FORTINET, INC. Patent applications

| Patent application number | Title | Published |
| --- | --- | --- |
| 20120131215 | MANAGING HIERARCHICALLY ORGANIZED SUBSCRIBER PROFILES - Methods are provided for managing hierarchically organized subscriber profiles. According to one embodiment, a connection for a subscriber is created based on a service context of the subscriber. A connection request is received from a subscriber of a network service delivery environment. The subscriber is associated with a first-level profile identifier indicative of a service context for the subscriber. One or more other subscribers can be associated with the first-level profile identifier. Lower-level profile identifiers are determined using the first-level profile identifier. The lower-level profile identifiers indicate a set of services that is available to the subscriber during the connection. A connection is then created for the subscriber that enables forwarding of packets based on the lower-level profile identifiers. | 05-24-2012 |
| 20120102196 | CONTENT PATTERN RECOGNITION LANGUAGE PROCESSOR AND METHODS OF USING THE SAME - A device for detecting network traffic content is provided. The device includes a processor configured to receive a signature associated with content desired to be detected, and execute one or more functions based on the signature to determine whether network traffic content matches the content desired to be detected. The signature is defined by one or more predicates. A computer readable medium for use to detect network traffic content is also provided. The computer readable medium includes a memory storing one or more signatures, each of the one or more signatures associated with content desired to be detected. Each of the one or more signatures is defined by one or more predicates, and each of the one or more predicates can be compiled into a byte code stream that controls a logic of a network traffic screening device. | 04-26-2012 |
| 20120099596 | METHODS AND SYSTEMS FOR A DISTRIBUTED PROVIDER EDGE - Methods and systems for a distributed provider edge are provided. According to one embodiment, a one-to-one association is formed between a Virtual Routing and Forwarding device (VRF) of a provider edge device (PE) of a service provider and a customer site. The VRF includes a routing information base (RIB) and a forwarding information base (FIB). A network interface module is instantiated within the VRF for each network interface employed, such as an intranet, extranet, Virtual Private Network (VPN) and/or Internet interface. A first packet is received at the PE via a first network interface. A first network interface module associated with the first network interface accesses the RIB to acquire routing information for the first packet. A second packet is received via a second network interface. A second network interface module associated with the second network interface accesses the RIB to acquire routing information for the second packet. | 04-26-2012 |
| 20120078863 | APPLICATION CONTROL CONSTRAINT ENFORCEMENT - Systems and methods for performing application control constraint enforcement are provided. According to one embodiment, file system or operating system activity of a computer system is intercepted relating to a code module. A cryptographic hash value of the code module is checked against a local whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code. The local whitelist database also contains execution constraint information. When the cryptographic hash value matches one of the cryptographic hash values of approved code modules, authority of the computer system or an end user of the computer system to execute the code module is further validated if the execution constraint information so indicates by performing a constraint check regarding the code module. If the authority is affirmed by the constraint check, then the code module is allowed to be executed. | 03-29-2012 |
| 20120072568 | SWITCH MANAGEMENT SYSTEM AND METHOD - Methods and systems for managing a service provider switch are provided. According to one embodiment, a network operating system (NOS) is provided on each processor element (PE) of the switch. The NOS includes an object manager (OM) responsible for managing global software object groups, managing software object configurations, managing local software objects and groups and routing control information between address spaces based on locations of software objects. The OM performs management plane communications among software objects by way of system calls. The OM performs data plane communications among software objects by way of object-to-object channels. The switch is provisioned with a network-based managed IP service for a particular customer of the service provider by pushing the service onto an object-to-object channel that has been established between a first software object and a second software object of the software objects. | 03-22-2012 |
| 20120069850 | NETWORK PACKET STEERING VIA CONFIGURABLE ASSOCIATION OF PACKET PROCESSING RESOURCES AND NETWORK INTERFACES - Methods and systems are provided for steering network packets. According to one embodiment, a dynamically configurable steering table is stored within a memory of each network interface of a network routing/switching device. The steering table represents a mapping that logically assigns each of the network interfaces to one of multiple packet processing resources of the network routing/switching device. The steering table has contained therein information indicative of a unique identifier/address of the assigned packet processing resource. Responsive to receiving a packet on a network interface, the network interface performs Layer 1 or Layer 2 steering of the received packet to the assigned packet processing resource by retrieving the information indicative of the unique identifier/address of the assigned packet processing resource from the steering table based on a channel identifier associated with the received packet, and the received packet is processed by the assigned packet processing resource. | 03-22-2012 |
| 20120057460 | SERVICE PROCESSING SWITCH - Methods and systems for providing IP services in an integrated fashion are provided. According to one embodiment, a load associated with multiple virtual routing processing resources of an IP service generator of a virtual router (VR) based switch is monitored. Packets are load balanced among the virtual routing processing resources. A packet flow cache is maintained with packet flow entries containing information indicative of packet processing actions for established packet flows. Deep packet classification is performed to determine whether a packet is associated with an established packet flow. If so, the packet is directed to one of multiple virtual services processing resources representing application-tailored engines configured to provide network-based IP services including one or more of virtual private network (VPN) processing, firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing. If the packet is allowed, it is returned to the source virtual routing processing resource for forwarding. | 03-08-2012 |
| 20120023557 | METHOD, APPARATUS, SIGNALS, AND MEDIUM FOR MANAGING TRANSFER OF DATA IN A DATA NETWORK - A method and apparatus for managing a transfer of data in a data network identifies data associated with a communication session between a first node and a second node in the data network. Further processing of the communication session occurs when a portion of the communication session meets a criterion and the communication session is permitted to continue when the portion of the communication session does not meet the criterion. | 01-26-2012 |
| 20120023228 | METHOD, APPARATUS, SIGNALS, AND MEDIUM FOR MANAGING TRANSFER OF DATA IN A DATA NETWORK - A method and apparatus for managing a transfer of data in a data network identifies data associated with a communication session between a first node and a second node in the data network. Further processing of the communication session occurs when a portion of the communication session meets a criterion and the communication session is permitted to continue when the portion of the communication session does not meet the criterion. | 01-26-2012 |
| 20120017277 | SYSTEMS AND METHODS FOR UPDATING CONTENT DETECTION DEVICES AND SYSTEMS - A method of updating a content detection module includes obtaining content detection data, and transmitting the content detection data to a content detection module, wherein the transmitting is performed not in response to a request from the content detection module. A method of sending content detection data includes obtaining content detection data, selecting an update station from a plurality of update stations, and sending the content detection data to the selected update station. A method of building a content detection system includes establishing a first communication link between a central station and an update station, the central station configured to transmit content detection data to the update station, and establishing a second communication link between the update station and a content detection module. | 01-19-2012 |
| 20120005741 | FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS - Methods and systems for an intelligent network protection gateway (NPG) are provided. According to one embodiment, a firewall prevents unauthorized network-layer access to internal hosts by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall facilitates concurrent management of multiple incoming VoIP calls by providing multiple VoIP ports and advertising multiple IP address/VoIP port pairs corresponding to internal hosts. When incoming VoIP packets are received, the firewall directs them to the appropriate internal host by port forwarding, based on a port indication contained within the packets, to a server or gatekeeper within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts. | 01-05-2012 |
| 20110235649 | HETEROGENEOUS MEDIA PACKET BRIDGING - Methods and systems for bridging network packets transmitted over heterogeneous media channels are provided. According to one embodiment, a network-computing device comprises multiple network interfaces (netmods) and a shared processing resource. The shared processing resource executes a virtual bridging application representing a single bridging domain for all network packets received by the network-computing device. A translation data structure defines translations between a first framing media format and an intermediate format and between the intermediate format and a second framing media format. If the virtual bridging application determines a network packet is to be relayed between a netmod operable to receive network packets encapsulated within the first framing media format and a netmod operable to transmit network packets encapsulated within the second framing media format, then it uses the translation data structure to translate the network packet before relaying the network packet. | 09-29-2011 |
| 20110235639 | MECHANISM FOR ENABLING LAYER TWO HOST ADDRESSES TO BE SHIELDED FROM THE SWITCHES IN A NETWORK - Methods and systems for shielding layer two host addresses (e.g., MAC addresses) from a network are provided. A border component interposed between a network of switches and multiple local hosts receives from a first local host a first packet destined for a first destination host. The first local host has a first layer 2 (L2) address and a first layer 3 (L3) address associated therewith. The first packet includes the first L2 address as a source L2 address for the first packet, and includes the first L3 address as a source L3 address for the first packet. The border component shields the first L2 address from the network of switches by replacing the source L2 address for the first packet with a substitute L2 address associated with a communication channel of the border component before sending the first packet to the network of switches. | 09-29-2011 |
| 20110235548 | MANAGING HIERARCHICALLY ORGANIZED SUBSCRIBER PROFILES - Methods are provided for managing hierarchically organized subscriber profiles. According to one embodiment, a policy engine of a VR defines services available to subscribers in terms of profile identifiers. A scalable subscriber profile database is established having a memory requirement dependent upon the number of available service contexts by hierarchically organizing profile identifiers as leaf profile identifiers, which explicitly define services, and intermediate profile identifiers, which indirectly represent services. The policy engine receives a first-level profile identifier and determines whether it is among those stored in the database. If not, then it obtains service profile information associated with the first-level profile identifier. If the first-level profile identifier is an intermediate profile identifier having leaf profile identifiers, then it further obtains them and associated profile information and stores this information in the database. The first-level profile identifier and the associated service profile information are also stored in the database. | 09-29-2011 |
| 20110231402 | SYSTEMS AND METHODS FOR CATEGORIZING NETWORK TRAFFIC CONTENT - A method for categorizing network traffic content includes determining a first characterization of the network traffic content, determining a first probability of accuracy associated with the first characterization, and categorizing the network traffic content based at least in part on the first characterization and the first probability of accuracy. A method for use in a process to categorize network traffic content includes obtaining a plurality of data, each of the plurality of data representing a probability of accuracy of a characterization of network traffic content, and associating each of the plurality of data with a technique for characterizing network traffic content. A method for categorizing network traffic content includes determining a characterization of the network traffic content, determining a weight value associated with the characterization, and categorizing network traffic content based at least in part on the characterization of the network traffic content and the weight value. | 09-22-2011 |
| 20110225646 | POLICY-BASED CONTENT FILTERING - Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a network connection is redirected by a networking subsystem implemented within a kernel of an operating system of a firewall device to a proxy module within the firewall device that is configured to support a network service protocol associated with the network connection. The proxy module retrieves one or more content processing configuration schemes associated with a matching firewall policy for the network service protocol and the network connection. The content processing configuration schemes each include multiple content processing configuration settings for each of one or more network service protocols. Application-level content of a packet stream associated with the network connection is then processed by the proxy module reassembling the application-level content from multiple packets of the packet stream and scanning the application-level content based on the retrieved content processing configuration schemes. | 09-15-2011 |
| 20110219086 | ELECTRONIC MESSAGE AND DATA TRACKING SYSTEM - Systems and methods for tracking electronic messages and data are provided. According to one embodiment, a linking object insertion routine identifies an electronic mail (email) message as a candidate for user feedback based on the email message having been previously classified as spam by a real-time email spam scanning routine associated with a commercial anti-spam service. The linking object insertion routine facilitates user submission of the user feedback regarding the email message to the commercial anti-spam service by embedding a linking object within the email message. The linking object is configured to automate communication of one or more digital signatures of the email message generated by the real-time email spam scanning routine to the commercial anti-spam service by performing out-of-band signaling with the commercial anti-spam service. | 09-08-2011 |
| 20110200057 | Virtual Memory Protocol Segmentation Offloading - Methods and systems for a more efficient transmission of network traffic are provided. According to one embodiment, a method is provided for performing transport layer protocol segmentation offloading. Multiple buffer descriptors are stored in a system memory of a network device. The buffer descriptors contain information indicative of a starting address of a payload buffer stored in a user memory space of the system memory. The payload buffers contain payload data originated by a user process running on a host processor of the network device. The payload data is retrieved from the payload buffers on behalf of a network processor of the network device without copying the payload data from the user memory space to a kernel memory space of the system memory by performing direct virtual memory addressing of the user memory space. Finally, the payload data is segmented across one or more transport layer protocol packets. | 08-18-2011 |
| 20110200044 | HARDWARE-ACCELERATED PACKET MULTICASTING IN A VIRTUAL ROUTING SYSTEM - Methods and systems are provided for hardware-accelerated packet multicasting in a virtual routing system. According to one embodiment, a virtual routing engine (VRE) including virtual routing processors and corresponding memory systems is provided. The VRE implements virtual routers (VRs) operable on the virtual routing processors and associated routing contexts utilizing potentially overlapping multicast address spaces resident in the memory systems. Multicasting of multicast flows originated by subscribers of a service provider is simultaneously performed on behalf of the subscribers. A VR is selected to handle multicast packets associated with a multicast flow. A routing context of the VRE is switched to one associated with the VR. A packet of the multicast flow is forwarded to multiple destinations by reading a portion of the packet from a common buffer for each instance of multicasting and applying transform control instructions to the packet for each instance of multicasting. | 08-18-2011 |
| 20110185221 | FAULT TOLERANT ROUTING IN A NON-HOT-STANDBY CONFIGURATION OF A NETWORK ROUTING SYSTEM - Methods and systems for facilitating fault tolerance in a non-hot-standby configuration of a network routing system are provided. According to one embodiment, a failover method is provided. One or more processing engines of a network routing system are configured to function as active processing engines, each having one or more software contexts. A control blade is configured to monitor the active processing engines. One or more of the processing engines are identified to function as non-hot-standby processing engines, each having no pre-created software contexts corresponding to the software contexts of the active processing engines. The control blade monitors the active processing engines. Responsive to detecting a fault associated with an active processing engine, the active processing engine is dynamically replaced with a non-hot-standby processing engine by creating one or more replacement software contexts within the non-hot-standby processing engine corresponding to those of the active processing engine. | 07-28-2011 |
| 20110176552 | MANAGING INTERWORKING COMMUNICATIONS PROTOCOLS - Systems and methods for managing interworking protocols are provided. According to one embodiment, a service management system (SMS) communicatively coupled with multiple service processing switches of a service provider provisions transport network interfaces of the service processing switches to provide a transport between subscriber interfaces of the service processing switches. The subscriber interfaces are configured to communicate data in accordance with a first protocol. The transport network interfaces are configured to communicate data in accordance with a second protocol. The SMS causes a first-protocol-over-second-protocol (FPoSP) Virtual Private Network (VPN) to be created through which subscriber sites securely exchange data by establishing a virtual router (VR) within the service processing switches corresponding to each subscriber interface. The VRs communicate the data among the service processing switches by encapsulating packets received from the subscriber sites within packets of the second protocol and transmitting the encapsulated packets through the transport network interfaces. | 07-21-2011 |
| 20110167261 | SELECTIVE AUTHORIZATION OF THE LOADING OF DEPENDENT CODE MODULES BY RUNNING PROCESSES - Systems and methods for selective authorization of dependent code modules are provided. According to one embodiment, file system or operating system activity relating to a first code module is initiated by a running process associated with a second code module. The file system or operating system activity is intercepted by a kernel mode driver of a computer system. The kernel mode driver selectively authorizes loading of the first code module by the running process based at least in part on one or more attributes of the second code module. | 07-07-2011 |
| 20110167260 | COMPUTER SYSTEM LOCK-DOWN - Systems and methods for allowing authorized code to execute on a computer system are provided. According to one embodiment, a method is provided for locking down a computer system. A customized, local whitelist database is stored within a memory of the computer system. The whitelist database forms a part of an authentication system operable within the computer system and contains therein cryptographic hash values of code modules expressly approved for execution by the computer system. A kernel mode driver of the authentication system intercepts file system or operating system activity relating to a code module. The authentication system determines whether to authorize the request by causing a cryptographic hash value of the code module to be authenticated against the whitelist database. The authentication system allows the code module to be loaded and executed within the computer system if the cryptographic hash value matches one of the cryptographic hash values. | 07-07-2011 |
| 20110167259 | SOFTWARE LICENSE ENFORCEMENT - Systems and methods for performing software license enforcement are provided. According to one embodiment, file or operating system activity relating to a code module is intercepted by a kernel mode driver of a computer system. The kernel mode driver causes a cryptographic hash value of the code module to be authenticated with reference to a local whitelist containing cryptographic hash values of approved code modules known not to contain malicious code. The local whitelist also contains licensing control information. If the cryptographic hash value matches a cryptographic hash value of an approved code module, then (i) authority to execute the code module is further validated if the licensing control information so indicates by performing a license check regarding the code module; and (ii) the code module is allowed to be loaded and executed within the computer system if the authority is affirmed by the license check. | 07-07-2011 |
| 20110167050 | SECURE SYSTEM FOR ALLOWING THE EXECUTION OF AUTHORIZED COMPUTER PROGRAM CODE - Systems and methods for allowing authorized code to execute on a computer system are provided. According to one embodiment, file or operating system activity relating to a code module is intercepted. A cryptographic hash value of the code module is authenticated with reference to a multi-level whitelist, which includes a remote global whitelist and a local whitelist. The remote global whitelist is maintained by a trusted service provider and contains cryptographic hash values of approved code modules known not to contain malicious code. The local whitelist is accessible by computer systems within the LAN and contains cryptographic hash values of a subset of the approved code modules. The cryptographic hash value is checked against the local whitelist. If no match is found, it is checked against the global whitelist. The code module is allowed to be loaded and executed if the cryptographic hash value corresponds to an approved code module. | 07-07-2011 |
| 20110128891 | MANAGING AND PROVISIONING VIRTUAL ROUTERS - Methods and systems are provided for provisioning and managing network-based virtual private networks (VPNs). According to one embodiment, a routing configuration for each of multiple network-based customer VPNs is generated for multiple customers based on (i) site reachability information for multiple service processing switches and (ii) a global customer routing profile for a network-based customer VPN of the plurality of network-based customer VPNs. Multiple virtual routers (VRs) distributed among the service processing switches are provisioned to support the network-based customer VPNs based on the routing configurations. A custom routing profile, identifying one or more routing protocols to be used for one or more segments of the network-based customer VPN profile, is received for the network-based customer VPN. The network-based customer VPN is automatically reconfigured by programmatically generating appropriate routing configurations for VRs partitioned to the network-based customer VPN based on the site reachability information and the custom routing profile. | 06-02-2011 |
| 20110125869 | NETWORK ADVERTISING SYSTEM - Systems and methods for transmitting content to a client via a communication network are provided. According to one embodiment, a system includes a content server, an insertion server and a policy server. The content server stores and selects substitute or supplemental content. The insertion server monitors client traffic, detects client TCP/IP requests or destination TCP/IP responses and sends the selected substitute or supplemental content retrieved from the content server to the client in lieu of or in addition to content requested by the client TCP/IP requests or provided by the destination TCP/IP responses. The policy server provides instructions to the insertion server with respect to timing of detecting the client TCP/IP requests or destination TCP/IP responses and a delay associated with completing the client TCP/IP requests or destination TCP/IP responses. The system operates independently of respective destinations of the client TCP/IP requests and respective sources of the destination TCP/IP responses. | 05-26-2011 |
| 20110122872 | SCALABLE IP-SERVICES ENABLED MULTICAST FORWARDING WITH EFFICIENT RESOURCE UTILIZATION - Methods, apparatus and data structures are provided for managing multicast IP flows. According to one embodiment, a network switch module includes a memory and multiple processors partitioned among multiple virtual routers (VRs). Each VR maintains a data structure including information relating to multicast sessions handled by the VR and including a first pointer for each multicast session, a chain of blocks of second pointers and one or more TCBs. Each first pointer points to a chain of blocks of second pointers. Each second pointer corresponds to an OIF of the VR participating in the multicast session defined by the first pointer and defines how many times to replicate packets associated with the multicast session. The TCBs store control information relevant to processing or routing packets. Each second pointer points to a TCB, which identifies the OIF out which packets of the multicast session are transmitted from the VR. | 05-26-2011 |
| 20110078331 | MECHANISM FOR ENABLING LAYER TWO HOST ADDRESSES TO BE SHIELDED FROM THE SWITCHES IN A NETWORK - Methods and systems for shielding layer two host addresses (e.g., MAC addresses) from a network are provided. According to one embodiment, a border component of a network of switches receives a first packet intended for a first host having a first L2 address and a first L3 address associated therewith. The first packet includes the first L3 address and a substitute L2 address as destination addresses. The substitute L2 address is associated with a communication channel of the border component. A data structure including information regarding an association between the first L3 address and the first L2 address is accessed by the border component. A determination is made that the destination L2 address for the first packet should be the first L2 address. A first updated packet is derived from the first packet by replacing the substitute L2 address with the first L2 address and sent to the first host. | 03-31-2011 |
| 20110069715 | ACCELERATING DATA COMMUNICATION USING TUNNELS - Methods and systems are provided for increasing application performance and accelerating data communications in a WAN environment. According to one embodiment, packets are received at a flow classification module operating at the Internet Protocol (IP) layer of a first wide area network (WAN) acceleration device via a shared connection-oriented tunnel, which is operable to convey application layer data for connection-oriented applications between WAN acceleration devices. Packets that are classified as being associated with an existing connection-oriented flow are passed to a WAN socket operating at the transport layer. Based on the application protocol, the packets are passed to an application handler of multiple application handlers operating at the application layer each of which implements one or more application acceleration techniques for a particular poorly behaved WAN protocol. The existing connection-oriented flow is securely accelerated by performing one or more application acceleration techniques and applying one or more security functions. | 03-24-2011 |
| 20110032942 | FAST PATH COMPLEX FLOW PROCESSING - Methods and systems for processing complex flows are provided. According to one embodiment, a packet associated with a complex flow is received. A first flow-based packet classification is performed based on a first set of attributes of the packet. A first flow processing operation is identified by performing a first flow cache lookup based on the first flow-based packet classification and the first flow processing operation is performed on the packet. After performing the first flow processing operation on the packet, a second flow-based packet classification of the packet is performed based on a second set of attributes of the packet. A second flow processing operation is identified by performing a second flow cache lookup based on the second flow-based packet classification and the second flow processing operation is performed on the packet. Finally, the packet is sent to an egress interface. | 02-10-2011 |
| 20110023121 | DETECTION OF UNDESIRED COMPUTER FILES IN DAMAGED ARCHIVES - Systems and methods for an anti-virus detection module that can detect known undesired computer files in damaged archives that may be encrypted, compressed and/or password-protected are provided. According to one embodiment, a damaged or incomplete RAR, CAB or ZIP archive is received. Without decrypting or decompressing the contents, an anti-virus detection module identifies the archive as a RAR, CAB or ZIP archive by assuming each of multiple possible archive types in turn and searching all of or certain parts of the archive for content consistent with a current archive type. Based on the identified type, for each contained file, descriptive information is extracted from corresponding local file headers and a threat evaluation is performed by comparing the descriptive information to signatures of known malicious or undesired files. If the threat evaluation concludes a particular contained file is a threat, then appropriate defensive actions are taken in relation to the archive. | 01-27-2011 |
| 20110016530 | DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES - Systems and methods that can detect known undesired computer files in protected archives are provided. According to one embodiment, an archive file in transit across a network as an attachment to an email message destined for a client workstation is scanned, without decrypting or decompressing contents of the archive, by an anti-virus detection module running on a network gateway. A type and associated structure of the archive are identified by examining primary or secondary identification bytes of the archive. Based on the type and structure, descriptive information regarding a contained file is obtained. The descriptive information includes a hash value of the contained file in uncompressed format. If the descriptive information matches a signature of a known undesired computer file, then a clean version of the archive is produced by removing the contained file and regenerating the archive. Finally, the clean version of the archive is delivered. | 01-20-2011 |
| 20100309811 | DETERMINING A CONGESTION METRIC FOR A PATH IN A NETWORK - Methods and systems for determining a congestion metric for a path in a network are provided. According to one embodiment, multiple paths are provided between each pair of multi-path load balancing (MPLB) components within a Layer 2 network by establishing overlapping loop-free topologies in which each MPLB component is reachable by any other via each of the overlapping topologies. A first MPLB component associated with a first network device sends a latency request packet, including a first timestamp provided by a first clock associated with the first MPLB component, to a second MPLB component associated with a second network device via the path. Responsive thereto, the first MPLB component receives, from the second MPLB component, a latency response packet, including a second timestamp provided by a second clock associated with the second MPLB component. The first MPLB component derives a one-way latency value for the path based upon the timestamps. | 12-09-2010 |
| 20100296392 | DETERMINING LINK FAILURE WITHIN A NETWORK - Methods and systems for determining link failure in a network are provided. According to one embodiment, multiple paths are provided between each pair of multi-path load balancing (MPLB) components within a Layer 2 network by establishing overlapping loop-free topologies in which each MPLB component is reachable by any other via each loop-free topology. A first MPLB component sends latency requests to a second MPLB component via a particular path. Responsive thereto, the first MPLB component receives latency responses. Based on timestamp information in the latency responses, an estimated latency between the first and second MPLB components is determined. A link failure timeout period is derived based upon the estimated latency. An additional latency request is sent. If an additional latency response is not received by the first MPLB component prior to expiration of the link failure timeout period, then it is concluded that a link failure has occurred. | 11-25-2010 |
| 20100290343 | PERFORMING RATE LIMITING WITHIN A NETWORK - Methods and systems for performing rate limiting are provided. According to one embodiment, multiple paths are provided between each pair of multi-path load balancing (MPLB) components within a Layer 2 network by establishing overlapping loop-free topologies in which each MPLB component is reachable by any other via each overlapping topology. A first MPLB component receives packets associated with a flow sent by a source component at a particular rate. The first MPLB component forwards the packets to a second MPLB component along a particular path in a network. A congestion metric for the particular path is determined. Based upon the congestion metric for the particular path, it is determined whether the particular path has reached a congestion threshold. In response to an affirmative determination, the source component is instructed to limit the rate at which it sends packets associated with the flow. | 11-18-2010 |
| 20100281296 | FAULT TOLERANT ROUTING IN A NON-HOT-STANDBY CONFIGURATION OF A NETWORK ROUTING SYSTEM - Methods and systems for facilitating fault tolerance in a non-hot-standby configuration of a network routing system are provided. According to one embodiment, a failover method is provided. A fault manager executing on a control blade of multiple server blades of a network routing system actively monitors an active processing engine of multiple processing engines within the network routing system. Responsive to detecting a fault associated with the active processing engine, the active processing engine is dynamically replaced with a non-hot-standby processing engine of the multiple processing engines by (i) determining one or more software contexts that were associated with the active processing engine prior to detection of the fault, and (ii) creating one or more replacement software contexts within the non-hot-standby processing engine corresponding to the one or more software contexts. | 11-04-2010 |
| 20100269172 | FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS - Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in the headers of VoIP packets and the corresponding data contents of the VoIP packets to enable bi-directional VoIP communications. An external VoIP interface of the firewall receives incoming VoIP packets having a user alias (e.g., an email address) and an indication regarding a VoIP port of the external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding, based on the port indication, to a Session Initiation Protocol (SIP) server within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts. | 10-21-2010 |
| 20100220741 | HETEROGENEOUS MEDIA PACKET BRIDGING - Methods and systems for bridging Ethernet frames transmitted over heterogeneous media channels are provided. According to one embodiment, multiple Ethernet frames encapsulated within multiple in-bound media transmissions having different media formats are received via a first set of multiple network interfaces of a network-computing device. The multiple in-bound media transmissions are relayed via a switch fabric of the network-computing device to a virtual bridge application running on a processing resource shared by the network interfaces and which acts as a single bridging domain for all Ethernet frames. The virtual bridge application encapsulates the multiple Ethernet frames within multiple out-bound media transmissions by performing media agnostic Ethernet bridging of the multiple Ethernet frames. The multiple Ethernet frames are transmitted by relaying, via the switch fabric, the out-bound media transmissions to a second set of the multiple network interfaces. | 09-02-2010 |
| 20100220732 | SERVICE PROCESSING SWITCH - Methods and systems for providing IP services in an integrated fashion are provided. According to one embodiment, a system includes a switch fabric and a line interface/network module, multiple virtual routing engines (VREs) and a virtual services engine (VSE) coupled with the switch fabric. The line interface/network module receives packets, steers ingress packets to a selected VRE and transmits egress packets according to their relative priority. The VREs determine whether a packet associated with a packet flow requires processing by the VSE by performing flow-based packet classification on the packet and evaluating forwarding state information associated with previously stored flow learning results. The VSE includes a central processing unit configured to perform firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing. If the packet is determined to require processing by the VSE, then the packet is steered to the VSE for firewall, URL filtering and/or anti-virus processing. | 09-02-2010 |
| 20100205502 | ENABLING MEMORY TRANSACTIONS ACROSS A LOSSY NETWORK - Methods and systems for enabling remote programmed I/O to be carried out across a “lossy” network are provided. According to one embodiment, a node maps a portion of a remote memory of a remote node into its physical address space. Memory transaction messages (MTMs) conforming to a processor bus protocol are received by a network interface of the node. The MTMs destined for the remote node are encapsulated within network packets. Each network packet is assigned a sending priority based upon the transaction type of the encapsulated MTM and upon the ordering rules associated with the processor bus protocol. The network packets are organized into groups based upon sending priority and transmitted to the remote node via the lossy network according to the sending priorities. It is ensured that a particular subset of the network packets having a particular sending priority is received by the remote node in the proper sequence. | 08-12-2010 |
| 20100199353 | VULNERABILITY-BASED REMEDIATION SELECTION - A machine-actionable memory comprises one or more machine-actionable records arranged according to a data structure. Such a data structure may include links that respectively map between a remediation, at least one action, and at least two vulnerabilities. A method of selecting a remediation, that is appropriate to a vulnerability which is present on a machine to be remediated, may include: providing a machine-actionable memory as mentioned above; and indexing into the memory using: a given vulnerability identifier to determine (A) at least one of a remediation mapped thereto and (B) at least one action mapped to the given vulnerability identifier; and/or a given remediation to determine at least two vulnerabilities mapped thereto. | 08-05-2010 |
| 20100189016 | IDENTIFYING NODES IN A RING NETWORK - Methods, systems and data structures for facilitating identification of nodes in a ring network are provided. According to one embodiment, a data structure is stored on a computer-readable storage medium of a node (e.g., a blade) participating in a ring network, within a multi-blade system, for example. The data structure includes a packet-ring master field, a control-node master field, a node characteristics field, a connection state field, a node identification field and a marker field. The packet-ring master field indicates whether the node is the current packet-ring master. The control-node master field indicates whether the node is the control-node master. The node characteristics field specifies per-node characteristics. The connection state field indicates the current connection state of the node. The node identification field identifies the node. The marker field indicates whether the data structure is a node discovery marker. | 07-29-2010 |
| 20100154064 | SYSTEMS AND METHODS FOR UPDATING CONTENT DETECTION DEVICES AND SYSTEMS - A method of updating a content detection module includes obtaining content detection data, and transmitting the content detection data to a content detection module, wherein the transmitting is performed not in response to a request from the content detection module. A method of sending content detection data includes obtaining content detection data, selecting an update station from a plurality of update stations, and sending the content detection data to the selected update station. A method of building a content detection system includes establishing a first communication link between a central station and an update station, the central station configured to transmit content detection data to the update station, and establishing a second communication link between the update station and a content detection module. | 06-17-2010 |
| 20100153507 | SYSTEMS AND METHODS FOR PROCESSING ELECTRONIC DATA - A method of processing electronic data includes receiving electronic data, and scanning at least a portion of the electronic data against a first signature, wherein the first signature is not data-type dependent. A method of processing electronic data includes receiving electronic data to be scanned, identifying a portion of the electronic data, wherein the portion is represented as an object, and assigning one or more procedures to scan the portion based at least in part on the object. A system for processing electronic data includes an input for receiving electronic data, a processor configured for identifying one or more portions of the electronic data, each of the one or more portions represented as a typed object, and a buffer configured to store data associated with no more than one object at a time. | 06-17-2010 |
| 20100153490 | CENTRALIZED DATA TRANSFORMATION - A method of facilitating transformation of survey data from being in at least one foreign format used by a survey-tool to being in a desired format may include: receiving instances of foreign data from survey-tools, the foreign data being in foreign format used by the survey-tools, respectively; and appending, to the instances of foreign data, service-keys to identify the service tools which gathered the foreign data, respectively, to produce a data block that includes key-and-foreign-data pairs. Another such method may include: receiving such a data block; culling from the block key-and-foreign-data pairs; and operating upon the pairs to transform respective chunks of foreign data from being in respective foreign formats into being in corresponding desired formats according to corresponding service-keys, respectively. | 06-17-2010 |
| 20100146627 | ELECTRONIC MESSAGE AND DATA TRACKING SYSTEM - Systems and methods for tracking electronic messages and data are provided. In one embodiment, the invention consists of a method of tracking email messages. In various embodiments, steps may include a) identifying an email message for tracking and b) inserting a linking object into the tracked email message. Responsive to activation by a receiver of the email message, the linking object enables the receiver to submit information to a commercial anti-spam service or a commercial anti-virus service. The method can be used to identify and track email messages defined as spam or defined as containing viruses. The receiver's privacy may be preserved with respect to the content of the email message by limiting the information submitted to signatures of the electronic message and other information associated with the electronic message that is reasonably required for spam or virus analysis. | 06-10-2010 |
| 20100142527 | Scalable IP-Services Enabled Multicast Forwarding with Efficient Resource Utilization - Methods and apparatus are provided for managing multicast Internet Protocol (IP) flows. According to one embodiment, a multicast IP flow is identified at an interface of a network device using information from a packet header. For any newly identified multicast IP flow, if flow-specific services are required, a new first transmit control block (TCB), which includes one or more attributes relating to flow-specific services required by the newly identified multicast IP flow, is created for the newly identified multicast IP flow. Otherwise, if flow-specific services are not required by the newly identified multicast IP flow, a default second TCB, which excludes any attributes relating to flow-specific services and which includes one or more attributes related to a virtual interface (VI) serving as an outbound interface (OIF) for the newly identified multicast IP flow, is used. | 06-10-2010 |
| 20100125898 | USE OF AUTHENTICATION INFORMATION TO MAKE ROUTING DECISIONS - Methods and systems for utilizing authentication attributes to determine how to direct traffic flows are provided. According to one embodiment, a program storage device readable by a network device associated with a service provider is provided. The program storage device tangibly embodies a program of instructions executable by a processor of the network device to perform method steps for authenticating users and establishing appropriate service sessions. An end user from whom a connection request is received is caused to be prompted for login credentials. The received login credentials are then caused to be authenticated by an authentication server. Responsive to successful authentication, a service session is established for the end user and customer separation is maintained among the multiple customers by creating a routing entry, according to which subsequent packets associated with the service session are routed, based on authentication attributes returned by the authentication server. | 05-20-2010 |
| 20100122344 | SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT - A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit. | 05-13-2010 |
| 20100095377 | DETECTION OF SUSPICIOUS TRAFFIC PATTERNS IN ELECTRONIC COMMUNICATIONS - Methods and systems for detecting suspicious traffic patterns in electronic communications are provided. According to one embodiment, an electronic mail (email) message is received by a mail filter (milter), which evaluates a traffic pattern represented by the email message by scanning information associated with the email message and comparing it to information associated with one or more traffic analysis profiles. If the email message is identified by the milter as being inconsistent with normal email traffic patterns as represented by the one or more traffic analysis profiles, then the milter causes the email message to be handled in accordance with an email security policy associated with suspicious traffic patterns. For example, in the context of an outbound message, the originator may be alerted to a factor contributing to the identification and the originator may be provided with an opportunity to address the factor. | 04-15-2010 |
| 20100094980 | MANAGING AND PROVISIONING VIRTUAL ROUTERS - Methods and systems are provided for provisioning and managing network-based virtual private networks (VPNs). According to one embodiment, virtual routers (VRs) distributed among service processing switches are provisioned by a service management system (SMS) to support network-based customer virtual private networks (VPNs) by generating a routing configuration based on (i) site reachability information for the service processing switches and (ii) a global customer routing profile for at least one customer. A custom routing profile is received by the SMS from a customer network management system (CNMS), the custom routing profile identifies one or more routing protocols to be used for one or more segments of a network-based customer VPN. The network-based customer VPN is reconfigured by the SMS generating appropriate routing configurations for VRs partitioned to the customer based on a subset of the site reachability information associated with sites of the customer and the custom routing profile. | 04-15-2010 |
| 20100011245 | FAULT TOLERANT ROUTING IN A NON-HOT-STANDBY CONFIGURATION OF A NETWORK ROUTING SYSTEM - Methods and systems for facilitating fault tolerance in a non-hot-standby configuration of a network routing system are provided. According to one embodiment, a method is provided for replacing an active processing engine with a non-hot-standby processing engine. Multiple processing engines within a network routing system are configured. The processing engines include an active processing engine having one or more software contexts, representative of a set of objects implementing a virtual router, for example, and a non-hot-standby processing engine having no pre-created software contexts corresponding to the one or more software contexts. Responsive to determining a fault associated with the active processing engine, the active processing engine is dynamically replaced with the non-hot-standby processing engine by creating replacement software contexts within the non-hot-standby processing engine corresponding to the one or more software contexts. | 01-14-2010 |
| 20100011124 | SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT - A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit. | 01-14-2010 |
| 20090303994 | INTEGRATED SECURITY SWITCH - An integrated security switch and related method for managing connectivity and security among networks. The integrated security switch includes a security function connectable with a first network and at least one switching function connectable with a second network. A common management interface driven by both command line interface and graphic user interface protocols manages the switching function via a management path dedicated between the security function and the switching function. The common management interface enables secure switching of traffic to flow via a traffic path dedicated between the switching function and the security function. Typically, the traffic is a flow of data between the Internet and a group of networked users such as a wide area network. | 12-10-2009 |
| 20090300159 | MANAGING INTERWORKING COMMUNICATIONS PROTOCOLS - Systems and methods for managing interworking protocols are provided. According to one embodiment, a policy-based provisioning methodology is used by a service management system (SMS) to provision subscriber interfaces of service processing switches based upon parameters of a predefined policy. The subscriber interfaces communicate data in accordance with a first protocol. The parameters include a window size, a window timeout, a number of allowed bad events, an event window size and/or a keep-alive interval. Transport network interfaces, which communicate in accordance with a second protocol, are provisioned to provide a transport between the subscriber interfaces. A first-protocol-over-second-protocol (FPoSP) Virtual Private Network (VPN) is created through which the subscriber sites securely exchange data by establishing a virtual router (VR) corresponding to each subscriber interface. The VRs encapsulate packets received from the subscriber sites within packets of the second protocol and transmit the encapsulated packets through the transport network interfaces. | 12-03-2009 |
| 20090268617 | Systems and methods for content type classification - A method for determining a type of content includes receiving a first packet, determining a state of classification for the first packet or for a session with which the first packet is associated, receiving a second packet, and determining a content type for the second packet based at least in part on the determined state. A method for determining a type of content includes receiving a packet associated with a session, determining whether a content type has been determined for the session or for another packet associated with the session, and classifying the packet to be the content type based at least in part on a result from the act of determining. A method for determining a type of content includes receiving a first packet from a first port, the first port adapted for receiving at least two types of content, and determining a content type for the first packet or for a session with which the first packet is associated. A method for determining a type of content includes receiving a packet associated with a session, and determining a state of classification for the packet or the session. | 10-29-2009 |
| 20090238181 | NETWORK PACKET STEERING VIA CONFIGURABLE ASSOCIATION OF PROCESSING RESOURCES AND NETWORK INTERFACES - Methods and systems are provided for steering network packets. According to one embodiment a method is provided for steering incoming network packets. Each network packet processing resource of a network routing/switching device is dynamically assigned to one or more network interfaces of the network routing/switching device. Each of the network packet processing resources includes one or more processing elements and a memory. Incoming network packets received by the network interfaces are steered to an appropriate network packet processing resource based on the dynamic assignment. | 09-24-2009 |
| 20090225759 | HIERARCHICAL METERING IN A VIRTUAL ROUTER-BASED NETWORK SWITCH - Methods and systems are provided for applying metering and rate-limiting in a virtual router environment and supporting a hierarchy of metering/rate-limiting contexts per packet flow. According to one embodiment, multiple first level metering options and multiple second level metering options associated with a hierarchy of metering levels are provided. A virtual routing engine receives packets associated with a first packet flow and packets associated with a second packet flow. The virtual routing engine performs a first type of metering of the first level metering options on the packets associated with the first packet flow using a first metering control block (MCB) and performs a second type of metering of the second level metering options on the packets associated with the first packet flow and the packets associated with the second packet flow using a second MCB. | 09-10-2009 |
| 20090110233 | IMAGE SPAM FILTERING BASED ON SENDERS' INTENTION ANALYSIS - Systems and methods for an anti-spam detection module that can detect image spam are provided. According to one embodiment, an image spam detection process involves determining and measuring various characteristics of images that may be embedded within or otherwise associated with an electronic mail (email) message. An approximate display location of the embedded images is determined. The existence of one or more abnormal factors associated with the embedded images is identified. A quantity of text included in the one or more embedded images is determined and measured by analyzing one or more blocks of binarized representations of the one or more embedded images. Finally, the likelihood that the email message is spam is determined based on one or more of the approximate display location, the existence of one or more abnormal factors and the quantity and location of text measured. | 04-30-2009 |
| 20090073977 | ROUTING TRAFFIC THROUGH A VIRTUAL ROUTER-BASED NETWORK SWITCH - Methods and systems are provided for routing traffic through a virtual router-based network switch. According to one embodiment, a flow data structure is established that identifies current packet flows associated with multiple virtual routers in the virtual router-based network device. When an incoming packet is received by the virtual router-based network device, it is then determined whether the incoming packet is associated with a current packet flow by accessing the flow data structure based on a header associated with the incoming packet. If it is determined that the incoming packet is associated with the current packet flow, then the incoming packet is hardware forwarded via a network interface of the virtual router-based network device without intervention by a processor of the virtual router-based network device, otherwise the incoming packet is forwarded to software on the processor for flow learning. | 03-19-2009 |
| 20090064323 | USE OF GLOBAL INTELLIGENCE TO MAKE LOCAL INFORMATION CLASSIFICATION DECISIONS - Methods and systems are provided for delaying local information classification until global intelligence has an opportunity to be gathered. According to one embodiment, an initial information identification process, e.g., an initial spam detection, is performed on received electronic information, e.g., an e-mail message. Based on the initial information identification process, classification of the received electronic information is attempted. If the received electronic information cannot be unambiguously classified as being within one of a set of predetermined categories (e.g., spam or clean), then an opportunity is provided for global intelligence to be gathered regarding the received electronic information by queuing the received electronic information for re-evaluation. The electronic information is subsequently classified by performing a re-evaluation information identification process, e.g., re-evaluation spam detection, which provides a more accurate categorization result than the initial information identification process. The electronic information is then handled in accordance with a policy associated with the categorization result. | 03-05-2009 |
| 20090063371 | RECONFIGURABLE SPAM DETECTION SYSTEM BASED ON GLOBAL INTELLIGENCE - Systems are provided for delaying e-mail classification until global intelligence has an opportunity to be gathered. According to one embodiment, a spam detection system includes a global intelligence network and a network device. The global intelligence network contains global intelligence servers coupled to a public network and configured to (i) gather intelligence from distributed anti-spam engines, (ii) maintain and update e-mail message signatures and associated reputation information and (iii) readjust spam detection characteristics of the distributed anti-spam engines. The network device includes an anti-spam engine, which is configured to (i) perform reputation analysis and content analysis on observed e-mail messages and (ii) provide the global intelligence network with an opportunity to gather further information to make the content analysis more accurate by queuing e-mail messages for which a satisfactory spam or clean categorization cannot be made in real-time for subsequent reapplication of the reputation analysis or the content analysis. | 03-05-2009 |
| 20090046728 | SYSTEM AND METHOD FOR DELIVERING SECURITY SERVICES - Systems and methods are provided for delivering security services. According to one embodiment, multiple virtual routers are established within a service processing switch, which is operable to be logically interposed between a public communications network and multiple subscriber sites. Each of the virtual routers has associated therewith a subset of processing and storage resources of the service processing switch. Subscribers are provided with respective sets of customized application layer services. Subscriber resource isolation is provided by partitioning the virtual routers between the subscribers including allocating and configuring partitions, having subsets of the virtual routers, to the subscribers. Changeable provisioning of processing capacity between the subscribers is provided by dynamically reallocating resources of the service processing switch between the partitions based on comparative processing demands of the customized application layer services. | 02-19-2009 |
| 20090044273 | CIRCUITS AND METHODS FOR EFFICIENT DATA TRANSFER IN A VIRUS CO-PROCESSING SYSTEM - Various embodiments of the present invention provide circuits and methods for improved virus processing. As one example, such methods may include providing a system memory, a general purpose processor and a virus co-processor. The methods further include receiving a data segment at the general purpose processor, and storing the data segment to the system memory using virtual addresses. The data segment is accessed from the system memory by the virus co-processor using the virtual addresses. The virus co-processor then scans the data segment for viruses and returns results. | 02-12-2009 |
| 20090007228 | MANAGING HIERARCHICALLY ORGANIZED SUBSCRIBER PROFILES - Apparatus are provided for managing hierarchically organized subscriber profiles. According to one embodiment, a router includes a subscriber manager, a database and a virtual interface. The subscriber manager is operable to receive a connection request from a subscriber of a service provider. The database has stored therein hierarchically organized profile identifiers, including multiple lower-level profile identifiers, which explicitly define subscriber services, and multiple first-level profile identifiers, which define service contexts representing combinations of services available to subscribers when connected to the service provider by (i) explicitly defining the subscriber services or (ii) referring to one or more of the plurality of lower-level profile identifiers. The virtual interface defines a subscriber connection between the router and the subscriber and is created and configured responsive to the connection request based on a first-level profile identifier that is associated with the subscriber. | 01-01-2009 |
| 20090006423 | CONTENT FILTERING OF REMOTE FILE-SYSTEM ACCESS PROTOCOLS - Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, holding buffers in which data collected from a remote file-system access protocol is stored, a holding buffer context table, a file map table and a usage table corresponding to each holding buffer are created within one or more computer-readable media. References to each of the holding buffers are tracked within the holding buffer context table. References to a common file are mapped to a common holding buffer of the holding buffers with the file map table. Modified and unmodified portions of the holding buffers are tracked using the usage table corresponding to each holding buffer. Responsive to a predetermined event in relation to a holding buffer or the holding buffers, the existence of malicious, dangerous or unauthorized content contained within the holding buffer is determined by performing content filtering on the holding buffer. | 01-01-2009 |
| 20080320553 | MANAGING HIERARCHICALLY ORGANIZED SUBSCRIBER PROFILES - Methods are provided for managing hierarchically organized subscriber profiles. According to one embodiment of the present invention, a subscriber connection is created with a virtual router operable within a telecommunications system of a service provider. A connection request is received from a subscriber of multiple subscribers of the service provider at a subscriber manager of the virtual router. The virtual router maintains a database of hierarchically organized profile identifiers, including multiple lower-level profile identifiers, which explicitly define subscriber services, and multiple first-level profile identifiers, which define service contexts representing combinations of services available to subscribers when connected by (i) explicitly defining the subscriber services or (ii) referring to one or more of the multiple lower-level profile identifiers. If the subscriber is successfully authenticated, a connection is created by creating and configuring a virtual interface within the virtual router for the subscriber connection based on the subscriber's first-level profile identifier. | 12-25-2008 |
| 20080317231 | MANAGING HIERARCHICALLY ORGANIZED SUBSCRIBER PROFILES - Methods are provided for managing hierarchically organized subscriber profiles. According to one embodiment, subscriber services are modified without requiring a change to the subscriber's first-level profile identifier and without requiring the subscriber to reestablish a connection with the service provider. A database of hierarchically organized profile identifiers, including multiple lower-level profile identifiers, explicitly defining subscriber services, and multiple first-level profile identifiers, defining service contexts representing combinations of services available to subscribers by (i) explicitly defining the subscriber services or (ii) referring to one or more of the lower-level profile identifiers, is maintained within a virtual router operable within a telecommunications system of the service provider. Updated service profile information, representing a change to the subscriber's service context, is received. Responsive to the updated service profile information, lower-level profile identifiers currently associated with the subscriber's first-level profile identifier are replaced with lower-level profile identifiers corresponding to the updated service profile information. | 12-25-2008 |
| 20080317040 | MANAGING HIERARCHICALLY ORGANIZED SUBSCRIBER PROFILES - Apparatus are provided for managing hierarchically organized subscriber profiles. According to one embodiment, a router includes multiple virtual interfaces and a policy engine. The virtual interfaces define connections between the router and corresponding subscribers of a service provider. A first virtual interface is operable to receive packets from a first subscriber and to process the packets in accordance with a first-level profile identifier. The policy engine is coupled with the virtual interfaces and operable to de-reference subscriber profiles of the subscribers on behalf of the virtual interfaces based on a database of hierarchically organized profile identifiers. The database includes multiple lower-level profile identifiers, which explicitly define subscriber services, and multiple first-level profile identifiers, which define service contexts representing combinations of services available to subscribers when connected to the service provider by (i) explicitly defining the subscriber services or (ii) referring to one or more of the lower-level profile identifiers. | 12-25-2008 |
| 20080282337 | CONTENT FILTERING OF REMOTE FILE-SYSTEM ACCESS PROTOCOLS - Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a transparent proxy running within a network gateway logically interposed between a client and a server intercepts remote file-system access protocol requests/responses. Responsive to receipt of a remote file-system access protocol request from the client, the network gateway issues the remote file-system access protocol request to the server on behalf of the client. The network gateway buffers into a holding buffer associated with the network gateway data being read from or written to a file associated with a share of the server. Then, responsive to a predetermined event in relation to the remote file-system access protocol or the holding buffer, the network gateway determines the existence or non-existence of malicious, dangerous or unauthorized content contained within the holding buffer by performing content filtering on the holding buffer. | 11-13-2008 |
| 20080259936 | SERVICE PROCESSING SWITCH - A system and method for providing IP services. A packet is received at a line interface/network module and forwarded to a virtual routing engine. The virtual routing engine determines if the packet requires processing by a virtual services engine. If the packet requires processing by the virtual services engine, the packet is routed to the virtual services engine for processing. | 10-23-2008 |
| 20080259934 | DISTRIBUTED VIRTUAL SYSTEM TO SUPPORT MANAGED, NETWORK-BASED SERVICES - Methods and systems are provided for allocating network resources of a distributed virtual system to support managed, network-based services. According to one embodiment, a VR-based switch having multiple processing elements is configured for operation at an Internet POP. An NOS is provided on each of the processing elements. Resources of the VR-based switch are segmented between a first and second subscriber by mapping VRs assigned to the first and second subscriber onto appropriate processing elements. Then, a first and second set of customized services are configured, each including two or more of firewalling, virtual private networking, encryption, traffic shaping, routing and network address translation (NAT), to be provided by the VR-based switch. Customized services are configured by allocating appropriate service object groups to the VRs, which can be dynamically distributed by the NOS to customized processors of the processing elements to achieve desired computational support. | 10-23-2008 |