Patent application number | Description | Published |
20090024750 | MANAGING REMOTE HOST VISIBILITY IN A PROXY SERVER ENVIRONMENT - Embodiments of the present invention address deficiencies of the art in respect to the visibility of an IP address for a remote resource behind a proxy server and provide a novel and non-obvious method, system and computer program product for managing remote host visibility in a proxy server environment. In one embodiment of the invention, a method for managing remote resource visibility in a proxy server environment can be provided. The method can include establishing a secure connection between a proxy server and a destination server, proxying different connections between different remote hosts and the destination server through the proxy server, providing remote host information for each of the different remote hosts, including IP address, port and protocol, for example, to the destination server over the secure connection, and mapping each provided IP address to an IP address for a corresponding one of the proxied different connections. | 01-22-2009 |
20090025078 | SECURE SHARING OF TRANSPORT LAYER SECURITY SESSION KEYS WITH TRUSTED ENFORCEMENT POINTS - Embodiments of the present invention address deficiencies of the art in respect to security enforcement point operability in a TLS secured communications path and provide a novel and non-obvious method, system and computer program product for the secure sharing of TLS session keys with trusted enforcement points. In one embodiment of the invention, a method for securely sharing TLS session keys with trusted enforcement points can be provided. The method can include conducting a TLS handshake with a TLS client to extract and decrypt a session key for a TLS session with the TLS client traversing at least one security enforcement point. The method further can include providing the session key to a communicatively coupled key server for distribution to the at least one security enforcement point. Finally, the method can include engaging in secure communications with the TLS client over the TLS session. | 01-22-2009 |
20090169005 | SELECTIVELY LOADING SECURITY ENFORCEMENT POINTS WTH SECURITY ASSOCIATION INFORMATION - A method, network element, and computer storage program product, are provided for selectively loading a communication network security enforcement point (“SEP”) with security association (“SA”) information for inspection of encrypted data in a secure, end-to-end communications path. At least one encrypted data packet is received. It is determined that SA information for decrypting the at least one encrypted data packet fails to exist locally at the SEP. A request is sent to a communication network key server for SA information associated with the at least one encrypted data packet. The SA information associated with the at least one encrypted data packet is received from the communication network key server. | 07-02-2009 |
20100071025 | SECURING LIVE MIGRATION OF A VIRTUAL MACHINE WITHIN A SERVICE LANDSCAPE - In an embodiment of the invention, a method for secure live migration of a virtual machine (VM) in a virtualized computing environment can include selecting a VM in a secure virtualized computing environment for live migration to a different virtualized computing environment and blocking data communications with the selected VM and other VMs in the secure virtualized computing environment. The selected VM can be live migrated to the different virtualized computing environment and the VM cna be restarted in the different virtualized computing environment. Notably, a secure communicative link can be established between the restarted VM and at least one other of the VMs in the secure virtualized computing environment. Finally, data communications between the restarted VM and the at least one other of the VMs can be enabled over the secure communicative link. | 03-18-2010 |
20110126194 | SHARED SECURITY DEVICE - A mechanism is provided for sharing one or more security appliances. A trusted system component associated with an application of a plurality of applications in a logically partitioned data processing system sets a destination address of a received packet to an address of a security appliance shared by the plurality of applications. The trusted system component sends the received packet to the security appliance. The trusted system component receives a response from the security appliance. The trusted system component determines whether the response indicates permitting the received packet to proceed to the intended recipient. The trusted system component sends the received packet to the recipient in response to the response indicating permitting the received packet to proceed. | 05-26-2011 |
20110219442 | Policy-Based Security Certificate Filtering - Policy filtering services are built into security processing of an execution environment for resolving how to handle a digital security certificate of a communicating entity without requiring a local copy of a root certificate that is associated with the entity through a certificate authority (“CA”) chain. Policy may be specified using a set of rules (or other policy format) indicating conditions for certificate filtering. This filtering is preferably invoked during handshaking, upon determining that a needed root CA certificate is not available. In one approach, the policy uses rules specifying conditions under which a certificate is permitted (i.e., treated as if it is validated) and other rules specifying conditions under which a certificate is blocked (i.e., treated as if it is invalid). Preferably, policy rules are evaluated and enforced in order of most-specific to least-specific. | 09-08-2011 |
20110239290 | SECURE SHARING OF TRANSPORT LAYER SECURITY SESSION KEYS WITH TRUSTED ENFORCEMENT POINTS - Embodiments of the present invention address deficiencies of the art in respect to security enforcement point operability in a TLS secured communications path and provide a novel and non-obvious method, system and computer program product for the secure sharing of TLS session keys with trusted enforcement points. In one embodiment of the invention, a method for securely sharing TLS session keys with trusted enforcement points can be provided. The method can include conducting a TLS handshake with a TLS client to extract and decrypt a session key for a TLS session with the TLS client traversing at least one security enforcement point. The method further can include providing the session key to a communicatively coupled key server for distribution to the at least one security enforcement point. Finally, the method can include engaging in secure communications with the TLS client over the TLS session. | 09-29-2011 |
20120198542 | Shared Security Device - A mechanism is provided for sharing one or more security appliances. A trusted system component associated with an application of a plurality of applications in a logically partitioned data processing system sets a destination address of a received packet to an address of a security appliance shared by the plurality of applications. The trusted system component sends the received packet to the security appliance. The trusted system component receives a response from the security appliance. The trusted system component determines whether the response indicates permitting the received packet to proceed to the intended recipient. The trusted system component sends the received packet to the recipient in response to the response indicating permitting the received packet to proceed. | 08-02-2012 |
20120222087 | APPLICATION BASED INTRUSION DETECTION - Intrusion detection is performed by communicating an initialization request from an intrusion detection system enabled application to an intrusion module to begin intrusion detection. Also, a request is communicated to a policy transfer agent to provide an intrusion detection system policy specifically configured for the application. The application identifies where in the application code the intrusion detection system policy is to be checked against an incoming or outgoing communication. Information obtained by the application program is selectively evaluated against information in the intrusion detection system policy. A conditional response is made based upon information in the intrusion detection system policy if an intrusion associated with the application program is detected. | 08-30-2012 |
20130013915 | INTERNET PROTOCOL SECURITY (IPSEC) PACKET PROCESSING FOR MULTIPLE CLIENTS SHARING A SINGLE NETWORK ADDRESS - Embodiments of the present invention address deficiencies of the art in respect to secure communications for multiple hosts in an address translation environment and provide a method, system and computer program product for IPsec SA management for multiple clients sharing a single network address. In one embodiment, a computer implemented method for IPsec SA management for multiple hosts sharing a single network address can include receiving a packet for IPsec processing for a specified client among the multiple clients sharing the single network address. A dynamic SA can be located among multiple dynamic SAs for the specified client using client identifying information exclusive of a 5-tuple produced for the dynamic SA. Finally, IPsec processing can be performed for the packet. | 01-10-2013 |
Patent application number | Description | Published |
20100050229 | VALIDATING NETWORK SECURITY POLICY COMPLIANCE - The present invention may provide the ability to determine the actions triggered by a network security policy given a set of conditions. Embodiments of the invention involve testing the security policy at specified times, documenting and analyzing the test results for compliance, recording the results for auditing purposes, writing events to warn of non-compliance findings, and dynamically taking defensive action to prevent security breaches as the result of non-compliance findings. | 02-25-2010 |
20110239301 | TECHNIQUE OF DETECTING DENIAL OF SERVICE ATTACKS - The invention detects a denial of service attack at a node by monitoring the number of discarded packets in relationship to the number of inbound packets. When an attack is detected, relevant inbound packet information is collected during the attack to help characterize the attack and at least to pinpoint the source of the last hop to the attacked node. | 09-29-2011 |
20130219167 | NETWORK NODE WITH NETWORK-ATTACHED STATELESS SECURITY OFFLOAD DEVICE EMPLOYING IN-BAND PROCESSING - A network node for communicating data packets secured with a security protocol over a communications network includes a host information handling system (IHS) and one or more external security offload devices coupled by a secure data link. The host IHS communicates state information about data packets, and the external offload security device provides stateless secure data encapsulation and decapsulation of packets using a security protocol. An external network interface controller or internal network interface controller communicates encapsulated data packets over the communications network to a final destination. Encapsulation and decapsulation of packets by the external security offload device reduces network latency and reduces the computational load on the processor in the host IHS. Maintaining state information in the host IHS allows hot-swapping of external security offload devices without information loss. The external security offload device may be included in a firewall, or intrusion detection device, and may implement IPsec protocol. | 08-22-2013 |
20130219168 | NETWORK NODE WITH NETWORK-ATTACHED STATELESS SECURITY OFFLOAD DEVICE EMPLOYING OUT-OF-BAND PROCESSING - A network node for communicating data packets secured with a security protocol over a communications network includes a host information handling system (IHS) and one or more external security offload devices coupled by a secure data link. The host IHS communicates state information about data packets, and the external offload security device provides stateless secure data encapsulation and decapsulation of packets using a security protocol. An external network interface controller or internal network interface controller communicates encapsulated data packets over the communications network to a final destination. Encapsulation and decapsulation of packets by the external security offload device reduces network latency and reduces the computational load on the processor in the host IHS. Maintaining state information in the host IHS allows hot-swapping of external security offload devices without information loss. The external security offload device may be included in a firewall, or intrusion detection device, and may implement IPsec protocol. | 08-22-2013 |
20140244862 | Preventing Duplicate Sources from Clients Served by a Network Address Port Translator - Preventing duplicate sources on a protocol connection that uses network addresses, protocols and port numbers to identify connections that include port number translation. In response to an inbound IPsec packet from a remote source client, a determination is made as to whether or not a port number is available within a range of port numbers that comply with a security association governing the connection. If so, an available port number is assigned to the connection, thereby avoiding a possibility of a duplicate source. If a port number is not available, the packet is rejected. | 08-28-2014 |