Patent application number | Description | Published |
20080270785 | Security approach for transport equipment - An apparatus comprising encryption logic that provides security for fiber-based communications may be implemented in accordance with an embodiment of the present invention. A data super frame is created by the encryption logic to comprise two or more data frames. Each of the data frames contains a payload portion. The encryption logic may receive one or more data payloads that are associated with a client signal. Using a single set of security control parameters, the encryption logic encrypts and stores a different encrypted payload in a payload portion of a different frame of the data frames in the data super frame. Instead of storing the set of security control parameters in a single data frame, the encryption logic stores the set of security control parameters in different sets of unused bytes associated with at least two different frames of the data frames. | 10-30-2008 |
20080320143 | METHOD AND APPARATUS FOR ROLE-BASED ACCESS CONTROL - Methods and devices are provided for role-based access control of network devices. The network devices may constitute the fabric of a storage area network (“SAN”) that has been logically partitioned into virtual storage area networks (“VSANs”) that are allocated to various administrators. Roles assigned according to preferred aspects of the invention do not need to be hierarchical, but are customized according to administrators' needs. | 12-25-2008 |
20130145152 | SECURE PREFIX AUTHORIZATION WITH UNTRUSTED MAPPING SERVICES - In one embodiment, a first router associated with a first network node sends a first map lookup that includes a particular device identifier associated with a second network node to a mapping service that maintains a plurality of mappings that associate device identifiers with device locations. The first router receives, from a second router associated with the second network node, a map response that includes a particular device location that corresponds to the particular device identifier for the second network node. The first router establishes a secure session with the second router, and determines, based on the secure session, whether the second router is authorized to reply for the particular device identifier associated with the second network node. | 06-06-2013 |
20140044262 | Low Latency Encryption and Authentication in Optical Transport Networks - Data to be transmitted across an Optical Transport Network (OTN) is encrypted with a non-malleable encryption algorithm. An authentication code configured to allow authentication of the data with a low latency encryption algorithm is generated. A packet is generated which is configured to be transferred across the OTN and contains the encrypted data and the authentication code. The packet is transmitted across the OTN. Non-malleable encryption, origin authentication, data integrity and anti-replay protection are provided for OTNs over Dense Wavelength Division Multiplexed (DWDM) links. In one example, XTS-AES encryption and GMAC authentication techniques are combined to secure OTN frames. | 02-13-2014 |
20140112349 | OVERLAY SERVICES IN COMMUNICATION NETWORKS - In one embodiment, a method includes receiving a packet from a first host at a first edge device, the packet comprising a layer 3 address of a second host in communication with a second edge device, using the layer 3 address of the second host to receive a layer 2 address and a location identifier for the second host from a database accessible from a core network, the database comprising a mapping of layer 3 host addresses to layer 2 host addresses and location identifiers, and storing a mapping of the layer 2 address to the location identifier at the first edge device for use in forwarding packets to the second host. The first edge device is in communication with the second edge device in an overlay network defined by the edge devices interconnected by the core network. An apparatus and logic are also disclosed herein. | 04-24-2014 |
20150063351 | INTER-DOMAIN NETWORK TENANT IDENTIFIER - In one embodiment, a method includes receiving a packet at a tunnel end point in a multi-tenant network, the packet comprising a destination, performing a lookup for the destination in a database comprising a mapping of global identifiers to local tenant identifiers for different hosting locations, each of the global identifiers uniquely identifying a tenant across all of the hosting locations, identifying a destination tunnel end point and a local tenant identifier for the destination, and inserting the destination tunnel end point and the local tenant identifier into the packet and forwarding the packet. An apparatus and logic are also disclosed herein. | 03-05-2015 |
Patent application number | Description | Published |
20090172816 | DETECTING ROOTKITS OVER A STORAGE AREA NETWORK - Embodiments of the invention improve the detection of malicious software applications, such as a rootkit, on hosts configured to access storage volumes over a storage area network (SAN). A rootkit detection program running on a switch may be configured to detect rootkits present on the storage volumes of the SAN. Because the switch may mount and access storage volumes independently from the (possibly comprised) hosts, the rootkit is not able to conceal itself from the rootkit detection program running on the switch. | 07-02-2009 |
20090287892 | EPOCH-BASED MUD LOGGING - In one embodiment, a MUD logger receives a notification from another MUD logger maintaining another MUD log for a volume, the notification indicating one or more modifications to be made to a MUD log maintained by the MUD logger receiving the notification, wherein the MUD log includes information for one or more epochs, wherein the information for each of the epochs indicates a set of one or more regions of the volume that have been modified during the corresponding epoch. The MUD logger updates the MUD log associated with the volume, wherein updating the MUD log is performed in response to the notification. | 11-19-2009 |
20100169645 | KEY TRANSPORT IN AUTHENTICATION OR CRYPTOGRAPHY - A computer system for authenticating, encrypting, and transmitting a secret communication, where the encryption key is transmitted along with the encrypted message, is disclosed. In an embodiment, a first transmitting processor encrypts a plaintext message to a ciphertext message using a data key, encrypts the data key using a key encrypting key, and sends a communication comprising the encrypted data key and the ciphertext message. A second receiving processor receives the communication and then decrypts the encrypted data key using the key encrypting key and decrypts the ciphertext message using the data key to recover the plaintext message. | 07-01-2010 |
20110219438 | METHODS AND APPARATUS FOR SECURITY OVER FIBRE CHANNEL - Methods and apparatus are provided for improving both node-based and message-based security in a fibre channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fibre channel network entities into a fibre channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fibre channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented. | 09-08-2011 |
20110293097 | VIRTUAL MACHINE MEMORY COMPARTMENTALIZATION IN MULTI-CORE ARCHITECTURES - Techniques for memory compartmentalization for trusted execution of a virtual machine (VM) on a multi-core processing architecture are described. Memory compartmentalization may be achieved by encrypting layer 3 (L3) cache lines using a key under the control of a given VM within the trust boundaries of the processing core on which that VMs is executed. Further, embodiments described herein provide an efficient method for storing and processing encryption related metadata associated with each encrypt/decrypt operation performed for the L3 cache lines. | 12-01-2011 |
20110296201 | METHOD AND APPARATUS FOR TRUSTED EXECUTION IN INFRASTRUCTURE AS A SERVICE CLOUD ENVIRONMENTS - The present disclosure presents a method and apparatus configured to provide for the trusted execution of virtual machines (VMs) on a virtualization server, e.g., for executing VMs on a virtualization server provided within Infrastructure as a Service (IaaS) cloud environment. A physical multi-core CPU may be configured with a hardware trust anchor. The trust anchor itself may be configured to manage session keys used to encrypt/decrypt instructions and data when a VM (or hypervisor) is executed on one of the CPU cores. When a context switch occurs due to an exception, the trust anchor swaps the session key used to encrypt/decrypt the contents of memory and cache allocated to a VM (or hypervisor). | 12-01-2011 |
20110302400 | SECURE VIRTUAL MACHINE BOOTSTRAP IN UNTRUSTED CLOUD INFRASTRUCTURES - Techniques are described for securely booting and executing a virtual machine (VM) image in an untrusted cloud infrastructure. A multi-core processor may be configured with additional hardware components—referred to as a trust anchor. The trust anchor may be provisioned with a private/public key pair, which allows the multi-core CPU to authenticate itself as being able to securely boot and execute a virtual machine (VM) image in an untrusted cloud infrastructure. | 12-08-2011 |
20130298184 | SYSTEM AND METHOD FOR MONITORING APPLICATION SECURITY IN A NETWORK ENVIRONMENT - A method includes determining an application role in a distributed application in a network environment, generating a role profile for the application role from an interaction pattern, mapping the role profile to a virtual machine (VM), and detecting a security breach of the VM. Determining the application role includes obtaining network traces from the distributed application, and analyzing the network traces to extract the application role. In one embodiment, detection of the security breach includes generating an access control policy for the VM from the role profile, and determining an anomaly in traffic based thereon. In another embodiment, detection of the security breach includes inserting the role profile in a port profile of the VM, generating a small state machine from the role profile, running the small state machine on a port associated with the VM, and inspecting, by the small state machine, an application level traffic at the port. | 11-07-2013 |
20140321459 | ARCHITECTURE FOR AGENTLESS SERVICE INSERTION - An example method for service insertion in a network environment is provided in one example and includes configuring a service node by tagging one or more interface ports of a virtual switch function to which the service node is connected with one or more policy identifiers. When data traffic associated with a policy identifier is received on a virtual overlay path the virtual switch function may then terminate the virtual overlay path and direct raw data traffic to the interface port of the service node that is tagged to the policy identifier associated with the data traffic. | 10-30-2014 |
20140380442 | SYSTEM AND METHOD FOR ENABLING SECURE TRANSACTIONS USING FLEXIBLE IDENTITY MANAGEMENT IN A VEHICULAR ENVIRONMENT - A method in one embodiment includes authenticating a first agent to an on board unit (OBU) of a vehicle if the first agent validates a first set of one or more authentication requirements and identifying a first identity profile corresponding to the first agent. The method also includes determining a role of the first agent in the vehicle and configuring the vehicle with the first identity profile, where the vehicle is configured based, at least in part, on the role of the first agent. In this embodiment, the first identity profile is one of a plurality of identity profiles provisioned on the OBU. In specific embodiments, each one of a plurality of agents corresponds to a respective one of the plurality of identity profiles, and includes one or more of a human agent, a machine device, a software agent, an authorized entity, and a mobile device. | 12-25-2014 |
20150029987 | SYSTEM AND METHOD FOR WIRELESS INTERFACE SELECTION AND FOR COMMUNICATION AND ACCESS CONTROL OF SUBSYSTEMS, DEVICES, AND DATA IN A VEHICULAR ENVIRONMENT - A method in one embodiment includes intercepting a message in an on-board unit (OBU) of a vehicular network environment between a source and a receiver in the vehicular network environment, verifying the message is sent from the source, verifying the message is not altered, evaluating a set of source flow control policies associated with the source, and blocking the message if the set of source flow control policies indicate the message is not permitted. In specific embodiments, the message is not permitted if a level of access assigned to the source in the set of source flow control policies does not match a level of access tagged on the message. In further embodiments, the method includes evaluating a set of receiver flow control policies associated with the receiver, and blocking the message if the set of receiver flow control policies indicates the message is not permitted. | 01-29-2015 |
20150101029 | METHODS AND APPARATUS FOR SECURITY OVER FIBRE CHANNEL - Methods and apparatus are provided for improving both node-based and message-based security in a fibre channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fibre channel network entities into a fibre channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fibre channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented. | 04-09-2015 |
20150222708 | SYSTEM AND METHOD FOR APPLICATIONS MANAGEMENT IN A NETWORKED VEHICULAR ENVIRONMENT - A method in one example embodiment includes identifying a power state and a battery level of a vehicle. The method also includes allocating power to critical applications (for example) in response to determining that the battery level is above a reserve threshold while the power state of the vehicle is engine-off. The method also includes allocating remaining power in excess of the reserve threshold to non-critical applications according to a power management policy. The power management policy may comprise at least one of a user power preference index and an application power preference index. | 08-06-2015 |