from the HTTP server for accepting work requests from the application server, and a second URL different from the first for responding to work requests. | 06-24-2010 |
20100169964 | APPARATUS AND METHOD FOR PROVIDING PEER-TO-PEER PROXY SERVICES IN PEER-TO-PEER COMMUNICATIONS - A network gateway device providing peer-to-peer proxy service is provided, including a P2P meta descriptor detector detecting an original P2P meta descriptor file from the public network, a P2P proxy control unit modifying the original P2P meta descriptor file to generate a modified P2P meta descriptor file, and forwarding the modified P2P meta descriptor file to a computer in the private network, an internal tracker receiving a first inquiry message, and replying with a pseudo sharing computer list, and a peer-to-peer engine loading the original P2P meta descriptor file to download shared contents, and forwarding the shared contents to the computer. | 07-01-2010 |
20100175122 | SYSTEM AND METHOD FOR PREVENTING HEADER SPOOFING - A system and method for preventing spoofing including a receiver at a session border controller (SBC) configured to receive a message from a network element, wherein the message is a request for network access and the message comprises first source information. The system and method may also include one or more processors at the session border controller (SBC) configured to identify an identifier associated with the network element, wherein the identifier corresponds to second source information, and to replace the first source information in the message received from the network element with the second source information corresponding to the identifier of the network element. The system and method may also include one or more databases configured to store the second source information. The system and method may also include a transmitter at the session border controller (SBC) configured to transmit the message with the second source information to a service provider proxy for granting network access. In another embodiment, network access is denied if the first source information in the message received from the network element differs from the second source information corresponding to the identifier of the network element. | 07-08-2010 |
20100175123 | ADDRESS TRANSLATION DEVICE AND ADDRESS TRANSLATION METHOD - In order to more efficiently use port resources, which are finite global address resources assigned to an address translation device, the address translation device holds a session-port assignment table showing a correspondence between an existing session and a local endpoint (port resource) in the address translation device, and a port assignment rule indicating port usage about assignable ports. An address translation unit translates address information of a packet received according to the correspondence between the existing session and the port resource shown in the session-port assignment table, and assigns the port according to the port usage indicated by the port assignment rule for a packet for opening a new session. An assignment rule update unit changes a ratio of the port usage in the port assignment rule while the correspondence between the existing session and the port resource in the session-port assignment table is not changed. | 07-08-2010 |
20100180332 | INFORMATION PROTECTION APPLIED BY AN INTERMEDIARY DEVICE - Methods, systems, and computer-readable media are disclosed for applying information protection. A particular method includes receiving a data file at a gateway coupled to a network. The data file is to be sent to a destination device that is external to the network. The method also includes selectively applying information protection to the data file at the gateway prior to sending the data file to the destination device. The information protection is selectively applied based on information associated with the destination device, information associated with the data file, and information associated with a user of the destination device. | 07-15-2010 |
20100192216 | SECURITY GATEWAY SYSTEM, METHOD AND PROGRAM FOR SAME - A non-secure network gateway | 07-29-2010 |
20100199346 | SYSTEM AND METHOD FOR DETERMINING SYMANTIC EQUIVALENCE BETWEEN ACCESS CONTROL LISTS - Aspects of the invention pertain to analyzing and modifying access control lists that are used in computer networks. Access control lists may have many individual rules that indicate whether information can be passed between certain devices in a computer network. The access control lists may include redundant or conflicting rules. An aspect of the invention determines whether two or more access control lists are equivalent or not. Order-dependent access control lists are converted into order-independent access control lists, which enable checking of semantic equivalence of different access control lists. Upon conversion to an order-independent access control list, lower-precedence rules in the order-free list are checked for overlap with a current higher precedence entry. If overlap exists, existing order-free rules are modified so that spinoff rules have no overlap with the current entry. This is done while maintaining semantic equivalence. | 08-05-2010 |
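Worked example for 20100199346, added here and not taken from the patent. It uses a hypothetical two-field rule space (source IPv4 range by destination port range) so that a rule's region is a rectangle. An order-dependent ACL is converted into order-free rules by carving each lower-precedence rule's rectangle out of every higher-precedence entry that came before it; the leftover fragments are the "spinoff" rules, and they never overlap. Two ACLs are then semantically equivalent when every order-free region of one is fully covered by same-action regions of the other, and vice versa. Both lists receive an implicit final deny so the whole space has an action. Field names, the `rule()` helper and the two-field space are assumptions of the example; real ACLs carry more fields, but the same subtraction works dimension by dimension.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Tuple

# Hypothetical rule space for the example: source IPv4 address x destination port.
FULL_SRC = (0, 2**32 - 1)
FULL_PORT = (0, 65535)
Rect = Tuple[int, int, int, int]   # (src_lo, src_hi, port_lo, port_hi), all inclusive


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    rect: Rect


def rule(action, src="0.0.0.0/0", ports=FULL_PORT):
    """Build a rule from a CIDR source and an inclusive port range (example helper)."""
    net = ip_network(src)
    return Rule(action, (int(net[0]), int(net[-1]), ports[0], ports[1]))


def subtract(rect, cut):
    """Return the parts of rect not covered by cut: at most four rectangles."""
    s_lo, s_hi, p_lo, p_hi = rect
    c_slo, c_shi, c_plo, c_phi = cut
    i_slo, i_shi = max(s_lo, c_slo), min(s_hi, c_shi)
    i_plo, i_phi = max(p_lo, c_plo), min(p_hi, c_phi)
    if i_slo > i_shi or i_plo > i_phi:
        return [rect]                                  # disjoint: nothing to carve
    pieces = []
    if s_lo < i_slo:
        pieces.append((s_lo, i_slo - 1, p_lo, p_hi))   # slab left of the overlap
    if i_shi < s_hi:
        pieces.append((i_shi + 1, s_hi, p_lo, p_hi))   # slab right of the overlap
    if p_lo < i_plo:
        pieces.append((i_slo, i_shi, p_lo, i_plo - 1)) # below the overlap
    if i_phi < p_hi:
        pieces.append((i_slo, i_shi, i_phi + 1, p_hi)) # above the overlap
    return pieces


def order_free(acl):
    """Convert a first-match-wins ACL (implicit final deny) into non-overlapping
    spinoff rules whose order no longer matters."""
    ordered = list(acl) + [Rule("deny", FULL_SRC + FULL_PORT)]
    free = []
    for r in ordered:
        pieces = [r.rect]
        for higher in free:            # remove everything a higher-precedence rule owns
            pieces = [p for piece in pieces for p in subtract(piece, higher.rect)]
        free.extend(Rule(r.action, p) for p in pieces)
    return free


def equivalent(acl_a, acl_b):
    """Semantic equivalence: each order-free region of A lies inside same-action
    regions of B, and the reverse."""
    fa, fb = order_free(acl_a), order_free(acl_b)

    def covered(src_rules, dst_rules):
        for r in src_rules:
            pieces = [r.rect]
            for other in dst_rules:
                if other.action == r.action:
                    pieces = [p for piece in pieces for p in subtract(piece, other.rect)]
            if pieces:                 # some region gets a different action in the other ACL
                return False
        return True

    return covered(fa, fb) and covered(fb, fa)
```

The number of spinoff fragments can grow quickly on large ACLs; the patent's point is that equivalence checking needs the order-free form only once per list, after which every comparison is a coverage test rather than a re-simulation of first-match semantics.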
20100205665 | SYSTEMS AND METHODS FOR ENFORCING POLICIES FOR PROXY WEBSITE DETECTION USING ADVERTISING ACCOUNT ID - In embodiments of the present invention improved capabilities are described for systems and methods that enforce policies with respect to proxy communications. | 08-12-2010 |
20100218247 | SERVICE ACCESS USING A SERVICE ADDRESS - A method is disclosed that includes assigning a service address to a service of a private network. The service of the private network is accessible, via a gateway, by a client computer. The method also includes turning off duplicate address detection at the gateway. The gateway is associated with a public network address that is different from the service address. | 08-26-2010 |
20100218248 | REDIRECTION OF SECURE DATA CONNECTION REQUESTS - Methods, systems, and computer-readable media are disclosed for processing a secure data connection request. A particular method receives, at a first gateway, a secure data connection request from a client identifying a server to connect to. The first gateway sends the client device a redirect message instructing the client device to attempt alternate connection via a second gateway. The client sends a secure data connection request to the second gateway and the second gateway facilitates the secure data connection between the client and the server. | 08-26-2010 |
20100235901 | CIFS PROXY AUTHENTICATION - Techniques are described for a proxy system to provide a client device with transparent access to multiple network file servers. The proxy system may appear to the client device as a single network file server. The proxy may be configured to forward requests received from the client device to multiple servers as well as provide responses from the server back to the client. Further, the proxy system may authenticate itself, as the client, to each of the multiple network servers using authentication credentials supplied by the client. After prompting a user to submit credentials to establish a session with a first network server, the proxy system may send a session timeout error code, prompting the client to submit a fresh authentication request used by the proxy system to establish a session with a second network server. | 09-16-2010 |
20100235902 | SERVER PROTECTION FROM DISTRIBUTED DENIAL OF SERVICE ATTACKS - A network device connects between a client and a server. The network device is configured to store information regarding an application operating on the server; receive a first message, from the client, intended for the server; generate a second message in response to the first message; send the second message to the client; receive a third message from the client; generate, based on the information regarding the application on the server, a fourth message, that includes the information regarding the application operating on the server; send the fourth message to the client; receive a service request from the client in response to the fourth message; and establish, based on the service request, a connection between the client and the server. | 09-16-2010 |
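Added simulation of the exchange in 20100235902 (example code, not the patent's): the front device answers the client's first message itself, checks the client's third message against the handshake state it issued, and only then sends the fourth message built from the application information it holds for the server; the server is contacted solely when a client that completed that exchange sends a real service request. A spoofed-source flood therefore never reaches the server. The message names, the half-open table, the banner and the `simulate()` scenario are assumptions of the example; a production device would typically use SYN cookies so that even the half-open table is unnecessary.

```python
import secrets


class ProtectedServer:
    """Stand-in for the real application server; counts the connections it receives."""

    def __init__(self, banner):
        self.banner = banner            # e.g. an SMTP greeting the device will send on its behalf
        self.connections = 0

    def connect(self, request):
        self.connections += 1
        return f"250 OK: {request}"


class FrontDevice:
    """Sits between client and server; absorbs the handshake and the banner exchange."""

    def __init__(self, server):
        self.server = server
        self.half_open = {}             # client -> ack number we expect back (message 2 state)
        self.established = set()        # clients that completed the exchange

    def on_syn(self, client, seq):
        """Message 1 in, message 2 out; the server is not involved at all."""
        isn = secrets.randbelow(2**32)
        self.half_open[client] = (isn + 1) % 2**32
        return ("SYN-ACK", isn, seq + 1)

    def on_ack(self, client, ack):
        """Message 3 in; if it matches our state, message 4 (the stored banner) out."""
        if self.half_open.get(client) != ack:
            return None                 # spoofed source never learned our ISN
        del self.half_open[client]
        self.established.add(client)
        return ("BANNER", self.server.banner)

    def on_request(self, client, request):
        """Only a client that completed the handshake gets a backend connection."""
        if client not in self.established:
            return None
        return self.server.connect(request)


def simulate(flood=2000):
    """Constructed scenario: a spoofed SYN flood, a guessed ACK, then one genuine client."""
    server = ProtectedServer("220 mail.example.test ESMTP")
    device = FrontDevice(server)
    for i in range(flood):              # flood: SYNs whose sources never answer
        device.on_syn(f"198.51.100.{i % 256}:{40000 + i}", seq=i)
    spoof_ack = device.on_ack("192.0.2.1:1", ack=12345)     # never sent a SYN: rejected
    client = "203.0.113.7:51000"
    _, isn, _ = device.on_syn(client, seq=1)
    banner = device.on_ack(client, (isn + 1) % 2**32)
    reply = device.on_request(client, "EHLO client.example.test")
    return {"server_connections": server.connections, "half_open": len(device.half_open),
            "spoof_ack": spoof_ack, "banner": banner, "reply": reply}


if __name__ == "__main__":
    print(simulate())
```

The cost of the flood lands entirely on the device's half-open table (2000 entries in the scenario) while the server sees exactly one connection; sizing or replacing that table is the device's problem, which is the whole point of putting it in front of the server.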
20100242105 | SYSTEMS AND METHODS FOR SELECTIVE AUTHENTICATION, AUTHORIZATION, AND AUDITING IN CONNECTION WITH TRAFFIC MANAGEMENT - The present invention provides a system and method for authentication of network traffic managed by a traffic management virtual server. A traffic management virtual server may determine that a client has not been authenticated from a request of the client to access a server. Responsive to the request, the traffic management virtual server may transmit a response to the client with instructions to redirect to an authentication virtual server. The authentication virtual server may receive a second request from the client. The authentication virtual server may then authenticate credentials received from the client and establish an authentication session for the client. Further, the authentication virtual server may transmit a second response to redirect the client to the traffic management virtual server. The second response identifies the authentication session. The traffic management virtual server then receives a request from the client with an identifier to the authentication session. | 09-23-2010 |
20100269169 | METHODS AND ARRANGEMENTS FOR SECURITY SUPPORT FOR UNIVERSAL PLUG AND PLAY SYSTEM - The present invention relates to nodes and methods for use in a Universal Plug and Play (UPnP) system to provide support for both UPnP security and mobility of security-aware UPnP nodes. A gateway is arranged to provide remote UPnP nodes with remote access to a UPnP network via the gateway. The gateway comprises means for creating a virtual UPnP node for emulating the internal presence of a remote UPnP node on the UPnP network. The virtual UPnP node is arranged to obtain and store security information associated with the remote UPnP node. The security information specifies how the remote UPnP node is authorized to interact with other UPnP nodes in the UPnP network. The security information may be used to filter messages from the UPnP network to the remote UPnP node. | 10-21-2010 |
20100269170 | RULE GENERALIZATION FOR WEB APPLICATION ENTRY POINT MODELING - A security gateway receives messages, such as URL requests, rejected by a message filter based on a set of rules. The security gateway maintains frequencies with which the messages were rejected by the rules. The security gateway finds rejected messages having a high frequency of occurrence. Since messages having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow similar messages to pass through the gateway. | 10-21-2010 |
20100299740 | SYSTEM AND METHOD FOR REMOTE FORENSIC ACCESS - A system for providing remote access to a storage device ( | 11-25-2010 |
20100299741 | METHOD AND SYSTEM FOR MANAGEMENT OF SECURITY RULE SET - There are provided a method for automated management of an ordered set of security rules implemented at one or more security gateways and a system thereof. The method comprises a) obtaining data characterizing a connectivity request which may become allowable only upon changes to an initial rule set, thus giving rise to an unfitting connectivity request; b) automated searching for a rule within said ordered set of security rules that is the best match to be amended in order to facilitate allowance of the unfitting connectivity request, wherein best matching is defined in accordance with one or more predefined criteria; c) automated generating of an amendment of the best matching rule, said amendment capable of facilitating allowance of the unfitting connectivity request; and d) automated implementing of the generated amendment at one or more relevant security gateways among said one or more security gateways. At least one predefined criterion may be related to extra allowed traffic resulting from the amendment and/or to requested traffic restricted after amendment because of shadowing by one or more rules above the amended rule. | 11-25-2010 |
20100313262 | PROVISIONING REMOTE ACCESS POINTS - Provisioning remote access points for use in a telecommunication network. A remote access point contains identity information established during manufacturing; this identity information may be in the nature of a digital certificate. The identity information is stored in the remote access point, and may be stored in a Trusted Platform Module if present. When the remote access node is powered up in unprovisioned state, outside the manufacturing environment, it attempts to establish an internet connection via a first wired interface, and queries a user for information representing the TCP/IP address of its controller via a second wired interface. Once an internet connection is present, and a TCP/IP address has been provided, the remote access point attempts to connect to the controller at that address. The controller may filter connection requests through a whitelist of approved remote access points. Once a connection is established, controller and access point exchange and verify each other's identities. This may be done through the exchange and verification of digital certificates. Provisioning information is downloaded from controller to remote access point and installed. This may be done via a tunnel such as an encrypted tunnel. Software updates may be applied. The provisioned remote access point is placed in operation. | 12-09-2010 |
20100325718 | Automatic Firewall Configuration - One embodiment of a gateway router is equipped to recognize a trustworthy local server automatically, and to accept certain incoming connections to a local server that the router has recognized as trustworthy. | 12-23-2010 |
20100333187 | SUBSCRIBER BASED POLICY FOR SERVICE NETWORK GATEWAYS - A subscriber network can provide services. External applications can use the services on the subscriber network. A service access gateway can control application access to services of the subscriber network. The service access gateway can filter requests from an external application to access services on the subscriber network based on the customer for which the external application is accessing the service. | 12-30-2010 |
20110023107 | Lifecycle Management Of Privilege Sharing Using An Identity Management System - A method, system and computer-usable medium are disclosed for managing the lifecycle of a shared privileged account. A proxy service is implemented with an Identity Management (IdM) system that defines and manages a plurality of identity services, which in turn manage a plurality of privileged accounts used to access a plurality of managed targets. Each of the identity services is mapped to a privilege group of the proxy service and an ID pool manager is implemented to manage sharing of the privileged accounts. A request is generated to access a managed target with a privileged account. A shared privileges module generates a shared ID authorization account and associates it with the requester. The shared ID authorization account is populated with sign out information for a shared privileged account, which the requester uses to access the corresponding managed target. When use of the shared privileged account is ended, the shared privileges module disassociates the requester with the shared privileged account by deleting the shared ID authorization account. | 01-27-2011 |
20110047610 | Modular Framework for Virtualization of Identity and Authentication Processing for Multi-Factor Authentication - An identity access appliance works in conjunction with the edge network devices and provides the necessary protocol authentication, user authentication statement, authorization summary and its attributes. Besides authentication, these appliances protect the infrastructure against intrusions such as possible authentication vulnerabilities, authentication connection attacks, denial of service attacks, spam and scanning/hacking of credentials in a short span of time, and generate real-time alerts, statistics and reports. | 02-24-2011 |
20110047611 | User Role Mapping in Web Applications - Roles and policies are used to provide display and access to data in a flexible manner. Users and/or web applications can be mapped to user roles that dictate which displays or other application resources are available to the user or application. Roles are assigned to web applications individually, allowing for user roles to be used without requiring an independent mapping of users to roles. In some cases, application roles can be centrally managed, so that presentation systems also avoid the need for an independent mapping of user or application roles. | 02-24-2011 |
20110047612 | Method for Network Access, Related Network and Computer Program Product Therefor - A method of providing access of a mobile terminal to an IP network includes establishing a security association between the mobile terminal and a first security gateway of a first router in said plurality of routers. The mobile terminal is provided access to the IP network via the first router, and the data exchanged between the mobile terminal and the first router is encapsulated by using the security association. The security association is made available to at least one second router having a second security gateway. The mobile terminal is provided access to the IP network via the second router, and data exchanged between the mobile terminal and the second router is encapsulated by using the same security association. Establishing the security association includes assigning a Security Parameter Index that univocally identifies the first security gateway and the security association. Making the security association available to the second router includes making the Security Parameter Index available to the second router. The second router may thus have access to the security association either by requesting it from the first router or by identifying it in a set of security associations sent from the first router to a set of routers that are candidates to become the second router as a result of the mobility of the mobile terminal. | 02-24-2011 |
20110055914 | PERSONAL INFORMATION LEAKAGE PREVENTIVE DEVICE AND METHOD - Conventional service providing systems personalized according to the user's information need to be provided with personal information. Therefore, there has been a problem that personal information might be leaked by service providers. A reliable proxy is installed between a user terminal and a service provider server to manage the personal information on the user. The proxy receives information necessary to create a content from the service provider server, creates a content reflecting the personal information from the information necessary to create the content, and transmits it to the user's terminal. A countermeasure against estimation of personal information is taken even for a request of a user to acquire a sub-content and so forth. | 03-03-2011 |
20110055915 | METHODS OF PROVIDING DIGITAL CONTENT TAILORED TO USERS OF PRIVATE NETWORKS WITHIN A PROTECTED VIRTUAL ENVIRONMENT - A method of communicating valuable digital information to users is provided that utilizes, in some cases, a proxy server to white list significantly greater amounts of information available on the internet to penetrate protective virtual barriers such as firewalls or walled gardens, and in which such digital information is conveyed in a significantly tailored arrangement by assessing more precise geographic location data of the user during the process. | 03-03-2011 |
20110061099 | UPLOAD SECURITY SCHEME - The need for upload security arises during content sharing between users in communication link with each other and a server. In one embodiment, providing the upload security involves the server identifying a mobile device that sends an upload message destined to a user. Providing the upload security further involves the server accessing opt-in parameters predetermined by the user, determining if the identity of the sending mobile device is included in the opt-in parameters, and, if so, allowing the upload to the user's account, otherwise blocking the upload. The opt-in parameters include the identity of mobile devices that are authorized by the user to upload data to the user's account. In one embodiment, the communication link includes a wireless carrier network with capability for security screening of the upload message before it reaches the server based on the identity of the wireless carrier network. | 03-10-2011 |
20110072507 | MULTI-IDENTITY ACCESS CONTROL TUNNEL RELAY OBJECT - In various embodiments, the present disclosure provides a system and method for establishing a secure tunnel between a client device and a remote server utilizing multiple user identities, and in some embodiments, a client device identity, to authenticate access to the remote server. | 03-24-2011 |
20110083174 | Dynamic Network Tunnel Endpoint Selection - Dynamically selecting an endpoint for a tunnel into an enterprise computing infrastructure. A client dynamically selects a gateway (which may alternatively be referred to as a boundary device or server) as a tunnel endpoint for connecting over a public network (or, more generally, an untrusted network) into an enterprise computing infrastructure. The selection is made, in preferred embodiments, according to least-cost routing metrics pertaining to paths through the enterprise network from the selected gateway to a destination host. The least-cost routing metrics may be computed using factors such as the proximity of selectable tunnel endpoints to the destination host; stability or redundancy of network resources for this gateway; monetary costs of transmitting data over a path between the selectable tunnel endpoints and destination host; congestion on that path; hop count for that path; and/or latency or transmit time for data on that path. | 04-07-2011 |
20110088088 | Method of frame blocking for wireless device - A frame blocking method for a wireless device comprises the steps of: receiving a frame; determining if a size of the frame complies with a predetermined size, and if "YES" then proceeding; determining if the frame complies with a predetermined frame format, and if "YES" then proceeding; determining if an IP address contained in the frame is the same as the currently used IP address pre-stored in the client device, and if "NO" then ignoring the frame, if "YES" then handling the frame by normal operations. Therefore, unnecessary frames can be blocked as early as possible so as to save power and improve overall communication quality. | 04-14-2011 |
20110093944 | DETECTING ANOMALOUS WEB PROXY ACTIVITY - A method, system and apparatus for detecting anomalous web proxy activity by end-users are disclosed. The techniques include analyzing records from a web proxy log and determining whether the records contain anomalous end-user activity by inspecting a uniform resource locator and a connect instruction included therein. The techniques also include generating an alert in response to the analysis. | 04-21-2011 |
20110093945 | USER-TYPE HANDLING IN A WIRELESS ACCESS NETWORK - A system, method, and apparatus in an access network such as the Generic Access Network (GAN) for providing user-type information to a Security Gateway (SEGW) or for enabling the SEGW to obtain user-type information for different user types so that the SEGW can apply specific security functions based on the user type. The invention may also provide user-type information to a controller node such as a GAN Controller (GANC) or may enable the GANC to obtain user-type information for application of security settings toward GAN-clients. An Authentication, Authorization and Accounting (AAA) Server may create a user-type indication internally, or may obtain an indication from a Home Location Register and forward the indication to the SEGW. The SEGW may forward the indication to the GANC, or the GANC may determine the user-type information internally or retrieve it from a database. | 04-21-2011 |
20110099620 | Malware Detector - A transparent proxy for malware detection includes a monitor module, a protocol determination module, a challenge generation module, a response determination module, and a data control module. The monitor module examines data originating from an application towards a remote server. The protocol determination module identifies the protocol type used for the data. The challenge generation module produces a challenge for the application based upon the protocol type, sends the challenge to the application, and maintains a state related to the data and the challenge. The response determination module determines whether an automatic, non-interactive application response is received from the application in response to the challenge. The data control module allows the data to continue to the remote server when the determination is valid. The data control module reports malware detection and blocks the data from continuing to the remote server when the determination is invalid. | 04-28-2011 |
20110107413 | METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR PROVIDING A VIRTUAL PRIVATE GATEWAY BETWEEN USER DEVICES AND VARIOUS NETWORKS - A communication network is operated by receiving traffic from a user device at a gateway device associated with a gateway service provider, which manages gateways to both secure and insecure networks. The gateway uses security policies to determine if traffic is destined to the secure or insecure network and applies appropriate policies which cause the traffic to be routed, dropped, or analyzed. | 05-05-2011 |
20110119748 | VIRTUAL COMPUTING INFRASTRUCTURE - A system has a virtual overlay infrastructure mapped onto physical resources for processing, storage and network communications, the virtual infrastructure having virtual entities for processing, storage and network communications. Virtual infrastructures of different users share physical resources but are isolated and have their own management entities. An interface between infrastructures allows controlled relaxation of the isolation, using a gateway between virtual nets, or shared virtual storage devices. This can allow businesses to share data or applications, while maintaining control of security. | 05-19-2011 |
20110119749 | SYSTEM AND METHOD FOR FILTERING SIP-BASED SPAM - A system for filtering SIP (Session Initiation Protocol)-based spam includes a spam detection unit for receiving a SIP message where labeling is performed from a sending user agent and detecting the spam using a label in the SIP message. Further, the system includes a spam checking unit for checking a call recipient from the SIP message and confirming a spam policy previously set by the call recipient through a spam management server; and a spam filtering unit for filtering the spam based on the confirmed spam policy. | 05-19-2011 |
20110119750 | METHOD FOR IMPROVING NETWORK APPLICATION SECURITY AND THE SYSTEM THEREOF - A method for improving network application security and the system thereof are disclosed in the invention, relating to the field of information security. The method includes: a proxy server in a customer terminal host receives a protocol message, generated and sent by the customer terminal software according to the information input by a user, obtains the protocol content after parsing the protocol message, and determines whether critical information is included in the protocol content; if it is, the server sends the protocol content to the smart key device. The smart key device obtains the critical information by parsing the protocol content and presents it to the user, and after confirmation information is obtained from the user, the smart key device signs the protocol content and sends the signature result to the server; the server then generates a new protocol message to an application server according to the signature result and the protocol content. If an error confirmation is received from the user, or no confirmation is received within a predetermined time period, the smart key device performs exception handling. The system includes a smart key device and a proxy server in the customer terminal host. The invention improves network application security on the premise of no change to the customer terminal, and it is usable and compatible. | 05-19-2011 |
20110119751 | SYSTEM AND METHOD FOR REGULATING COMMUNICATIONS TO OR FROM AN APPLICATION - The flow of information to or from an application on a host machine is regulated by a trusted agent operating in conjunction with at least one security element, such as a firewall or a policy server. When a communication to or from the application is detected by the trusted agent, the trusted agent gathers information about the attempted communication, and formulates and sends a message based upon the gathered information to at least one security element. The security element makes a decision to permit or block at least part of the attempted communication based upon the message received from the trusted agent. | 05-19-2011 |
20110126276 | CROSS PLATFORM GATEWAY SYSTEM AND SERVICE - A method, system, and apparatus for delivering content to a user of a registered platform are provided. Assets retrieved from a number of content sources may be stored on a database at a service provider. Information related to a number of content items retrieved from the assets may be presented to the user of the registered platform. In response to a request from the user, a content item associated with a content source may be delivered to the user without a need for user authentication. | 05-26-2011 |
20110131645 | LOAD BALANCING AND FAILOVER OF GATEWAY DEVICES - Methods and systems for load balancing and failover among gateway devices are disclosed. One method provides for assigning communication transaction handling to a gateway. The method includes receiving a request for a license from a computing device at a control gateway within a group of gateway devices including a plurality of gateway devices configured to support communication of cryptographically split data. The method also includes assigning communications from the computing device to one of the plurality of gateway devices based on a load balancing algorithm, and routing the communication request to the assigned gateway device. | 06-02-2011 |
20110145910 | PORT TAPPING FOR SECURE ACCESS - Secure access in a computing environment is provided. One implementation involves a client generating a sequence for tapping server ports, and the client identifying itself to the server by tapping the server ports based on the sequence. The server verifies if the tapping sequence is correct. If the tapping sequence is correct, access is provided from the client to the server. | 06-16-2011 |
20110154474 | METHOD, DEVICE, AND COMPUTER PROGRAM PRODUCT FOR DIFFERENTIATED TREATMENT OF EMAILS BASED ON NETWORK CLASSIFICATION - Method, device, and computer program product are provided for differentiated treatment of incoming and outgoing emails based on a network server. A server receives a query from a gateway, and the query includes information about an email received by the gateway. The server obtains rules for processing the email of the query. The server determines an identity for the email based on the rules for processing the email. The server transmits the identity to the gateway to cause the gateway to send the email having the identity to a post office server. The email having the identity is configured to cause the post office server to process the email based on the identity. | 06-23-2011 |
20110191844 | TECHNIQUES FOR MANAGING SECURITY IN NEXT GENERATION COMMUNICATION NETWORKS - Disclosed techniques provide enhanced security for a communications network. Access terminal devices intended for operation via the network are expected to have security agent functionality, e.g. in the form of security agent software loaded into or otherwise enabled on each of the access terminal devices. Registration procedures include verification that such an agent is present/enabled on an access terminal and that the agent currently implemented on the terminal device provides adequate security for the communications network against malicious traffic from that device. | 08-04-2011 |
20110197272 | Low-Latency Detection of Scripting-Language-Based Exploits - Systems and methods for protecting client computers are described. One method includes receiving webpage data at a proxy from a webpage before the data reaches an intended recipient; gathering scripting-language data from the webpage data; normalizing the scripting-language data so as to generate normalized data; emulating execution of the normalized scripting-language data with an inspection-point script-execution engine that is adapted to provide inspection points instead of effectuating particular functions; and determining whether to block the data from the intended recipient by analyzing inspection data collected from the inspection points. | 08-11-2011 |
20110209211 | MULTI-STAGE POLLING MECHANISM AND SYSTEM FOR THE TRANSMISSION AND PROCESSING CONTROL OF NETWORK RESOURCE DATA - A method and corresponding system for coordinating submission of network resource data across a first network to a network resource located on a second network, the second network being coupled to the first network by a firewall such that the second network has a higher level of trust than that of the first network, the method comprising the steps of: receiving and storing in a storage the network resource data submitted by a network terminal coupled to the first network, the network resource data containing a network resource identifier for associating the network resource data with the network resource; receiving and storing in the storage control data associated with the network resource data, the control data for coordinating one or more actions on the network resource data; receiving a first poll message initiated through the firewall by a polling server located on the second network, the first poll message requesting stored network resource data containing the network resource identifier and forwarding the network resource data matching the network resource identifier to the polling server; and receiving a second poll message initiated through the firewall by the polling server, the second poll message requesting stored data matching the control data associated with the network resource data and forwarding the matched control data to the polling server. | 08-25-2011 |
20110231927 | Internet Mediation - Systems and methods for a user to personalize Internet content from an Internet service provider using selected policy applications. The policy applications may be discrete, single purpose applications. The system may be controlled from home gateways and remote devices. | 09-22-2011 |
20110231928 | SYSTEMS AND METHODS OF CONTROLLING NETWORK ACCESS - A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device. | 09-22-2011 |
20110239289 | System and Method to Associate a Private User Identity with a Public User Identity - The inventive system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user's public user identity used to access the public application, the user's private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record. If they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record. | 09-29-2011 |
20110239290 | SECURE SHARING OF TRANSPORT LAYER SECURITY SESSION KEYS WITH TRUSTED ENFORCEMENT POINTS - Embodiments of the present invention address deficiencies of the art in respect to security enforcement point operability in a TLS secured communications path and provide a novel and non-obvious method, system and computer program product for the secure sharing of TLS session keys with trusted enforcement points. In one embodiment of the invention, a method for securely sharing TLS session keys with trusted enforcement points can be provided. The method can include conducting a TLS handshake with a TLS client to extract and decrypt a session key for a TLS session with the TLS client traversing at least one security enforcement point. The method further can include providing the session key to a communicatively coupled key server for distribution to the at least one security enforcement point. Finally, the method can include engaging in secure communications with the TLS client over the TLS session. | 09-29-2011 |
20110271339 | COMPUTERS AND MICROCHIPS WITH MULTIPLE INTERNAL HARDWARE FIREWALLS - An apparatus for a network of computers is presented. A plurality of inner firewalls operate within a personal computer. The personal computer operates in a network of computers and includes at least one microprocessor and at least two memory components. The plurality of inner firewalls deny access to a first memory component of the personal computer by another computer through a network connection with the personal computer during a shared operation. The plurality of inner firewalls also allow access to a second memory component of the personal computer by the other computer through the network connection with the personal computer during the shared operation. | 11-03-2011 |
20110289579 | UNIFIED CONTENT SCANNING AND REPORTING ENGINE - A method of unified content scanning in which content is deconstructed into base formats so as to be presented to content filters in a common format. The base formats include text, image and audio. The invention also includes a system of unified content scanning and a gateway appliance embodying the method of unified content scanning. | 11-24-2011 |
20110289580 | NETWORK SECURITY SYSTEM AND REMOTE MACHINE ISOLATION METHOD - In a thin client system in which clients are connected to remote machines via a network so as to implement transactions, a remote machine infected with a virus is isolated from the network in response to a user's instruction on each client whilst communication settings minimally required for transactions are maintained. That is, a request issue agent issues an isolation request in response to a user input, so that a request execute agent changes communication settings of the remote machine in response to the isolation request. In an isolated state of a remote machine isolated from the network, a management server is allowed to change network settings regarding the remote machine with reference to a disconnection setting file, which stores communication settings minimally required for the remote machine in advance. | 11-24-2011 |
20110296517 | METHOD AND APPARATUS FOR PROVIDING REACTIVE AUTHORIZATION - An approach is provided for providing reactive authorization for accessing a semantic network resource. An access application of a resource owner entity detects an authorization proxy entity acting between at least a semantic network resource and a requesting entity that requests access to the semantic network resource. The access application determines to cause, at least in part, actions that result in transmission of a query for whether to accept the requesting entity to an owner entity of the semantic network resource. | 12-01-2011 |
20110307950 | Net-Based Email Filtering - A local gateway device receives email across the internet from a sender of the email and forwards it across the internet to an email filtering system. The email filtering system analyzes the email to determine whether it is spam, phishing or contains a virus and sends it back to the local gateway device along with the filtering determination. The local gateway device forwards the received email and the filtering determination to a local junk store which handles the email appropriately. For example, if the email has been determined to be spam, phishing or containing a virus, the junk store can quarantine the email, and if the email has been determined to be non-spam and/or not phishing and/or not containing a virus, the junk store can forward the email to a local mail server for delivery. | 12-15-2011 |
20110307951 | SYSTEM AND METHOD FOR BLOCKING THE TRANSMISSION OF SENSITIVE DATA USING DYNAMIC DATA TAINTING - Blocking transmission of tainted data using dynamic data tainting is described. For example, sensitive information is stored on a client device as tainted data. The client device generates a data request for retrieving data from a non-trusted entity via a network. A gateway is communicatively coupled to the client device and the network. The gateway receives computer code from the non-trusted entity via the network. The gateway executes the computer code. The gateway tracks the execution of the computer code to determine whether the computer code attempts to access tainted data and transmit the tainted data to an outside entity. The gateway blocks the transmission of the tainted data to the outside entity responsive to determining that the computer code has attempted to access tainted data and transmit the tainted data to an outside entity. | 12-15-2011 |
20110314536 | System and Method for Testing Functionality of a Firewall - Described are computer-based methods and apparatuses, including computer program products, for testing functionality of a firewall. Testing the functionality of the firewall can include a method. The method can include selecting a plurality of valid message types, generating a percentage of valid and invalid messages from the plurality of valid message types, transmitting the plurality of valid and invalid messages to the firewall, receiving an indication of the firewall's handling of valid and invalid messages based on the transmitted message, and determining the functionality of the firewall from the received indication. | 12-22-2011 |
20110321152 | TRUSTED INTERMEDIARY FOR NETWORK LAYER CLAIMS-ENABLED ACCESS CONTROL - Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the intermediary requests the claims and submits the claims for an access control decision, the network resource (e.g., a server application) need not be configured to process claims information. | 12-29-2011 |
20120005742 | METHOD AND SYSTEM FOR HANDLING SECURITY IN AN IP MULTIMEDIA GATEWAY - An IP multimedia gateway (IMG) may be operable to identify a client device which may not currently possess a security capability that is compatible with a security capability of a service manager for receiving a service from the service manager. A security process between the client device and the service manager may be enabled by the IMG to enable the client device to receive the service from the service manager. The client device may be local to the IMG or remote with respect to the IMG. The IMG may enable an authentication process between the client device and the service manager by performing authentication translation. The IMG may enable a cryptography process between the client device and the service manager by performing cryptography translation. The IMG may enable an authorization process for authorizing the client device to access a particular content by performing access control conversion. | 01-05-2012 |
20120011581 | SECURE NETWORK RESOURCE ACCESS SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 01-12-2012 |
20120011582 | SECURE NETWORK RESOURCE ACCESS SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 01-12-2012 |
20120011583 | SECURE NETWORK RESOURCE ACCESS SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 01-12-2012 |
20120023569 | SECURE NETWORK RESOURCE ACCESS SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 01-26-2012 |
20120023570 | WEB VPN - Web-based VPN system and corresponding service. The inventive web VPN system/service could be accessed by the users using only a conventional web browser without the need to install any specialized VPN client software on the user terminal, as is the case with conventional VPN systems. User's terminal could be a user's desktop computer, notebook or a mobile device, such as a cell phone or a PDA, or any other computing platform whatsoever, used by the user to access various network resources, such as web pages. One aspect is a web VPN service that encrypts, using, for example, SSL encryption, all web traffic going between the user's terminal and the Internet. System comprises a VPN server/proxy and an associated web server accessible by the user via a communication network, such as Internet. The web server associated with the VPN server/proxy communicates with the latter and enables the user to access and use the functionality provided by the private VPN server/proxy by means of a conventional web browser installed on the user's terminal. | 01-26-2012 |
20120023571 | IDENTITY-BASED-ENCRYPTION MESSAGE MANAGEMENT SYSTEM - Systems and methods for managing email are provided. Some of the email may be encrypted using identity-based-encryption (IBE) techniques. When an incoming IBE-encrypted message for a recipient in an organization is received by a gateway at the organization, the gateway may request an IBE private key from an IBE private key generator. The IBE private key generator may generate the requested IBE private key for the gateway. The gateway may use an IBE decryption engine to decrypt the incoming message. The decrypted message can be scanned for viruses and spam and delivered to the recipient. Outgoing email messages can also be processed. If indicated by message attributes or information provided by a message sender, an outgoing message can be encrypted using an IBE encryption engine and the IBE public key of a desired recipient. | 01-26-2012 |
20120030749 | DYNAMIC LOAD REDISTRIBUTION AMONG DISTRIBUTED SERVERS - Embodiments are directed to redistributing authentication requests among a plurality of authentication servers and to centrally managing authentication affinities among distributed servers using a secure channels affinity service. A computer system instantiates a secure channel management service configured to manage secure channel connections. The secure channel management service receives state inputs from currently deployed authentication servers. The authentication servers may be configured to queue authentication requests for transmission to authentication servers. The computer system determines that, based on the received state input, at least one of the secure channels is to be remapped to a different authentication server. The computer system also remaps the determined secure channels to distribute future authentication requests among the authentication servers. In some cases, the current state of an authentication proxy server is embedded in communications transmitted by the authentication server, such that the secure channel connections are managed using the embedded state information. | 02-02-2012 |
20120060211 | Detecting Secure or Encrypted Tunneling in a Computer Network - Aspects of the present disclosure relate to a computer assisted method for detecting encrypted tunneling or proxy avoidance which may include electronically receiving information from a proxy server, extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information, determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds and attempting to negotiate a standard HTTPS session with each of the at least one destination. Further, the computer assisted method may further include, for each of the at least one destination, determining whether the destination is hosting an encrypted tunneling or proxy avoidance application, wherein such a determining may be based on characteristics of a Secure Socket Layer (SSL) certificate associated with the destination or a response received from the destination over a TCP/IP connection. | 03-08-2012 |
20120084852 | Walled Garden System for Providing Access to One or More Websites that Incorporate Content from Other websites and Method Thereof - A cleared sites list includes one or more hostname descriptors. A firewall includes rules associated with a cleared IP list including cleared IP addresses, and permits transfer of a cleared HTTP request from a user device to a cleared destination IP address that matches one of the cleared IP addresses. A controller examines a non-cleared HTTP request from the user device to a non-cleared destination IP address that does not match one of the cleared IP addresses, and acts as a transparent proxy between the user device and the non-cleared destination IP address when a destination host header of the non-cleared HTTP request matches a hostname descriptor of the cleared sites list. The controller further acts as a transparent proxy between the user device and the non-cleared destination IP address when a referrer header of the non-cleared HTTP request matches a hostname descriptor of the cleared sites list. | 04-05-2012 |
20120096538 | DYNAMIC MOBILE STREAMING APPLICATION SUPPRESSION - A method performed by a network device may include obtaining an Internet Protocol address and a user device identifier associated with a user device, determining that the obtained user device identifier does not match a previous user device identifier associated with the obtained Internet Protocol address, and monitoring packets destined for the obtained Internet Protocol address to determine whether the packets are associated with a streaming application, based on determining that the obtained user device identifier does not match the previous user device identifier. The method may further include detecting a packet destined for the obtained Internet Protocol address, where the packet is associated with a streaming application and where the packet is received from a particular network device and signaling the particular network device to stop sending packets associated with the streaming application and destined for the obtained Internet Protocol address. | 04-19-2012 |
20120102562 | SECURING NETWORK COMMUNICATIONS WITH LOGICAL PARTITIONS - Embodiments of the present invention provide methods, systems, and computer program products that enable secure network communications with logical partitions. A gateway between a physical network adapter and at least one virtual network trunk adapter receives a packet. The gateway tags the packet with an indication of an origin of the packet. The gateway delivers the tagged packet to an intrusion prevention system for intrusion analysis. When the gateway receives the tagged packet from the intrusion prevention system, the gateway forwards the tagged packet according to the indication of origin of the tagged packet. | 04-26-2012 |
20120110655 | DATA TRANSMISSION MANAGEMENT SERVER AND METHOD - A data transmission management server for managing a terminal device to access a network resource providing server by a source gateway in a virtual private network (VPN) obtains current resource information of a plurality of gateways in the VPN periodically. The data transmission management server selects one from the gateways as a destination gateway according to the resource information, transmits an internet protocol address of the destination gateway to the source gateway to make the source gateway establish a secure communication tunnel to the selected destination gateway and access the network resource providing server over the secure communication tunnel. | 05-03-2012 |
20120117641 | METHODS AND APPARATUSES FOR PROVIDING INTERNET-BASED PROXY SERVICES - A proxy server receives, from multiple visitors of multiple client devices, a plurality of requests for actions to be performed on identified network resources belonging to a plurality of origin servers. At least some of the origin servers belong to different domains and are owned by different entities. The proxy server and the origin servers are also owned by different entities. The proxy server analyzes each request it receives to determine whether that request poses a threat and whether the visitor belonging to the request poses a threat. The proxy server blocks those requests from visitors that pose a threat or in which the request itself poses a threat. The proxy server transmits the requests that are not a threat and are from a visitor that is not a threat to the appropriate origin server. | 05-10-2012 |
20120124660 | VIRTUAL PRIVATE NETWORK NODE INFORMATION PROCESSING METHOD, RELEVANT DEVICE AND SYSTEM - A Virtual Private Network (VPN) node information processing method and a VPN node information processing device are provided, in which the method comprises: receiving an access request message sent by a node, in which the access request message at least carries authentication information, a current real Internet Protocol (IP) address, a node name and information indicating whether to accept extranet connection of the node; allocating a virtual IP address for the node when the authentication information of the node is correct; and registering the current real IP address, the node name, the information indicating whether to accept the extranet connection, and the virtual IP address of the node as registration information. Through the method and the device, when a node is added into a VPN, configuration of other nodes does not need to be adjusted. | 05-17-2012 |
20120137357 | SYSTEM AND METHOD FOR TESTING NETWORK FIREWALL FOR DENIAL-OF-SERVICE (DOS) DETECTION AND PREVENTION IN SIGNALING CHANNEL - A device may measure a first performance, associated with legitimate traffic without attack traffic, of a Session Initiation Protocol (SIP)-based protection device implementing authentication; measure a second performance, associated with legitimate traffic and attack traffic, of the SIP-based protection device implementing authentication; and measure a third performance, associated with legitimate traffic and attack traffic, of the SIP-based protection device implementing authentication and return routability filtering. The device may also measure a first performance associated with legitimate traffic of a Session Initiation Protocol (SIP)-based protection device implementing rate-limiting filtering; measure a second performance associated with legitimate traffic and attack traffic of the SIP-based protection device implementing scheme filtering; and measure a third performance associated with legitimate traffic of the SIP-based protection device not implementing rate-limiting filtering without attack traffic. | 05-31-2012 |
20120159606 | CODE DOMAIN ISOLATION - A method for achieving code domain isolation. A first set of data is received in a first domain format. The first set of data is changed to a second domain format. The first set of data in the second domain format is captured. The first set of data in the second domain format is changed to a third domain format. The first set of data in the third domain format is prepared for receipt by a user computer system. | 06-21-2012 |
20120192263 | ACCESS GATEWAY AND METHOD FOR PROVIDING CLOUD STORAGE SERVICE - An access gateway establishes a link with at least one terminal device via a user interface module, and obtains a cloud storage service list from a backend server. The access gateway selects one cloud storage service from the cloud storage service list, and authenticates one cloud storage service provider server corresponding to the selected cloud storage service to obtain a backend uniform resource locator (URL). The access gateway downloads backend software from the one cloud storage service provider server according to the backend URL, and installs the backend software. The access gateway provides cloud storage service from the one cloud storage service provider server to the at least one terminal device according to the installed backend software. | 07-26-2012 |
20120204252 | SYSTEM AND METHOD FOR ENABLING VPN-LESS SESSION SETUP FOR CONNECTING MOBILE DATA DEVICES TO AN ENTERPRISE DATA NETWORK - A mobile application gateway configured to interconnect mobile communication devices on a cellular network with an enterprise network is provided. The mobile application gateway includes a voice and data signaling gateway configured to provide routing functionalities, service functionalities and admission control. A gateway GPRS support node (GGSN) is configured to establish a secure data session between one or more of the mobile communication devices and the enterprise network by establishing a GPRS tunneling protocol (GTP) tunnel between a carrier-hosted serving GPRS support node (SGSN) and the GGSN. | 08-09-2012 |
20120204253 | METHOD AND APPARATUS FOR EXCHANGING DATA BETWEEN A USER EQUIPMENT AND A CORE NETWORK VIA A SECURITY GATEWAY - The present invention concerns a method and an apparatus for exchanging data between a user equipment and a core network via a security gateway. The invention concerns the establishment of an inactive pair of tunnel mode security associations between the UE and the security gateway, as well as the application of the pair of security associations when the UE detects attachment to or need to attach to an untrusted access network. | 08-09-2012 |
20120210417 | DISTRIBUTED FIREWALL ARCHITECTURE USING VIRTUAL MACHINES - A distributed firewall of a gateway device includes at least one IO module for performing IO functionality of the distributed firewall, at least one security processing module for performing security functionality of the distributed firewall and a firewall controller for managing the IO module and the security processing module. Each of the at least one IO and security processing modules is executed within a virtual machine. In response to a packet received from an ingress interface, the at least one IO module is to identify a security processing module corresponding to a connection session associated with the packet, to transmit the packet to the identified security processing module to perform a security process on the packet, and in response to a signal received from the identified security processing module indicating that the security process has been completed, to transmit the packet to the egress interface. | 08-16-2012 |
20120216271 | SYSTEM AND METHOD FOR INTERLOCKING A HOST AND A GATEWAY - A method is provided in one example embodiment and includes exchanging a session descriptor associated with a network connection and an application on a host, correlating the session descriptor with a network policy, and applying the network policy to the network connection. In alternative embodiments, the session descriptor may be exchanged through an out-of-band communication channel or an in-band communication channel. | 08-23-2012 |
20120216272 | ROUTING VOIP CALLS THROUGH MULTIPLE SECURITY ZONES - Call setup signaling is performed across at least a first security zone, a second security zone, and a third security zone to set up a call. At least one gate is then established between the first security zone and the third security zone to enable traffic flow for the call between the first security zone and the third security zone. | 08-23-2012 |
20120222107 | METHOD AND APPARATUS FOR PROVIDING PROXY-BASED ACCESS CONTROLS - An approach is provided for proxy-based access controls. A proxy platform causes, at least in part, designation of at least one monitoring client of a proxy server. The proxy platform receives an input for associating one or more accessing clients with the at least one monitoring client. The at least one monitoring client manages access to one or more resources of the proxy server by the one or more accessing clients. | 08-30-2012 |
20120227101 | Method for providing media communication across firewalls - The present invention supports a method for transmitting information packets across network firewalls. A trusted entity is provisioned with an address designation for a pinhole through the firewall during setup of a communication session between two communication devices. This pinhole address is used throughout the communication session between the two communication devices to transmit information packets onto and out of the communication network. | 09-06-2012 |
20120240213 | GATEWAY DEVICE AND METHOD FOR USING THE SAME TO PREVENT PHISHING ATTACKS - A gateway device that is in electronic connection with at least one client computer, a first domain name system (DNS) server located in a first communication network, and a second DNS server located in a second communication network separated from the first communication network. When a domain name is transmitted to both the first DNS server and the second DNS server, the first DNS server and the second DNS server respectively resolve the domain name into two groups of internet protocol (IP) addresses, and the gateway device compares the two groups of IP addresses with each other to select one of the two groups of IP addresses that is identified as all IP addresses of which are safe, and allows the client computer to access websites within the first communication network via the selected group of IP addresses to prevent the client computer from phishing attacks. | 09-20-2012 |
20120240214 | SYSTEM, METHOD OF AUTHENTICATING INFORMATION MANAGEMENT, AND COMPUTER-READABLE MEDIUM STORING PROGRAM - In response to a service request designating a service identifier, a proxy server reads out at least two processing system identifiers corresponding to the designated service identifier from a first storage unit, and transmits an acquisition request containing the read-out at least two processing identifiers to a management server. The management server acquires respective authentication information items corresponding to the at least two processing identifiers contained in the received acquisition request from a second storage unit, and transmits the acquired authentication information items to the proxy server. The proxy server transmits user authentication requests for respective processing systems containing the received authentication information items to the at least two processing systems, respectively. | 09-20-2012 |
20120246711 | PORTABLE MULTI-MEDIA AUTOMATIC AUTHENTICATING ROUTER AND METHOD FOR AUTOMATICALLY ROUTING STORED DATA - A computer program product and automatic authenticating router device for automatically routing stored data from a single device to at least one remote storage location is provided. The router device includes the computer program product. The computer program product includes a computer readable medium bearing software instructions for enabling predetermined operations. The predetermined operations include detecting an availability of a proximal network; automatically establishing a connection with the at least one remote storage device based on the availability of the proximal network; automatically recognizing a data type of a data file stored on the single device; associating routing information with the data file based on the data type; and automatically uploading the data file from the single device to the remote storage device based on the routing information. | 09-27-2012 |
20120254977 | METHOD, DEVICE, AND SYSTEM FOR NETWORK ATTACK PROTECTION - The present invention discloses a method for network attack protection, a device, and a system thereof. The method includes: receiving information about an attack source, in which the information about the attack source carries address information about an attacker; obtaining address information about a gateway corresponding to the attacker according to the address information about the attacker and a preset mapping relationship between the attacker and the gateway corresponding to the attacker; and sending a first control message to the gateway corresponding to the attacker according to the address information about the gateway corresponding to the attacker, wherein the first control message instructs the gateway corresponding to the attacker to control traffic of the attacker. The present invention may be used on a communications network to prevent the attacker from attacking victim hosts on the network from the root, and to avoid blockage on the upstream network of the victim hosts. | 10-04-2012 |
20120254978 | POLICY-BASED CONTENT FILTERING - Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a network connection is redirected by a networking subsystem implemented within a kernel of an operating system of a firewall device to a proxy module within the firewall device that is configured to support a network service protocol associated with the network connection. The proxy module retrieves one or more content processing configuration schemes associated with a matching firewall policy for the network service protocol and the network connection. The content processing configuration schemes each include multiple content processing configuration settings for each of one or more network service protocols. Application-level content of a packet stream associated with the network connection is then processed by the proxy module reassembling the application-level content from multiple packets of the packet stream and scanning the application-level content based on the retrieved content processing configuration schemes. | 10-04-2012 |
20120266231 | Secure Network Cloud Architecture - Apparatuses, computer readable media, methods, and systems are described for requesting creation of a virtual machine (VM) in a cloud environment comprising a virtual private cloud. Through various communications between a cloud DMZ, cloud provider, and/or company's network, a VM instance may be securely created, initialized, booted, unlocked, and/or monitored through a series of interactions building, in some examples, upon a root of trust. | 10-18-2012 |
20120278877 | Takeover Processes In Security Network Integrated With Premise Security System - An integrated security system is described comprising a gateway located at a first location. The gateway includes a takeover component that establishes a coupling with a first controller of a security system installed at the first location. The security system includes security system components coupled to the first controller. The takeover component automatically extracts security data of the security system from the first controller. The gateway automatically transfers the security data extracted from the controller to a second controller. The second controller is coupled to the security system components and replaces the first controller. | 11-01-2012 |
20120304276 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR ADAPTIVE ASSIGNMENT OF AN ACTIVE SECURITY ASSOCIATION INSTANCE IN A REDUNDANT GATEWAY CONFIGURATION - According to one aspect, the subject matter described herein includes a method for communicating an encrypted data packet. The method includes steps occurring at a first gateway node. The method also includes receiving a data packet from a first host. The method further includes determining that a first security association (SA) instance associated with the data packet is in an inactive state. The method further includes identifying a second SA instance that is both associated with the data packet and in an active state. The method further includes forwarding the data packet to the second SA instance. | 11-29-2012 |
20120304277 | System and Method for Building Intelligent and Distributed L2 - L7 Unified Threat Management Infrastructure for IPv4 and IPv6 Environments - A security gateway appliance is configured to evaluate network traffic according to security rules that classify traffic flows according to specifically identified application programs responsible for producing and/or consuming the network traffic and to enforce policies in accordance with network traffic classifications. The appliance includes an on-box anti-virus/anti-malware engine, on-box data loss prevention engine and on-box authentication engine. One or more of these engines is informed by an on-box dynamic real-time rating system that allows for determined levels of scrutiny to be paid to the network traffic. Security gateways of this type can be clustered together to provide a set of resources for one or more networks, and in some instances as the backbone of a cloud-based service. | 11-29-2012 |
20120311691 | SYSTEMS AND METHODS FOR DECOY ROUTING AND COVERT CHANNEL BONDING - Systems, methods, and devices for decoy routing and covert channel bonding are described. The decoy routing system includes a client computing device, a decoy router, and a decoy proxy such that packets addressed to a decoy destination are re-routed by the decoy router to a covert destination via the decoy proxy. The decoy routing method may be applied to a covert channel bonding process, in which a plurality of packet data streams are sent to one or more decoy destinations, re-routed appropriately via one or more decoy routers and/or decoy proxies, and assembled together into a single packet data stream at either a decoy proxy, or a final covert destination. | 12-06-2012 |
20120317637 | COMMUNICATION BETWEEN PRIVATE NETWORK AND PUBLIC NETWORK - A first device in a private network is assigned a public network address that is shared in the private network, and a port number range that uniquely identifies the first device in the private network. The first device sends a network device an outgoing packet which is intended for a second device in the public network. The outgoing packet includes the assigned public network address as a source network address, a port number within the assigned port number range as a source port number, and a public network address of the second device as a destination network address. The packet is transmitted by the network device to the second device, according to the destination network address. | 12-13-2012 |
20120324565 | NEURAL NETWORK DATA FILTERING AND MONITORING SYSTEMS AND METHODS - Systems and methods are disclosed for filtering data in a neural network environment to filter out inappropriate content. In some embodiments, a data signal including a sensible representation is received. The sensible representation included in the data signal is produced in a sensible format. From the sensible representation in the sensible format, a clean copy of the sensible representation can be generated such that any inappropriate content present within the received data signal is not reproduced in the clean copy. Optionally, additional filtering can occur before and/or after the generating of the clean copy. The (filtered) clean copy of the sensible representation is sent to a network. Embodiments can permit the filtering of input to and/or output from a network. | 12-20-2012 |
20120324566 | Takeover Processes In Security Network Integrated With Premise Security System - An integrated security system is described comprising a gateway located at a first location. The gateway includes a takeover component that establishes a coupling with a first controller of a security system installed at the first location. The security system includes security system components coupled to the first controller. The takeover component automatically extracts security data of the security system from the first controller. The gateway automatically transfers the security data extracted from the controller to a second controller. The second controller is coupled to the security system components and replaces the first controller. | 12-20-2012 |
20120324567 | Method and Apparatus for Home Network Discovery - Methods of remotely discovering information of hosts connected to a local area network (LAN) are provided. Electronic communications sent from a gateway behind which the LAN is configured are received by a remote server connected to a wide area network (WAN). The electronic communications include information of a list of hosts connected to the LAN, a log of LAN events, or diagnostic data concerning the LAN. Apparatus for remotely discovering information of hosts or devices connected to a LAN behind a gateway are also disclosed. | 12-20-2012 |
20130007871 | MIGRATING CONFIGURATION INFORMATION BASED ON USER IDENTITY INFORMATION - Techniques are provided for the configuration of a home-networking system. Home-networking configuration information may be stored on a host system in a manner accessible to the home-networking system and migrated to a home-networking gateway or router that has not yet been configured. Wireless configuration information may be stored on a home-networking gateway or router and used to configure one or more wireless access points through the use of a physical connection, such as a wired communications pathway. One or more wireless home-networking devices may be configured based on wireless configuration information stored in a central repository on a host system or a home-networking system. The wireless configuration information may be accessible only through the use of a security code. | 01-03-2013 |
20130024928 | SECURE NETWORK COMMUNICATIONS FOR METERS - A system and method are provided for secure network communications. A proxy server receives meter data, from a meter of a set of meters via a local network, for an energy management server. The proxy server uses secure communications to send the meter data via a non-secure network to the energy management server. | 01-24-2013 |
20130047249 | Method And Apparatus For Token-Based Packet Prioritization - According to one embodiment, an apparatus may receive a hard token that identifies a device and a subject token indicating that a user is a high priority user. The subject token may include a user identifier associated with the high priority user. The apparatus may apply a token-based rule that facilitates packet prioritization in response to receiving the subject token. In response to applying the token-based rule, the apparatus may communicate a notification token to at least one network component. The notification token may include the user identifier associated with the high priority user, the device identifier associated with the device, and instructions to prioritize any packet communications associated with the user identifier or the device identifier. The apparatus may then communicate at least one token to facilitate the provisioning of a container to the device associated with the high priority user. | 02-21-2013 |
20130074174 | FIREWALL ACCESS CONTROL WITH BORDER GATEWAY PROTOCOL ATTRIBUTES - Packets are routed from at least one internet protocol (IP) address in accordance with border gateway protocol (BGP); while carrying out the routing in accordance with the border gateway protocol (BGP), at least one border gateway protocol (BGP) attribute associated with the at least one internet protocol (IP) address is noted. A firewall policy is applied to the packets from the at least one internet protocol (IP) address based on the at least one border gateway protocol (BGP) attribute associated with the at least one internet protocol (IP) address. Techniques may be implemented, for example, on a router or on a separate firewall device coupled to a router. | 03-21-2013 |
20130074175 | Methods, Systems, and Computer Program Products for Protecting Against IP Prefix Hijacking - A communication network is operated by identifying at least one potential hijack autonomous system (AS) that can be used to generate a corrupt routing path from a source AS to a destination AS. For each of the at least one potential hijack AS the following operations are performed: identifying at least one regional AS that is configured to adopt the corrupt routing path from the source AS to the destination AS and determining a reflector AS set such that, for each reflector AS in the set, a source AS to reflector AS routing path and a reflector AS to destination AS routing path do not comprise any of the at least one regional AS. A reflector AS is then identified that is common among the at least one reflector AS set responsive to performing the identifying and determining operations for each of the at least one potential hijack AS. | 03-21-2013 |
20130091560 | SEAMLESS DATA NETWORKING - A roaming client in communication with an enterprise site through a virtual private network (VPN) gateway maintains an address for a virtual network interface upon becoming a resident client at the enterprise site. A physical interface for the resident client includes two valid addresses. Seamless data networking is achieved while promoting routing efficiency by reducing the amount of local traffic addressed to and from the virtual address that is unnecessarily routed through VPN gateways. | 04-11-2013 |
20130104222 | NETWORK RESOURCE CONTROL SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 04-25-2013 |
20130104223 | NETWORK RESOURCE COMMUNICATION SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 04-25-2013 |
20130104224 | NETWORK RESOURCE COMMUNICATION SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 04-25-2013 |
20130104225 | SECURE NETWORK RESOURCE ACCESS SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 04-25-2013 |
20130104226 | METHOD AND SYSTEM FOR SECURING A THIRD PARTY COMMUNICATION WITH A HOSTING WEB PAGE - A method and system for securing hosting web pages from malicious third party modules. The method includes uploading a third party module to a hosting web page; validating a proxy API call received from the third party module, wherein the proxy API call includes at least a payload parameter provided by the third party module; generating an engine API call including at least the payload parameter; validating the engine API call; and executing the payload parameter if the engine API call is validated. | 04-25-2013 |
20130117836 | AUTO DISCOVERY OF VIRTUAL MACHINES - A method and apparatus is disclosed herein for performing auto discovery of virtual machines. In one embodiment, the method comprises monitoring, using an interface of the device, one or more packets being sent from one or more virtual machines; determining, using a processor of the device, if one of the monitored packets comprises a discovery packet from one virtual machine of the one or more virtual machines, wherein the discovery packet includes an address of a destination location; and sending, using the interface of the device, a reply packet to the one virtual machine using an address in the discovery packet identified in the monitored packets, the reply packet including an Internet Protocol (IP) address of the device. | 05-09-2013 |
20130133057 | SYSTEM FOR MANAGING VIRTUAL PRIVATE NETWORK AND METHOD THEREOF - Disclosed is a system for managing virtual private networks (VPNs), which includes: terminals configured to transmit user data; a manager configured to transmit information for concealing networks and managing the VPNs; border gateways configured to decrypt the user data and perform a network address translation (NAT) procedure and a filtering procedure on the decrypted user data based on the information; and servers configured to receive the user data subjected to the NAT procedure and the filtering procedure, wherein the filtering procedure is a procedure discarding the user data to be transferred to the servers that are not allowed, so as to allow the terminals to access only the allowed servers, the NAT procedure is a procedure changing an Internet protocol (IP) address used in a first network to an IP address used in a second network, and the first network and the second network are different networks. | 05-23-2013 |
20130133058 | SECURITY BRIDGING - A network media gateway is used to bridge trust between a Service Provider network and subscriber devices. The gateway is authenticated by the Service Provider by using knowledge of network topology. Subscriber devices are authenticated in response to subscriber input to the gateway via an interface. Trusted subscriber devices can be tightly coupled with the Service Provider network, thereby facilitating delivery of QoE. Mobile and remote subscriber devices may also be authenticated. The gateway may also facilitate establishment of VPNs for peer-to-peer communications, and dynamically adjustable traffic, policy and queue weightings based on usage patterns. | 05-23-2013 |
20130133059 | REVERSE PROXY DATABASE SYSTEM AND METHOD - A system and method for providing a comprehensive security solution for databases through a reverse proxy, optionally featuring translating database queries across a plurality of different database platforms. | 05-23-2013 |
20130152188 | PORT ALLOCATION IN A FIREWALL CLUSTER - A firewall cluster having three or more firewall processing nodes sharing the same shared IP address. Port numbers are assigned to the firewall processing nodes within the cluster and are used to distinguish between traffic sent to the cluster. Each network connection is assigned a destination port number. Each node receives the network connection and its assigned port number and determines if the assigned destination port number matches one of its assigned port numbers. If so, the node processes the network connection. If the assigned destination port number does not match one of its assigned port numbers, the network connection is discarded. | 06-13-2013 |
20130185786 | WIRELESS INTERNET PRODUCT SYSTEM - Low resource internet devices such as consumer electronics products connect to web service by means of a proxy method where the connected device does not need to maintain the expensive and fragile web service interface itself, but rather uses simple low level protocols to communicate through a gateway that executes software to translate a low level proprietary wireless protocol to a proprietary low level internet protocol that can pass through a firewall to proxy servers that translate the low level protocols thus presenting an interface that makes the internet device appear to have a full web service interface to enable communication between the internet devices and the web server. | 07-18-2013 |
20130198830 | ACCESS RELAY METHOD AND ACCESS GATEWAY DEVICE - A gateway device disposed at a front stage before a server holds a dispersion rule for data dispersed on the server side and analyzes communication data to identify the server to be accessed finally, so that identification information of the identified server is added to the packet option of the IP layer, thereby omitting routing processing higher than the IP layer at the gateway devices along the way. Consequently, transfer processing at a back-stage gateway device can be performed at high speed, and access through a network route intended by the manager is possible. | 08-01-2013 |
20130212669 | Detecting and Combating Attack In Protection System of an Industrial Control System - A method for detecting and combating an attack in an industrial control system includes sending a command stream from a protection network of an industrial control system to at least one zone, the command stream comprising at least one command; concatenating the at least one command into at least one sequential command package comprising units of work; passing the at least one sequential command package to a crypto hash generator; generating at least one of unit-of-work hash codes or sequence hash codes; comparing the generated hash codes against a database of existing valid unit-of-work hash codes and sequence hash codes; and if a command stream fault is detected, generating an alert and accessing a database comprising emergency procedures. | 08-15-2013 |
20130227672 | NEXT GENERATION SECURE GATEWAY - A system includes a cloud-computing infrastructure to provide multitenant access from a public Internet Protocol (IP) network and multiple instances of a virtualized secure gateway operating on one or more physical devices within the cloud-computing infrastructure. The multiple instances of the virtualized secure gateway provide a point of entry to a private IP network. Each instance of the multiple instances of the virtualized secure gateway is configured to terminate multiple virtual private network (VPN) tunnels from a single customer accessing the private IP network via the public IP network, and each instance of the multiple instances of the virtualized secure gateway resides on a different processing core of the physical devices within the cloud-computing infrastructure. | 08-29-2013 |
20130239198 | MANAGING REMOTE NETWORK ADDRESSES IN COMMUNICATIONS - A method for managing routing information in a communications system comprises defining, in a client network apparatus, a unique private IP address, the unique private IP address uniquely identifying a terminal and the corresponding remote network. The client apparatus defines an IP routing address for the remote network. The client apparatus routes a data packet to a VPN tunnel having the IP routing address defined for the remote network, the data packet being directed to the remote network identified by the unique private IP address. The unique private IP address is translated into a corresponding customer IP address of the terminal in order for the data packet to be routable to the terminal in the remote network. | 09-12-2013 |
20130239199 | WALLED GARDEN PROVIDING ACCESS TO ONE OR MORE WEBSITES THAT INCORPORATE CONTENT FROM OTHER WEBSITES - A cleared sites list includes one or more hostname descriptors. A firewall includes rules associated with a cleared IP list including cleared IP addresses, and permits transfer of a cleared HTTP request from a user device to a cleared destination IP address that matches one of the cleared IP addresses. A controller examines a non-cleared HTTP request from the user device to a non-cleared destination IP address that does not match one of the cleared IP addresses, and acts as a transparent proxy between the user device and the non-cleared destination IP address when a destination host header of the non-cleared HTTP request matches a hostname descriptor of the cleared sites list. The controller further acts as a transparent proxy between the user device and the non-cleared destination IP address when a referrer header of the non-cleared HTTP request matches a hostname descriptor of the cleared sites list. | 09-12-2013 |
20130247168 | Scalable Virtual Appliance Cloud (SVAC) and Devices Usable in an SVAC - According to one embodiment, a system includes a scalable virtual appliance cloud (SVAC) comprising: at least one distributed line card (DLC); at least one switch fabric coupler (SFC) in communication with the at least one DLC; and at least one controller in communication with the at least one DLC, wherein one or more of the at least one DLC is an appliance DLC, wherein one or more of the at least one SFC is a central SFC, and wherein the SVAC appears to a device external of the SVAC as a single appliance device applying various services to a traffic flow. | 09-19-2013 |
20130247169 | METHOD AND SYSTEM FOR MANAGEMENT OF SECURITY RULE SET - There are provided a method for automated management of an ordered set of security rules implemented at a plurality of security gateways and a system thereof. The method comprises obtaining data characterizing a connectivity request which may become allowable only upon changes of an initial rule-set, thus giving rise to an unfitting connectivity request; analyzing routing tables of the plurality of the security gateways; generating a ranking of the security gateways in accordance with their relevance to the unfitting connectivity request; selecting one or more security gateways with the highest ranking; and implementing a configuration change required in order to facilitate allowance of the unfitting connectivity request at the one or more selected security gateways. | 09-19-2013 |
20130254871 | DISTRIBUTED COMPUTER NETWORK ZONE BASED SECURITY ARCHITECTURE - A method and apparatus is disclosed herein for distributed zone-based security. In one embodiment, the method comprises: determining an ingress security zone associated with an ingress of a first network device based on a first key and a media access control (MAC) address of a source of a packet; determining an egress security zone of a second network device based on a MAC address of a destination for the packet and a second key; performing a policy lookup based on the ingress security zone and the egress security zone to identify a policy to apply to the packet; and applying the policy to the packet. | 09-26-2013 |
20130263245 | DISTRIBUTED TCP SYN FLOOD PROTECTION - A method and apparatus is disclosed herein for TCP SYN flood protection. In one embodiment, a TCP SYN flood protection arrangement comprises a first device operable to process packet input and output functions, including performing sender verification with respect to a connection initiation from a sender for a first TCP connection between the sender and a destination server and a second device, separate from the first device, to perform one or more security processing operations on packets of the first TCP connection from the sender after the first device verifies the sender is legitimate. | 10-03-2013 |
20130263246 | SYSTEMS AND METHODS FOR UPDATING CONTENT DETECTION DEVICES AND SYSTEMS - A method of updating a content detection module includes obtaining content detection data, and transmitting the content detection data to a content detection module, wherein the transmitting is performed not in response to a request from the content detection module. A method of sending content detection data includes obtaining content detection data, selecting an update station from a plurality of update stations, and sending the content detection data to the selected update station. A method of building a content detection system includes establishing a first communication link between a central station and an update station, the central station configured to transmit content detection data to the update station, and establishing a second communication link between the update station and a content detection module. | 10-03-2013 |
20130269021 | NAMED SOCKETS IN A FIREWALL - A proxy device such as a firewall uses an internal socket namespace such as a text string such that connection requests must be explicitly redirected to a listening socket in the alternate namespace in order to connect to a service. Because external connections cannot directly address the listening socket or service, greater security is provided than with traditional firewall or proxy devices. To receive a redirected proxy connection, a service process creates a listening socket and binds a name in an alternate namespace to the socket before listening for connections. | 10-10-2013 |
20130283364 | DISTRIBUTED VIRTUAL SWITCH ARCHITECTURE FOR A HYBRID CLOUD - In one embodiment, a secure transport layer tunnel may be established over a public network between a first cloud gateway in a private cloud and a second cloud gateway in a public cloud, where the secure transport layer tunnel is configured to provide a link layer network extension between the private cloud and the public cloud. In addition, a cloud virtual Ethernet module (cVEM) may be executed (instantiated) within the public cloud, where the cVEM is configured to switch inter-virtual-machine (VM) traffic between the private cloud and one or more private application VMs in the public cloud connected to the cVEM. | 10-24-2013 |
20130298219 | Secure Layered Iterative Gateway - In methods and a device for mitigating against cyber-attack on a network, a distributed intermediary device is placed into a network between computers or network nodes of the network to mitigate cyber-attacks between the computers or nodes of a network from remote systems. Threats are assessed by utilizing internal information assurance mechanisms of the device to detect such cyber-attacks without requiring external modification of the software and/or hardware of the computers or nodes of the network to be protected. The device prevents attacks at the platform level against the OS and network resources. | 11-07-2013 |
20130298220 | SYSTEM AND METHOD FOR MANAGING FILTERING INFORMATION OF ATTACK TRAFFIC - The present disclosure relates to a system and a method for managing filtering information of attack traffic, and more particularly, to a system and a method for managing filtering information of attack traffic that may block attack traffic in a front end from which the attack traffic is transmitted by transmitting traffic filtering information, to a first autonomous system of the front end from which the attack traffic is transmitted, through a border gateway protocol (BGP) and by applying, to a relevant router, the transmitted traffic filtering information in the corresponding first autonomous system, when an edge router of a second autonomous system (AS) positioned in a rear end sets the traffic filtering information by detecting the attack traffic. | 11-07-2013 |
20130305344 | ENTERPRISE NETWORK SERVICES OVER DISTRIBUTED CLOUDS - Various exemplary embodiments relate to a method and related network node including one or more of the following: determining that a new virtual gateway location should be created; selecting a data center of a plurality of data centers to host the new virtual gateway location; and establishing a virtual gateway at the selected data center, wherein the virtual gateway is configured to provide at least one device with connectivity to a Virtual Private Network (VPN) and connectivity to the Internet. | 11-14-2013 |
20130305345 | SYSTEM AND METHOD FOR SECURE MACHINE-TO-MACHINE COMMUNICATIONS - Embodiments of the present invention include a method for providing a secure domain name system (DNS) for machine to machine communications. In one embodiment, the method includes storing policy information for machine to machine communications in a global DNS registry database server. The method further includes communicating the policy information for machine to machine communications from the global DNS registry database server to a machine DNS registry server located in an Internet service provider (ISP) network, wherein a control signaling gateway located in the ISP network is configured to utilize the policy information for machine to machine communications to allow only registered controllers associated with a machine to communicate with the machine. | 11-14-2013 |
20130305346 | COMPUTERIZED SYSTEM AND METHOD FOR ADVANCED NETWORK CONTENT PROCESSING - A computerized system and method for processing network content in accordance with at least one content processing rule. In accordance with the inventive method, the network content is received at a first interface. The inventive system identifies a transmission protocol information of the received network content and uses the identified transmission protocol information to intercept at least a portion of the received network content formatted in accordance with a transmission protocol. The intercepted portion of the network content is redirected to a proxy, which buffers the redirected portion of network content. The buffered network content is scanned in accordance with a scanning criterion and processed in accordance with the at least one content processing rule based on the result of the scanning. The processed portion of network content may be forwarded using the second interface. | 11-14-2013 |
20130305347 | Methods, Systems, and Computer Readable Media for Adaptive Assignment of an Active Security Association Instance in a Redundant Gateway Configuration - According to one aspect, the subject matter described herein includes a method for communicating an encrypted data packet. The method includes steps occurring at a first gateway node. The method also includes receiving a data packet from a first host. The method further includes determining that a first security association (SA) instance associated with the data packet is in an inactive state. The method further includes identifying a second SA instance that is both associated with the data packet and in an active state. The method further includes forwarding the data packet to the second SA instance. | 11-14-2013 |
20130312080 | System and Method for Providing a Secure Network on Another Secure Network - The present invention provides a system and method for providing a closed or secure network on another closed or secure network. The system enables linking at least one acquirer network operating a closed network to at least one operator by a central server. The acquirer network includes one or more terminals and optionally an acquirer server. The central server is linked to the acquirer network and to the operator. The central server is configurable to communicate with at least a subset of the one or more terminals, and also with the operator, and to establish one or more secure communication links between the operator and the one or more terminals. The central server acts as a trusted intermediary between the acquirer network and the operator for enabling the operator to communicate with the one or more terminals via the closed acquirer network. | 11-21-2013 |
20130340065 | OFFLINE AND ONLINE PLATFORM FOR SOCIAL NETWORKING VIA A PROXY - The present solution may be implemented to provide a connectivity platform where children are provided the power of connectivity they seek in a safe, fun and simple online and offline form that children and parents can both embrace. In one implementation, the disclosure provides children a toy, game, application, and online platform under a single overarching platform. This platform connects online and offline interaction by letting children discover people, places and things in the real world and track them online. The platform provides children with a game for collecting friends, while providing parents a way to monitor the activity of their children. At the same time, the platform provides parents, teachers, and brand partners the ability to incentivize children and teach social responsibility, thereby providing a learning experience that existing social networks do not and cannot provide. | 12-19-2013 |
20140007214 | GATEWAY FOR CONTROLLING MOBILE DEVICE ACCESS TO ENTERPRISE RESOURCES | 01-02-2014 |
20140007215 | MOBILE APPLICATIONS PLATFORM | 01-02-2014 |
20140013413 | VIDEO AND AUDIO CONFERENCE SCHEDULING - A method and system for enabling scheduling of resources, including associating a first client hosted on a first computer platform, using a conference scheduling module, with a second client hosted on a second computer platform. The method includes initiating a client software program on a first computer on a first platform for a first client, wherein the client software program includes a conference scheduling module. The method further includes generating a first private cloud using the client software on the first computer communicating with a first gateway module, the first gateway module being embodied on a first gateway computer not on the first platform. Further, the method includes joining the private cloud by initiating the client software on a second computer on a second platform for a second client. | 01-09-2014 |
20140026206 | SYSTEM AND METHOD FOR SUPPORTING WEB AUTHENTICATION - A method is provided in one example embodiment and includes receiving a discover message over a network; determining that the discover message is associated with an unauthenticated client (e.g., identifying a media access control (MAC) address); communicating a proxy binding update (PBU) having a binding type value set to a temporary status; and establishing a bidirectional tunnel for transporting traffic for the client. | 01-23-2014 |
20140026207 | METHOD, DEVICE, AND COMMUNICATION SYSTEM FOR ESTABLISHING CONNECTION WITH NETWORK MANAGEMENT SYSTEM - The present disclosure relates to the field of communications technologies and discloses a method, a device, and a communication system for establishing a connection with a network management system. The method includes: obtaining, by a relay node, a first IP address of the relay node; obtaining, by the relay node, an IP address of a security gateway by using the first IP address of the relay node; establishing, by the relay node, an IP security tunnel with the security gateway according to the IP address of the security gateway; obtaining, by the relay node, a second IP address of the relay node and an IP address of the network management system through the IP security tunnel; and establishing, by the relay node, a connection with the network management system by using the second IP address of the relay node and the IP address of the network management system. | 01-23-2014 |
20140033294 | Content review with proxy comment management - Techniques for content review with proxy comment management are presented. Comments associated with content review are managed separately from the content itself. Some comments are associated with participants internal to a secure network where the comments are managed while other comments are originally received from external participants located outside the secure network. The external comments are adopted by one or more of the internal participants that act as proxies for the external participants and their supplied comments. The proxy relationship permits the external comments to be added to the comments for the content review within the secure network. | 01-30-2014 |
20140059667 | IMAGE EXCHANGE METHOD AND SYSTEM FOR REMOTE SUPPORT - An image exchange method and system for remote support that can effectively provide remote support are provided. A manager terminal, after completing authentication through an authentication server, connects to a gateway server. A user terminal executes an application and receives gateway server connection information from the authentication server through a password input, connects to the gateway server based on the gateway server connection information, and transmits an image to the manager terminal. Accordingly, the manager can diagnose a problem regarding which the user has requested support, in real-time through the image, and the user can receive remote support through an image from the manager, thereby avoiding unnecessary costs. | 02-27-2014 |
20140059668 | METHODS AND APPARATUSES FOR PROVIDING INTERNET-BASED PROXY SERVICES - A proxy server receives, from multiple visitors of multiple client devices, a plurality of requests for actions to be performed on identified network resources belonging to a plurality of origin servers. At least some of the origin servers belong to different domains and are owned by different entities. The proxy server and the origin servers are also owned by different entities. The proxy server analyzes each request it receives to determine whether that request poses a threat and whether the visitor belonging to the request poses a threat. The proxy server blocks those requests from visitors that pose a threat or in which the request itself poses a threat. The proxy server transmits the requests that are not a threat and is from a visitor that is not a threat to the appropriate origin server. | 02-27-2014 |
20140068749 | SYSTEMS AND METHODS FOR UPDATING CONTENT DETECTION DEVICES AND SYSTEMS - Systems, methods, and software for processing received network traffic content in view of content detection data and configuration data to either block, permit, or to further evaluate network traffic content when entering a network. | 03-06-2014 |
20140075534 | DIRECTORY SERVER FOR AUTOMATIC NETWORK INFORMATION ACCESS SYSTEMS - Systems, apparatus and methods are described for providing information access to network devices. A directory server registers identification information about a first network device coupled to a first network. The first network and the directory server may be coupled to a second network, which may include a wide area network, public network, or the Internet. The identification information may include a network address of the first network device on the first network, or a network address of the first network on the second network. The directory server may receive and process requests for identification information about registered network devices, and may selectively reply to the requests based on status information of the first network device. | 03-13-2014 |
20140090046 | SYSTEM AND METHOD FOR PROVIDING NETWORK SECURITY TO MOBILE DEVICES - A small piece of hardware connects to a mobile device and filters out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy. | 03-27-2014 |
20140101748 | Adaptive System Behavior Change on Malware Trigger - A hardware secured flag mechanism which is activated by trusted Anti-Malware (AM) software. Upon being activated, the information handling system takes action to reduce user exposure even if the AM software is subsequently subverted. In certain embodiments, the flag mechanism is only reset by user intervention at a BIOS or other off-line mechanism. In certain embodiments, the flag mechanism may only be reset via a signed unlock key stored on an external memory device such as a universal serial bus (USB) key. | 04-10-2014 |
20140101749 | METHOD FOR PROVIDING MEDIA COMMUNICATION ACROSS FIREWALLS - The present invention supports a method for transmitting information packets across network firewalls. A trusted entity is provisioned with an address designation for a pinhole through the firewall during setup of a communication session between two communication devices. This pinhole address is used throughout the communication session between the two communication devices to transmit information packets onto and out of the communication network. Information packets addressed to the communication device inside the firewall are received by the trusted entity, which replaces address header information in the information packet with the address for the pinhole. The information packet is routed to the pinhole where it passes onto the network for routing to the communication device inside the firewall. Information packets transmitted from the network are also routed to the trusted entity for routing toward the communication device outside the firewall. | 04-10-2014 |
20140101750 | SUPERVISED DATA TRANSFER - An apparatus and method are provided for controlling a transfer of data between data communications networks. In a preferred implementation, an apparatus is provided comprising: a data store; computer providing, in a first computing environment, a first network interface for accessing a first data communications network and a first user interface for receiving a first data transfer request to download data from a data source linked to the first data communications network to the data store; computer providing, in a second computing environment isolated from the first computing environment, a second network interface for accessing a second data communications network and a second user interface for receiving a second data transfer request to transfer downloaded data from the data store to a recipient device linked to the second data communications network; and data transfer controller with access to resources in both the first and second computing environments for controlling downloads and transfers of data according to the first and second requests, further comprising a supervisory controller arranged to determine, prior to implementing the second request, that at least the second request originates from a human user. | 04-10-2014 |
20140137230 | PROVISIONING PROXY FOR PROVISIONING DATA ON HARDWARE RESOURCES - A processing device receives an unauthenticated provisioning request from a hardware resource, wherein the processing device is in a first network zone that is accessible to the hardware resource. The processing device determines whether the hardware resource satisfies one or more provisioning criteria. Responsive to determining that the hardware resource satisfies the one or more provisioning criteria, the processing device forwards the provisioning request to a server residing behind a firewall in a second network zone that is inaccessible to the hardware resource, receives provisioning data from the server by the provisioning proxy, and forwards the provisioning data to the hardware resource. | 05-15-2014 |
20140143850 | PENALTY BOX FOR MITIGATION OF DENIAL-OF-SERVICE ATTACKS - A security gateway of a computer network receives incoming packets at one or more network interfaces. One or more security functions are applied to the packets. Reports of security function violations are recorded. The reports include the source addresses of the packets, the times that the packets were received, and descriptions of the violations. The descriptions include weights, and if the sum of the weights, for packets of a common source address that are received within a first time interval, exceeds a threshold, subsequent packets from that source address are dropped. Alternatively, in a “monitor only” mode, the common source address is logged but packets are not dropped. Optionally, encrypted packets and/or packets received at some network interfaces but not at other network interfaces are not dropped. | 05-22-2014 |
20140143851 | FORMING A SECURITY NETWORK INCLUDING INTEGRATED SECURITY SYSTEM COMPONENTS AND NETWORK DEVICES - An integrated security system is described that integrates broadband and mobile access and control with conventional security systems and premise devices to provide a tri-mode security network (broadband, cellular/GSM, POTS access) that enables users to remotely stay connected to their premises. The integrated security system, while delivering remote premise monitoring and control functionality to conventional monitored premise protection, complements existing premise protection equipment. The integrated security system integrates into the premise network and couples wirelessly with the conventional security panel, enabling broadband access to premise security systems. Automation devices (cameras, lamp modules, thermostats, etc.) can be added, enabling users to remotely see live video and/or pictures and control home devices via their personal web portal or webpage, mobile phone, and/or other remote client device. Users can also receive notifications via email or text message when happenings occur, or do not occur, in their home. | 05-22-2014 |
20140143852 | SECURE NETWORK PRIVACY SYSTEM - The invention provides a method and system of receiving communications from a network device in a network to a source of network data and establishing a secure and/or authenticated network connection between the network device and the source that appears to the network device as a direct connection to the source of network data. Broadly conceptualized, the method and system may also include a parsing module that modifies the network data passing back and forth between the network device and the source of network data. | 05-22-2014 |
20140150082 | Net-Based Email Filtering - A local gateway device receives email across the internet from a sender of the email and forwards it across the internet to an email filtering system. The email filtering system analyzes the email to determine whether it is spam, phishing or contains a virus and sends it back to the local gateway device along with the filtered determination. The local gateway device forwards the received email and the filtered determination to a local junk store which handles the email appropriately. For example, if the email has been determined to be spam, phishing or containing a virus, the junk store can quarantine the email, and if the email has been determined to be non-spam and/or not phishing and/or not containing a virus, the junk store can forward the email to a local mail server for delivery. | 05-29-2014 |
20140157395 | METHOD AND APPARATUS FOR ESTABLISHING TUNNEL DATA SECURITY CHANNEL - Sending an authentication request message to an authentication device, receiving an authentication response message sent by the authentication device, where the authentication response message includes a trust relationship information element which is used for indicating a trust relationship of a current access, and establishing an S2c tunnel security association according to the trust relationship of the current access. The trust relationship when the non-3GPP access side accesses the EPS network may be obtained, thereby ensuring establishment of a correct S2c tunnel security data channel. | 06-05-2014 |
20140165182 | SYSTEM FOR SECURE TRANSFER OF INFORMATION FROM AN INDUSTRIAL CONTROL SYSTEM NETWORK - A system for securely transferring information from an industrial control system network, including, within the secure domain, one or more remote terminal units coupled by a first network, one or more client computers coupled by a second network, and a send server coupled to the first and second networks. The send server acts as a proxy for communications between the client computers and the remote terminals and transmits first information from such communications on an output. The send server also transmits a poll request to a remote terminal unit via the first network and transmits second information received in response to the poll on the output. The system also includes, outside the secure domain, a receive server having an input coupled to the output of the send server via a one-way data link. The receive server receives and stores the first and second information provided via the input. | 06-12-2014 |
20140181950 | Performance Optimization in a Secured Computing Environment - Systems and methods for associating a first process with a first state and a first computing environment initialized according to a first set of parameters, wherein a first task is to be performed under a first security context. The method further comprises associating a second process with a second state and a second computing environment initialized according to a second set of parameters; in response to the first process submitting a first request, the second process spawning a third process which has the second state; wherein the third process sets a security context for the third process to the first security context and the third process sets the computing environment for the third process according to the first set of parameters; executing the third process under the first security context and in association with the second state; and executing the first task in the first computing environment. | 06-26-2014 |
20140181951 | Method for Remotely Servicing a Field Device of Automation Technology - A method for remotely servicing a field device of automation technology located in a first network secured by a first firewall, wherein remote servicing occurs via a servicing device associated with a second network secured by a second firewall comprising the steps of: establishing a first communication connection between the field device and a gateway associated with the first network; establishing a second communication connection; reporting of the first gateway; granting a unique identifier by a broker server for the first communication connection; transmitting the unique identifier to a second gateway associated with the second network; establishing a third communication connection between the second gateway and the broker server using the unique identifier; and establishing a communication connection between the second gateway and the first gateway, wherein: the broker server logically connects the second communication connection and the third communication connection with one another, so that communication connection between the servicing device and the field device is produced. | 06-26-2014 |
20140189845 | AUTHENTICATION OF APPLICATIONS THAT ACCESS WEB SERVICES - Systems and methods for authenticating applications that access web services. In one embodiment, a web service gateway intercepts a request for a web service from an application, and determines if the application is authorized by a service provider based on information provided in the web service request. If the application is authorized, then the web service gateway identifies a profile for an end user that initiated the web service using the application, and determines if the web service is allowed for the end user based on the profile. If the web service is allowed for the end user, then the web service gateway determines that the application is authenticated, converts the web service request to a protocol used by a server that provides the web service, and transmits the web service request to the server. | 07-03-2014 |
20140215598 | NETWORK SECURITY DEVICE - Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet. An input port receives a data packet, a switching board classifies the data packet, determines whether the data packet should be accepted, and switches the data packet to a management board if the data packet is a first data packet in a session, and to a processing board if the data packet is not a first data packet in a session. A management board receives a data packet from the switching board, examines the data packet and forwards the data packet to one of the processing boards. One or more processing boards receives non-first data packets from the switching board and data packets from the management board and processes the data packets. A firewall and a secure gateway with firewall and virtual private network functionality for processing a data packet are also described. | 07-31-2014 |
20140223537 | Securing Communication over a Network Using Client System Authorization and Dynamically Assigned Proxy Servers - A method for securing communication over a network is disclosed. A trust broker system receives a request to connect to applications and resources from a client system. The trust broker system determines whether the client system is authorized to connect to the requested applications and resources. In response to determining the client system has authorization to connect to the requested applications and resources, the trust broker system determines, from a plurality of potential proxy servers, a proxy server associated with the requested server system and transmits an identification value for the client system to the requested server system. The trust broker system then transmits the identification value to the client system and transmits contact information for the determined proxy server to the client system, wherein all communication between the client system and the requested server system passes through the proxy server. | 08-07-2014 |
20140223538 | METHOD AND APPARATUS FOR PROVIDING NETWORK ACCESS TO A USER ENTITY - A method for providing network access to a plurality of user entities through an access point, said access point comprising a LAN interface and a broadband network interface, the method comprising the following steps at a gateway device: establishing a second secure communication link with said access point; receiving an IP address allocation request from one of said plurality of user entities via said second secure communication link; accessing an AAA server to verify whether a successful authentication of said one of said plurality of user entities on the basis of data related to a mobile subscription associated with said one of said plurality of user entities has already taken place; and upon successful verification, completing an IP address allocation scheme with said one of said plurality of user entities and enabling relaying of data between said one of said plurality of user entities and a PDN; wherein said gateway device is adapted to aggregate a plurality of instances of second secure communication links from different access points towards said PDN. | 08-07-2014 |
20140223539 | INFORMATION PROCESSING SYSTEM, INFORMATION PROCESSING METHOD, AND COMPUTER PROGRAM PRODUCT - An information processing system includes a receiving unit and a determining unit. The receiving unit receives an application request to request an application for a service. The application request includes first information identifying a type of the service. When the receiving unit receives the application request, the determining unit determines third information indicating an authority to use the service by combining the first information included in the application request and second information used for identifying a user to whom the service is to be provided. | 08-07-2014 |
20140245423 | Peripheral Firewall System for Application Protection in Cloud Computing Environments - User input including an application profile is received. The profile specifies a first server group, a second server group, and computing flows between the first and second server groups. User input identifying at least the first server group to include in a cloud chamber is received. Internet Protocol (IP) addresses assigned to virtual machines provisioned into the first and second server groups are obtained. Based on the computing flows specified in the application profile and the IP addresses assigned to the virtual machines, a set of firewall rules is generated for each virtual machine in the cloud chamber. | 08-28-2014 |
20140245424 | DISTRIBUTED SYSTEM AND METHOD FOR TRACKING AND BLOCKING MALICIOUS INTERNET HOSTS - Disclosed are systems and methods to perform coordinated blocking of source addresses, such as an Internet Protocol (IP) addresses, across a plurality of network appliances (e.g., gateways). In one disclosed embodiment the method and system temporarily alter a configuration of one or more network appliances (based on user defined configuration parameters) to allow communication from a “blocked” IP address for a period of time. A network appliance can then “receive” an email and perform analysis and provide results of the analysis to a reputation service. Thereby, the temporarily allowed communication can be used to learn information about a threat which would not have been available if all communication from that IP address had actually been blocked at the network appliance. | 08-28-2014 |
20140259144 | Systems And Methods For Providing Services - Systems and methods for providing one or more services via a remote device are disclosed. One method can comprise identifying one or more services available at a location, transmitting identification data to a remote device disposed remotely from the location, the identification data relating to the one or more services identified, receiving a selection of the one or more services available, and providing the selected one or more services available to the remote device. | 09-11-2014 |
20140282999 | SECURE ACCESS TO APPLICATIONS BEHIND FIREWALL - A user having a remote device wants to access an application executing on an application server computer that is behind a firewall. During a set-up phase, another firewall and a gateway computer are configured in front of the original firewall, creating a demilitarized zone (DMZ) having the gateway computer. During a registration phase, users' remote devices are configured with security data. The security data includes user authentication cryptographic credentials, for establishing secure channels, and may include user application cryptographic credentials as needed by individual applications executing on the application server. After set-up and registration, i.e., during operation, the user provides a password to an application program executing on his/her remote device. The password enables use of the security information on the remote device. The user uses the security information to establish a secure channel to the application, and then conducts a data session with the application. If the application needs to verify the identity of the user, the user's remote device performs a cryptographic operation using the user application cryptographic credentials, and sends the result to the application. | 09-18-2014 |
20140283000 | Proxy that Switches from Light-Weight Monitor Mode to Full Proxy - The packets of a communication session between a first device and a second device are monitored at a proxy device. A determination is made that full proxy services should be applied to the communication session at the proxy device. After the determination, a packet of a first exchange, the first exchange being initiated prior to the determination, is passed through the proxy device. After the determination, full proxy services are applied to a packet of a second exchange, the second exchange being initiated after the determination. | 09-18-2014 |
20140283001 | SEAMLESS AUTHENTICATION WITH PROXY SERVERS - A computer can be configured to provide seamless access to a proxy server by, upon connection to a computer network, determining whether a proxy server using authentication is connected to the computer network, and then prompting a user of the computer to enter authentication information for that proxy server. This authentication information for the proxy server can then be stored in a manner accessible by applications on the computer, so that they can use the authentication information in connection with requests by the applications to access the second computer network. For example, the operating system can store the authentication information. It also can include a module that processes all requests from applications that access the proxy server, and then includes in such requests the stored authentication information. | 09-18-2014 |
20140283002 | METHOD AND SYSTEM FOR ANONYMOUS CIRCUMVENTION OF INTERNET FILTER FIREWALLS WITHOUT DETECTION OR IDENTIFICATION - An improvement invention for a method and system for web users to circumvent web censorship and do so anonymously is presented. The web user is routed through a proxy network that automatically removes code and commands that could be employed to identify the web user, or the Internet address (IP) of the web user. The content of the traffic is also examined for potential advertisement revenue. The improvement is a step that automatically removes code or text that could, upon execution, be employed to identify the web user. | 09-18-2014 |
20140283003 | Self-Configuring Local Area Network Security - Technologies for providing electronic security to a first network are disclosed. The system may include a user equipment, a gateway device configured to mediate communication between a first network and a second network for the user equipment, and an electronic security device communicatively coupled to the gateway device. The electronic security device may include a gateway interface module configured to assume an identity associated with the gateway device, a network interface module configured to present the identity to the second network, and a traffic inspection module configured to monitor traffic without substantially affecting a topology of the first network, wherein the electronic security device is configured to identify undesirable traffic; and implement a security policy. | 09-18-2014 |
20140298444 | SYSTEM AND METHOD FOR CONTROLLING ACCESS TO A DEVICE ALLOCATED TO A LOGICAL INFORMATION PROCESSING DEVICE - A logical information-processing device is allocated based on a request from a terminal device. In an information-processing device, one of plural storage devices is connected to one of plural processing devices each including a managing unit. First correspondence information stores physical identification information identifying the information-processing device in association with address information of the managing unit. Second correspondence information stores the physical identification information in association with logical identification information identifying the logical information-processing device. A managing device obtains address information of the managing unit of the information-processing device corresponding to the logical information-processing device allocated to the terminal device, by using the physical identification information obtained, based on the logical identification information included in the request, from the second correspondence information. A proxy device accesses the managing unit of the corresponding information-processing device based on the address information obtained by the managing device. | 10-02-2014 |
20140310794 | NETWORK SYSTEM AND CONTROL METHOD THEREOF - Disclosed is a network system and a control method thereof, the network system including a gateway connected to a plurality of home appliances through a home area network, an outdoor apparatus connected to the gateway through a network, and a dynamic domain name system (DDNS) server to manage dynamic internet protocol (IP) address information about an apparatus using a dynamic IP address. A communication connection is achieved through a dynamic IP between a gateway inside the home and an apparatus outside the home in a smart grid network environment, so a user can easily access in-home services based on a dynamic IP. In addition, unauthorized traffic, which may be introduced into the home, is automatically blocked, so that the quality of the home network service is improved. | 10-16-2014 |
20140310795 | MANAGEMENT APPARATUS AND CONTROL METHOD OF MANAGEMENT APPARATUS - When a plurality of user terminals request a plurality of contents, the numbers of user terminals which request each content are managed. For each of the plurality of contents, the number of content servers which provide that content is decided using the managed numbers. For each of the plurality of contents, the content is installed in as many content servers as the number decided in association with that content, and user terminals which request the content are permitted to access the content servers which provide the content. | 10-16-2014 |
20140317719 | Cloud-Based Gateway Security Scanning - Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determines whether to block the file from the client machine based on the result of the signature matching from the datacenter. | 10-23-2014 |
20140331308 | Combination of Remote Triggered Source and Destination Blackhole Filtering - A method for remote triggered black hole filtering can include advertising a first modified next hop address for a destination address of network traffic, and advertising a second modified next hop address for a source address of network traffic. The first next hop address of the destination address might be overwritten with the first modified next hop address. Filtered traffic then can be forwarded to the first modified next hop address, wherein filtered traffic comprises only network traffic addressed to the destination address or from the source address. In some cases, the filtered traffic is transported and received via a sinkhole tunnel. A second next hop address of the source address can be overwritten to a second modified next hop address. The attack traffic, which can be filtered traffic that is both addressed to the destination address and from the source address, might be forwarded to a discard interface. | 11-06-2014 |
20140331309 | Secure Network Cloud Architecture - Apparatuses, computer readable media, methods, and systems are described for requesting creation of virtual machine (VM) in a cloud environment comprising a virtual private cloud. Through various communications between a cloud DMZ, cloud provider, and/or company's network, a VM instance may be securely created, initialized, booted, unlocked, and/or monitored through a series of interactions building, in some examples, upon a root of trust. | 11-06-2014 |
20140331310 | SIGNED EPHEMERAL EMAIL ADDRESSES - Architecture for generating a temporary account (e.g., an email address) with a user-supplied friendly name and a secret used to sign the temporary account. For example, when a user wishes to create a temporary email address to use with an online organization, a friendly name is provided and the system generates a temporary email address including the friendly name. A signing component signs the temporary email address with a secret. One or more of these secrets can be provisioned prior to the user's creation of a friendly name, which eliminates propagation delay. During use, only incoming email messages having the temporary email address signed with the secret are validated. When the user revokes the temporary email address, the secret is revoked and the revocation is propagated to network gateways, rejecting any email sent to that address. | 11-06-2014 |
20140337961 | SYSTEM FOR IMPLEMENTING DYNAMIC ACCESS TO PRIVATE CLOUD ENVIRONMENT VIA PUBLIC NETWORK - A system for implementing dynamic access to a private cloud environment via a public network is provided. The private cloud environment includes a gateway device linking to the public network and a plurality of storage devices connected to the gateway device. The system includes an intermediary server and a user terminal. The user terminal is linked to the intermediary server, via the public network, for acquiring a public IP address associated with the gateway device and a port information associated with the storage devices after being authenticated by the intermediary server. Then, the user terminal is linked to the gateway device in accordance with the public IP address, and is connected to the storage devices in accordance with the port information to access data from the storage devices. | 11-13-2014 |
20140337962 | COMPUTER COMMUNICATION SYSTEM FOR COMMUNICATION VIA PUBLIC NETWORKS - A computer communication system including a client computer with an installed virtual private network (VPN) client and located in a public network, a server computer located in a corporate network, a web server remote from the client computer, a gateway computer located in the corporate network, and a VPN server computer located in the corporate network. The computer communication system is adapted to run following steps of providing a safe VPN communication connection between the client and the server computers: the client computer, using a WEB browser, downloads an application from the VPN server computer, and the downloaded application automatically configures the VPN client installed on the client computer and establishes a tunnelled connection from the client computer to the corporate network. All packets generated by the installed VPN client are forwarded through the tunnelled connection via the gateway computer to the VPN server in the corporate network. | 11-13-2014 |
20140344915 | Secure Network Communications for Meters - A system and method are provided for secure network communications. A proxy server receives meter data, from a meter of a set of meters via a local network, for an energy management server. The proxy server uses secure communications to send the meter data via a non-secure network to the energy management server. | 11-20-2014 |
20140351918 | POLICY-BASED CONTENT FILTERING - Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a firewall maintains multiple configuration schemes, each defining a set of administrator-configurable content filtering process settings. The firewall also maintains a security policy database including multiple firewall security policies. At least one of the firewall security policies includes an associated configuration scheme and an action to take with respect to a particular network session based on a set of source Internet Protocol (IP) addresses, a set of destination IP addresses and/or a network service protocol. Policy-based content filtering of network sessions is performed by: (i) identifying a firewall security policy matching traffic associated with the network session; (ii) identifying content filtering processes to be performed on the traffic based on the configuration scheme associated with the matching firewall security policy; and (iii) applying the identified content filtering processes to the traffic. | 11-27-2014 |
20140351919 | Automated Hybrid Connections Between Multiple Environments In A Data Center - A multi-tenant data center environment includes a dedicated domain having at least one dedicated server associated with a client and a cloud domain having at least one cloud server associated with the client. The cloud server may have a public interface to a public network and a private interface to a private network. In turn, a network device is coupled between the dedicated domain and the public network, and is further coupled to the cloud server via the private network. A controller of the data center may be used to determine presence of the cloud server, and configure the network device to allow certain traffic to pass directly to the dedicated domain, while preventing other traffic from this direct path, based on access controls of the network device. | 11-27-2014 |
20140366118 | CLOUD BASED LOGGING SERVICE - Methods and systems are provided for providing access to a cloud-based logging service to a user without requiring user registration. Methods and systems are also provided for providing cloud-based logging service to users by integrating the cloud-based logging service within a network security gateway appliance, thereby enabling the users to use the cloud-based logging service by accessing the gateway appliance. The cloud-based logging service can be accessed via an Application Programming Interface (API) without requiring user registration and allows easy and efficient access to log files, viewing of log files, and data security to stored log files and generated reports. Methods and systems of the present invention can also be used for multiple other purposes apart from using the cloud-based logging service without registration including, but not limited to, reducing the complexity of a network architecture, providing better and more effective GUI representation and minimizing distribution of data over a controlled network, among other such purposes. | 12-11-2014 |
20140373129 | System and Method for Building Intelligent and Distributed L2 - L7 Unified Threat Management Infrastructure for IPv4 and IPv6 Environments - A security gateway appliance is configured to evaluate network traffic according to security rules that classify traffic flows according to specifically identified application programs responsible for producing and/or consuming the network traffic and to enforce policies in accordance with network traffic classifications. The appliance includes an on-box anti-virus/anti-malware engine, on-box data loss prevention engine and on-box authentication engine. One or more of these engines is informed by an on-box dynamic real time rating system that allows for determined levels of scrutiny to be paid to the network traffic. Security gateways of this type can be clustered together to provide a set of resources for one or more networks, and in some instances as the backbone of a cloud-based service. | 12-18-2014 |
20150026793 | SESSION INITIATION PROTOCOL DENIAL OF SERVICE ATTACK THROTTLING - In one implementation, the number of half open session initiation protocol (SIP) sessions per-destination (e.g., SIP device) or globally is limited by SIP application layer gateway (ALG) as a SIP DoS/DDoS countermeasure. Compared with traditional SIP DoS/DDoS countermeasures, the proposed solution is simple to implement and, thus, less likely to degrade SIP ALG performance. Moreover, this solution automatically adapts to DoS/DDoS attack arrival rate, while at the same time not degrading legal SIP traffic even if throttling is enforced for the SIP device. | 01-22-2015 |
20150033321 | CONSTRUCT LARGE-SCALE DVPN - A Dynamic Virtual Private Network (DVPN) includes Virtual Private Network (VPN) Address Management (VAM) clients and a VAM server, and each VAM client includes a private gateway address, public address and subnet of the VAM client that are provided to the VAM server when registering in the VAM server. When a source VAM client receives a packet that is sent by a subnet of the source VAM client to a subnet of a destination VAM client, the source VAM client requests the VAM server to provide a next-hop address of subnet, a private gateway address, a public address and subnet of the destination VAM client to establish a DVPN tunnel between the source VAM client and the destination VAM client. | 01-29-2015 |
20150040207 | METHODS AND APPARATUS TO FORM SECURE CROSS-VIRTUAL PRIVATE NETWORK COMMUNICATION SESSIONS - Example methods and apparatus to form secure cross-VPN (virtual private network) communication sessions in multiprotocol label switching (MPLS)-based networks are disclosed. An example method comprises sending a first border gateway protocol route advertisement to a first provider edge router associated with a first one of two multiprotocol label switched-based virtual private networks in response to receiving a cross-virtual private network link setup request from an application server, the route advertisement comprising a flow-spec parameter, and the setup request identifying a communication path between two user devices associated with the first and second multiprotocol label switched-based virtual private networks, sending a second border gateway protocol route advertisement to a second provider edge router associated with the second multiprotocol label switched-based virtual private network, and restricting a communication session between the two user devices of the first and second multiprotocol label switched-based virtual private networks to a first protocol for a threshold period of time based on a restriction parameter shared by the communication path. | 02-05-2015 |
20150040208 | METHOD FOR OPERATING MULTI-DOMAIN PROVIDER ETHERNET NETWORKS - A method of enabling extension of a network service of a first domain to a remote customer site hosted by an Access Gateway (AG) in a Provider Ethernet domain. In the first domain, the remote customer site is represented as being hosted by a border gateway (BG) connected to the Provider Ethernet domain, such that subscriber packets associated with the network service are forwarded to or from the remote customer site via the BG. In the Provider Ethernet domain, a trunk connection is instantiated through the Provider Ethernet domain between the host AG and the BG. A trunk cross-connection function is installed in the host AG, for transferring subscriber packets associated with the network service between a respective attachment virtual circuit (AVC) through which the remote customer site is connected to the host AG and an extended AVC tunnelled through the trunk connection. A common service instance identifier (I-SID) is used to identify both the AVC between the host AG and the remote customer site and the extended AVC between the host AG and the BG. | 02-05-2015 |
20150047011 | METHOD FOR SWITCHING GATEWAYS, AND APPARATUS THEREFOR - The present invention relates to a converged personal network service (CPNS). More particularly, the present invention relates to a method for switching a personal network (PN) gateway in a PN from a first device to a second device, including the steps of: the first device transmitting, to the second device, a first message requesting PN gateway switching; the first device receiving a second message from the second device in response to the first message; and the first device authenticating the PN gateway when the second message includes a value indicating success, as well as to an apparatus therefor. | 02-12-2015 |
20150047012 | SYSTEM AND METHOD FOR DISTRIBUTED MULTI-PROCESSING SECURITY GATEWAY - A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided. | 02-12-2015 |
20150052599 | GATEWAY DEVICE FOR TERMINATING A LARGE VOLUME OF VPN CONNECTIONS - A VPN gateway device is able to assign, manage, and terminate a large volume of connections from apps executing on devices, enabling a large scale per-app VPN mobile environment. When a mobile device user opens an app on a mobile device, a VPN gateway transmits a unique IP address to the app. The gateway also transmits an app federation cookie to the app. The app shares the app federation cookie with a second app. The VPN gateway then assigns the second app the same unique IP address. The gateway then transmits a range of ports to the first app. The app uses a port in the range of ports for data transmission from the device to the VPN gateway. The gateway receives a data transmission from the first app via a VPN and determines that the data transmission originated from the first app based on the source port. | 02-19-2015 |
20150058968 | PROXY METHODS FOR SUPPRESSING BROADCAST TRAFFIC IN A NETWORK - Some embodiments use proxies on host devices to suppress broadcast traffic in a network. Each host in some embodiments executes one or more virtual machines (VMs). In some embodiments, a proxy operates on each host between each VM and the underlying network. For instance, in some of these embodiments, a VM's proxy operates between the VM and a physical forwarding element executing on the VM's host. The proxy monitors the VM's traffic, and intercepts broadcast packets when it knows how to deal with them. The proxy connects to a set of one or more controllers that provides a directory service that collects and maintains global information of the network. By connecting to the controller cluster, the proxy can obtain information that it can use to resolve broadcast requests. In some embodiments, the connection between the proxy and the controller cluster is encrypted and authenticated, to enhance the security. Also, in some embodiments, the connection is an indirect connection through an agent that executes on the host device and connects the proxies of the host device with the controller cluster. | 02-26-2015 |
20150067819 | System and Method for Improving Internet Communication by Using Intermediate Nodes - A method for fetching a content from a web server to a client device is disclosed, using tunnel devices serving as intermediate devices. The client device accesses an acceleration server to receive a list of available tunnel devices. The requested content is partitioned into slices, and the client device sends a request for the slices to the available tunnel devices. The tunnel devices in turn fetch the slices from the data server, and send the slices to the client device, where the content is reconstructed from the received slices. A client device may also serve as a tunnel device, serving as an intermediate device to other client devices. Similarly, a tunnel device may also serve as a client device for fetching content from a data server. The selection of tunnel devices to be used by a client device may be in the acceleration server, in the client device, or in both. The partition into slices may be overlapping or non-overlapping, and the same slice (or the whole content) may be fetched via multiple tunnel devices. | 03-05-2015 |
20150067820 | SECURITY GATEWAY COMMUNICATION - A gateway device and methods performed therein to prevent unauthorized client devices from connecting to the host network of the gateway device are described. The gateway device does not respond right away to an individual client message sent to the gateway device. Instead, the gateway device only responds to a predetermined sequence of the client messages, which is only known to the gateway device and authorized client devices. Because the gateway device will not respond to random client messages and the likelihood that an unauthorized client device can correctly guess the predetermined sequence of the client messages is low, the risk of a malicious party being able to hack into the host network, for example, by using port scanning techniques, can be mitigated. | 03-05-2015 |
20150074789 | SECURE NETWORK RESOURCE ACCESS SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 03-12-2015 |
20150074790 | NETWORK RESOURCE COMMUNICATION SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 03-12-2015 |
20150074791 | NETWORK RESOURCE ACCESS SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 03-12-2015 |
20150082413 | NETWORK RESOURCE CONTROL SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 03-19-2015 |
20150082414 | CONTROLLING DATA ROUTING AMONG NETWORKS - An integrated security system integrates broadband and mobile access and control with conventional security systems and premise devices to provide a tri-mode security network having remote connectivity and access. The integrated security system delivers remote premise monitoring and control functionality to conventional monitored premise protection and complements existing premise protection equipment. The integrated security system integrates into the premise network and couples wirelessly with the conventional security panel, enabling broadband access to premise security systems. Automation devices can be added, enabling users to remotely see live video or pictures and control home devices via a personal web portal or other client device. Camera management enables automatic configuration and management of cameras in the premise network. The camera management extends to remote control and monitoring from outside the firewall of the premise network to include routing of images or video from a streaming source device to a requesting client device. | 03-19-2015 |
20150082415 | METHOD AND SYSTEM FOR PROVIDING SECURE TRANSACTIONS VIA A BROADBAND GATEWAY - A broadband gateway may be used to authorize transactions associated with one or more accounts, which may be associated with a user of the broadband gateway. The transaction may be handled by the broadband gateway. The authorizations may be performed based on information associated with the accounts, whose storage may be controlled by the broadband gateway. The broadband gateway may block and/or terminate transactions failing authentication and/or validation, which may be performed based on the stored information. The transactions may be initiated within a network serviced by the broadband gateway. The transactions may also be initiated outside the serviced network. The stored information may comprise a user profile, which may comprise a plurality of settings for controlling and/or managing authorization performed by the broadband gateway. The user profiles may be configurable by users, wherein configuration may comprise initializing and/or modifying one or more of the transaction related settings. | 03-19-2015 |
20150082416 | SECURING USER DATA IN CLOUD COMPUTING ENVIRONMENTS - Systems and methods for obfuscating user data in a remote web-based application are disclosed. According to one method, user inputs to a displayed web page of the remote web-based application are received at a first web browser that is used by the user, wherein at least a portion of the user inputs comprise user-inputted data intended to be stored at the web-based application. The user inputs are transmitted to a management component that is configured to interact with a second web browser that communicates with the web-based application. The management component obfuscates at least a portion of the user-inputted data and forwards the obfuscated and un-obfuscated portions of the user inputs to the second web browser, which correspondingly transmits the obfuscated and un-obfuscated portions of the user inputs to the remote web-based application. | 03-19-2015 |
20150089626 | SYSTEM AND METHOD PROVIDING MARKETPLACE FOR BIG DATA APPLICATIONS - The embodiments herein disclose a system and method for providing a marketplace for Big Data applications. The system facilitates a repository of applications, data sets, process compositions and extension modules received from the various vendors. The assets provided by the marketplace are deployed upon receiving the requests on public and private clouds. The marketplace comprises the algorithms, data sets and software systems to generate, share and save the insights for a plurality of cloud users. The system provides Big Data applications on demand from the cloud users and installs the requested application on a dedicated platform adopted for online Big Data processing. | 03-26-2015 |
20150089627 | SECURING EMAIL COMMUNICATIONS - Methods and systems are provided for securing email communications. According to one embodiment, a network device receives an outbound email originated by a computing device of an internal network and directed to a target recipient. It is determined whether a domain name of the target recipient is present in a global doppelganger database. When the domain name is determined to be present in the global doppelganger database, transmission of the outbound email to the target recipient is prevented if the domain name is an unacceptable domain name and transmission of the outbound email to the target recipient is permitted if the domain name is an acceptable domain name. | 03-26-2015 |
20150106909 | CONFIGURING AND MANAGING REMOTE SECURITY DEVICES - Techniques for configuring and managing remote security devices are disclosed. In some embodiments, configuring and managing remote security devices includes receiving a registration request for a remote security device at a device for configuring and managing a plurality of remote security devices; verifying the registration request to determine that the remote security device is an authorized remote security device for an external network; and sending a response identifying one or more security gateways to the remote security device, in which the remote security device is automatically configured to connect to each of the one or more security gateways using a distinct Layer 3 protocol tunnel (e.g., a virtual private network (VPN)). | 04-16-2015 |
20150106910 | METHOD AND APPARATUS FOR REDUCING UNWANTED TRAFFIC BETWEEN PEER NETWORKS - A method and apparatus for enabling peer networks to reduce the exchange of unwanted traffic are disclosed. For example, the method receives at least one of: a source Internet Protocol (IP) address or a source IP address prefix that has been identified as a source of the unwanted traffic, by an originating peer network from a terminating peer network. The method then blocks the unwanted traffic destined to the terminating peer network by the originating peer network. | 04-16-2015 |
20150106911 | PROVISIONING PROXY FOR PROVISIONING DATA ON HARDWARE RESOURCES - A processing device receives an unauthenticated provisioning request from a hardware resource. Responsive to determining that the hardware resource satisfies one or more provisioning criteria, the processing device forwards the provisioning request to a server residing behind a firewall, receives provisioning data from the server, removes sensitive information from the provisioning data to create modified provisioning data, and forwards the modified provisioning data to the hardware resource. | 04-16-2015 |
20150128245 | MANAGEMENT OF ADDRESSES IN VIRTUAL MACHINES - Methods for managing an address on a switching device, managing an address on a network switch, and screening addresses in a cloud computing environment are provided. One embodiment is directed towards a computer-implemented method for managing an address on a switching device that is communicatively coupled to a plurality of virtual machines. The method includes accessing an address pool that includes an assigned address for each virtual machine from the plurality of virtual machines. The method includes determining, on the switching device, a used address for the virtual machine from the plurality of virtual machines. The method includes determining whether the used address matches the assigned address for each virtual machine. The method also includes routing traffic from the virtual machine to a hypervisor in response to the used address matching the assigned address. | 05-07-2015 |
20150135301 | METHOD OF AND SYSTEM FOR ENCRYPTION AND AUTHENTICATION - The invention provides a method of and system for networked security, involving multiple clients and servers. Rather than relying on single server based authentication and/or single stream based data transmission, the invention breaks apart information before it leaves the User's computer so that intercepting any single electronic message does not provide the hacker with sufficient information to gain access. The invention splits the values (i.e. password, User name, card number for authorization; encrypted text for encryption, etc.) at the point of sender/external authorization client. These split values are encrypted with different keys and transmitted to multiple external authorization servers. The invention can be applied to any secure transmission, storage or authentication of data over a data network. | 05-14-2015 |
20150135302 | CLOUD SERVICE SECURITY BROKER AND PROXY - This application relates generally to a system operating on network traffic between a network-based software as a service (SaaS) provider and a client. The system can be configured as a managed communications network proxy and take action on the network traffic based on predefined policies and rules. The system can include a suffix proxy configured for captive page processing by processing SaaS server responses so that subsequent requests are handled by the suffix proxy dependent on file type and response type. | 05-14-2015 |
20150150113 | ISOLATION PROXY SERVER SYSTEM - An isolation proxy server system separates a typical proxy server or reverse proxy server into two physical computing platforms. A first physical platform, a front end proxy server, receives requests from clients on an external network, but is unable to relay requests by originating corresponding requests on an internal network. A second physical platform, a back end proxy client, originates distinct work requests to the front end proxy server. The front end proxy server forwards client requests to the back end proxy client in responses to the distinct work requests it receives from the back end proxy client. The back end proxy client relays the client requests to a target server. Thus, the front end proxy server may not originate new requests to the server(s) in the protected zone, and the back end proxy client may not receive new requests from clients or from the front end proxy server. | 05-28-2015 |
20150312214 | SECURING EMAIL COMMUNICATIONS - Methods and systems are provided for securing email communications. According to one embodiment, a network device receives an outbound email originated by a computing device of an internal network and directed to a target recipient. It is determined whether a domain name of the target recipient is present in a global doppelganger database. When the domain name is determined to be present in the global doppelganger database, transmission of the outbound email to the target recipient is prevented if the domain name is an unacceptable domain name and transmission of the outbound email to the target recipient is permitted if the domain name is an acceptable domain name. | 10-29-2015 |
20150312220 | POLICY-BASED CONTENT FILTERING - Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a network connection is received at a networking subsystem of a firewall. The connection is characterized by a source IP address, a destination IP address and a network service protocol. The network service protocol of the network connection is determined. A matching firewall policy is identified for the connection. When the connection is allowed, it is redirected to a proxy module that is configured to support the network service protocol. A content processing configuration scheme identified by the matching firewall policy is retrieved that includes multiple content processing configuration settings, specifying whether a particular type of content filtering is to be performed, for each of multiple network service protocols. Application-level content of a packet stream associated with the network connection is reconstructed and filtered based on the applicable content processing configuration settings. | 10-29-2015 |
20150312272 | PROTECTING COMPUTING ASSETS FROM RESOURCE INTENSIVE QUERYING ATTACKS - A method and system for managing data traffic and protecting computing assets. The method and system includes intercepting queries and messages, such as EDNS0 queries, and sending probe queries and reply queries to the originating computing device to determine whether the originating computing device may be sufficiently validated so as to justify forwarding resource-intensive queries and messages to the targeted computing device. | 10-29-2015 |
20150326529 | GATEWAY DEVICE, AND SERVICE PROVIDING SYSTEM - Provided are a control device, system, and method capable of controlling an accessible range of information on an individual external device basis even in the case of a valid access for the information from an external device. An ACL management server is installed to introduce an ACL associating a service provider ID identifying a service provider accessing an ECU mounted on an automobile with an attribute of an ECU that the service provider can access or with an ASIL determined for the ECU, and to manage the ACL safely and in the latest state. Also, a service providing server is installed for providing services for reading and rewriting ECU control information in accordance with a request from a user. A gateway is installed for determining, using the ACL, whether access to the ECU should be granted with respect to access instruction execution information received from the service providing server. | 11-12-2015 |
20150334087 | TAKEOVER PROCESSES IN SECURITY NETWORK INTEGRATED WITH PREMISE SECURITY SYSTEM - An integrated security system is described comprising a gateway located at a first location. The gateway includes a takeover component that establishes a coupling with a first controller of a security system installed at the first location. The security system includes security system components coupled to the first controller. The takeover component automatically extracts security data of the security system from the first controller. The gateway automatically transfers the security data extracted from the controller to a second controller. The second controller is coupled to the security system components and replaces the first controller. | 11-19-2015 |
20150334091 | Method and System for Providing Secure Access to Private Networks - Improved approaches for providing secure remote access to resources maintained on private networks are disclosed. According to one aspect, predetermined elements, such as applets, can be modified to redirect all communications to and from an application server through an intermediate server. The intermediate server in turn communicates with the application servers. According to another aspect, a communication framework can be provided to funnel communication between an applet and a server through a communication layer so as to provide managed and/or secured communications therebetween. | 11-19-2015 |
20150350162 | CONTENT FILTERING OF REMOTE FILE-SYSTEM ACCESS PROTOCOLS - Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a proxy, implemented within a network gateway device of a private network, monitors remote file-system access protocol sessions involving client computer systems and a server computer system associated with the private network. For each file on a share of the server computer system being accessed by one or more of the client computer systems: (i) a shared holding buffer corresponding to the file is created within a shared memory of the network gateway device; (ii) data being read from or written to the file by the monitored remote file-system access protocol sessions is buffered into the shared holding buffer; and (iii) responsive to a predetermined event, content filtering is performed on the shared holding buffer to determine whether malicious, dangerous or unauthorized content is contained within the shared holding buffer. | 12-03-2015 |
20150358279 | DESTINATION ADDRESS REWRITING TO BLOCK PEER-TO-PEER COMMUNICATIONS - Systems and methods for protecting a network including providing a mapping between internal addresses as seen by devices of the protected network and external addresses; providing devices with a mapped address for a destination in response to a lookup request; rewriting, at a gateway, destination addresses of packets exiting the protected network based on the mapping; and rewriting, at the destination-network gateway, source addresses of packets entering the protected network based on the mapping. Embodiments include a gateway coupled to a protected network, an external network, and a name server. The name server, in response to a hostname lookup request, is configured to provide a network device with the internal address, and the gateway with a mapping including the internal address, the addresses of the device, and the hostname. The gateway is configured to rewrite destination addresses of outbound packets, and source addresses of inbound packets, based on the mapping. | 12-10-2015 |
20150358280 | METHOD AND SYSTEM FOR DYNAMIC APPLICATION LAYER GATEWAYS - A method and system are disclosed for providing functionality on a network. A mobile agent moves from a first node to a target node and, at the target node, performs as an application layer gateway. | 12-10-2015 |
20150358281 | METHOD, APPARATUS, AND NETWORK SYSTEM FOR TERMINAL TO TRAVERSE PRIVATE NETWORK TO COMMUNICATE WITH SERVER IN IMS CORE NETWORK - Embodiments of the present invention provide a method, an apparatus, and a network system for a terminal to traverse a private network to communicate with a server in an IMS core network. The method includes: the terminal sets a source address of service data to be sent as a virtual IP address, sets a destination address of the service data to be sent as an address of an internal network server, and obtains a first service packet, where the virtual IP address is an address allocated by the IMS core network to the terminal; the terminal encapsulates the first service packet into a first tunnel packet and sends the first tunnel packet to a security tunnel gateway over a VPN tunnel between the terminal and the security tunnel gateway; then the security tunnel gateway sends the first service packet in the first tunnel packet to the internal network server. | 12-10-2015 |
20150358285 | DESTINATION ADDRESS CONTROL TO LIMIT UNAUTHORIZED COMMUNICATIONS - Systems and methods for protecting a network including preventing data traffic from exiting the network unless a domain name request has been performed by a device attempting to transmit the data traffic. In an embodiment, a device within the protected network attempting to send data outside the protected network requests an address for a destination outside the protected network from a domain name server (DNS). In response, the DNS provides an address of the destination to the device and a gateway. In response to receiving the address, the gateway temporarily allows access to the address. In an embodiment, a DNS is coupled to a protected network and the gateway, the DNS provides an external address to a device in response to a request; and a mapping to the gateway; the gateway, coupled to a protected network and an external network, allows traffic according to the mapping. | 12-10-2015 |
20150358348 | Method of DDos and Hacking Protection for Internet-Based Servers Using a Private Network of Internet Servers by Executing Computer-Executable Instructions Stored On a Non-Transitory Computer-Readable Medium - A method of DDoS and hacking protection for internet-based servers using a private network of internet servers utilizes multiple data streams sent over a network of proxy servers to mitigate malicious attacks and ensure fast connections from a user to a destination server. The destination server is hidden from the user and the redundancy of the proxy network serves to maintain security and connection quality between the user and the destination server. | 12-10-2015 |
20150358816 | GROUP AUTHENTICATION IN BROADCASTING FOR MTC GROUP OF UES - Each of a group of MTC UEs ( | 12-10-2015 |
20150372975 | INFORMATION PROCESSING DEVICE AND INFORMATION PROCESSING METHOD - An information processing device is connected to a plurality of networks and performs information processing. The networks include a control network connected to a control device in a mobile object, an information network connected to an information device in the mobile object, and an external network connected to an external device outside of the mobile object. The information processing device includes firewalls each connected to one of the networks, and a processor connected to each network via the corresponding firewall. The information processing device isolates at least the control network from the other networks. | 12-24-2015 |
20150372983 | METHOD AND APPARATUS FOR RESOURCE LOCATOR IDENTIFIER REWRITE - A method and apparatus for resource locator identifier rewrite have been presented. A security device receives from a resource host over a non-secure hypertext transfer protocol (HTTP) session a response to a request received from a client over a secure HTTP session. The response includes a uniform resource locator (URL) that is supposed to be for a resource host, but the URL does not designate a secure resource access protocol and the resource host requires the secure resource access protocol. The URL is located in the response and modified to designate the secure resource access protocol. After modification, the response is transmitted via the secure resource access protocol session to the client. | 12-24-2015 |
20150381567 | CLEARTEXT GATEWAY FOR SECURE ENTERPRISE COMMUNICATIONS - A gateway computing system includes a memory storing cleartext gateway software and a programmable circuit communicatively connected to the memory. The programmable circuit is configured to execute computer-executable instructions including the cleartext gateway software. Execution of the cleartext gateway software by the programmable circuit causes the gateway computing system to instantiate at the gateway computing system a virtual device router including a cleartext interface configured to send and receive data packets from a cleartext endpoint and a secured interface configured to exchange data packets with one or more secured endpoints within a secured enterprise network, and load the virtual device router with community of interest material from an authentication server, the community of interest material associated with one or more communities of interest configured to allow access to the cleartext endpoint. | 12-31-2015 |
20150381570 | SELECTIVELY PERFORMING MAN IN THE MIDDLE DECRYPTION - An HTTP request addressed to a first resource on a second device outside the network is received from a first device within the network. The HTTP request is redirected to a third device within the network. A first encrypted connection is established between the first device and the third device, and a second encrypted connection between the third device and the second device. The third device retrieves the first resource from the second device. The first resource is modified to change pointers within the first resource to point to a location in a domain associated with the third device within the network. The third device serves, to the first device, the second resource. | 12-31-2015 |
20150381597 | ENTERPRISE MANAGEMENT FOR SECURE NETWORK COMMUNICATIONS OVER IPSEC - Methods and systems for managing a secure enterprise are disclosed. One method includes initiating a management service at a server within the secure enterprise, the management service including a web interface providing administrative access to configuration settings associated with the secure enterprise, the management service initializing a secure communications protocol and managing access to a credential store, the credential store including a plurality of credentials defining communities of interest within the secure enterprise, each of the communities of interest defining a collection of authenticated endpoints having common access and usage rights. The method includes initiating an object management service at the server defining an interface to a configuration database, and accessing the configuration database to obtain data defining a configuration of the enterprise according to a configuration profile. The method includes applying configuration settings to the secure enterprise based on the data defining the configuration of the secure enterprise. | 12-31-2015 |
20160006695 | Secure Remote Computer Network - Systems and methods to provide improved secure, high speed networking between two or more computers are disclosed. The invention provides a robust and flexible means to readily establish a secure connection between two or more computers using insecure public or private network connections, while eliminating most of the difficulties and issues a user typically experiences with varying virtual private networks (“VPN”) and firewall configurations. The inventive system can be adapted to route traffic across multiple network connections based on a variety of criteria, including without limitation, the importance of any given data, the cost of each means of connection, and/or the performance of each possible means of connecting to the client system. | 01-07-2016 |
20160006698 | SYSTEM, METHOD, AND APPARATUS FOR INSPECTING ONLINE COMMUNICATION SESSIONS VIA POLYMORPHIC SECURITY PROXIES - The disclosed computer-implemented method may include (1) detecting an online communication session established between a plurality of computing devices, (2) identifying at least one application involved in the online communication session established between the plurality of computing devices, (3) determining a security mode for a security proxy that inspects the online communication session based at least in part on the application involved in the online communication session, and then (4) configuring the security proxy to inspect the online communication session in accordance with the determined security mode. Various other systems, methods, and apparatuses are also disclosed. | 01-07-2016 |
20160014078 | COMMUNICATIONS GATEWAY SECURITY MANAGEMENT | 01-14-2016 |
20160014079 | APPLICATION ACCELERATION AS A SERVICE SYSTEM AND METHOD | 01-14-2016 |
20160014086 | SECURE DATA EXCHANGE BETWEEN DATA PROCESSING SYSTEMS | 01-14-2016 |
20160014087 | INTERNET-BASED PROXY SERVICE TO LIMIT INTERNET VISITOR CONNECTION SPEED | 01-14-2016 |
20160014088 | CONNECTION CONTROL SYSTEM, MANAGEMENT SERVER, CONNECTION SUPPORT METHOD, AND NON-TRANSITORY COMPUTER-READABLE RECORDING MEDIUM ENCODED WITH CONNECTION SUPPORT PROGRAM | 01-14-2016 |
20160014090 | INTEGRATED SECURITY SWITCH | 01-14-2016 |
20160014125 | DETECTING PROXY-BASED COMMUNICATION | 01-14-2016 |
20160014146 | NETWORK MONITORING APPARATUS, NETWORK MONITORING METHOD, AND NETWORK MONITORING PROGRAM | 01-14-2016 |
20160028688 | ON-PREMISES AGENT FOR MOBILE CLOUD SERVICE - Systems, devices, and methods are disclosed for an agent device within a company's network firewall to initiate an HTTP connection with a cloud-based gateway and then upgrade the connection to a WebSockets protocol in order to have an interactive session. Over this interactive session, a mobile device, which connects to the cloud-based intermediary, can request data from servers inside the company's firewalls. Because the firewall is traversed using HTTP protocols (with WebSockets), it can be as safe as letting employees browse the web from inside the company's network. | 01-28-2016 |
20160028693 | APPARATUS AND METHOD FOR SECURITY OF INDUSTRIAL CONTROL NETWORKS - Approaches for providing security for a programmable logic controller (PLC) are provided and include cloning a security module as a PLC proxy by copying at least one of a media access control (MAC) address and an internet protocol (IP) address of the PLC and determining, based on predetermined security criteria, whether to route the message to the PLC. Based on the determination, the message is selectively routed to the PLC. So configured, cloning the security module as the PLC proxy routes network traffic intended for the PLC to the security module. | 01-28-2016 |
20160028694 | Securing Communication over a Network Using Client System Authorization and Dynamically Assigned Proxy Servers - A method for securing communication over a network is disclosed. A trust broker system receives a request to connect to applications and resources from a client system. The trust broker system determines whether the client system is authorized to connect to the requested applications and resources. In response to determining the client system has authorization to connect to the requested applications and resources, the trust broker system determines, from a plurality of potential proxy servers, a proxy server associated with the requested server system and transmits an identification value for the client system to the requested server system. The trust broker system then transmits the identification value to the client system and transmits contact information for the determined proxy server to the client system, wherein all communication between the client system and the requested server system passes through the proxy server. | 01-28-2016 |
20160028695 | SYSTEM AND METHOD FOR ROUTING-BASED INTERNET SECURITY - A method and system for improving the security of storing digital data in a memory or its delivery as a message over the Internet from a sender to a receiver using one or more hops are disclosed. The message is split at the sender into multiple overlapping or non-overlapping slices according to a slicing scheme, and the slices are encapsulated in packets each destined to a different relay server as an intermediate node according to a delivery scheme. The relay servers relay the received slices to another relay server or to the receiver. Upon receiving all the packets containing all the slices, the receiver combines the slices by reversing the slicing scheme, thereby reconstructing the message sent. | 01-28-2016 |
20160036779 | SYSTEM AND METHOD FOR RESPONDING TO AGGRESSIVE BEHAVIOR ASSOCIATED WITH WIRELESS DEVICES - An embodiment of the invention describes a wireless device comprising a Subscriber Identity Module (SIM) further comprising a memory for storing program code for performing a plurality of operations, and a processor for processing the program code to execute the plurality of operations, the operations including receiving over-the-air instructions via a wireless network from a control center to create a rules set in the SIM, wherein the rules set defines an acceptable behavior of the wireless device, monitoring requests from a wireless modem of the wireless device for access to files stored in the SIM, detecting an aggressive behavior of the wireless device based on the rules set, and blocking the wireless modem from generating traffic in the wireless network. | 02-04-2016 |
20160036781 | EXTENSIBLE ACCESS CONTROL ARCHITECTURE - Software for managing access control functions in a network. The software includes a host that receives access control commands or information and calls one or more methods. The methods perform access control functions and communicate access control results or messages to be transmitted. The host may be installed in a network peer seeking access to the network or in a server controlling access to the network. When installed in a peer, the host receives commands and exchanges information with a supplicant. When installed in an access control server, the host receives commands and exchanges information with an authenticator. The host has a flexible architecture that enables multiple features, such as allowing the same methods to be used for authentication by multiple supplicants, providing ready integration of third party access control software, simplifying network maintenance by facilitating upgrades of authenticator software and enabling access control functions other than peer authentication. | 02-04-2016 |
20160036804 | TRUSTED COMMUNICATION SESSION AND CONTENT DELIVERY - Methods and systems for configuring a network are disclosed. An example method can comprise receiving a first token and an encryption key from a first device. A second token can be received from a second device. A determination can be made as to whether the first token matches the second token. Configuration information can be provided to the second device if the second token matches the first token. The configuration information can comprise information for connecting to a proxy configured on the first device. A request for content can be received from the proxy on behalf of the second device. The request for content can comprise the encryption key. | 02-04-2016 |
20160036827 | Access Requests at IAM System Implementing IAM Data Model - Systems and methods are provided for provisioning access rights to physical computing resources using an IAM system implementing an IAM data model. The IAM data model may identify logical and physical computing resources. An access request handler may receive an access request and identify a set of logical permissions based on the access request. The access request handler may derive a set of logical entitlements based on the set of logical permissions. An entitlement translator may translate the set of logical entitlements to a physical entitlement specification based on a set of physical permission specifications associated with the set of logical permissions. A physical permission specification may be obtained by mapping a logical permission to one or more physical permissions. An access control manager may then provision access rights to at least one physical computing resource indicated in the physical entitlement specification. | 02-04-2016 |
20160043994 | METHOD AND SYSTEM FOR SUPPORTING VISITOR ACCESS VIA A BROADBAND GATEWAY - A method and system are provided in which a broadband gateway may enable a guest or visitor to access content available to the broadband gateway. The content may be received by the broadband gateway through one or more of a plurality of network access service providers that may provide separate physical layer access to the broadband gateway. After a visitor's device is connected to the broadband gateway, the broadband gateway may classify the device. Based on the classification, the device may be authorized to access a portion of the content received. Once the authorization process is complete, the appropriate content may be made available and transferred to the device. The authorization process may include the authentication of a device identifier and/or a user identifier. The authorized access may be time-limited, but may be renewed or enabled when a request is received within a determined period of time. | 02-11-2016 |
20160043999 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR EFFICIENT CACHING OF HIERARCHICAL ITEMS - Embodiments disclosed herein provide a “lazy” approach in caching a hierarchical navigation tree with one or more associated permission trees. In one embodiment, only a portion of a cached permission tree is updated. One embodiment of a method may comprise determining whether a dirty node exists by comparing tree timestamps of the permission tree and the master tree. If the tree timestamp of the master tree is temporally more recent than the tree timestamp of the permission tree, the permission tree has a dirty node and the method may operate to check node timestamps of the master and permission trees. This process may be repeated until the dirty node is found, at which time a portion of the permission tree associated with the dirty node may be reconstructed, rather than the entire permission tree itself, thereby eliminating or significantly reducing access time to the cached permission tree. | 02-11-2016 |
20160050179 | METHOD AND APPARATUS FOR PROVISIONING TRAVERSAL USING RELAYS AROUND NETWORK ADDRESS TRANSLATION (TURN) CREDENTIAL AND SERVERS - Various disclosed embodiments include methods and systems for provisioning traversal using relays around network address translation (TURN) credentials and servers for network address translation/firewall (NAT/FW) traversal via a Voice-over-Internet-protocol/Web Real-Time Communication (VoIP/WebRTC) signaling channel. The method comprises receiving, at a signaling gateway, a signaling message from a first electronic device (ED) when the first electronic device registers with the signaling gateway or sends other signaling messages for requesting a TURN credential. The signaling message comprises one or more signaling message parameters. The signaling message further comprises a request that the signaling gateway generate a TURN credential for the first electronic device, the TURN credential associated with the one or more signaling message parameters. The method comprises sending, from the signaling gateway, the TURN credential to the first electronic device. | 02-18-2016 |
20160050232 | SECURITY INFORMATION INTERACTION SYSTEM, DEVICE AND METHOD BASED ON ACTIVE COMMAND OF SECURE CARRIER - The invention proposes a security information interaction system, apparatus and method based on security carrier's active command. The method comprises: an information interaction terminal, based on a user's command, establishes a security dialogue channel between the information interaction terminal and a security carrier so as to perform a security information interaction process, wherein the user's command indicates a target application associated with the security information interaction process; and the security carrier activates the target application during the establishment of the security dialogue channel and then executes the security information interaction process based on the security dialogue channel. In the security information interaction system, apparatus and method based on security carrier active command disclosed in the invention, the security carrier can initiate an active command to the information interaction terminal. | 02-18-2016 |
20160057109 | SECURE COMMUNICATION CHANNEL USING A BLADE SERVER - Systems and methods to manage a network include a security blade server configured to perform a security operation on network traffic, and a controller configured to virtualize a plurality of network devices. The controller is further configured to program the network traffic to flow through the security blade server to create a secure network channel. A software defined environment may include an application program interface (API) used to program the flow of the network traffic. The controller may use the API to virtually and selectively position the security blade server as a waypoint for the network traffic. | 02-25-2016 |
20160057171 | SECURE COMMUNICATION CHANNEL USING A BLADE SERVER - Systems and methods to manage a network include a security blade server configured to perform a security operation on network traffic, and a controller configured to virtualize a plurality of network devices. The controller is further configured to program the network traffic to flow through the security blade server to create a secure network channel. A software defined environment may include an application program interface (API) used to program the flow of the network traffic. The controller may use the API to virtually and selectively position the security blade server as a waypoint for the network traffic. | 02-25-2016 |
20160065538 | WIRELESS COMMUNICATION SYSTEMS AND METHODS - Embodiments of the invention provide methods, devices and computer programs arranged to facilitate access to device-to-device (D2D) communication services in a communication network. One embodiment includes an apparatus for use in controlling access to a D2D communication service in a communication network, the apparatus including a processing system arranged to cause the apparatus to: receive a D2D discovery signal including data indicative of said D2D communication service; determine a verification state for the D2D communication service as one of a first verification state and a second, different, verification state, on the basis of said received D2D discovery signal, the first verification state being one in which said D2D communication service can be verified by the apparatus; and in the event that said D2D communication service is determined to be in the second verification state, transmit data indicative of said D2D communication service for verification by the communication network. | 03-03-2016 |
20160072769 | NETWORK VERIFICATION DEVICE, NETWORK VERIFICATION METHOD, AND PROGRAM - In order to contribute to the improvement in the efficiency of an exhaustive verification of a network, a network verification device is provided with: a verification information input unit which accepts an input of verification information that defines the configuration of a network to be verified and the operation model of a device included in the network; a model checking execution unit which, in model checking using the verification information, performs a state transition without concretely dealing with the contents of a packet from a terminal connected to the network, sends information relating to the past transition path of each state to a search necessity/unnecessity confirmation unit before a state search of a next state, and performs the model checking while inquiring whether or not the search of the next state can be omitted; the search necessity/unnecessity confirmation unit which, based on the information relating to the past transition path of the state received from the model checking execution unit, determines whether or not the search of the next state can be omitted, and responds as to whether or not the search of the next state can be omitted; and a verification result output unit which, based on an output from the model checking execution unit, outputs the result of a verification. | 03-10-2016 |
20160072850 | METHOD AND SWITCH FOR LAWFUL INTERCEPTION - The present disclosure relates to methods and devices for activating lawful interception. According to the present disclosure, a gateway comprises a controller for controlling, using a flow control protocol, the flow of packets through a switch controlled by the gateway. The switch receives (S | 03-10-2016 |
20160080353 | SECURITY CONTROLLER SC RESTORATION METHOD AND APPARATUS - Embodiments of the present disclosure disclose a security controller SC restoration method. The method provided by the embodiments of the present disclosure includes: designating, by a master node, a node to which a backup SC belongs, where the master node includes an original DM or a backup DM; sending, by the master node to a first node, a message indicating the backup SC, where the message indicating the backup SC includes an identifier of the node to which the backup SC belongs; in a case in which a node to which an original SC belongs is disconnected, sending, by the master node to the first node, a message for enabling an SC function, for performing authentication, according to the message for enabling an SC function. | 03-17-2016 |
20160087941 | TECHNIQUES FOR PROVIDING SERVICES TO MULTIPLE TENANTS VIA A SHARED END-POINT - A service is provided that supports a plurality of tenants. Server(s) of the service are communicatively coupled with a plurality of gateways of the service. Each gateway is configured to support at least one tenant. The server(s) of the service include a network interface, a tenant mapper, and a gateway interface. The network interface is configured to receive connection strings from client devices. Each received connection string includes a service portion that maps to the same public IP address of the service, and also includes a corresponding tenant portion that identifies a tenant. The tenant mapper maps the tenant portions of the connection strings to corresponding gateways. The gateway interface is configured to enable the gateways to establish tunnels between the corresponding client devices and identified tenants. Accordingly, clients are enabled to access multiple tenants of the service via a same public IP address. | 03-24-2016 |
20160094520 | NETWORK GATEWAY APPARATUS - A network gateway apparatus which adds encryption to easily implement secure communication without affecting network environment settings includes two network interface cards to communicate on two networks. The processor of the network gateway apparatus initializes communications through the network interface cards and uses a TCP/IP protocol stack to communicate through the network interface cards. When a packet is received by one of the network interface cards, the processor replaces the origin MAC and IP addresses and the destination MAC and IP addresses with temporary values. Then the processor encrypts the payload. The packet is sent to the TCP/IP protocol stack, which sends the packet to one of the two network interface cards according to the temporary values. The MAC and IP addresses of the final destination of the packet are rewritten to the packet and the packet is transmitted. | 03-31-2016 |
20160099916 | SYSTEMS AND METHODS FOR PROTECTING NETWORK DEVICES - Embodiments of the present disclosure help protect network devices from unauthorized access. Among other things, embodiments of the disclosure allow full access to application servers and other network devices that a client is allowed to access, while preventing all access (or even knowledge) of network devices the client is not allowed to access. | 04-07-2016 |
20160099917 | MULTI-TUNNELING VIRTUAL NETWORK ADAPTER - Among other things, embodiments of the present disclosure allow multiple virtual private network connections to be created without the need for administrative privileges, and allow network traffic to be routed using a single virtual adapter instead of a dedicated virtual adapter for each virtual network connection. | 04-07-2016 |
20160105398 | SECURE DEVICE AND PROXY FOR SECURE OPERATION OF A HOST DATA PROCESSING SYSTEM - Secure device and proxy operation include generating, using a processor, a first proxy and a first proxy companion paired with the first proxy and providing the first proxy to a host data processing system for installation therein. The first proxy in the host data processing system and the first proxy companion communicate. A proxy change event for the host data processing system is detected. Responsive to the detecting, a second proxy and a second proxy companion paired with the second proxy are generated. The second proxy is provided to the host data processing system for installation therein. | 04-14-2016 |
20160105452 | Filtering Network Traffic Using Protected Filtering Mechanisms - Concepts and technologies are disclosed herein for filtering network traffic using protected filtering mechanisms. An indication that traffic is to be filtered can be received, and a hash key, a signature representation, and an obfuscated signature can be identified or generated. The hash key and the signature representation can be provided to a first device without exposing the contents of the signature to the second device, and the obfuscated signature can be provided to a second device without exposing the contents of the signature to the second device. The first device and the second device can execute independent operations to collectively determine if the traffic is to be filtered. | 04-14-2016 |
20160112375 | METHOD AND SYSTEM FOR PROTECTING CLOUD-BASED APPLICATIONS EXECUTED IN A CLOUD COMPUTING PLATFORM - A method and system for protecting cloud-based applications executed in a cloud computing platform are presented. The method includes intercepting traffic flows from a plurality of client devices to the cloud computing platform, wherein each of the plurality of client devices is associated with a user attempting to access a cloud-based application; extracting at least one parameter from the intercepted traffic related to at least each client device and a respective user attempting to access the cloud-based application; determining, based on the at least one parameter and at least a set of parameters combining cloud-based application risk factors for a provider of the cloud computing platform, a risk indicator for the user attempting to access the cloud-based application; and performing an action to mitigate a potential risk to the cloud computing platform based on the determined risk indicator. | 04-21-2016 |
20160119284 | REMOTE GRANT OF NETWORK ACCESS - Systems and techniques for granting of network access to a new network device are described. Specifically, various techniques and systems are provided for connecting a new network device to a network and limiting access of the network device while authenticating the new network device. Exemplary embodiments of the present invention include a computer-implemented method. The method comprises receiving, at a gateway on a network, a communication including a request for a new network device to join the network; establishing a connection between the new network device and the gateway; generating a firewall configured to prevent the new network device from communicating with an additional device on the network; transmitting a query, wherein the query includes a request to determine whether the new network device is associated with the network; receiving a communication including a response to the query indicating that the new network device is associated with the network; removing the firewall so as to allow the new network device to communicate with the additional network device. | 04-28-2016 |
20160119287 | OPTIMIZED TRANSPORT LAYER SECURITY - A method for establishing a secure communication session over communication paths between one or more client devices and one or more server computers according to a communication protocol includes initiating the session including passing communication through a proxy on a device on the communication paths, passing session initiation information between the client devices and the server computers via the proxy, passing encrypted content between the client devices and the server computers over secure communication sessions, each established for exclusive access from one client device and one server computer based on the exchanged session initiation information between said client device and said server computer whereby the proxy does not have access to the content, and modifying, using the proxy, at least some information passing between a client device and a server computer such that the communication to and from the server computer adheres to the communication protocol. | 04-28-2016 |
20160119288 | METHOD AND APPARATUS FOR CONTENT FILTERING ON SPDY CONNECTIONS - The present disclosure discloses a method and a network device for performing content filtering on SPDY connections. Specifically, a network device receives, from a client device, a first control frame identifying a first maximum number of unsolicited unacknowledged messages related to a web resource that can be transmitted by a web server. The network device transmits to the web server a second control frame identifying a second and different maximum number of unsolicited unacknowledged messages related to the web resource that can be transmitted by the web server. In some embodiments, the network device establishes a first connection with the client device without forwarding the request to the web server, and a second connection with the web server. Further, the network device inspects data in the unsolicited unacknowledged messages and forwards at least portion of the data to the client device using the first connection. | 04-28-2016 |
20160119289 | DATA COMPUTATION IN A MULTI-DOMAIN CLOUD ENVIRONMENT - A gateway device for implementing data security is described herein. The gateway device is coupled between a client device and a server device, and is configured to receive encoded data and a set of operations from the server device in response to a request for cloud services from the client device. The gateway device is configured to decode the encoded data, and to provide the decoded data and the set of operations to the client device. The client device is configured to perform the set of operations on the decoded data, and to incorporate the operation results into an application or interface corresponding to the requested cloud service. The gateway device is configured to encode the operation result data, and to provide the encoded operation result data to the server device for storage. | 04-28-2016 |
20160119365 | SYSTEM AND METHOD FOR A CYBER INTELLIGENCE HUB - A method for defining and forming a cyber intelligence channel communicating with consumers facing cyber threats in real time. The method includes collecting information by means such as web crawlers and scrapers. The method also includes filtering the collected information by filtering mechanisms founded on advanced algorithms. The method goes on to categorize the information into groups based on their unique characteristics, collecting capabilities and input and output constraints. The method further includes mapping the information and putting it into context, and targeting and pinpointing the information, such that the data collected in the data intelligence collection unit is gathered through innovative technologies that enable automated and massive, yet targeted, collection of the data that exists in the cyber space. | 04-28-2016 |
20160119377 | Cognitive Honeypot - An electronic communication evaluating device determines a suspicion level for an initial electronic communication. The initial electronic communication is addressed to an addressed entity that is associated with an electronic communication receiver. In response to the suspicion level exceeding a predetermined level, a communication switching device reroutes the initial electronic communication from the addressed entity to a cognitive honeypot. The cognitive honeypot transmits, to the electronic communication transmitting system, emulation electronic communications that emulate the addressed entity until a predefined state of the communication session occurs. | 04-28-2016 |
20160127314 | Front End Processor for Short Message Service Centers - A communication gateway which includes a short-message-system network element is disclosed. The communication gateway includes a short-message-system network element to transmit short-message data to a plurality of session-initiation-protocol endpoints and a front-end processor coupled with the short-message-system network element to provide session-initiation-protocol services for translating the short-message data transmitted between the plurality of session-initiation-protocol endpoints. | 05-05-2016 |
20160127315 | FIREWALL BASED PREVENTION OF THE MALICIOUS INFORMATION FLOWS IN SMART HOME - A system for preventing malicious attacks on a device in a Smart Home network comprises logical circuitry suitable to compare information flows in said network with legal information flows stored in memory means. | 05-05-2016 |
20160127316 | HIGHLY SECURE FIREWALL SYSTEM - A firewall system with closed ports configured to reject the data packets and create a readable log of rejected data packets. A port listening processor utilizes multiple daemon processors to receive and process information from the data packets to open ports using the dynamically modifiable port specific data structures. | 05-05-2016 |
20160127320 | Proxy Forwarding of Local Traffic by Edge Devices in a Multi-Homed Overlay Virtual Private Network - A first provider edge network device that is configured in a multi-homed virtual private network for a data center in which there are one or more peer edge network devices including a second edge network device, receives from the second edge network device a message indicating that a link for a particular Ethernet segment of the second edge network device in the data center is down. Information is stored at the first edge network device indicating the state of links for Ethernet segments associated with each of the one or more other edge network devices at the data center. The first edge network device forwards traffic for the particular Ethernet segment locally on Ethernet segments in the data center on behalf of the second edge network device. The proxy forwarding is performed for traffic for the particular Ethernet segment that originates from the data center, that is, for “same-site” traffic. | 05-05-2016 |
20160127415 | SYSTEM AND METHOD FOR PROVIDING ERROR HANDLING IN AN UNTRUSTED NETWORK ENVIRONMENT - An example method is provided and may include receiving a DIAMETER-based error over an SWm interface by a first evolved packet data gateway (ePDG) for a user equipment (UE) attempting to connect to the first ePDG; determining an Internet Key Exchange version two (IKEv2) error type corresponding to the DIAMETER-based error; and communicating the IKEv2 error type to the UE over an SWu interface. In some cases, the IKEv2 error type can be included in a notify payload or in a vendor ID payload for an IKE authentication response (IKE_AUTH_RESP) message. By distinguishing the IKEv2 error type, the UE can determine whether the error is a temporary or a permanent type and can determine whether to attempt to connect again to the first ePDG after a period of time or attempt to connect to another ePDG, which can help to reduce unnecessary signaling and provide better connectivity and user experience. | 05-05-2016 |
20160142372 | Preventing Browser-originating Attacks - A method and device for preventing a browser-originating attack in a local area network. A security device in the local area network intercepts a message from a first device in the local area network towards a second device in the local area network. The message requests connection between the first device and the second device. The security device prompts a user of the first device to approve the connection. In the event that the user approves the connection the first device is allowed to connect to the second device, and in the event that the user does not approve the connection the connection attempt is terminated. | 05-19-2016 |
20160142376 | STREAMING MEDIA FOR PORTABLE DEVICES - A system and method for allowing hand-held/wireless devices to (1) provide audio/video conferencing; (2) access AV content through streaming and cloud transfer; and (3) offer hand-held and computer access to cameras and sensors for surveillance using ordinary personal computers as proxy servers is described. In a first aspect, a remote view streaming system which comprises a webcam server which enables streaming video over a network is disclosed. The system includes a portable device. The portable device includes a client application. The portable device is configured to receive the streaming video from the network and display it on a screen. The system includes a proxy server for authenticating a connection between the webcam server and the portable device. In a second aspect, a portable device is disclosed. The portable device comprises a client application; wherein the client application includes authentication information to allow connection to the proxy server and in turn can be connected directly to a webcam server if the webcam server has proper authentication. | 05-19-2016 |
20160142914 | METHOD OF AUTHENTICATING A TERMINAL BY A GATEWAY OF AN INTERNAL NETWORK PROTECTED BY AN ACCESS SECURITY ENTITY PROVIDING SECURE ACCESS - One embodiment is an authentication method comprising on receiving a request from the web browser of the terminal, the request including a user identifier, obtaining authentication data that is associated with the user identifier and that is stored in a database of the internal network, configuring a proxy server authorizing access via the access security entity to the internal network for a determined set of connection parameters, generating a first application from the connection parameters of the set, which application is protected using at least one determined portion of the authentication data and being configured to, on being executed by the web browser, set up a connection between the terminal and the proxy server using the parameters, this being done in response to the at least determined portion of the authentication data being supplied and transmitting the first application to the web browser of the terminal. | 05-19-2016 |
20160149858 | TRANSPARENT TUNNELING ARCHITECTURE FOR A SECURED DATABASE - A method and associated systems for a transparent tunneling architecture for a secured database. A tunneling driver captures a user's database-access request before it can be blocked by a security gateway. The driver translates the request into a Web-service request, where the requested Web service is implemented by means of classes or objects that correspond to database operations. The request is formatted into a standard database-independent form that the security gateway allows to pass to the database server intact. A Web-service runtime environment interprets the requested Web service, thereby instructing the server-side database-management application to respond to the user's access request. In a reverse procedure, the database's response is translated into a Web-service response to the requested Web service that may similarly tunnel through the security gateway, and that is then translated back into a form that may be properly interpreted by the requesting user's client application. | 05-26-2016 |
20160164699 | METHOD FOR IMPLEMENTING RESIDENTIAL GATEWAY SERVICE FUNCTION, AND SERVER - A method for implementing a residential gateway service function, and a server are disclosed. The method may include: receiving, by a server, a data packet forwarded by a residential gateway (RGW) or a network side; identifying, by the server, a service type of the data packet according to information carried in the data packet; and providing, by the server, based on the service type of the data packet, a virtual residential gateway service for a user terminal connected to the RGW. | 06-09-2016 |
20160164832 | AUTONOMIC LOCATOR/IDENTIFIER SEPARATION PROTOCOL FOR SECURE HYBRID CLOUD EXTENSION - A method is provided in one example embodiment and includes configuring a local network element as an autonomic registrar for a designated network domain; establishing an autonomic control plane (“ACP”) between the local network element and one or more remote network elements identified by local network element as a remote neighbor; designating a locally-defined subnet at the local network element to be extended to each of the one or more remote network elements; and executing an ACP command at the local network element, wherein the executing triggers a message to each of the one or more remote network elements, the message including information regarding the designated local subnet. The information included in the message is used by each of the remote network elements to auto-resolve its Locator/Identifier Separation Protocol (“LISP”) configuration, enabling the designated local subnet to be extended to each of the one or more remote network elements. | 06-09-2016 |
20160164840 | NETWORK SECURITY PROCESSING - A method, and associated system, for security processing of a request for a resource in a network security system. The request for the resource is received from a client device. A duplicate of the received request is created. The received request and its duplicate are forwarded to a first proxy server and a second proxy server, respectively. A first output including the received request, and a second output including the duplicate of the received request, are received from the first proxy server and the second proxy server, respectively. A determination is made of whether the first output and the second output differ; if not, the received request or the duplicate of the received request is transmitted to a web server for satisfying the request; if so, a first alarm is generated and transmission to the web server of the received request and the duplicate of the received request is blocked. | 06-09-2016 |
20160164841 | MEDIA DISTRIBUTION SYSTEM WITH MANIFEST-BASED ENTITLEMENT ENFORCEMENT - A method for enforcing entitlements includes configuring a wide variety of entitlements at a server; determining an applicable combination of entitlements for a given client request; sending entitlements to the requesting client securely; handling entitlement information securely on a plurality of client devices at run time; storing entitlement information securely on a plurality of client devices for offline use; and enforcing entitlements on a plurality of client devices. The method employs manipulation of manifest files by a proxy that may be included in the client device or located in the network. | 06-09-2016 |
20160165439 | Dynamic Configuration for a Wireless Peripheral Device - A peripheral device for establishing a network connection with a gateway is disclosed, and includes a request module and a configuration logic. The request module sends a request for identification and receives an authenticator responsive to sending the request for identification. The authenticator includes data indicative of predefined settings of the gateway. The configuration logic is in data communication with a plurality of configurations stored within a memory of the peripheral device. In response to receiving the predefined settings from the request module, the configuration logic selects a specific configuration from the plurality of configurations, where the specific configuration defines a set of attributes that correspond to the predefined settings of the gateway. The configuration logic also activates the specific configuration once the specific configuration has been selected. The configuration logic also establishes a network connection with the gateway based on a wireless communication protocol. | 06-09-2016 |
20160173449 | ASSET MANAGEMENT VIA VIRTUAL TUNNELS | 06-16-2016 |
20160173452 | MULTI-CONNECTION SYSTEM AND METHOD FOR SERVICE USING INTERNET PROTOCOL | 06-16-2016 |
20160173517 | DDOS PROTECTION INFRASTRUCTURES USING IP SHARING ACROSS WIDE AREA NETWORKS | 06-16-2016 |
20160182449 | SYSTEM AND METHOD FOR N PORT ID VIRTUALIZATION (NPIV) LOGIN LIMIT INTIMATION TO CONVERGED NETWORK ADAPTOR (CNA) IN NPIV PROXY GATEWAY (NPG) MODE | 06-23-2016 |
20160182451 | DYNAMIC RE-ORDERING OF SCANNING MODULES IN SECURITY DEVICES | 06-23-2016 |
20160182456 | System and Method to Associate a Private User Identity with a Public User Identity | 06-23-2016 |
20160182571 | Lawful Interception and Security for Proximity Service | 06-23-2016 |
20160182619 | DIAMETER ROUTING AGENT TESTING | 06-23-2016 |
20160191467 | METHODS AND SYSTEMS FOR SECURELY MANAGING VIRTUALIZATION PLATFORM - Virtualization platforms and management clients therefor are communicatively coupled to one another via a control layer logically disposed therebetween. The control layer is configured to proxy virtualization management commands from the management clients to the virtualization platforms, but only after successful authentication of users (which may include automated agents and processes) issuing those commands and privileges of those users as defined by access control information accessible to the control layer. The control layer may be instantiated as an application running on a physical appliance logically interposed between the virtualization platforms and management clients, or a software package running on dedicated hardware logically interposed between the virtualization platforms and management clients, or as an application encapsulated in a virtual machine running on a compatible virtualization platform logically interposed between the virtualization platforms and management client. | 06-30-2016 |
20160197881 | Method for Setting Up a Secure Communication Connection, a Communication Device and Connection Controller | 07-07-2016 |
20160205069 | METHOD, DEVICE, AND SYSTEM FOR MONITORING A SECURITY NETWORK INTERFACE UNIT | 07-14-2016 |
20160205073 | ONE-CLICK REPUTATION ADJUSTMENT | 07-14-2016 |
20160255049 | SECURING EMAIL COMMUNICATIONS | 09-01-2016 |
20160255052 | DEVICE CLASSIFICATION FOR MEDIA DELIVERY | 09-01-2016 |
20160255053 | Repackaging Demographic Data with Anonymous Identifier | 09-01-2016 |
20160380975 | Domain Name Service Redirection for a Content Delivery Network with Security as a Service - In one implementation, a cloud connector obtains location information for a proxy server of a security as a service (SecaaS) function. The cloud connector receives a content request from a user device for content hosted in a content delivery network (CDN). A domain name service (DNS) request, with location information, is forwarded to a DNS authoritative server. An identification of a downstream CDN server is received from the DNS authoritative server. The identification of the downstream CDN is based on the location information for the proxy server of the SecaaS function. The content is obtained from the downstream CDN server through the proxy server of the SecaaS function. | 12-29-2016 |
20160380977 | ENTERPRISE REPUTATIONS FOR UNIFORM RESOURCE LOCATORS - There is disclosed in an example a computing apparatus configured to operate as an enterprise threat intelligence server, and including: a network interface configured to communicatively couple to a network; and one or more logic elements providing a reputation engine, operable for: receiving a first uniform resource locator (URL) identifier; determining that a first URL identified by the first URL identifier has an unknown enterprise reputation; and establishing a baseline reputation for the URL. There is further disclosed a method of providing the reputation engine, and one or more computer-readable mediums having stored thereon executable instructions for providing the reputation engine. | 12-29-2016 |
20170237708 | TELECOMMUNICATION SYSTEM AND METHOD FOR TRAVERSING AN APPLICATION LAYER GATEWAY FIREWALL DURING THE ESTABLISHMENT OF AN RTC COMMUNICATION CONNECTION BETWEEN AN RTC CLIENT AND AN RTC SERVER | 08-17-2017 |
20170237709 | UNOBTRUSIVE PROTECTION FOR LARGE-SCALE DATA BREACHES UTILIZING USER-SPECIFIC DATA OBJECT ACCESS BUDGETS | 08-17-2017 |
20170237813 | DATA TRANSMISSION SYSTEM AND METHOD FOR TRANSMITTING DATA | 08-17-2017 |
20180026945 | SCALABLE SECURE GATEWAY FOR VEHICLE | 01-25-2018 |
20180026946 | DEVICE AND METHOD FOR ESTABLISHING SECURITY ASSOCIATION IN COMMUNICATION SYSTEM | 01-25-2018 |
20180026998 | Incident Detection System | 01-25-2018 |
20190149513 | PACKET TRANSMISSION METHOD, APPARATUS, AND SYSTEM | 05-16-2019 |