Firewall

Subclass of:

726 - Information security

726002000 - ACCESS CONTROL OR AUTHENTICATION

726003000 - Network

Patent class list (only non-empty classes are listed)

Deeper subclasses:

Class        Description                Number of patent applications
726012000    Proxy server or gateway    221
726014000    Security protocols         199
726013000    Packet filtering           181
Entries
DocumentTitleDate
20090205039SECURITY MANAGEMENT SYSTEM FOR MONITORING FIREWALL OPERATION - A test method for Internet-Protocol packet networks that verifies the proper functioning of a dynamic pinhole filtering implementation as well as quantifying network vulnerability statistically, as pinholes are opened and closed is described. Specific potential security vulnerabilities that may be addressed through testing include: 1) excessive delay in opening pinholes, resulting in an unintentional denial of service; 2) excessive delay in closing pinholes, creating a closing delay window of vulnerability; 3) measurement of the length of various windows of vulnerability; 4) setting a threshold on a window of vulnerability such that it triggers an alert when a predetermined value is exceeded; 5) determination of incorrectly allocated pinholes, resulting in a denial of service; 6) determining the opening of extraneous pinhole/IP address combinations through a firewall which increase the network vulnerability through unrecognized backdoors; and 7) determining the inability to correlate call state information with dynamically established rules in the firewall.08-13-2009
20100088755Access management for devices in communication networks - The invention relates to a terminal a node and a method for terminating communication between a communication network (04-08-2010
20110202993DIGITAL MEDIA COMMUNICATION PROTOCOL - A digital media communication protocol structured to selectively transmit one or more digital media files between a media terminal and a media node via a communication link on an interactive computer network. The communication link is initiated by the media terminal, wherein the media terminal is disposed in an accessible relation to the interactive computer network. The digital media communication protocol, and in particular, the communication link, is further structured to bypass at least one security measure, such as, for example, a password, security key, and/or firewall.08-18-2011
20120180119Session Initiation Protocol (SIP) Firewall For IP Multimedia Subsystem (IMS) Core - A SIP firewall defends an IMS network against SIP registration-based DoS/DDoS attacks by issuing fake authentication challenges when suspiciously high registration traffic is present. The fake authentication challenges include a predictive nonce that is to be used in the challenge response, thus forcing users to be state-aware and to issue the SIP registration requests from valid IP address in order to successfully respond to the fake authentication challenges. Upon confirming an association between the challenge response and the fake authentication challenges, the firewall opens a registration window to a protected node of the core network. In such manner, the firewall opens a registration window to (unauthenticated) legitimate users while stopping DDoS mode of registrations (or at least making them extremely difficult and costly) without impacting or involving the protected node.07-12-2012
20080256618METHOD TO APPLY NETWORK ENCRYPTION TO FIREWALL DECISIONS - A system and related methods for providing a handler for requests to access a wireless network, operable by or separate from an enhanced personal firewall system, which obtains connection-related information from the operating system, network interface drivers, or both, and then provides that information to a controller which determines to allow or deny access. By collecting certain connection-related information, new levels and granularities of control are allowed and enabled. The process is equally well suited for implementation by a wireless device which may be in range of multiple servers or networks, such that the device may allow different levels of access to the device by the different servers or networks according to the collected connection-related information.10-16-2008
20090172800REORDERING A FIREWALL RULE BASE ACCORDING TO USAGE STATISTICS - A computer implemented method of reducing central processing unit (CPU) usage of a firewall by safe reordering a current firewall's rule-base exhibiting N rules. The method comprising: receiving rule usage statistics exhibiting usage frequency of each rule on the current firewall's rule-base; calculating a rules matched per packet (RMPP) parameter, being a summation of products of each rule identifier and the corresponding usage frequency for all the N rules; determining an alternative order of the rule base by repositioning rules, wherein the repositioned rules perform the same action on the firewall, or wherein the repositioned rules act on disjoint sets of network connections, and wherein the repositioning results in a reduction of the RMPP of the reordered rule base, thereby reducing the CPU usage of the firewall in implementing the alternative order of rules.07-02-2009
20130081129Outbound Connection Detection and Blocking at a Client Computer - A method of detecting and blocking a malicious SSL connection at a client computer. The method includes identifying, at a network firewall level, an outbound SSL connection being set up at the client computer; detecting an SSL certificate associated with the SSL connection; sending a request to a central server for reputation information on the SSL certificate; at the central server, determining reputation information in dependence upon the SSL certificate; providing said reputation information from the central server to the client computer; and using the reputation information at the client computer to determine whether or not to block the connection.03-28-2013
20130081130METHODS, APPARATUS, AND ARTICLES OF MANUFACTURE TO PROVIDE FIREWALLS FOR PROCESS CONTROL SYSTEMS - Methods, apparatus, and articles of manufacture to provide firewalls for process control systems are disclosed. An example method includes analyzing a network communication to identify a first service, an address associated with the first service within a secured portion of a network, and a subset of ports used by the first service, the network communication originating from within the secured portion of the network and to be transmitted to a destination outside of the secured portion of the network, and storing an identifier of the first service, the address, and the subset of the ports when the network communication includes the identifier, the address, and the subset of the ports.03-28-2013
20100100954METHOD AND APPARATUS FOR REDUCING FIREWALL RULES - A method and apparatus for reducing obsolete firewall rules are disclosed. The present invention addresses the issue by using existing network routing information as well as firewall rule configuration information to help analyze firewall access logs to identify obsolete and unused firewall rules so that these obsolete firewall rules can be removed. In one embodiment, the present invention is capable of periodically identifying the unused rule set for each external partner network and removing these obsolete rules with no impact to the current operation.04-22-2010
20100095365Self-setting security system and method for guarding against unauthorized access to data and preventing malicious attacks - A self-setting security guarding system and method for protecting against unauthorized access to data stored in a data processing apparatus, comprising setting various items used to guard data, wherein the items consist of protected areas with access control for data storage and access therein, authorized types of files with access controls, and access rules of safety regulations enabling the data processing apparatus to verify access to data contents stored therein or in the protected area thereof; and detecting access events of the protected area or types of files using the access control and generating a request for analysis when an access event is detected, and further analyzing whether the detected access event complies with the access rules and the analysis request to permit or deny execution of said access event depending on whether it complies or not with safety regulations.04-15-2010
20130047248Apparatus and Method for Determining Subject Assurance Level - According to one embodiment, an apparatus may store a plurality of token-based rules. The apparatus may further store a plurality of subject tokens associated with at least one of a user and a device. The apparatus may receive a resource token indicating that access to a resource has been requested. The apparatus may determine the value of an access value associated with the at least one subject token. The apparatus may then determine that the value of the access value is insufficient to grant access to the resource. The apparatus may then determine that access by at least one of the user and the device to the resource should be denied.02-21-2013
20110004930GLOBAL NETWORK COMPUTERS - A computer that is configured for connection to a network including the Internet, including, but not limited to the following. A microchip including a microprocessor, the microprocessor including a master control unit and at least two processing units and wherein the master control unit is configured to control the processing units. The computer also includes a Faraday Cage substantially surrounding the microchip. The Microchip further includes a firewall being configured with hardware to make the master control unit inaccessible from the network including the Internet when the computer is connected to the network including the Internet. The fire wall is further configured in a manner that permits access by another computer in the network including the Internet to at least one of the processing units of the microprocessor for an operation with another computer when the computer is connected to the network including the Internet.01-06-2011
20090328183ONE WAY SECURE LINK - A method for secure communications between a transmitting computer (12-31-2009
20120192262NETWORK ADAPTER FIREWALL SYSTEM AND METHOD - A network adapter system and associated method are provided. Included is a network adapter having a plurality of designated trusted and untrusted ports. The network adapter includes a processor coupled to a computer. Such processor is further coupled to a network via the ports. In use, the processor is configured for conditionally preventing network traffic from accessing the computer from the network via the untrusted ports and/or preventing unauthorized software from accessing the network in an untrusted manner from the computer.07-26-2012
20090094692SESSION CONTROL SERVER, COMMUNICATION DEVICE, COMMUNICATION SYSTEM AND COMMUNICATION METHOD, AND PROGRAM AND RECORDING MEDIUM FOR THE SAME - A communication device, connected via a network so as to be able to communicate with a session control server, and which establishes a session with another communication device by performing signal transmission to and reception from the session control server, includes: a unit which generates an asymmetric key pair; a request unit which requests certificate issuance for a public key in the asymmetric key pair; a receiving unit which receives notification of public key issuance completion from the session control server; a storage unit which stores a public key certificate which has been received; a sending unit which sends a location registration request of a communication device to the session control server; and a receiving unit which receives a location registration completed notification which includes a term of validity from the session control server; and which sends a location registration request and a certificate issuance request as a combined request.04-09-2009
20090094691Intranet client protection service - A system and method for protecting intranet client devices in a virtual private network are disclosed. The method includes defining one or more groups of client devices to protect from traffic emanating from an external network (e.g., Internet, a Wide Area Network (WAN), a remote subnet of an intranet, and the like), while allowing the client devices to initiate TCP sessions with servers in the outside network.04-09-2009
20130074173Control of Security Application in a LAN from Outside the LAN - A method and a system are disclosed that enable an address at the edge router to be used to establish a multi-pipe virtual private network (MVPN) connecting controllers to multiple web enabled end user devices (EUDs) inside a security protected local area network (LAN). The EUDs connect to a central server (CS) outside the LAN during configuration establishing registration and identity (ID) for each EUD. Once the EUDs establish connection from inside the LAN, the CS is enabled to communicate with the EUDs using the address and ID provided during registration. The CS then acts as a facilitator establishing secure VPN connection between controllers in the cloud and the EUDs inside the LAN. CS further acts as a pass through for those LANs that do not allow direct connections to controllers outside the LAN. The CS continues to monitor the health of the overall system once connectivity is established.03-21-2013
20120144476SYSTEM AND METHOD FOR NETWORK VULNERABILITY DETECTION AND REPORTING - A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing.06-07-2012
20090271857METHOD AND APPARATUS FOR FILTERING PACKETS USING AN APPROXIMATE PACKET CLASSIFICATION - A method and apparatus that enables approximate packet classification by using both an exact packet classification method and an inexact packet classification method are disclosed. For example, the method filters a plurality of packets using an exact packet classification method when a processing load is below or equal to a threshold, and filters the plurality of packets by dynamically switching between the exact packet classification method and an inexact packet classification method when the processing load is above the threshold.10-29-2009
20120117640Integrated Computer Security Management System and Method - The present disclosure is generally directed to a computer security management system that integrates a firewall with an intrusion detection system (IDS). In other words, the firewall and IDS of the present disclosure can be designed to communicate process or status information and packets with one another. The present disclosure can facilitate centralized control of the firewall and the IDS and can increase the speed at which packets are passed between a secured computer network and an external network. Increased packet processing speed can be achieved in several ways. For example, the firewall and IDS can process packets in series, in parallel, and sometimes singularly when one of the components is not permitted to process a packet. Alternatively, singular processing can also be performed when one component is permitted to pass a packet to the secured computer network without checking with the other component.05-10-2012
20130067559INSTANT INTERNET BROWSER BASED VoIP SYSTEM - The present invention is an instant Internet browser based VoIP system with a VoIP client in the form of temporary VoIP applets that can start in a Web browser and can establish an instant peer-to-peer connection with another web-based or hardware embedded/installed VoIP client using session initiation protocol (SIP) and real-time transport protocol (RTP) audio streaming. The applet is a small file that is easily loaded onto a user's browser and uses application program interfaces (APIs) that require no additional libraries. The applet is written in JAVA, although other programming languages may also be used to write the applet.03-14-2013
20130067557AUTHENTICATION SHARING IN A FIREWALL CLUSTER - A firewall cluster system comprises a first node operable to receive a connection in a firewall cluster having three or more nodes, determine user data associated with the connection, and share the user data with at least another node in the firewall cluster.03-14-2013
20130067556APPLICATION STATE SHARING IN A FIREWALL CLUSTER - A firewall cluster system comprises a first node operable to receive a connection in a firewall cluster having three or more nodes, monitor packets of the received connection and determining application state data associated with the connection from the monitored packets in the first node, and share application state data with at least another node in the firewall cluster.03-14-2013
20110023106METHODS AND SYSTEMS FOR ACHIEVING HIGH ASSURANCE COMPUTING USING LOW ASSURANCE OPERATING SYSTEMS AND PROCESSES - A computing system contains and uses a partitioning microkernel (PMK) or equivalent means for imposing memory partitioning and isolation prior to exposing data to a target operating system or process, and conducts continuing memory management whereby data is validated by security checks before or between sequential processing steps. The PMK may be used in conjunction with an Object Request Broker.01-27-2011
20110023105IPv6-over-IPv4 Architecture - Mobile clients can execute IPv6 applications in an IPv4 environment without the need for any specialized IPv6 hardware or upgrades to the network infrastructure. The architecture provides a seamless, disruption-free connectivity experience for mobile clients. Mobile clients are automatically connected to other mobile clients irrespective of their network connectively, whether wireless, wire line, IPv4, IPv6, public or private. Mobile clients communicate with other mobile clients using a secure, end-to-end IPv6 tunnel. This creates a persistent VPN connection between two clients using software.01-27-2011
20110023104SYSTEM FOR HOSTING CUSTOMIZED COMPUTING CLUSTERS - A computer system for hosting computing clusters for clients. The system includes clusters each including a set of computing resources and each implemented in custom or differing configurations. Each of the configurations provides a customized computing environment for performing particular client tasks. The configurations may differ due to configuration of the processing nodes, the data storage, or the private cluster network or its connections. The system includes a monitoring system that monitors the clusters for operational problems on a cluster level and also on a per-node basis such as with monitors provided for each node. The system controls client access to the clusters via a public communications by only allowing clients to access their assigned cluster or the cluster configured per their specifications and performing their computing task. Gateway mechanisms isolate each cluster such that communications within a cluster or on a private cluster communications network are maintained separate.01-27-2011
20130067558ASSURED PIPELINE THREAT DETECTION - Devices, methods, and systems for assured pipeline threat detection are described herein. One method for assured pipeline threat detection includes receiving a first set of data at a firewall from an unsecured network, moving the first set of data from the firewall to a number of virtual machines, performing a number of threat detection analyses on the first set of data in the number of virtual machines that are organized in a first assured pipeline, and sending the first set of data to a secured target network if no threat was detected.03-14-2013
20090013398Remote Testing Of Firewalled Networks - The present invention enables flexible deployment of testing agents within a firewalled network without the concern of needing to change security policies on routers and switches inside the firewalled network. Accordingly, remote diagnostic testing of networks and network devices can be conducted in which the firewalled network security is maintained and not compromised. The long-term diagnostic monitoring of networks is possible including an evolvable solution in which remote upgrades of the application agents are utilized.01-08-2009
20090007251Host firewall integration with edge traversal technology - A host firewall can determine and consider whether unsolicited traffic is inbound from beyond the edge of the network and allow or block such traffic based at least in part upon this characteristic. In one implementation, an edge traversal parameter can be set on a host firewall rule, which typically includes other parameters such as port, protocol, etc. If the unsolicited traffic received via an edge traversal interface matches a host firewall rule that has the edge traversal criterion, then the firewall does not block the traffic. On the other hand, if the unsolicited traffic received via an edge traversal interface fails to satisfy the edge traversal criterion on any firewall rule, then the firewall blocks the traffic.01-01-2009
20110283349IMPLEMENT METHOD AND DEVICE OF TERMINAL CALL FIREWALL - The present invention discloses an implement method and device of a terminal call firewall. The method comprises: adding a call number into a blacklist list, when it is determined that the call number is not in the blacklist list stored and an address list and it is determined that a call duration is less than a set call duration threshold. The device comprises: a storage module, which is connected with a judgment module, and configured to store a blacklist list and an address list; the judgment module, which is connected with a storage module and a timer, and configured to start up the timer to start timing when a call number is determined not in the blacklist list and the address list; the timer, which is connected with the judgment module and a processing module, and configured to make timing for a time length of a call duration threshold; the processing module, which is connected with the timer, and configured to add the call number into the blacklist list when the duration of the call is determined less than the call duration threshold. Through the method and the device, the present invention can ensure the terminal to identify unknown harassing call automatically during operation, can add the number of the call directly into the blacklist list, does not bother the user by ringing or prompting the user of the call, is simple and convenient to be used, and has remarkable practical effect.11-17-2011
20110283348SYSTEM AND METHOD FOR DETERMINING FIREWALL EQUIVALENCE, UNION, INTERSECTION AND DIFFERENCE - Aspects of the invention pertain to integrated compliance analysis of multiple firewalls and access control lists for network segregation and partitioning. Access control lists may have many individual rules that indicate whether information can be passed between certain devices in a computer network. The access control lists in different firewalls in different network segments within a given network may overlap or have inconsistent rules. Aspects of the invention generate differences between firewalls, analyze equivalency of firewalls, generate the intersection (if any) between a pair of firewalls, and generate the union (if any) between firewalls. Such information provides an integrated analysis of multiple interrelated firewalls, including inbound and outbound access control lists for such firewalls, and may be used to manage firewall operation within the network to ensure consistent operation and maintain network security. It also addresses a wide range of security questions that arise when dealing with multiple firewalls.11-17-2011
20100269168System And Method For Developing A Risk Profile For An Internet Service - A method and system for controlling access to an Internet resource is disclosed herein. When a request for an Internet resource, such as a Web site, is transmitted by an end-user of a LAN, a security appliance for the LAN analyzes a reputation index for the Internet resource before transmitting the request over the Internet. The reputation index is based on a reputation vector which includes a plurality of factors for the Internet resource such as country of domain registration, country of service hosting, country of an internet protocol address block, age of a domain registration, popularity rank, internet protocol address, number of hosts, to-level domain, a plurality of run-time behaviors, JavaScript block count, picture count, immediate redirect and response latency. If the reputation index for the Internet resource is at or above a threshold value established for the LAN, then access to the Internet resource is permitted. If the reputation index for the Internet resource is below a threshold value established for the LAN, then access to the Internet resource is denied.10-21-2010
20110302647AUTOMATING NETWORK RECONFIGURATION DURING MIGRATIONS - Automating network reconfiguration such as firewall reconfiguration in migrations may include determining network reconfiguration needs in one or more network functionalities of the target environment based on the discovering; and applying the network reconfiguration needs to the one or more network functionalities in the target environment.12-08-2011
20110289578PIN-HOLE FIREWALL FOR COMMUNICATING DATA PACKETS ON A PACKET NETWORK - A pin-hole firewall network communications device that includes a first port configured to communicate data packets over a packet network and a first counter module in communication with the first port. A pin-hole firewall module may be in communication with the first counter module. A call control module may be in communication with the first counter module and the pin-hole firewall function. The call control module is configured to communicate with the pin-hole firewall module to alter the communication of data packets through a firewall pin-hole. A second counter module may be in communication with the pin-hole firewall function and the call control module. A second port may in communication with the second counter module and the packet network and be configured to communicate data packets over a second node segment of the packet network.11-24-2011
20090282469AIRCRAFT COMMUNICATIONS SYSTEM USING WHITELISTS TO CONTROL ACCESS AND ASSOCIATED METHODS - A communications system for an aircraft carrying personnel having personal electronic devices (PEDs) includes a wireless access device in the aircraft for the PEDs, and an aircraft server in the aircraft cooperating with the wireless access device for determining airborne validation of a ground server address entered via a corresponding PED. An air-to-ground transceiver in the aircraft cooperates with the aircraft server for communicating over an air-to-ground interface the airborne validated ground server address. A ground server on the ground receives the airborne validated ground server address over the air-to-ground interface, determines ground validation of the airborne validated ground server address, and provides ground access for the corresponding PED for which the entered ground server address has both airborne and ground validation.11-12-2009
20110296516INTEGRATED FIREWALL, IPS, AND VIRUS SCANNER SYSTEM AND METHOD - A system, method and computer program product are provided including a router and a security sub-system coupled to the router. Such security sub-system includes a plurality of virtual firewalls, a plurality of virtual intrusion prevention systems (IPSs), and a plurality of virtual virus scanners. Further, each of the virtual firewalls, IPSs, and virus scanners is assigned to at least one of a plurality of user and is configured in a user-specific.12-01-2011
20090055919Unauthorized communication detection method - According to an aspect of an embodiment, a method for controlling an apparatus for transferring data from a plurality of first devices to a second device via a network, the data being transferred by using a packet, comprises the steps of: extracting type information identifying type of software conveyed by a packet and destination information identifying destination of the packet transmitted from one of the first devices; counting the number of kinds of the type information extracted from packets associated with the same destination information, respectively; and determining an unauthorized communication when the number of kinds of the type information is less than a predetermined value.02-26-2009
20110219443SECURE CONNECTION INITIATION WITH HOSTS BEHIND FIREWALLS - The invention is directed to an inter-host signaling protocol, referred to herein as Knock-On Protocol (KOP), for establishing in a secure manner a connection with a host behind firewall. Some embodiments of the invention are directed to a Knock-On Feature (KOF) used in intermediate firewalls or network address translators to enable connection establishment through the FW or NAT to hosts behind the FW or NAT. Advantageously the KOF may include a prefix-based protection feature to protect against address spoofing used in a message flood attack.09-08-2011
20100115601Method and an apparatus for assessing a security of a component and a corresponding system - In a method and an apparatus for assessing of security of components, in particular, of components involved in safety-critical infrastructures, the assessment of security of the safety-critical component has an assessing of risks of the respective component and deriving of security measures for the component. Further, an assessing of a level of implementation for each standardized security measure is performed defined by a standard and/or requirement document for the component as well as evaluating of a resilience of the component against attacks directed to the component by performing test attacks against the component which are arranged by use of test cases defined by use of risk assessing results, and by use of implementation level assessing results for each standardized security measure. Thus, improved assessing of the security of components is enabled which can be used, e.g., for insurance of the security of safety-critical components and infrastructures.05-06-2010
20100115600METHOD AND SYSTEM FOR SECURING DATA FROM AN EXTERNAL NETWORK TO A POINT OF SALE DEVICE - A data control system allows point of sale devices (05-06-2010
20100071050OPTIMIZING STATE SHARING BETWEEN FIREWALLS ON MULTI-HOMED NETWORKS - In one embodiment, a security device monitors for outgoing re-transmission messages indicating that an endpoint located in a multi-homed network transmitted an unanswered initial connection request. Responsive to identifying one of the outgoing re-transmission messages, the security device identifies destination address information included in the identified re-transmission message. The security device then causes another security device associated with a different link of the same multi-homed network to update its internal state table according to the identified destination address information. As a result, a response to the outgoing re-transmission can be forwarded to the multi-homed network regardless of which security device receives the response.03-18-2010
20100122335System and Method for Filtering Unwanted Internet Protocol Traffic Based on Blacklists - A system and method for filtering unwanted Internet Protocol traffic based on blacklists receives a first blacklist containing a first plurality of Internet protocol addresses associated with unwanted Internet traffic. The system also operates a first plurality of access control lists adapted to block the unwanted Internet traffic from one of the first Internet protocol addresses listed in the first blacklist. The system also assigns a first weight to each of the first Internet protocol addresses based on a reliability of Internet traffic from each of the first Internet protocol addresses. Additionally, the system reduces a first number of the first access control lists to optimally trade off a number of desirable Internet protocol addresses blocked with a number of bad Internet protocol addresses blocked based on the first weight of each of the first Internet protocol addresses.05-13-2010
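One way to realize the weighted reduction in 20100122335, as an added example that is not the patent's own code: each blacklisted address carries a reliability weight, every candidate prefix that covers it is scored as blocked bad weight minus a penalty per known-good address it would also block, and a bounded number of prefixes is chosen greedily. The weights, the penalty scale, the candidate prefix lengths and the sample addresses are constructed.

```python
"""Reduce a blacklist to a bounded number of ACL prefixes, weighting each
blacklisted address by how reliably it is bad and charging a penalty for
every known-good address a prefix would also block.

Added example, not the patent's own code. The weights, penalty scale and
sample addresses are constructed; the greedy selection is one possible
way to realize the trade-off the abstract describes.
"""
import ipaddress

# Constructed sample data: blacklisted addresses with a 0..100 reliability
# weight, and addresses known to carry desirable traffic.
BAD = {
    "203.0.113.5": 90,
    "203.0.113.6": 80,
    "203.0.113.7": 70,
    "203.0.113.9": 60,
    "198.51.100.20": 95,
}
GOOD = {"203.0.113.8"}


def candidate_prefixes(ip, min_prefixlen=24):
    """Prefixes from /32 up to /min_prefixlen that contain `ip`."""
    addr = ipaddress.ip_address(ip)
    for plen in range(32, min_prefixlen - 1, -1):
        yield ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def score_prefix(net, bad, good, penalty):
    """Weighted bad addresses blocked minus penalty per good address blocked."""
    blocked_bad = sum(w for ip, w in bad.items() if ipaddress.ip_address(ip) in net)
    blocked_good = sum(1 for ip in good if ipaddress.ip_address(ip) in net)
    return blocked_bad - penalty * blocked_good


def reduce_acl(bad, good, max_entries, penalty):
    """Greedily pick up to `max_entries` prefixes with the best score.

    Ties prefer the longer (more specific) prefix, so a wider prefix is
    chosen only when it actually adds blocked weight."""
    remaining = dict(bad)
    chosen = []
    while remaining and len(chosen) < max_entries:
        best, best_key = None, None
        for ip in remaining:
            for net in candidate_prefixes(ip):
                key = (score_prefix(net, remaining, good, penalty), net.prefixlen)
                if best_key is None or key > best_key:
                    best, best_key = net, key
        if best_key[0] <= 0:
            break   # nothing left that blocks more bad than good
        chosen.append(best)
        remaining = {ip: w for ip, w in remaining.items()
                     if ipaddress.ip_address(ip) not in best}
    return chosen


def is_blocked(acl, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in acl)


if __name__ == "__main__":
    for penalty in (100, 50):
        acl = reduce_acl(BAD, GOOD, max_entries=2, penalty=penalty)
        print(penalty, [str(n) for n in acl], "good blocked:", is_blocked(acl, "203.0.113.8"))
```

With a penalty of 100 per good address the two-entry ACL keeps 203.0.113.8 reachable and leaves 203.0.113.9 unblocked; lowering the penalty to 50 makes the wider /28 worth more than the collateral damage, so the good address is blocked too. The penalty is the knob that expresses how the operator values desirable traffic against coverage of the blacklist.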
20100281531MOBILE SERVER WITH MULTIPLE SERVICE CONNECTIONS - A method of communicating between a mobile communications device and a plurality of services that are used by the mobile communications device. The method includes establishing, through a firewall and a wireless network, a first communications session between the mobile communications device and a mobile server located in an enterprise network with which the mobile communications device is associated; and establishing, concurrent with the first communications session at least one further communications session between the mobile server and a service, the at least one further communications session being established by the mobile server as a session proxy for the mobile communications device.11-04-2010
20100281532FIREWALL INCLUDING LOCAL BUS - A gateway for screening packets transferred over a network. The gateway includes a plurality of network interfaces, a memory and a memory controller. Each network interface receives and forwards messages from a network through the gateway. The memory temporarily stores packets received from a network. The memory controller is coupled to each of the network interfaces and is configured to coordinate the transfer of received packets to and from the memory using a memory bus. The gateway includes a firewall engine coupled to the memory bus. The firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface. A local bus is coupled between the firewall engine and the memory, providing a second path for retrieving packets from memory when the memory bus is busy.11-04-2010
20100122336METHOD AND APPARATUS FOR TWO-WAY TRANSMISSION OF MEDICAL DATA - The present invention provides for a secure, two-way transmission of medical data over the Internet and through the hospital's firewall using push and pull mechanisms. More particularly, the present invention utilizes standard SSH and the rsync and scp tools to enable secure, cost-effective data transmission over the Internet. The hospital firewall is traversed through the use of an agent located behind the hospital's firewall. The agent uses a push mechanism to push the raw scan data through the firewall and over the Internet to the outside third party, and a pull mechanism to reach through the firewall and over the Internet to retrieve the data processed by the outside third party. Both transfers are thus initiated from behind the hospital firewall, so the firewall only ever sees outbound connections. The agent acts as a broker for this data transmission and also encodes how the data should be handled once it is received on the hospital side.05-13-2010
20080289026Firewall installer - Embodiments of the invention are directed to a firewall installer that receives a set of configuration instructions for configuring a firewall in a declarative format that describes one or more rules to be implemented by the firewall, and that automatically configures the firewall. Providing a firewall installer that is capable of configuring a firewall based upon declarative input rather than procedural process-oriented input facilitates administration of a firewall by allowing an administrator to specify desired firewall configuration at a higher, declarative level and frees the administrator from the need to specify procedures for implementing configuration changes in the firewall. In one embodiment of the invention, the firewall installer can receive and store input for configuring a firewall even when the firewall is not running, such that the firewall executes on those configuration changes when it next comes online.11-20-2008
20120291116Network Security Device - The present invention provides for a security device for location within a network device and having first and second Medium Independent Interfaces (MII) for functional connection within the network device, whereby the MII interfaces allow the security device to be located between a PHY chip and a MAC chip of the host network device.11-15-2012
20090089871Methods and apparatus for digital data processor instantiation - The invention provides, in one aspect, a digital data processing device that includes a firewall device and a computer, both housed within the same enclosure and sharing a common path to the Internet (or other external network), yet not sharing the same substantive processing logic. Thus, by way of example, the firewall device does not use the computer's central processing unit (CPU) to execute firewall logic. The digital data processing device can be arranged to limit connectivity and/or functionality of the computer and/or firewall device, e.g., absent authentication. Thus, for example, the computer and firewall can be coupled to the common path—e.g., a modem, network interface card or other communications port supporting access via wired (e.g., wired ethernet and coaxial), wireless (e.g., satellite, telephony, 802.11x), and/or optical (e.g., fiber) means—such that access by the computer to the Internet (or other external network) is mediated by the firewall device.04-02-2009
20120297475METHODS, NETWORK SERVICES, AND COMPUTER PROGRAM PRODUCTS FOR RECOMMENDING SECURITY POLICIES TO FIREWALLS - Recommending a security policy to a firewall, includes receiving a request from a firewall for a recommendation as to whether the firewall should allow or block a detected present communication for which the firewall does not have an existing security policy. Information about past blocked and allowed communications at other firewalls on a network is searched to identify past communications that are similar to the present communication. The identified past communications are assigned a respective positive or negative vote. A positive vote indicates a past communication was allowed and a negative vote indicates a past communication was not allowed. A positive recommendation is sent to the requesting firewall to allow the present communication if the positive votes outnumber the negative votes, and a negative recommendation is sent to the requesting firewall to block the present communication if the negative votes outnumber the positive votes.11-22-2012
20080209535Configuration of mandatory access control security policies - Presented herein are systems and methods for configuring a mandatory access control security policy in a computer, and applications thereof. An embodiment provides a security configuration program. The security configuration program configures a security policy based on user input. For example, a user may provide input regarding ranges of values corresponding to a resource, such as ports and/or Internet protocol (IP) addresses, to which a process is to be granted access. The security configuration program configures the security policy to allow the process access to the specified ranges of values for the resource. In this way, a security configuration program in accordance with an embodiment of the present invention allows a user to configure and extend a security policy without special knowledge of the security policy language.08-28-2008
20090113535Securely Virtualizing Network Services - Services in a network device are added through providing virtual environments. Virtualization allows services based on other platforms or architectures to be run with minimum modification and in a secure manner. Connecting services to the host through a stateful firewall allows dynamic integration, and passes only traffic of interest to the service. Virtualization allows services written for different instruction architectures to be supported. Multiple virtualized environments each supporting a service may be run.04-30-2009
20080250489Systems For Firewall Protection Of Mass Storage Devices - The present invention discloses a URD including: a non-volatile storage memory having program code, wherein said program code is configured to enable a network protocol for communicating with a host system; and a controller for controlling operations performed on said storage memory. Preferably, the storage memory includes flash memory. A system including: a host system having a firewall; and a URD having a non-volatile storage memory, wherein said storage memory includes program code, and wherein said program code is configured to enable a network protocol, said URD operationally connected to said host system; wherein said firewall is configured to provide security measures related to said URD. Preferably, the firewall is a software firewall or a hardware firewall.10-09-2008
20080250488Methods For Firewall Protection Of Mass-Storage Devices - The present invention discloses methods for protecting a host system from information-security risks posed by a URD, the method including the steps of: operationally connecting the URD to the host system; communicating, between the URD and the host system, via a network protocol, through a firewall residing in the host system; and configuring said firewall to provide security measures related to the URD. Preferably, the firewall is a software firewall or a hardware firewall. A method for protecting a host system from information-security risks posed by a URD, the method including the steps of: operationally connecting the URD to the host system; communicating, between the URD and the host system, via a network protocol, through a firewall residing in the host system; and configuring said firewall to restrict access of at least one application to the URD. Preferably, the firewall is a software firewall or a hardware firewall.10-09-2008
20090265777COLLABORATIVE AND PROACTIVE DEFENSE OF NETWORKS AND INFORMATION SYSTEMS - Collaborative and proactive defense of networks and information systems. The present examples of collaborative and proactive defense of networks and information systems provide a way of protecting computer networks from hackers by stopping them from entering a protected network. Protection may include processes that utilize communications between layers in a communications protocol stack, or its equivalent, to identify threats. Identified threats may be profiled and stored in a local and/or network database that may be shared among other subscribers. Once a threat is identified it may be blocked, redirected or otherwise processed to thwart, identify, or otherwise deal with the threat. Such protection may be termed the collaborative and proactive defense of networks and information systems.10-22-2009
20080289027Incorporating network connection security levels into firewall rules - Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.11-20-2008
20080282335Software firewall control - A software firewall that may be simply configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be translated to firewall filters for network interfaces of that network type. The translation may be performed automatically and may be updated based on network location awareness information.11-13-2008
20080282336Firewall control with multiple profiles - A networked computer with a software firewall that may be configured for any of a number of network contexts may be quickly configured with an appropriate set of rules for a current network context. The computer has multiple profiles, each containing rules applicable to a different network context. When a change in network context is detected, a difference between the profile for the current context and the profile with which the firewall was previously configured is determined. These differences are applied to quickly reconfigure the firewall without blocking, even temporarily, communications that are allowed in the previously configured and current profiles. Additionally, when the networked computer is connected to multiple networks simultaneously, an appropriate profile may be selected.11-13-2008
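The profile-difference reconfiguration described in 20080282336, as an added example that is not the patent's own code: rules are hashable values, the difference between the active set and the target profile is computed, and only the stale rules are removed and the new ones added, so a rule present in both profiles is never torn down. The rule fields, the three profiles and the "most restrictive profile wins" ordering used when several networks are connected at once are constructed assumptions.

```python
"""Firewall reconfiguration by profile difference: when the network
context changes, only rules that differ between the old and new profile
are removed or added, so rules present in both never drop out.

Added example, not the patent's own code. The rule fields, the three
profiles and the ordering used to pick a profile when several networks
are connected at once are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out"
    proto: str
    port: int
    action: str      # "allow" or "block"


DNS_OUT = Rule("out", "udp", 53, "allow")
HTTPS_OUT = Rule("out", "tcp", 443, "allow")
SMB_IN = Rule("in", "tcp", 445, "allow")
RDP_IN = Rule("in", "tcp", 3389, "allow")
PRINT_IN = Rule("in", "tcp", 631, "allow")

PROFILES = {
    "domain":  frozenset({DNS_OUT, HTTPS_OUT, SMB_IN, RDP_IN}),
    "private": frozenset({DNS_OUT, HTTPS_OUT, PRINT_IN}),
    "public":  frozenset({DNS_OUT, HTTPS_OUT}),
}
# Assumed ordering, most restrictive first: with several networks connected,
# the most restrictive applicable profile wins.
RESTRICTIVENESS = ["public", "private", "domain"]


def select_profile(contexts):
    for name in RESTRICTIVENESS:
        if name in contexts:
            return name
    raise ValueError(f"no profile for {contexts}")


class Firewall:
    def __init__(self):
        self.active = set()
        self.profile = None
        self.removals = []   # every rule ever removed, to show DNS_OUT never is

    def apply_profile(self, name):
        target = PROFILES[name]
        to_remove = self.active - target
        to_add = target - self.active
        for rule in to_remove:            # stale rules go first ...
            self.active.discard(rule)
            self.removals.append(rule)
        self.active |= to_add             # ... then the new ones
        self.profile = name
        return to_remove, to_add


def demo():
    fw = Firewall()
    fw.apply_profile(select_profile({"domain"}))
    # Laptop now also joins a public network: the stricter profile applies.
    removed, added = fw.apply_profile(select_profile({"domain", "public"}))
    return fw.profile, removed, added, fw.removals
```

Switching from "domain" to "public" removes only the two inbound rules; the DNS and HTTPS rules shared by both profiles stay installed throughout, which is the property that keeps already-allowed traffic from being interrupted during the switch.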
20080244723Firewall Restriction Using Manifest - Procedures of using manifest restrictions for use in configuring a firewall are described. In an example, an application including manifest-defined restrictions for a firewall is executed. The firewall is configured to permit application access, in accordance with the defined restrictions, while the application is executing.10-02-2008
20100146615Systems and Methods for Inhibiting Attacks on Applications - In accordance with some embodiments of the present invention, systems and methods that protect an application from attacks are provided. In some embodiments of the present invention, input from an input source, such as traffic from a communication network, can be routed through a filtering proxy that includes one or more filters, classifiers, and/or detectors. In response to the input passing through the filtering proxy to the application, a supervision framework monitors the input for attacks (e.g., code injection attacks). The supervision framework can provide feedback to tune the components of the filtering proxy.06-10-2010
20120036570IMAGE FORMING APPARATUS, METHOD FOR CONTROLLING THE SAME, AND STORAGE MEDIUM - An image forming apparatus to communicate with a service provision system via a firewall may include an identification unit, a determination unit, and a communication unit. The identification unit identifies, out of services provided by the service provision system, a service which provides a substitute function corresponding to a function of the image forming apparatus limited by a failure. The determination unit determines, out of a plurality of communication methods to be used for communication with the service provision system via the firewall, a communication method to be used to perform data communication with the service identified by the identification unit. The communication unit performs data communication with the service identified by the identification unit by using the communication method determined by the determination unit.02-09-2012
20090083845NETWORK FIREWALL TEST METHODS AND APPARATUS - A test method for Internet-Protocol packet networks that verifies the proper functioning of a dynamic pinhole filtering implementation as well as quantifying network vulnerability statistically, as pinholes are opened and closed is described. Specific potential security vulnerabilities that may be addressed through testing include: 1) excessive delay in opening pinholes, resulting in an unintentional denial of service; 2) excessive delay in closing pinholes, creating a closing delay window of vulnerability; 3) measurement of the length of various windows of vulnerability; 4) setting a threshold on a window of vulnerability such that it triggers an alert when a predetermined value is exceeded; 5) determination of incorrectly allocated pinholes, resulting in a denial of service; 6) determining the opening of extraneous pinhole/IP address combinations through a firewall which increase the network vulnerability through unrecognized backdoors; and 7) determining the inability to correlate call state information with dynamically established rules in the firewall.03-26-2009
20090037998Systems and Methods for Authorizing a Client in an SSL VPN Session Failover Environment - The SSL VPN session failover solution of the appliance and/or client agent described herein provides an environment for handling IP address assignment and end point re-authorization upon failover. The appliances may be deployed to provide a session failover environment in which a second appliance is a backup to a first appliance when a failover condition is detected, such as failure in operation of the first appliance. The backup appliance takes over responsibility for SSL VPN sessions provided by the first appliance. In the failover environment, the first appliance propagates SSL VPN session information including user IP address assignment and end point authorization information to the backup appliance. The backup appliance maintains this information. Upon detection of failover of the first appliance, the backup appliance activates the transferred SSL VPN session and maintains the user assigned IP addresses. The backup appliance may also re-authorize the client for the transferred SSL VPN session.02-05-2009
20080256619Detection of adversaries through collection and correlation of assessments - An automated arrangement for detecting adversaries is provided in which assessments of detected adversaries are reported to a reputation service from security devices, such as unified threat management systems in deployed customer networks. By using actual deployed networks, the number of available sensors can be very large to increase the scope of the adversary detection, while still observing real attacks and threats including those that are targeted to small sets of customers. The reputation service performs a number of correlations and validations on the received assessments to then return a reputation back to the security device in the enterprise network that can be used for blocking adversaries, but only when multiple, distinct sources report the same adversary in their assessments to thus ensure that the reputation is accurate and reliable.10-16-2008
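The two collaborative schemes above, 20120297475 (vote on similar past decisions at other firewalls) and 20080256619 (act on a reported adversary only when multiple distinct sources agree), share one aggregation step; the following added example, which is not code from either patent, implements both in one service. The similarity rule (same protocol, same destination port, destination in the same /24), the `min_sources` threshold and the sample reports are constructed.

```python
"""A small recommendation/reputation service: firewalls report
allow/block decisions, and a requesting firewall gets a recommendation
only when similar past communications exist, reported by several
distinct firewalls, with a clear majority.

Added example, not code from either patent. The similarity rule
(same protocol, same destination port, same destination /24), the
`min_sources` threshold and the sample reports are constructed.
"""
import ipaddress
from collections import namedtuple

Report = namedtuple("Report", "reporter proto dst_ip dport allowed")


def similar(report, proto, dst_ip, dport):
    """Same protocol and port, destination in the same /24."""
    same_net = ipaddress.ip_network(f"{report.dst_ip}/24", strict=False)
    return (report.proto == proto and report.dport == dport
            and ipaddress.ip_address(dst_ip) in same_net)


class ReputationService:
    def __init__(self, min_sources=2):
        self.min_sources = min_sources
        self.reports = []

    def report(self, reporter, proto, dst_ip, dport, allowed):
        self.reports.append(Report(reporter, proto, dst_ip, dport, allowed))

    def recommend(self, proto, dst_ip, dport):
        """Return 'allow', 'block', or None when there is no reliable basis."""
        votes = [r for r in self.reports if similar(r, proto, dst_ip, dport)]
        sources = {r.reporter for r in votes}
        if len(sources) < self.min_sources:
            return None              # a single reporter could be wrong or malicious
        positive = sum(1 for r in votes if r.allowed)
        negative = len(votes) - positive
        if positive > negative:
            return "allow"
        if negative > positive:
            return "block"
        return None                  # tie: leave the decision to the firewall


def demo():
    svc = ReputationService(min_sources=2)
    # Constructed reports from three firewalls.
    svc.report("fw-1", "tcp", "203.0.113.7", 445, allowed=False)
    svc.report("fw-1", "tcp", "203.0.113.7", 445, allowed=False)
    only_one_source = svc.recommend("tcp", "203.0.113.9", 445)
    svc.report("fw-2", "tcp", "203.0.113.12", 445, allowed=False)
    after_second_source = svc.recommend("tcp", "203.0.113.9", 445)
    svc.report("fw-2", "tcp", "198.51.100.30", 443, allowed=True)
    svc.report("fw-3", "tcp", "198.51.100.31", 443, allowed=True)
    https = svc.recommend("tcp", "198.51.100.40", 443)
    return only_one_source, after_second_source, https
```

Two reports from the same firewall produce no recommendation, however many times it repeats itself; a second, distinct reporter is what turns the SMB votes into a "block" recommendation. The distinct-source count is the defence against one compromised or misconfigured sensor poisoning everyone else's policy.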
20090144816Knowledge-Intensive Arrangement for Handling of Scattered Data - The invention relates to a knowledge-intensive arrangement (06-04-2009
20090025077MANAGING CONFIGURATIONS OF A FIREWALL - A method and system for managing multiple firewall configurations are disclosed. The method uses a pointer on a packet object representing a packet to reference a configuration object representing a configuration of the firewall which is assigned to the packet. By using a pointer to link each packet entering a computer system to the most recent configuration, the method can maintain multiple configurations and enable the firewall processing modules to process each packet according to its assigned configuration even if new configurations are released during the transition of the packet through the system. A reference count is also used as a variable by the configuration object to track the number of packets assigned to the configuration. A corresponding system is also provided.01-22-2009
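The pointer-and-reference-count scheme in 20090025077, as an added example that is not the patent's own code: each packet object holds a reference to the configuration that was current when it entered, a new configuration can be installed while packets are in flight, and an old configuration is retired only when its reference count drops to zero. The rule format (a set of blocked destination ports) and the sample packets are constructed.

```python
"""Packets carry a reference to the firewall configuration that was
current when they entered; a reference count on each configuration lets
new configurations be released while packets processed under older ones
are still in flight, and retires an old configuration once the last such
packet leaves.

Added example, not the patent's own code. The rule format (a set of
blocked destination ports) and the sample packets are constructed.
"""


class Config:
    def __init__(self, version, blocked_ports):
        self.version = version
        self.blocked_ports = frozenset(blocked_ports)
        self.refcount = 0          # packets currently assigned to this config


class Packet:
    def __init__(self, dport):
        self.dport = dport
        self.config = None         # pointer to the Config assigned on entry


class FirewallEngine:
    def __init__(self, initial):
        self.current = initial
        self.retired = []          # versions freed once no packet references them

    def install(self, config):
        """Release a new configuration; the old one lingers while referenced."""
        old, self.current = self.current, config
        if old.refcount == 0:
            self.retired.append(old.version)

    def admit(self, packet):
        """A packet entering the system is bound to the current config."""
        packet.config = self.current
        packet.config.refcount += 1

    def finish(self, packet):
        """Process the packet under *its* config, then drop the reference."""
        cfg = packet.config
        verdict = "drop" if packet.dport in cfg.blocked_ports else "accept"
        cfg.refcount -= 1
        if cfg.refcount == 0 and cfg is not self.current:
            self.retired.append(cfg.version)
        packet.config = None
        return verdict


def demo():
    engine = FirewallEngine(Config(1, blocked_ports={23}))
    p1 = Packet(dport=23)
    engine.admit(p1)                                  # bound to v1 while it is current
    engine.install(Config(2, blocked_ports=set()))    # v2 released mid-flight
    p2 = Packet(dport=23)
    engine.admit(p2)                                  # bound to v2
    v1 = engine.finish(p1)                            # still judged by v1: port 23 blocked
    v2 = engine.finish(p2)                            # judged by v2: accepted
    return v1, v2, engine.retired
```

The packet admitted under version 1 is still dropped after version 2 has been installed, because its verdict comes from the configuration it points to, and version 1 is retired exactly when that packet leaves. Every processing module reads the packet's own pointer instead of a global "current configuration", which is what makes a configuration change safe against packets that are half-way through the pipeline.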
20110225644BEHAVIOR-BASED SECURITY SYSTEM - Described herein are techniques for operating a security server to determine behavioral profiles for entities in a network and to detect attacks or unauthorized traffic in a network based on those behavioral profiles. In one technique, a behavioral profile may be generated based on requests for security operations to be performed that are received at a security server from an entity in a network. The behavioral profile may be generated using learning techniques, including artificial intelligence techniques such as neural networks. When the security server receives from an entity one or more requests for security operations to be performed, the security server may compare properties of the requests to the behavioral profile for the entity and to properties of requests commonly sent by the entity. The security server may determine a similarity score indicating how similar the requests are to the behavioral profile and to requests commonly received from the entity.09-15-2011
20090083844Synchronizing between host and management co-processor for network access control - In network access controlled networks, it is desirable to prevent access to the network by any non-authenticated entities. Access control may be established through a trusted agent that, in some embodiments, may be implemented with a management co-processor. In some cases, active management technology may establish a connection while a host is inactive. Then, after the host becomes active, the host can attempt to use the management co-processor connection without obtaining the necessary authentications. This may be prevented, in some embodiments, by scanning for an active host and, if such an active host is found, blocking the host from using a layer 2 authentication channel unless the host is properly authenticated and has a proper Internet Protocol address.03-26-2009
20090158415METHOD AND APPARATUS OF PROVIDING AN INTERFACE FOR MANAGING NETWORK SWITCHES - An approach is provided for presenting, via a graphical user interface, a plurality of selectable areas corresponding to a plurality of categories of switches and a plurality of options. One of the options includes a search function for finding a desired one of the switches. A communication session is automatically established with one of the switches as specified by a user through one of the selectable areas or the search function. Information from the one switch is received over the communication session, wherein the information is used for analyzing the one switch.06-18-2009
20090064304PORT ACCESS USING USER DATAGRAM PROTOCOL PACKETS - Communication through an intervening firewall can be achieved by transmitting an outbound datagram through a port of a firewall to open a circuit through the firewall, receiving an inbound datagram through the open circuit from an application, wherein the application is external to the firewall, and communicating with the application through the open circuit. Also, the application can comprise a client application and the firewall can comprise a server firewall. Further, the client application can transmit an outbound datagram through a port of an associated client firewall to open a circuit through the client firewall and can receive one or more datagrams through the open circuit of the client firewall. Additionally, the port of the server firewall and the port of the client firewall can correspond to the same port number.03-05-2009
20090064305System and method for secure service delivery - A secure service delivery network, including a service delivery compartment connected to deliver services to a plurality of client networks. The secure service delivery network includes a first firewall connecting the service delivery compartment to a first virtual local area network. The secure service delivery network includes a plurality of firewalls each connecting one of the plurality of client networks to the first virtual local area network, whereby no communications between the plurality of client networks can be made over the first virtual local area network. A related method is also described.03-05-2009
20110231925FIREWALL NETWORK APPLICATION APPARATUS - A method and system for distributing flows between multiple processors. The flows can be received from an external source such as a network by a front-end processor that recognizes the flow and the associated request, and identifies at least one internal applications processor to process the request/flow. The front-end processor utilizes a flow scheduling vector related to the identified applications processor(s), and the flow scheduling vector can be based on intrinsic data from the applications processor(s) that can include CPU utilization, memory utilization, packet loss, and queue length or buffer occupation. In some embodiments, applications processors can be understood to belong to a group, wherein applications processors within a group can be configured identically. A flow schedule vector can be computed for the different applications processor groups.09-22-2011
20110231926BASIC ARCHITECTURE FOR SECURE INTERNET COMPUTERS - A method or apparatus for a computer or microchip with one or more inner hardware-based access barriers or firewalls that establish one or more private units disconnected from a public unit having connection to the Internet, and one or more of the private units have a connection to one or more secure non-Internet-connected private networks for personal and/or local administration. The hardware-based access barriers include a single out-only bus and/or another in-only bus with a single on/off switch and/or both buses, each with a single on/off switch. The hardware-based access barriers can be positioned successively between an outer private unit, an intermediate more private unit, an inner most private unit, and the public unit, and each private unit can be configured for a separate connection to a separate network of computers that excludes the Internet.09-22-2011
20090100513Universal media firewall - A universal media firewall allows a parent to control filtering of multiple media providers via a single firewall policy. The firewall(s) may be a stand-alone device or may be performed with software on a home computer or at a remote site. Parental controls are accessible by the media provider so that media is filtered according to the parental settings prior to entering the home media network.04-16-2009
20090222904NETWORK ACCESS NODE COMPUTER FOR A COMMUNICATION NETWORK, COMMUNICATION SYSTEM AND METHOD FOR OPERATING A COMMUNICATION SYSTEM - The invention relates to a network access remote front-end processor (09-03-2009
20090205038Enabling Wake on LAN Behind NATs and Firewalls - Exemplary methods, computer-readable media, and systems for maintaining an inbound network path to a host in a sleep or a hibernation mode behind a plurality of network address translators (NAT) or firewalls. A network interface card (NIC) of a host is configured to periodically send or receive keep-alive packets. These packets keep alive the network mappings that would ordinarily expire while a host is in a sleep or a hibernation mode. Power is maintained on the NIC while the host is in such a mode, and the NIC responds as programmed, including waking the host upon a certain event, such as receiving a data packet matching a preconfigured signature. During such time, the host may be in a wake on LAN mode.08-13-2009
20090222905METHOD, APPARATUS, AND SYSTEM FOR PRE-AUTHENTICATION AND PROCESSING OF DATA STREAMS - A method, apparatus and system for pre-authenticating ports is disclosed. In one embodiment, an active port facilitating communication of media content between a transmitting device and a receiving device is identified, while the active port is associated with a first High-Definition Content Protection (HDCP) engine. Then, inactive ports that are in idle mode serving as backup ports to the active port are identified, while the inactive ports are associated with a second HDCP engine. Pre-authentication of each of the inactive ports is performed so the pre-authenticated inactive ports can subsequently replace the active port if a port switch is performed.09-03-2009
20090254984HARDWARE INTERFACE FOR ENABLING DIRECT ACCESS AND SECURITY ASSESSMENT SHARING - Native IPv6 capabilities are provided to an IPv4 network node, device, or endpoint using a hardware interface that supports network communication under a Direct Access model. The Direct Access model supports IPv6 communication with IPsec and enforces Network Access Protection (“NAP”) health requirement policies for endpoints that are network clients. A Direct Access-ready server is enabled using a hardware interface that implements IPv4 to IPv6 translation and optionally IPsec termination capability. A Direct Access-ready client is enabled using a hardware interface that implements IPv4 to IPv6 translation, IPsec termination capability, and which optionally provides NAP (Network Access Protection) capabilities for Direct Access-ready clients that are configured as mobile information appliances. The hardware interface may be implemented as a network interface card (“NIC”) or as a chipset.10-08-2009
20110145909Interface Logic For A Multi-Core System-On-A-Chip (SoC) - In one embodiment, the present invention includes a system-on-a-chip (SoC) with first and second cores, interface logic coupled to the cores, chipset logic coupled to the interface logic, and a virtual firewall logic coupled between the chipset logic and the second core. The interface logic may include a firewall logic, a bus logic, and a test logic, and the chipset logic may include a memory controller to provide for communication with a memory coupled to the SoC. In some system implementations, both during test operations and functional operations, the second core can be disabled during normal operation to provide for a single core SoC, enabling greater flexibility of use of the SoC in many different implementations. Other embodiments are described and claimed.06-16-2011
20090249464FIREWALL FOR REMOVABLE MASS STORAGE DEVICES - A firewall device comprising a first connection device for connecting with a data device that supports data transfer with a removable mass storage device; a second connection device for connecting with the removable mass storage device; and a microprocessor adapted to control and secure data transfer between the data device and the removable mass storage device.10-01-2009
20100180331COMMUNICATION TERMINAL DEVICE, RULE DISTRIBUTION DEVICE, AND PROGRAM - A communication terminal device (07-15-2010
20100192215Method for Multi-Core Processor Based Packet Classification on Multiple Fields - The present invention relates to a method for multi-core processor based packet classification on multiple fields. The first step involved in this invention involves constructing a data structure of classification, which includes selecting a certain dimension such that the sum of the rules that fall into two rule sub-sets of two subspaces is as small as possible after spatial partition through a certain partition point in which the method to determine the partition point on the selected dimension is to select the partition point on the dimension such that the number of rules that fall into the two sub-spaces after partition by the point is equal to each other as much as possible. The invention specifically proposes three methods to select partition points, two associated methods to select dimensions, then receiving packet information after the data structure of classification is constructed, and searching the data structure of classification according to packet information to get matched results. The present invention can be implemented on many types of multi-core processor based platforms which ensure favorable performance and adaptive capabilities for different network applications, and significantly reduce the product cost of high-end routers and firewalls.07-29-2010
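A decision-tree build following the partitioning rule in 20100192215, as an added example that is not the patent's own code: at each node, every dimension's candidate cut points (rule boundaries) are scored by how evenly they split the rule count, the best cut per dimension is kept, and the dimension whose best cut leaves the fewest rules in the two sub-spaces combined is chosen. The two fields (destination port and last octet of the source address), the rule set, the inclusive-range representation and the leaf-size target are constructed; the patent's specific point- and dimension-selection methods are not reproduced.

```python
"""Decision-tree packet classification on multiple fields: the rule set is
recursively partitioned, each time cutting the dimension whose best cut
leaves the fewest rules in the two sub-spaces combined, with the cut
point on that dimension chosen to balance the two rule counts.

Added example, not the patent's own code. The two fields (destination
port and last octet of the source address), the rule set and the
leaf-size target are constructed; rule ranges are inclusive.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int
    ranges: tuple          # one (lo, hi) per dimension, inclusive
    action: str


@dataclass
class Leaf:
    rules: list


@dataclass
class Node:
    dim: int
    cut: int               # values <= cut go left, > cut go right
    left: object
    right: object


def candidate_cuts(rules, d, lo, hi):
    """Cut points that sit on a rule boundary inside [lo, hi)."""
    cuts = set()
    for r in rules:
        rlo, rhi = r.ranges[d]
        for c in (rlo - 1, rhi):
            if lo <= c < hi:
                cuts.add(c)
    return sorted(cuts)


def build(rules, space, leaf_size=2):
    if len(rules) <= leaf_size:
        return Leaf(sorted(rules, key=lambda r: r.priority))
    best = None
    for d, (lo, hi) in enumerate(space):
        best_cut = None
        for c in candidate_cuts(rules, d, lo, hi):
            left = [r for r in rules if r.ranges[d][0] <= c]    # rules overlapping [lo, c]
            right = [r for r in rules if r.ranges[d][1] > c]    # rules overlapping [c+1, hi]
            key = (abs(len(left) - len(right)), len(left) + len(right))
            if best_cut is None or key < best_cut[0]:
                best_cut = (key, c, left, right)
        if best_cut is None:
            continue
        (_, total), c, left, right = best_cut
        if best is None or total < best[0]:
            best = (total, d, c, left, right)
    if best is None or max(len(best[3]), len(best[4])) >= len(rules):
        return Leaf(sorted(rules, key=lambda r: r.priority))   # cut would not shrink the problem
    _, d, c, left, right = best
    lspace = list(space); lspace[d] = (space[d][0], c)
    rspace = list(space); rspace[d] = (c + 1, space[d][1])
    return Node(d, c, build(left, tuple(lspace), leaf_size), build(right, tuple(rspace), leaf_size))


def classify(tree, packet, default="deny"):
    node = tree
    while isinstance(node, Node):
        node = node.left if packet[node.dim] <= node.cut else node.right
    for r in node.rules:        # leaf rules are in priority order: first match wins
        if all(lo <= v <= hi for v, (lo, hi) in zip(packet, r.ranges)):
            return r.action
    return default


def leaf_count(tree):
    return 1 if isinstance(tree, Leaf) else leaf_count(tree.left) + leaf_count(tree.right)


# Constructed rule set over (destination port, source last octet).
RULES = [
    Rule(1, ((22, 22), (10, 10)), "allow"),        # ssh only from the admin host
    Rule(2, ((22, 22), (0, 255)), "deny"),
    Rule(3, ((80, 80), (0, 255)), "allow"),
    Rule(4, ((443, 443), (0, 255)), "allow"),
    Rule(5, ((0, 1023), (0, 255)), "deny"),        # every other privileged port
]
SPACE = ((0, 65535), (0, 255))
TREE = build(RULES, SPACE)
```

On this rule set the root cuts the port dimension at 22 (three rules on each side), the right child cuts again at 80, and the left child stays a three-rule leaf because no further cut would shrink it; a lookup is two comparisons followed by a short priority-ordered scan. The leaf size is a target rather than a guarantee: rules that span a whole dimension (rule 5 here) are replicated into every sub-space they overlap, which is the usual cost of cut-based classifiers.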
20100263039Accessing Method and Multimedia System Using Thereof - The access method includes the following steps. Firstly, multimedia data is accessed with a multimedia access device located on a local network, which is connected to a public network via a network address translation (NAT) or firewall device. Next, a first communication link between a portal server and the multimedia access device is established. Then a piece of punch-through information indicating whether the multimedia access device can punch through the NAT/firewall device is obtained in response to an inquiry command provided by a client device. Next, when the multimedia access device cannot punch through the NAT/firewall device, the multimedia data is pushed from the multimedia access device to the portal server, and the multimedia data pushed to the portal server is further pulled from the portal server to the client device, so that multimedia data transmission between the client device and the multimedia access device can be obtained.10-14-2010
20080276311Method, Apparatus, and software for a multi-phase packet filter for internet access - A Time Gate Packet Filter (TGPF) for controlling data flow and Internet Access in a small environment. The TGPF is self-contained, simple to use, does not require IT expertise, and requires no software installation. The TGPF utilizes multi-phase filtering to control network access based on: types of sites, specific sites, types of services that can be accessed, source and destination, time of day, and day of week.11-06-2008
20090077647METHOD AND APPARATUS FOR FIREWALL TRAVERSAL - A method and apparatus for traversing a firewall are described.03-19-2009
20100218246DETECTING THE TYPE OF NAT FIREWALL USING MESSAGES - A method, system, and computer program product for detecting the type of NAT firewall using messages provides the capability to determine the type of NAT in use without requiring special purpose hardware or software. A method for determining a type of a NAT firewall may comprise receiving a message from a device inside the NAT firewall, the message addressed to a first IP address and port of a device outside the NAT firewall, transmitting a plurality of messages to the device inside the NAT firewall, at least one of the plurality of messages addressed from the first IP address and port and at least one of the messages addressed from a second IP address and port, receiving responses to at least some of the plurality of messages transmitted to the device inside the NAT firewall and determining the type of the NAT firewall based on the received responses.08-26-2010
20100122334Internet based data, voice and video alert notification communications system - A real-time integrated information sharing and telecommunications collaboration system is disclosed. The system includes at least one central server to create, store, display, edit, distribute, share, control and archive voice, data, video and images with a plurality of simultaneous wireless and wireline remote display devices. The at least one central server monitors, controls and protects voice, data, video and image communications to, from and between display devices through encrypted token based security identifiers. The sharing of information and communication data packets between the display devices is contingent upon permissions assigned to individual human or machine end users. All data and communications, including the encrypted token based security identifiers, may be stored simultaneously or individually within the central server, display device, or a third-party remote storage device, whereby each or all may reside behind additional security systems and firewalls at a plurality of locations. All voice, data, video and images are seamlessly integrated through one or a combination of communications paths including, but not limited to, the Public Switched Telephone Network, World Wide Web, Internet, Wireless Wide Area Network (WWAN), Wide Area Network (WAN), Local Area Network (LAN), satellite, land mobile radio, WiFi, Worldwide Interoperability for Microwave Access (WiMAX), broadband over powerlines and other wireline and wireless networks.05-13-2010
20100138908Access Control Method And Apparatus - A method of controlling access to computing resources, comprising providing a first computing device with access to a database containing data indicative of computing resources access to which is controlled by the first computing device and a minimum security capability that a second computing device must possess to access the respective resources, assigning the second computing device a security capability, providing the second computing device with data indicative of the security capability, configuring the first computing device to respond to data indicative of the security capability and data indicative of a desired access from the second computing device by ascertaining the minimum required security capability corresponding to the desired access and by comparing the minimum required security capability with the security capability of the second computing device, and providing the desired access if the security capability of the second computing device meets the minimum security capability for the desired access. 06-03-2010
20100199344REDUNDANCY DETECTION AND RESOLUTION AND PARTIAL ORDER DEPENDENCY QUANTIFICATION IN ACCESS CONTROL LISTS - Aspects of the invention pertain to analyzing and modifying access control lists that are used in computer networks. Access control lists may have many individual entries that indicate whether information can be passed between certain devices in a computer network. The access control lists may include redundant or conflicting entries. An aspect of the invention converts an order-dependent control list into an order-free equivalent. Redundant entries are identified and removed without adversely affecting the access control list. Redundancy may be identified by evaluating the volume contraction ratio, which is the ratio of the volume of spin-off entries to a specific original entry in the access control list. This ratio reflects the extent of order-dependent impact on that entry in a given access control list.08-05-2010
20090288156SYSTEM AND METHOD FOR DETECTING AND ELIMINATING IP SPOOFING IN A DATA TRANSMISSION NETWORK - A traffic management system sniffs data arriving at any point in a system. The sniffer operates to extract certain data from each address. This data could be, for example, the IP address data and the physical address data. The extracted data is then used to access different data bases to determine if matches occur. Time stamps, sequencing and other parameters of each piece of data entering a system are used to control data access.11-19-2009
20090328182ENABLING TWO-FACTOR AUTHENTICATION FOR TERMINAL SERVICES - Techniques for enabling two-factor authentication for terminal services are described. A client receives an authentication token from an authentication server. The authentication token is used as a factor for authenticating the client to a terminal services device. Native authentication of the client is also performed.12-31-2009
20090199288DISTRIBUTED AUTHENTICATION IN A PROTOCOL-BASED SPHERE OF TRUST IN WHICH A GIVEN EXTERNAL CONNECTION OUTSIDE THE SPHERE OF TRUST MAY CARRY COMMUNICATIONS FROM MULTIPLE SOURCES - A distributed authentication model that operates within a protocol-based sphere of trust. Rather than being able to communicate with any one of the computing systems internal to the sphere of trust, the amount of authentication is reduced by having the external computing systems initially communicate with a specific edge internal computing system. Many if not all of the internal computing systems then delegate the task of authentication to the edge computing system, and will rely on any authentication performed by the edge computing system. This allows the task of authentication to scale well for large protocol-based spheres of trust.08-06-2009
20090165113SYSTEMS, METHODS AND COMPUTER PROGRAM PRODUCTS FOR FIREWALL USE OF CERTIFIED BINARIES - Systems, methods and computer program products for firewall use of certified binaries. Exemplary embodiments include a method including reading a plaintext component from a digital signature, searching the plaintext component for an identifier, reading in a TotalTCPIPPorts field for a total number of sockets to be opened for an application, reading in ports and descriptions for each of the ports, displaying information from the plaintext component up to a block including the identifier, the port being opened and the port description, prompting an instruction, displaying on the screen information from the plaintext component up to a block including the identifier, displaying a warning that the application is opening additional ports beyond the default number specified displaying a warning that opening the additional ports should be avoided and prompting the instruction.06-25-2009
20120144475SCALABLE NAT TRAVERSAL - A system and method for traversing a firewall for a voice-over-IP session or other communication session uses four main components: a relay agent, and NAT 06-07-2012
20100313261Communication method for device in network system and system for managing network devices - A communication method for a device in a network system and a system for managing network devices are disclosed. The communication method for a device in a network system includes connecting a management server that manages at least one device in an internal network, the at least one device, and a designated device with one another through a firewall, the internal network, and an external network; the designated device maintaining a connection with the management server; and if a message for requesting a connection with a target device among the at least one device is received by the designated device from the management server, the designated device forwarding the received message to the target device. According to this method, the management server can connect and communicate with managed devices, whenever necessary, by making the designated device connected to the network continuously maintain the connection with the management server.12-09-2010
20100313260METHOD AND SYSTEM OF PROVIDING FIREWALL IN HANDSET - A method of providing a firewall in a handset is disclosed. The method includes receiving a request with a telephone number by a handset. The handset determines if the telephone number meets a refusing condition. The refusing condition includes a telephone number interval with at least one number and a symbolic variable. The handset refuses the request of the telephone number if the telephone number meets the refusing condition.12-09-2010
20130139243DISTRIBUTED FIREWALLING IN A WIRELESS COMMUNICATION NETWORK - A method and system for distributed collaborative firewalling in a wireless wide area communication network including a plurality of controllers comprises a binding table that is built by the controller in response to receiving identifiers of wireless clients being served by the controller, where the binding table lists the wireless clients associated with each access port under control of the controller. A processor of the controller is operable to apply stateless firewalling on wireless communication traffic from a wireless client using the binding table, and each access port applies stateful firewalling on the wireless communication traffic from the wireless client.05-30-2013
20130139244ENHANCING NETWORK CONTROLS IN MANDATORY ACCESS CONTROL COMPUTING ENVIRONMENTS - A Mandatory Access Control (MAC) aware firewall includes an extended rule set for MAC attributes, such as a security label or path. Application labels may be used to identify processes and perform firewall rule-checking. The firewall rule set may include conventional firewall rules, such as address checking, in addition to an extension for MAC attributes.05-30-2013
20110010767Server System, Communication Method, Computer, Program And Recording Medium - Establishment of communication between client apparatuses and an arithmetic function unit is performed based on communication information acquired by communication using HTTP between the client apparatuses and the arithmetic function unit through a firewall function unit, where the client apparatuses download encrypted contents data from the arithmetic function unit by P2P without passing a firewall.01-13-2011
20110010768Method and Apparatuses for End-to-Edge Media Protection in an IMS System - An IMS system includes an IMS initiator user entity. The system includes an IMS responder user entity that is called by the initiator user entity. The system includes a calling side S-CSCF in communication with the caller entity which receives an INVITE having a first protection offer and parameters for key establishment from the caller entity, removes the first protection offer from the INVITE and forwards the INVITE without the first protection offer. The system includes a receiving end S-CSCF in communication with the responder user entity and the calling side S-CSCF which receives the INVITE without the first protection offer and checks that the responder user entity supports the protection, inserts a second protection offer into the INVITE and forwards the INVITE to the responder user entity, wherein the responder user entity accepts the INVITE including the second protection offer and answers with an acknowledgment having a first protection accept. A method for supporting a call by a telecommunications node is also described.01-13-2011
20110131644NETWORK SECURITY SYSTEM HAVING A DEVICE PROFILER COMMUNICATIVELY COUPLED TO A TRAFFIC MONITOR - A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.06-02-2011
20100138909VPN AND FIREWALL INTEGRATED SYSTEM - The present disclosure provides an integrated VPN/Firewall system that uses both hardware (firmware) and software to optimize the efficiency of both VPN and firewall functions. The hardware portions of the VPN and firewall are designed in flexible and scalable layers to permit high-speed processing without sacrificing system security. The software portions are configured to provide interfacing with hardware components, report and rules management control.06-03-2010
20090138954SECURITY SYSTEM AND SECURING METHOD OF CALL SIGNALING MESSAGES FOR SESSION INITIATION PROTOCOL BASED VoIP SERVICE - Disclosed is a security system of a call signaling message. An object of the invention is to provide a security system and a securing method of a call signaling message, in which even when a call signaling message is leaked out and thus modified in a SIP (Session Initiation Protocol) based VoIP (Voice Over Internet Protocol) service, the modified message is blocked in advance to enable the VoIP service to be provided without an attack effect by the packets. When using the security system and the securing method of a call signaling message according to an embodiment of the invention, it is possible to prevent, in the SIP based VoIP service, a call signaling message from being modified to cause a call failure when requesting a call or during the call, and to block an attack on the call signaling message in advance.05-28-2009
20100132027Independent role based authorization in boundary interface elements - A boundary interface element for communications networks is disclosed. The boundary interface element is adapted for enabling a network administrator for a first network coupled to a first network interface of the boundary interface element to configure a policy for the first network interface independently of the other administrators of the other interfaces, while restricting access to a second network interface of the boundary interface element. Similarly, the boundary interface element enables a network administrator for a second network coupled to the second network interface of the boundary interface element to configure a policy for the second network interface while restricting access to the first network interface. The network administrator for the first network is permitted to view the policy configured for the second network interface, and the network administrator for the second network is permitted to view the policy configured for the first network interface. The boundary interface element may be employed in a variety of network deployment scenarios.05-27-2010
20100058457Methodology, Measurements and Analysis of Performance and Scalability of Stateful Border Gateways - Methods and apparatus for testing of Internet-Protocol packet network perimeter protection devices, e.g., Border Gateways such as Session Border Controllers, including dynamic pinhole capable firewalls, are discussed. Analysis and testing of these network perimeter protection devices is performed to evaluate the ability of such devices to perform at carrier class levels. The efficiency of state lookup table functions as well as call signaling processing capacity, implemented in a particular perimeter protection device, are determined and evaluated. Proper performance and efficiency of such perimeter protection devices are evaluated as a function of incoming call rate and as a function of total pre-existing active calls. Various different network perimeter protection devices, e.g., of different types and/or from different manufacturers, can be benchmarked for suitability to carrier class environments and comparatively evaluated. Test equipment devices, e.g., enhanced Integrated Intelligent End Points (IIEPs), for fault testing, evaluating and stressing the network perimeter protection devices in a system environment are described. Typically these specialized test devices are used in pairs, one on each side of the firewall under test. These test equipment devices include a heavy duty traffic generator module, monitoring and analysis capability including a utilization analysis module, and a graphical output capability.03-04-2010
20090031412GLOBAL NETWORK COMPUTERS - Embodiments useful for a network of computers are presented. In an embodiment, a microchip includes a plurality of dies. Each die is made by a separate fabrication process and assembled into a package with the separate die sections connected directly.01-29-2009
20100011432AUTOMATICALLY DISTRIBUTED NETWORK PROTECTION - A network protection solution is provided by which security capabilities of a client machine are communicated to a network security gateway so that a variety of processes can be automatically and dynamically distributed between the gateway and the client machine in a way that achieves a target level of security for the client while consuming the least possible amount of resources on the gateway. For example, for a client that is compliant with specified health and/or corporate governance policies and which is known to have A/V capabilities that are deployed and operational, the network security gateway will not need to perform additional A/V scanning on incoming network traffic to the client which can thus save resources at the gateway and lower operating costs.01-14-2010
20100058458SYSTEM AND METHOD FOR PROVIDING A SECURE CONNECTION BETWEEN NETWORKED COMPUTERS - Embodiments disclosed herein provide a system, method, and computer program product for establishing a secure network connection between two computers, a client and a server. The client may send a connection request over a public network to the server. In response, the server may generate a set of credentials, select a controller to automatically run on the client, and send the controller and the set of credentials to the client. The controller automatically executes on the client and utilizes the set of credentials from the server to establish a secure network connection with the server without user intervention. The set of credentials is valid until the secure network connection between the client and the server is severed.03-04-2010
20100077470METHOD AND APPARATUS FOR SECURITY-RISK BASED ADMISSION CONTROL - A method and apparatus is disclosed herein for security risk-based admission control. In one embodiment, the method comprises: receiving a request from the user device to access the network; determining whether to admit the user device based on a security-based admission control policy that admits user devices based on a constraint optimization that attempts to maximize the sum utility of the currently admitted user devices in view of a security assessment of the user device and security risk imposed on the network and already admitted user devices if the user device is admitted to the network, wherein the constraint optimization is based on a utility associated with admitting the user device to the network, a reputation value associated with the user device, and a botnet damage estimation on the network associated with the user device; and admitting the user device to the network based on results of determining whether to admit the user device.03-25-2010
20100058456IDS Sensor Placement Using Attack Graphs - Embodiments of the present invention identify locations to deploy IDS sensor(s) within a network infrastructure and prioritize IDS alerts using attack graph analysis. An attack graph that describes exploitable vulnerability(ies) within a network infrastructure is aggregated into protection domains. Edge(s) that have exploit(s) between two protection domains are identified. Sets that contain edge(s) serviced by a common network traffic device are defined. Set(s) that collectively contain all of the edge(s) are selected. The common network traffic device(s) that service the selected sets are identified as the location(s) to deploy IDS sensor(s) within the network infrastructure.03-04-2010
20110252468METHOD AND SYSTEM FOR PROTECTING A COMPUTER AGAINTS MALICIOUS SOFTWARE - A method of protecting a computer by having security software be set to clean mode where the clean mode acts as if files installed or modified before the clean date are safe and installed or modified after the clean date as potentially harmful.10-13-2011
20120304275HIERARCHICAL RULE DEVELOPMENT AND BINDING FOR WEB APPLICATION SERVER FIREWALL - At least one of an HTTP request message and an HTTP response message is intercepted. A corresponding HTTP message model is identified. The HTTP message model includes a plurality of message model sections. Additional steps include parsing a representation of the at least one of an HTTP request message and an HTTP response message into message sections in accordance with the message model sections of the HTTP message model; and binding a plurality of security rules to the message model sections. The plurality of security rules each specify at least one action to be taken in response to a given condition. The given condition is based, at least in part, on a corresponding given one of the message sections. A further step includes processing the at least one of an HTTP request message and an HTTP response message in accordance with the plurality of security rules. Techniques for developing rules for a web application server firewall are also provided.11-29-2012
20120304274SYSTEM AND METHOD FOR INITIALIZING AND MAINTAINING A SERIES OF VIRTUAL LOCAL AREA NETWORKS CONTAINED IN A CLUSTERED COMPUTER SYSTEM - A system and method for sharing network resources; the system comprising at least one network switch, at least one computing device comprising at least one network connection and at least one storage device containing software capable of initializing and maintaining: (i) a management local area network (MLAN) comprising a virtual or physical firewall; and (ii) a plurality of client virtual local area networks (VLANs), wherein each client VLAN comprises a virtual firewall and a plurality of network resources.11-29-2012
20110154473SYSTEMS AND METHODS FOR CROSS SITE FORGERY PROTECTION - The present solution described herein is directed towards systems and methods to prevent cross-site request forgeries based on web form verification using unique identifiers. The present solution tags each form from a server that is served out in the response with a unique and unpredictable identifier. When the form is posted, the present solution enforces that the identifier being returned is the same as the one that was served out to the user. This prevents malicious unauthorized third party users from submitting a form on a user's behalf since they cannot guess the value of this unique identifier that was inserted.06-23-2011
20110154468METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR ACCESS CONTROL SERVICES USING A TRANSPARENT FIREWALL IN CONJUNCTION WITH AN AUTHENTICATION SERVER - Access control methods include receiving an access authorization message from an authentication server computer at a blocking device that connects a first network to a second network, modifying access criteria of a transparent firewall at the blocking device responsive to the received access authorization message and operating the transparent firewall according to the modified access criteria to control transfer of messages between the first and second networks. The invention may also be implemented as apparatus and computer readable media.06-23-2011
20110078781Framework for Communicating Across a Firewall - A system for enabling communication between a first domain and a second domain is disclosed. At least the first domain is protected by a firewall. A first data-processing system is provided in the first domain and a second data-processing system provided in second domain. The second domain hosts an application that the first domain desires to access. To enable the communication between the two domains a tunnel is established through the firewall. The tunnel runs from the first data-processing system to the second data-processing system. The second data-processing system provides a web-proxy interface to interface to the application and also acts as a tunnel gateway.03-31-2011
20110072506Integrated unified threat management for a process control system - A Unified Threat Management System (UTMS) for securing network traffic in a process control system may comprise network devices configured to receive network traffic related to the process control system and including a ruleset received from an external source. The ruleset may include one or more rules defining a condition to accept or deny the network traffic received at the network device. The state of the network device may be integrated into the process control system as a process control object or variable, thus allowing the state and other UTMS and component network device parameters and variables to be displayed to an operator at a workstation within a graphical process control system environment. The network devices may also communicate with a perpetual service that proactively supplies the devices with rulesets to meet the latest security threats, threat patterns, and control system vulnerabilities found or predicted to exist within the network.03-24-2011
20110072505Process for Installing Software Application and Platform Operating System - A process for installing a software application on a platform, where the platform comprises several servers including one or more application servers and a control server on which a platform configuration database is installed. The process comprises the following steps after a predefined software application is selected by a user: reading out configuration data and solution data from the platform configuration database, wherein the configuration data describes the platform configuration and the solution data describes a solution of the selected software application which is registered on the platform; determining the virtual server(s) needed to run the selected software application; creating the determined virtual server(s) on the platform; installing an instance of the selected software application in the created virtual server(s); and connecting the instance to an interface of the platform to provide access for listeners to the instance.03-24-2011
20110072504Policy-Based Virtualization Method Involving Adaptive Enforcement - A method is provided in which a permission for running a system software instance alongside another system software instance is issued on the basis of a first policy rule concerning the operation of a first software application and a second policy rule concerning the execution of second software application.03-24-2011
20100325717System and Method for Managing Access to a Plurality of Servers in an Organization - A system for managing access to resources in a plurality of servers by a plurality of client computers by using an operating system independent Secure Shell (SSH) protocol running in each server and using a central policy database that centrally stores access rules which specify access to the servers for a plurality of users/accounts. Each time a target server receives a user request to establish an SSH session, it retrieves associated access rules from the central policy database to obtain the latest access rules. Based on the retrieved rules and the identity of the user and the identity of the client computer, the target server determines whether the user has permission to establish the SSH session with the target server. Using a centralized database and requiring the servers to always retrieve the latest access rules from a central database provides consistent application of the access rules across all servers and all client computers.12-23-2010
20130160106BASIC ARCHITECTURE FOR SECURE INTERNET COMPUTERS - A method of securely controlling through a private network a computer protected by a hardware-based inner access barrier or firewall and optionally configured to operate as a general purpose computer connected to the Internet, comprising: two separate network connections separated by an inner hardware-based access barrier or inner hardware-based firewall protecting a private network connection configured for connection to a private network of computers but not protecting a public network connection configured for connection to a public network configured to include the Internet, the method including the step of controlling at least one operation of the computer, the control being provided through the private network and the operation involving data and/or code transmitted to the public network. Another method includes the step of controlling an operation of a second or third private protected unit of the computer, the control being provided through a second or third private network, respectively.06-20-2013
20110030048SYSTEM, METHOD AND PROGRAM FOR MANAGING FIREWALLS - Computer system, method and program for managing a firewall. First program instructions identify a first rule of the firewall. The first rule specifies a permitted message flow through the firewall to or from an IP address of a computer. The computer resides on a network. Second program instructions identify a second rule of the firewall. The second rule specifies a permitted message flow through the firewall to or from an IP address corresponding to the network. Message flows through the firewall to all computers on the network are permitted pursuant to the second rule. Third program instructions delete the first rule from the firewall based on the identification of the second rule and the computer residing on the network. Other program instructions identify and delete stale rules which are not needed. Other program instructions automatically identify rules for a new server added to a cluster.02-03-2011
20110154472SYSTEMS AND METHODS FOR PREVENTION OF JSON ATTACKS - Described herein is a method and system for prevention of personal computing attacks, such as JavaScript Object Notation (JSON) attacks. An intermediary device is deployed between a plurality of clients and servers. A firewall executes on the intermediary device. A client sends a request to the server and the server sends a response to the request. The intermediary device intercepts the response and identifies that the response may contain possibly harmful content. The application firewall parses the content of the response and determines whether it contains any harmful content. If it does, the application firewall blocks the response from being sent to its destination. Additionally, the method and system can provide other security checks, such as content hijacking protection and data validation.06-23-2011
20110154471SYSTEMS AND METHODS FOR PROCESSING APPLICATION FIREWALL SESSION INFORMATION ON OWNER CORE IN MULTIPLE CORE SYSTEM - The present invention is directed towards systems and methods for sharing session data among cores in a multi-core system. A first application firewall module executes on a core of a multi-core intermediary device which establishes a user session. The first application firewall module stores application firewall session data to memory accessible by the first core. A second application firewall module executes on a second core of the multi-core intermediary device. The second application firewall module receives a request from the user via the established user session. The request includes a session identifier identifying that the user session was established by the first core. The second application firewall module determines to perform one or more security checks on the request and communicates a portion of the request to the first core. The second application firewall module receives and processes the security check results and instructions from the first core.06-23-2011
20110154469METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR ACCESS CONTROL SERVICES USING SOURCE PORT FILTERING - An authentication request message is received at an authentication server computer, the authentication request message identifying a requesting client device. The authentication request message is authenticated at the authentication server computer and, responsive to authentication of the authentication request message, a source port for a redirected communication between the requesting client device and the protected server is determined. An access authorization message identifying the determined source port is transmitted from the authentication server computer to a blocking device that controls access to the protected server. A redirect message may be transmitted from the authentication server to a browser resident at the client device responsive to authentication of the authentication request message. Embodiments include methods, apparatus and computer readable media.06-23-2011
20120204251METHOD AND SYSTEM FOR PROVIDING CLOUD BASED NETWORK SECURITY SERVICES - An approach is provided for performing cloud based computer network security services. Data traffic from a plurality of networks corresponding to a plurality of subscribers is received. Data traffic is routed to a security platform over a communication path to one or more service aggregators to process the data traffic according to one or more security services performed by the security platform. The security services are provided as a managed service by a service provider. The processed data are received from the one or more service aggregators, and routed to the corresponding one of the networks.08-09-2012
20110258692PROTECTED APPLICATION STACK AND METHOD AND SYSTEM OF UTILIZING - A secure appliance for use within a multi-tenant cloud computing environment which comprises: a) a policy enforcement point (PEP); b) a hardened Operating System (OS) capable of deploying applications; and c) at least one application capable of hosting services and application program interfaces (APIs).10-20-2011
20110258691METHOD FOR IMPROVING SECURITY OF COMPUTER NETWORKS - A method of preventing unauthorized user access to a computer network has been developed. The method includes receiving a domain name server resolution request at the computer network from a requesting user. Next, a reply to the requesting user is generated with a domain name server resolution and internet protocol address of a target device within the computer network. The reply is inspected with a network security device, where the network security device does not have an assigned internet protocol address so that it remains undetected by the requesting user. The network security device then monitors data traffic to the computer network to detect a reply from the requesting user. Once detected, the reply to the internet protocol address is intercepted with the network security device. Finally, the network security device verifies that the requesting user is authorized to access the computer network with the network security device.10-20-2011
20100058455METHODS AND SYSTEMS FOR AUTOMATIC REMOVAL AND REPLACEMENT OF CONNECTIONS IN A POOL RENDERED STALE BY A FIREWALL - This disclosure describes, generally, methods and systems for managing connections within a connection pool. The method includes initializing a plurality of connections. The plurality of connections are configured to pierce a firewall. The method further includes placing the plurality of connections in a connection pool, and storing creation times for each of the plurality of connections. The method then determines the firewall's connection teardown time period and, based at least in part on the firewall's connection teardown time period, sets the connection pool's connection teardown time period to be at least less than the firewall's connection teardown time period.03-04-2010
20090254985Secure network interface device - An interface device for a protected workstation or host has a network interface for connection to a multi-level secure network, a first address corresponding to a guard control port, and a second address corresponding to a guard data port. A transport guard in the device has a control component coupled to the guard control port for processing configuration data sent to the first address and producing a desired security configuration, a guard component coupled to the output of the control component and to the guard data port of the network interface, and a host interface coupled to the guard component for exchanging data with the protected host. Only when permitted by the desired security configuration, the guard component passes network data addressed to the second address of the network interface to the host interface, and passes outbound data from the host interface to the network through the guard data port.10-08-2009
20090249465System and Method for Implementing Content and Network Security Inside a Chip - Systems and methods for implementing content, streaming, and network security inside a chip or inside a computing device are disclosed. In exemplary embodiments, a system comprises a communication chip and a second processor. The communication chip comprises a router and security instructions. The router is configured to intercept untrusted data between a network and a first router. The second processor is configured to receive the untrusted data from the router, process the untrusted data with the security instructions to produce trusted data, and provide the trusted data to the router.10-01-2009
20080320581SYSTEMS, METHODS, AND MEDIA FOR FIREWALL CONTROL VIA PROCESS INTERROGATION - Generally speaking, systems, methods and media for implementing a firewall control system responsive to process interrogations are disclosed. Embodiments of a method may include receiving a data request at a firewall where the data request is associated with a program and determining whether a process rule exists for the associated program, where the process rule includes a condition to be satisfied for a process of the user computer system. Embodiments may also include, in response to determining that a process rule does exist, determining a method for evaluating a status of the process and determining a current status of the process. Embodiments may also include determining whether the process rule is satisfied based on the current status of the process and using the determined evaluation method. Embodiments may also include, in response to determining whether the condition of the process rule is satisfied, performing one or more firewall actions.12-25-2008
20080320580SYSTEMS, METHODS, AND MEDIA FOR FIREWALL CONTROL VIA REMOTE SYSTEM INFORMATION - Generally speaking, systems, methods and media for implementing a firewall control system responsive to remote system information are disclosed. Embodiments of a method may include receiving a data request at a firewall where the data request is associated with a program and determining whether a remote system condition exists for the associated program, where the remote system condition includes a condition to be satisfied based on information received from a particular remote system. Embodiments may also include, in response to determining that a remote system condition exists, determining whether the remote system condition is satisfied based on information received from the particular remote system. Embodiments may also include, in response to determining whether the remote system condition is satisfied, performing one or more firewall actions.12-25-2008
20080289028FIREWALL FOR CONTROLLING CONNECTIONS BETWEEN A CLIENT MACHINE AND A NETWORK - A firewall system adapted for location outside the client machine, preferably in the same data processing device as the client machine but outside a virtual machine containing the client machine. Control logic of the firewall system receives incoming and outgoing connections from the network and client machine respectively. In response to a connection request initiating a connection between respective endpoints in the network and client machine, the control logic performs a security assessment comprising obtaining from at least one of the network and client machine information indicative of the security state of the endpoint therein, and allows or inhibits the connection in dependence on the result of the security assessment. The security assessment may be performed in accordance with a security policy of the system, and different security assessments may be performed for different connection requests in accordance with the security policy.11-20-2008
20120311690METHOD OF USING A SECURE PRIVATE NETWORK TO ACTIVELY CONFIGURE THE HARDWARE OF A COMPUTER MICROCHIP - A method for a computer or microchip with one or more inner hardware-based access barriers or firewalls that establish one or more private units disconnected from a public unit or units having connection to the public Internet and one or more of the private units have a connection to one or more non-Internet-connected private networks for private network control of the configuration of the computer or microchip using active hardware configuration, including field programmable gate arrays (FPGA). The hardware-based access barriers include a single out-only bus and/or another in-only bus with a single on/off switch.12-06-2012
20110138456SECURITY MANAGEMENT SYSTEM FOR MONITORING FIREWALL OPERATION - A test method for Internet-Protocol packet networks that verifies the proper functioning of a dynamic pinhole filtering implementation as well as quantifying network vulnerability statistically, as pinholes are opened and closed is described. Specific potential security vulnerabilities that may be addressed through testing include: 1) excessive delay in opening pinholes, resulting in an unintentional denial of service; 2) excessive delay in closing pinholes, creating a closing delay window of vulnerability; 3) measurement of the length of various windows of vulnerability; 4) setting a threshold on a window of vulnerability such that it triggers an alert when a predetermined value is exceeded; 5) determination of incorrectly allocated pinholes, resulting in a denial of service; 6) determining the opening of extraneous pinhole/IP address combinations through a firewall which increase the network vulnerability through unrecognized backdoors; and 7) determining the inability to correlate call state information with dynamically established rules in the firewall.06-09-2011
20110138455FIREWALL FILTERING USING NETWORK CONTROLLER CIRCUITRY - An embodiment may include network controller circuitry to be comprised in a host computer that includes a host processor to execute an operating system environment. The circuitry may be coupled to the processor, receive at least one packet via a network, store at least one firewall filter parameter set, and execute, based at least in part upon the parameter set and packet, at least one firewall filter action involving, at least in part, the packet. The action may implement, at least in part, at least one firewall rule supplied by a firewall application to an interface of a driver associated with the circuitry. The application may be executed, at least in part, in the environment. The circuitry may generate and store the parameter set based at least in part upon at least one command from the driver. The command may be based at least in part upon the rule.06-09-2011
20110258693OPERATIONS AND MAINTENANCE ARCHITECTURE FOR MULTIPROTOCOL DISTRIBUTED SYSTEM - An architecture for providing operations and maintenance functionality in an open access wireless signal distribution system. The open access system makes use of a common, shared, distributed radio frequency distribution network and associated network entities that enable a system operator to offer access to wireless infrastructure that may be shared among multiple wireless service providers (WSPs). The WSPs, or tenants of the operators, may obtain access in a tenant lease-space model. The open access system provides the ability for multiple tenants in a given community to share wireless equipment such as remotely located antenna sites, regardless of their specific requirements for radio frequency (RF) air interface signal protocols and/or management messaging formats. The present invention is directed to an open access Network Management System (NMS) that provides multiple tenants with an appropriate level of access and control over the system elements that carry their signaling. For example, in addition to forwarding messages from tenant-controlled NMSs to the open access system elements, the open access NMS preferably acts as a caching firewall to ensure that the tenant NMSs are permitted privileges to access only those system elements to which they are properly assigned. A database function included with the open access NMS may be used to build and maintain a database of operations and maintenance information from autonomously initiated poll and status functions. This then permits queries from tenant NMSs to be answered without the need to duplicate open system network traffic.10-20-2011
20100115599METHOD AND SYSTEM FOR SECURING DATA FROM A POINT OF SALE DEVICE OVER AN EXTERNAL NETWORK - A data control system allows point of sale devices (05-06-2010
20110154470METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR MANAGING FIREWALL CHANGE REQUESTS IN A COMMUNICATION NETWORK - A method of managing firewall change requests for a communication network includes providing a change request interface comprising a plurality of change request form types, each request form including an interface for entering requestor identification information, Internet Protocol (IP) address information, change implementation schedule information, and submission information specifying any requestor instructions for implementing the change, receiving completed change request forms from at least one requestor, arranging the completed change request forms in a request queue, and presenting the request queue to at least one administrator responsible for implementing firewall changes in the communication network.06-23-2011
20100017868METHOD AND SYSTEM FOR CONFIGURING A RULE FILE FOR FIREWALL OF WEB SERVER - A method, a system, and a computer program product embodying computer readable code for configuring a rule file for a Web application firewall. The method includes: blocking a response created by a Web application; modifying the response by adding capturing code for capturing a regular expression and an associated parameter value embedded in the response while being executed; sending the modified response to the browser; receiving a request submitted by the browser and at least one regular expression and an associated parameter value captured by the capturing code; determining a parameter name and a regular expression associated with the same parameter value, and configuring the rule file of the firewall by use of the determined parameter name and regular expression associated with one another as a filtering rule.01-21-2010
20090172799SECURITY-LEVEL ENFORCEMENT IN VIRTUAL-MACHINE FAIL-OVER - Methods, systems, and articles to receive, by a fail-over computing device, a request to instantiate a virtual-machine in response to a virtual-machine failure on a separate physical device. The request includes a minimum security rating. The fail-over computing device then compares the minimum security rating against an assigned security rating of the fail-over computing device and instantiates the virtual-machine if the assigned security rating meets or exceeds the minimum security rating.07-02-2009
20120042372GLOBAL NETWORK COMPUTERS - A microchip for a computer configured to connect to a network of computers, the microchip comprising: a first internal hardware-based firewall, the first internal hardware-based firewall configured to deny access to a portion of the microchip from the network; a general purpose microprocessor including at least two general purpose cores or general purpose processing units; a first core or processing unit is located inside of the first internal hardware-based firewall; a second core or processing unit is located outside of the first internal hardware-based firewall; the second core or processing unit is separate from the first internal hardware-based firewall; and a memory component located inside of a second internal hardware-based firewall that is located between said memory component and a core or processing unit with which said memory component is associated. The microchip can also include a plurality of dies.02-16-2012
20120042373MANAGING CONFIGURATIONS OF A FIREWALL - A method for processing packets in a computer undergoing transitioning from a first configuration of a firewall to a second configuration of the firewall is disclosed. Packets arriving in the computer are associated with the first configuration of the firewall existing in the computer, and after a second configuration of the firewall becomes available, the computer starts associating packets arriving in the computer with the second configuration of the firewall, and processing packets associated with the second configuration according to the second configuration of the firewall, while continuing processing the packets associated with the first configuration according to the first configuration of the firewall until all packets associated with the first configuration are processed. Packets are processed by a plurality of firewall processing modules asynchronously. First and second reference counts, counting numbers of packets processed according to respective firewall configuration are conveniently introduced. A corresponding system is also provided.02-16-2012
20120047570FIREWALLS FOR SECURING CUSTOMER DATA IN A MULTI-TENANT ENVIRONMENT - Network security is enhanced in a multi-tenant database network environment using a query plan detection module to continually poll the database system to locate and raise an alert for suspect query plans. Security also can be enhanced using a firewall system sitting between the application servers and the client systems that records user and organization information for each client request received, compares this with information included in a response from an application server, and verifies that the response is being sent to the appropriate user. Security also can be enhanced using a client-side firewall system with logic executing on the client system that verifies whether a response from an application server is being sent to the appropriate user system by comparing user and organization id information stored at the client with similar information in the response.02-23-2012
20120047569METHOD FOR PROVIDING TERMINALS OF IMS NETWORK WITH FIREWALL AND FIREWALL SYSTEM - A method for providing a firewall for terminals in the IMS network and a firewall system are provided. The method includes: arranging a firewall system in the IMS network; acquiring identification information of said terminal when the firewall system receives a request for providing the terminal with a firewall from a network element; sending identification information of the firewall system to the terminal and related network elements; and managing at least part of the communication activities between said terminal and other network elements by the firewall system, wherein said other network elements include network elements in the IMS network and/or network elements which communicate with said terminal via the IMS network.02-23-2012
20120210416LOAD BALANCING IN A NETWORK WITH SESSION INFORMATION - Methods and systems for balancing load among firewall security devices are provided. According to one embodiment, a switch maintains a session table the session entries of which represent established traffic sessions between a source and a destination and form an association between the traffic session and a particular firewall security device (FSD). Responsive to receiving a packet of a first traffic session on a first port, a determination is made whether there exists a matching session entry. Responsive to a negative determination, a load balancing function is performed to select an FSD with which to associate the first traffic session and a corresponding reverse second traffic session. After processing of the packet by the selected FSD and receipt of the packet at a second port, a session entry is installed within the session table for the second traffic session and which associates the selected FSD with the second traffic session.08-16-2012
20100287608PROCESS CONTROL METHODS AND APPARATUS FOR INTRUSION DETECTION, PROTECTION AND NETWORK HARDENING - The invention provides an improved network and methods of operation thereof for use in or with process control systems, computer-based manufacturing or production control systems, environmental control systems, industrial control system, and the like (collectively, “control systems”). Those networks utilize a unique combination of firewalls, intrusion detection systems, intrusion protection devices and/or other devices for hardening (e.g., security against hacking, intrusion or other mischievous conduct) and/or intrusion detection. The networks and methods have application, by way of example, in plants, sites and other facilities in which networks that support control systems interface with corporate, business or other networks.11-11-2010
20110107412APPARATUS FOR DETECTING AND FILTERING DDOS ATTACK BASED ON REQUEST URI TYPE - Provided is an apparatus for detecting and responding to a DDoS attack. The apparatus includes: a receiver unit configured to receive an HTTP request from a client terminal having a predetermined IP address; a data measuring unit configured to compute a number of a pre-defined URI in the received HTTP request by IP for a predetermined measuring time period; a DDoS discrimination unit configured to compare the computed number of the pre-defined URI with a pre-defined threshold and configured to detect an access of the client terminal with the IP address as the DDoS attack when the number of the pre-defined URI is greater than the threshold; and a blocking unit configured to block the access of the client terminal when the DDoS discrimination unit detects the DDoS attack.05-05-2011
20100095366Enabling Network Communication From Role Based Authentication - Network communications are secured on clients that do not have a user properly logged in and authenticated. The clients have transmit and/or receive functionality disabled. When a user logs into the client and is properly authenticated, the transmit and/or receive functionality is enabled. In some embodiments, the client can then download firewall policy information to prevent the client from communicating on certain ports or with certain clients. The firewall policy information may be specific to a role that a user logged into the client has. For example, administrators, executives and employee roles may each use different firewall policy information.04-15-2010
20110099619SYSTEM AND METHOD FOR CREATING A TRANSPARENT DATA TUNNEL - A method of transparently transferring data between a network application running on a first processor and a target service running on a second processor through a tunnel server running on a third processor, the method comprising: connecting a target program running on the second processor to the tunnel server; connecting a client program running on the first processor to the tunnel server; connecting the network application to the client program through a network adapter running on the first processor; sending data from the network application to the tunnel server through the client program; connecting the target program to the target service through a network adapter running on the second processor; and relaying data from the tunnel server to the target service through the target program.04-28-2011
20090133112USE OF DATA LINKS FOR AERONAUTICAL PURPOSES WITHOUT COMPROMISING SAFETY AND SECURITY - A method of ensuring secure and cost effective communication of aeronautical data to and from an aircraft is provided. The method includes uplinking air-ground aircraft data communications via an aeronautical safety data link and downlinking air-ground aircraft data communications via a consumer data link separated from the aeronautical safety data link by a one-way firewall.05-21-2009
20120317634Method of securely controlling a computer or microchip with a master or central controller connected by a secure control bus to networked microprocessors or cores - A method of securely controlling a computer or microchip through a private network. The computer or microchip includes a secure private unit protected by an inner hardware-based access barrier or firewall; an unprotected public unit including at least one network connection configured to connect to a network; a separate private network connection located in the secure private unit; a microprocessor, core or processing unit configured for general purposes, in the unprotected public unit and separate from the access barrier or firewall; a master or central controlling device located in the secure private unit; and a secure control bus configured to connect the master or central controlling device with the microprocessor, core or processing unit. The secure control bus is isolated from input from both the network and components of the unprotected public unit. The method includes securely controlling an operation executed by the microprocessor, core or processing unit.12-13-2012
20120222106Automated Hybrid Connections Between Multiple Environments In A Data Center - A multi-tenant data center environment includes a dedicated domain having at least one dedicated server associated with a client and a cloud domain having at least one cloud server associated with the client. The cloud server may have a public interface to a public network and a private interface to a private network. In turn, a network device is coupled between the dedicated domain and the public network, and is further coupled to the cloud server via the private network. A controller of the data center may be used to determine presence of the cloud server, and configure the network device to allow certain traffic to pass directly to the dedicated domain, while preventing other traffic from this direct path, based on access controls of the network device.08-30-2012
20120317636MANAGEMENT SYSTEM, MANAGEMENT METHOD AND MANAGEMENT PROGRAM FOR MANAGING INDUSTRIAL CONTROL SYSTEM - A system and method for taking an appropriate countermeasure at the time of an anomaly. The industrial control system includes a control apparatus, a control network connected to the control apparatus, and multiple devices controlled by the control apparatus via the control network. The management system for that industrial control system includes multiple firewall modules provided for each of the control zones, each control zone controlling one part of the industrial control system, the firewall modules relaying communication between devices in the control zones and the control network; an event analyzing module collecting events from each of the multiple firewall modules and analyzing the events to detect an anomaly in each of the control zones; and a communication managing module changing a communication operation performed via the firewall module provided for the control zone where an anomaly has been detected.12-13-2012
20120317635SYSTEM AND METHOD FOR MONITORING UNAUTHORIZED TRANSPORT OF DIGITAL CONTENT - A system for network content monitoring and control, comprising: a transport data monitor, connectable to a point in a network, for monitoring data being transported past said point, a signature extractor, associated with said transport data monitor, for extracting a derivation of said data, said derivation being indicative of content of said payload, a database of preobtained signatures of content whose movements it is desired to monitor, and a comparator for comparing said derivation with said preobtained signatures, thereby to determine whether said payload comprises any of said content whose movements it is desired to monitor. The monitoring result may be used in bandwidth control on the network to restrict transport of the content it is desired to control.12-13-2012
20120131662Virtual local area networks in a virtual machine environment - In one embodiment, a method includes identifying virtual machines operating at a network device and virtual local area networks associated with the virtual machines, creating an allowed list of virtual local area networks at the network device based on the virtual machines operating at the network device, and updating the allowed list in response to changes in the virtual machines at the network device. The network device is configured to forward traffic received from the virtual local area networks on the allowed list to a virtual switch at the network device, and drop traffic received from a virtual local area network not on the allowed list. An apparatus and logic are also disclosed.05-24-2012
20120216269Software licensing in a virtualization environment - Provided are a system and method for activating an unauthorized software program in a virtualization environment. A software program is installed on a computer. A valid license is obtained to activate the software program. A cloning operation is performed on the software program. At least one other instance of the software program is generated during the cloning operation. The valid license is obtained to activate the at least one other instance of the software program. Also provided are systems and methods for identifying and counteracting unauthorized licensing of instances of a software program.08-23-2012
20120254975SYSTEM AND METHOD FOR AUTOMATICALLY REGULATING MESSAGES BETWEEN NETWORKS - A system, method, and profiler for regulating access between a remote network and a host network. The profiler includes a processor for executing a set of instructions and a memory for storing the set of instructions. The set of instructions are executed to determine one or more target devices for the host network, determine authorized content for messages from one or more remote networks to the one or more target devices, analyze the messages to determine whether the messages comply with message thresholds for the remote networks, and communicate the messages between the host network and the one or more remote networks in response to compliance with the message thresholds and the authorized content.10-04-2012
20120254974 | Local Data Appliance for Collecting and Storing Remote Sensor Data - A system for providing local access, by means of a local data appliance, to data collected from remote monitors and sensors is described. The system includes a plurality of remote monitors and sensors, the remote monitors and sensors reporting data over a wide area communications network, and a data collection center receiving the data from the remote monitors and sensors, the data collection center operable to process the data and generate customer-defined reports based on the data. A local data appliance placed in the customer's network operates to receive the data from the data collection center, process the customer data, generate reports based on the data, and send instructions to the remote monitors and sensors. The appliance resides behind the customer's firewall but is separate from the customer's network and data center equipment. | 10-04-2012
20120137356 | INTELLIGENT ELECTRIC DEVICE AND NETWORK SYSTEM INCLUDING THE DEVICE - A protection relay installed at a power system and a network system including the protection relay are disclosed, the protection relay storing a security level of a plurality of systems or a plurality of source addresses, instructing whether to short-circuit a power by checking a security level of a data-transmitting system based on a security level stored in a security level setting device, or instructing whether to short-circuit a power by comparing the source addresses included in the data with the plurality of source addresses. | 05-31-2012
20120216270 | Method and Apparatus for Graphical Presentation of Firewall Security Policy - A graphical representation of the firewall and a network coupled to the firewall is generated and displayed. A number of an inbound port of the network is displayed. An arrow adjacent to the port number pointing toward the network is displayed to indicate that a communication is permitted to the port. The port number and the arrow are located between an icon for the network and an icon for the firewall. A port number of a destination of a communication originating from the network is displayed. Also, another arrow adjacent to the destination port number pointing toward the firewall is displayed to indicate that a communication is permitted to the destination port number. The destination port number and the other arrow are located between an icon for the network and an icon for the firewall. | 08-23-2012
20090300748 | RULE COMBINATION IN A FIREWALL - A firewall system comprises a rule management tool that is operable to evaluate a rule set for rules that may be merged, present selected rules that can be merged to an administrator, along with an indication of any change in function of the resulting merged rule, and receive input from the administrator indicating whether to merge the selected rules. | 12-03-2009
20120174209 | Method and Device for Detecting Validation of Access Control List - A method for detecting validation of an Access Control List (ACL) is disclosed in the present invention: each time the action part of an ACL rule is performed, a counter attached to the currently performed ACL rule is started in accordance with an attachment mode, wherein the counter counts in accordance with a preset counting mode; whether the ACL rule takes effect or not is judged by reading the count value stored in the counter and checking whether a count value is present. An apparatus for detecting validation of an ACL is also disclosed in the present invention. The apparatus judges whether an ACL rule takes effect without increasing the network load or impacting the safety of a Central Processing Unit (CPU) in the device. | 07-05-2012
20120180120 | SYSTEM FOR DATA LEAK PREVENTION FROM NETWORKS USING CONTEXT SENSITIVE FIREWALL - A method and system for preventing data leaks in a network that allows context-based access of network resources by network users is provided. The communication network can be an open network like the Internet or a closed network like a company's Local Area Network (LAN). The network resource may be any application, website, program, communication means, etc. available by accessing the network. A request is sent to a network firewall to access a web application, and the web application is identified. A context template is created for the web application and compared with the request to create a request context map. The request context map is compared to a request context rule on the network firewall. Access is provided to the web application when the request context map matches the request context rule. | 07-12-2012
20130174245 | METHOD OF SECURELY CONTROLLING A COMPUTER OR MICROCHIP WITH A MASTER OR CENTRAL CONTROLLER CONNECTED BY A SECURE CONTROL BUS TO NETWORKED MICROPROCESSORS OR CORES - A method of securely controlling a computer or microchip through a private network. The computer or microchip includes a secure private unit protected by an inner hardware-based access barrier or firewall; an unprotected public unit including at least one network connection configured to connect to a network; a separate private network connection located in the secure private unit; a microprocessor, core or processing unit configured for general purposes, located in the unprotected public unit and separate from the access barrier or firewall; a master or central controlling device located in the secure private unit; and a secure control bus configured to connect the master or central controlling device with the microprocessor, core or processing unit. The secure control bus is isolated from input from both the network and components of the unprotected public unit. The method includes securely controlling an operation executed by the microprocessor, core or processing unit. The secure control is provided by the master or central controlling device through the separate private network to the separate private network connection via the secure control bus. | 07-04-2013
20120185929 | INCORPORATING NETWORK CONNECTION SECURITY LEVELS INTO FIREWALL RULES - Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts. | 07-19-2012
20120227100 | APPARATUS, SYSTEM, AND METHOD FOR NETWORK AUTHENTICATION AND CONTENT DISTRIBUTION - An apparatus, system, and method are disclosed for network authentication and content distribution. The apparatus includes an authentication module configured to receive redirected network requests over a communications network from a firewall module and configured to present a user license agreement and not require user-identifiable information, and a content distribution module configured to synchronize over the communications network with a client module and transmit content to the client module. The system includes a firewall module connected with a global communications network, a network connected with the firewall module, a computing device configured to couple with the network, and the apparatus. The method includes receiving redirected network requests over a communications network from a firewall module, presenting a user license agreement and not requiring user-identifiable information, and synchronizing over the communications network with a client module and transmitting content to the client module. | 09-06-2012
20120233686 | NETWORK ACCESS FIREWALL - The communications management systems manage access to a local area network or network content by external users, applications, and devices. The systems and methods are implemented on a network appliance to manage content within the network and facilitate content transmission through a firewall that separates the network from a larger networking environment, such as the World Wide Web. | 09-13-2012
20080301795 | DISTRIBUTED AND SCALABLE INSTANT MULTIMEDIA COMMUNICATION SYSTEM - A scalable instant multimedia communication network includes at least one server that supports instant multimedia communication (IMC) sessions for a plurality of clients registered on the at least one server, and a multi-point switch unit coupled to the server(s) that sends data out of and receives data into the network, routes data between server(s), and performs a security check to enforce a security policy of the network on an invitation to establish a secure IMC session between at least two of the plurality of clients registered on the at least one server. The instant multimedia communication network can be expanded or contracted by coupling additional or fewer servers to the multi-point switch unit. | 12-04-2008
20080301794 | METHOD AND SYSTEM FOR PROVIDING REMOTE ACCESS TO RESOURCES IN A SECURE DATA CENTER OVER A NETWORK - Methods, computer products, and systems are described for providing remote access to resources in a secure data center protected by at least one firewall. One method includes sending, by an internal server within the secure data center, a request to an external server outside of the secure data center to establish a secure data transport channel between the internal server and the external server. The request travels through at least one firewall protecting the secure data center and over a public network, a private network, and/or a second firewall. The internal server receives a reply to the request from the external server granting the request and confirming the establishment of the secure data transport channel. When a first message from the external server instructing the internal server to create a first data access point associated with a first session is received via the established secure data transport channel, the internal server instantiates the first data access point for the first session, and visual data corresponding to the resources in the secure data center is sent from the first data access point to the external server via the secure data transport channel. The visual data is received by the external server and then sent to a first client associated with the first session, so that the first client is provided visual access to the resources in the secure data center while the resources remain protected within the secure data center. | 12-04-2008
20110004931 | GLOBAL NETWORK COMPUTERS FOR SHARED PROCESSING - A computer configured for a connection to a network of computers including the Internet, comprising: a microchip including a microprocessor including a master control unit configured using hardware and firmware, and two processing units; an internal hardware firewall that is located between a protected portion and an unprotected portion of the microchip; said protected portion including said master control unit and one of the processing units, said unprotected portion including one or more of the processing units that are separate from and located outside of the internal hardware firewall; said hardware firewall denying access to said protected portion by the network; and said hardware firewall permitting access by another computer in the network to one or more of the processing units included in the unprotected portion for an operation with said another computer in the network; and an active configuration of a circuit integrated into the microchip. | 01-06-2011
20120266230 | METHOD AND APPARATUS FOR CYBER SECURITY - Aspects of the disclosure provide a network interface device for use in an electronic device. The network interface device includes multiple systems and can be configured to perform multiple levels of security functions. In an example, the network interface device includes a first system and a second system. The first system includes a first interface configured to couple the first system with a host system of the electronic device, a second interface configured to couple the first system with an external electronic device, and first integrated circuits configured to monitor and filter traffic flowing between the external electronic device and the host system of the electronic device. The second system includes second integrated circuits. The network interface device also includes a communication channel between the first system and the second system. The second system is configured to send control information to and receive status information from the first system via the communication channel. | 10-18-2012
20120324564 | Computers and microchips with a faraday cage, with a side protected by an internal hardware firewall and unprotected side connected to the internet for network operations, and with internal hardware compartments - A personal computer or microchip comprising at least one Faraday Cage, two or more microprocessors or processing units and an internal hardware firewall. The internal hardware firewall is configured to separate a protected side of the computer or microchip from an unprotected side of the computer or microchip. The unprotected side is configured to connect to a network including the Internet. The protected hardware side of the computer or microchip includes at least one microprocessor or processing unit. The unprotected network side of the computer or microchip is located between the internal hardware firewall and the network and includes the unprotected microprocessors or processing units. At least one of the unprotected microprocessors or processing units is not a network communications component and is a separate component from the internal hardware firewall. The computer or microchip can include two, four, or more internal hardware compartments. | 12-20-2012
20120324563 | MICROCHIPS WITH MULTIPLE INTERNAL HARDWARE-BASED FIREWALLS AND DIES - Embodiments useful for a network of computers are presented. In an embodiment, a microchip includes a plurality of dies. Each die is made by a separate fabrication process and assembled into a package with the separate die sections connected directly. | 12-20-2012
20120324562 | Enhanced Personal Firewall for Dynamic Computing Environments - An enhanced personal firewall system having an inter-firewall connection listener which binds to a specified communications port and listens for inbound and/or outbound connection requests; and an inter-firewall controller which establishes trusted communications through a local firewall and a remote firewall by exchanging public keys and a signed trusted computer firewall request, and using the keys to determine if a local key storage indicates previous authorization of trusted communications. If not, then a user of the targeted resource is notified and prompted to authorize the access. If so, then the firewall rules protecting the targeted resource are modified, even if temporarily, to allow the requesting firewall to have trusted access. | 12-20-2012
20120324561 | ROAD BLOCK the next evolution of security software for network operations - Road Block, simply put, is a blockade against any and all hacker attempts. It is a security software program that resides on a server and the user machine, with specific coding interchanging between the two for a secure link and transference of information. Unlike VPN technology, Road Block establishes a binary code link specific to computer chips residing on a server and also on the user computer. This technology can be used by banks, medical offices, insurance companies, credit unions and facilities allowing employees to work remotely. In a nutshell, Road Block is the ultimate security software package to ensure safe and secure transmission of any information between a user and server. | 12-20-2012
20120272308 | MANAGEMENT SYSTEM, MANAGEMENT METHOD AND MANAGEMENT PROGRAM FOR MANAGING INDUSTRIAL CONTROL SYSTEM - A system and method for taking an appropriate countermeasure when an anomaly occurs. The industrial control system includes a control apparatus, a control network connected to the control apparatus, and multiple devices controlled by the control apparatus via the control network. The management system for the industrial control system includes multiple firewall modules, one provided for each of the control zones that each control one part of the industrial control system, the firewall modules relaying communication between devices in the control zones and the control network; an event analyzing module collecting events from each of the multiple firewall modules and analyzing the events to detect an anomaly in each of the control zones; and a communication managing module changing a communication operation performed via the firewall module provided for the control zone where an anomaly has been detected. | 10-25-2012
20110239288 | EXECUTABLE CODE VALIDATION IN A WEB BROWSER - An active filter monitors a web browser session to identify executable code transmitted in the session. The executable code may be analyzed to determine if the code is digitally signed. When the code is digitally signed by the web server or by another trusted source, the code may be executed. When the code is not digitally signed or when the source is not trusted, the code may be rejected and not executed. The filter may be implemented as a web browser component or plugin, as well as a gateway device, proxy, or other service. The filter may also be implemented on the server side to reject incoming data that may include unauthenticated code. | 09-29-2011
20120331541 | SYSTEMS, METHODS, AND MEDIA FOR FIREWALL CONTROL VIA REMOTE SYSTEM INFORMATION - A method and system for controlling a firewall for a user computer system. One or more processors of the user computer system receive a control request to control a program of the user computer system by the firewall. The control request includes a condition pertaining to at least one process of a remote computer system. The at least one process is configured to be executed on the remote computer system. The firewall protects the user computer system from external threats. The processors store a remote system condition associated with the program of the user computer system. The remote system condition includes the condition pertaining to the at least one process. The processors ascertain whether the remote system condition is satisfied. The processors direct the firewall to block or allow the transmission of data if it is ascertained that the remote system condition is not satisfied or satisfied, respectively. | 12-27-2012
20110277028 | ASSIGNING A NETWORK ADDRESS FOR A VIRTUAL DEVICE TO VIRTUALLY EXTEND THE FUNCTIONALITY OF A NETWORK DEVICE - Virtually extending the functionality of a network device to a server is provided. A virtual device which virtually represents functionality of the network device is created. An association is stored between the network device and a user or a group for the network device. A determination is made as to whether the network device and the user or the group for the network device correspond to a local network or to a disparate network, based on the stored association. A network address for the virtual device is assigned based on the determination. Functionality of the network device is accessed via the virtual device, using the assigned network address for the virtual device. | 11-10-2011
20100229234 | SYSTEMS AND METHODS FOR DETECTING AND PREVENTING DENIAL OF SERVICE ATTACKS IN AN IPTV SYSTEM - An intrusion protection system is disclosed for an Internet based television service (IPTV) that detects unexpected conditions, including rogue terminals sending unexpected messages. The system comprises one or more firewalls that may implement a mirrored state machine which is specific to an application level protocol. The state machine is typically maintained for each user, and each message from a user may be analyzed to determine if it is an expected message. The message may also be analyzed to determine if it represents an unusual volume of messages from the user or otherwise represents some other unusual aspect associated with a rogue terminal or terminals. Information regarding unusual events is reported from the firewall to an intrusion protection system which can further analyze the events and other data, and report possible attacks to a network operations center. | 09-09-2010
20120291115 | METHOD AND APPARATUS FOR DYNAMIC HOST OPERATING SYSTEM FIREWALL CONFIGURATION - A method and apparatus for dynamic host operating system firewall configuration provides plural monitoring processes to monitor the firewall configuration of a host operating system and guest operating systems. When any firewall configuration change is detected by a monitor in a monitored guest operating system, an appropriate corresponding firewall change is made by the monitor to the host operating system. | 11-15-2012
20100199345 | Method and System for Providing Remote Protection of Web Servers - Techniques for preventing attacks on web servers are provided. In one embodiment, a secure web application firewall ("WAF") service server is provided to protect one or more web servers from malicious activity. The secure WAF service server is located at a location that is remote from the one or more web servers. Incoming traffic to the web servers and outbound traffic from the web servers is directed through the secure WAF service server. A secure WAF associated with the secure WAF service server analyzes the incoming and outbound traffic and can perform various responsive actions if malicious activity is detected. | 08-05-2010
20100199343 | CLASSIFICATION OF WIRED TRAFFIC BASED ON VLAN - Controlling access and capabilities on wired digital networks. According to the invention, rather than using port-centric controls, multiple virtual local area networks (VLANs) are supported by a wired controller, and these VLANs may be terminated on multiple physical ports. Capabilities are then assigned on a VLAN basis, for example no access, trusted access, or untrusted access, with default capabilities assigned to the port when no VLAN is used. Trusted access VLANs are not subject to authentication or firewalling. Untrusted VLANs are subject to authentication and firewalling, which may be configured as required for the VLAN and its authorized users. | 08-05-2010
20100146616 | COOPERATION FOR CONSUMER AND SERVICE PROVIDER MOCA NETWORKS - Embodiments may be disclosed herein that provide systems, devices, and methods of operating a Multimedia over Coax (MoCA) network. One such embodiment is a method comprising: designating a selected MoCA device as a network controller; and logically partitioning, into virtual MoCA networks, a predetermined bandwidth reserved for the MoCA network by sending, from the network controller, one or more beacons containing virtual network information. | 06-10-2010
20100132028 | METHOD FOR IMPLEMENTING SECURITY-RELATED PROCESSING ON PACKET AND NETWORK SECURITY DEVICE - Embodiments of the present invention provide a method for implementing security-related processing on a packet, and a network security device. A relationship is established between stream attribute information of an initial packet of a stream and the security-related processing information applied to that initial packet; when a succeeding packet of the stream is received, the previously stored relationship is retrieved according to the stream attribute information of the succeeding packet, and the security-related processing is applied to the succeeding packet according to the security-related processing information in the relationship. Therefore, with the method for implementing security-related processing on a packet and the network security device provided by the present invention, the process of searching for security information entries for succeeding packets of a stream is not required, the security-related processing of the packet is thus accelerated, and packet processing efficiency is improved. | 05-27-2010
20100132026 | Selective Web Content Controls for MFP Web Pages Across Firewalls - Devices, methods, and computer-readable media for tagging web page content according to a content access level for entry into a web page content database, and filtering in response to a dynamic web page construction request based on the access level of the requesting source. | 05-27-2010
20120151571 | "Push" Keep-Alive Mechanism For SIP User Agents Located Behind NATs/Firewalls - A user equipment (UE) and method are provided, having one or more components configured to receive a non-session-initiation-protocol (non-SIP) notification from a SIP entity and, in response, to send a ping request to the SIP entity, the one or more components further configured to receive a SIP request from the SIP entity. A network component and method are also provided that include one or more components configured to send a non-SIP notification to a user equipment (UE), to receive a ping request from the UE, and further to send a SIP request to the UE. | 06-14-2012
20130019301 | SYSTEMS AND METHODS FOR INTEGRATION BETWEEN APPLICATION FIREWALL AND CACHING - The present invention is directed towards integrating cache managing and application firewall processing in a networked system. An integrated cache/firewall system comprises an application firewall operating in conjunction with a cache managing system in operation on an intermediary device. The application firewall processes a received HTTP response to a request by a networked entity serviced by the intermediary device. The application firewall generates metadata from the HTTP response and stores the metadata in cache with the HTTP response. When a subsequent request hits in the cache, the metadata is identified to a user session associated with the subsequent request. The application firewall can modify a cache-control header of the received HTTP response, and can alter the cookie-setting header of the cached HTTP response. | 01-17-2013
20110162059 | APPARATUS AND METHOD FOR SECURE REMOTE PROCESSING - A method and apparatus for providing on-demand services to an organization. The services are provided by a hosting center. The apparatus comprises an on-premises connectivity agent at the organization, which receives requests or commands from computing platforms within the organization and concentrates all communication to and from the hosting center. The on-premises connectivity agent embeds or otherwise introduces organization metadata into the messages. The apparatus further comprises a hosted connectivity agent associated with the hosting center. The apparatus may further comprise a central connectivity component for routing communication between the on-premises connectivity agent and the hosted connectivity agent, in accordance with the metadata. Communication between the on-premises connectivity agent and the central connectivity component flows through a secure channel and comprises only communications related to the organization. Communication between the central connectivity component and the hosted connectivity agent may comprise communications related to multiple organizations. Such communications may be multiplexed. | 06-30-2011
20080250487 | Systems For Firewall Protection Of Mass Storage Devices - The present invention discloses a URD including: a non-volatile storage memory having program code, wherein said program code is configured to enable a network protocol for communicating with a host system; and a controller for controlling operations performed on said storage memory. Preferably, the storage memory includes flash memory. Also disclosed is a system including: a host system having a firewall; and a URD having a non-volatile storage memory, wherein said storage memory includes program code, and wherein said program code is configured to enable a network protocol, said URD operationally connected to said host system; wherein said firewall is configured to provide security measures related to said URD. Preferably, the firewall is a software firewall or a hardware firewall. | 10-09-2008
20080222716 | COMMUNICATION SYSTEM, IPsec TUNNEL TERMINATION DEVICE, AND IPsec TUNNEL COMMUNICATION CONTINUATION METHOD USED FOR THEM - A control unit of a connection destination device assigns a connection destination device address to a virtual line unit. In response to an instruction from the control unit, the virtual line unit sets a line as an active line to be used for communication and, to make it appear to an external device that the connection destination device address is assigned to the line, notifies a preceding-stage device that the line has the connection destination device address. Thereafter, the line is used to establish, communicate over, or disconnect an IPsec tunnel from a connection source device to the connection destination device. | 09-11-2008
20080222715 | Enhanced Personal Firewall for Dynamic Computing Environments - An enhanced personal firewall system having an inter-firewall connection listener which binds to a specified communications port and listens for inbound and/or outbound connection requests; and an inter-firewall controller which establishes trusted communications through a local firewall and a remote firewall by exchanging public keys and a signed trusted computer firewall request, and using the keys to determine if a local key storage indicates previous authorization of trusted communications. If not, then a user of the targeted resource is notified and prompted to authorize the access. If so, then the firewall rules protecting the targeted resource are modified, even if temporarily, to allow the requesting firewall to have trusted access. | 09-11-2008
20130179963 | COMPUTERS AND MICROCHIPS WITH MULTIPLE INTERNAL HARDWARE FIREWALLS - An apparatus for a network of computers is presented. A plurality of inner firewalls operate within a personal computer. The personal computer operates in a network of computers and includes at least one microprocessor and at least two memory components. The plurality of inner firewalls deny access to a first memory component of the personal computer by another computer through a network connection with the personal computer during a shared operation. The plurality of inner firewalls also allow access to a second memory component of the personal computer by the other computer through the network connection with the personal computer during the shared operation. | 07-11-2013
20120254976 | DIRECTORY SERVER FOR AUTOMATIC NETWORK INFORMATION ACCESS SYSTEMS - Systems, apparatus and methods are described for providing information access to network devices. A directory server registers identification information about a first network device coupled to a first network. The first network and the directory server may be coupled to a second network, which may include a wide area network, public network, or the Internet. The identification information may include a network address of the first network device on the first network, or a network address of the first network on the second network. The directory server may receive and process requests for identification information about registered network devices, and may selectively reply to the requests based on status information of the first network device. | 10-04-2012
20120254973 | DATA PROTECTION DEVICE FOR COMPUTERS - A data protection device includes a storage unit, a hard disk drive (HDD) controller, a first switch, a network card, and a main control unit. The main control unit prevents the network card from communicating with communication networks when the first switch connects the HDD controller to the storage unit, and directs the first switch to disconnect the HDD controller from the storage unit when the network card is allowed to communicate with the communication networks. | 10-04-2012
20110225646 | POLICY-BASED CONTENT FILTERING - Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a network connection is redirected by a networking subsystem implemented within a kernel of an operating system of a firewall device to a proxy module within the firewall device that is configured to support a network service protocol associated with the network connection. The proxy module retrieves one or more content processing configuration schemes associated with a matching firewall policy for the network service protocol and the network connection. The content processing configuration schemes each include multiple content processing configuration settings for each of one or more network service protocols. Application-level content of a packet stream associated with the network connection is then processed by the proxy module reassembling the application-level content from multiple packets of the packet stream and scanning the application-level content based on the retrieved content processing configuration schemes. | 09-15-2011
20110225645BASIC ARCHITECTURE FOR SECURE INTERNET COMPUTERS - Hardware or firmware-based firewalls or other access barriers are disclosed. The firewalls or access barriers establish one or more private units disconnected from a public unit that is connected to the Internet. One or more of the private units have a connection to one or more secure non-Internet connected private networks.09-15-2011
20110231924METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR PROVIDING APPLICATION LAYER FIREWALL AND INTEGRATED DEEP PACKET INSPECTION FUNCTIONS FOR PROVIDING EARLY INTRUSION DETECTION AND INTRUSION PREVENTION AT AN EDGE NETWORKING DEVICE - Methods, systems, and computer readable media for an application layer firewall function including an integrated deep packet inspection function for providing early intrusion detection and intrusion prevention at an edge networking device are disclosed. According to one method, steps are performed at a session controller configured to operate at the border of a first network and a second network. The steps include receiving, at an intrusion protection system (IPS) module of the session controller interfacing with modules associated with layers 2 and above of a protocol stack of the session controller, information gathered by modules located at lower layers and associated with an intrusion attempt, vulnerability, or other security policy violation. In response to receiving the information, the IPS module provides at least one of a security policy and a rule to a module located at the most appropriate layer for securing the intrusion attempt, vulnerability, or other security policy violation.09-22-2011
20130152186FILTERING KERNEL-MODE NETWORK COMMUNICATIONS - Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filter communications based on a process' operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system.06-13-2013
20130152187METHODS AND APPARATUS FOR MANAGING NETWORK TRAFFIC - Methods, apparatus, and computer readable storage media reduce or eliminate network traffic meeting criteria. In some aspects, network traffic transmitted by one or more source nodes to one or more destination nodes may comprise a denial of service attack against the destination node(s). At least a portion of the denial of service attack traffic may be reduced or eliminated with the disclosed methods and apparatus. In one aspect, a method of managing undesirable network traffic transmitted from a source node to a destination node over a communications network includes receiving a notification of a routing rule change, authenticating the notification, determining a network routing rule based on the notification, applying the network routing rule, determining a network path toward the source node, determining an entity based on the network path, and transmitting a notification of the routing rule change to the entity.06-13-2013
20120260331Network Firewall Host Application Identification and Authentication - Systems for providing information on network firewall host application identification and authentication include an identifying and transmitting agent on a host computer, configured to identify each application in use, tag the application identity with a host identity, combine these and other information into a data packet, and securely transmit the data packet to the network based firewall. The embodiment also includes an application identity listener on the network based firewall, configured to receive the information data packet, decode the data packet and provide to the network based firewall the identity of the application. The network based firewall is provided with an application-awareness via an extension of firewall filtering or security policy rules via the addition of a new application identity parameter upon which filtering can be based. Other systems and methods are also provided.10-11-2012
20130185785SYSTEM AND METHOD FOR INITIALIZING AND MAINTAINING A SERIES OF VIRTUAL LOCAL AREA NETWORKS CONTAINED IN A CLUSTERED COMPUTER SYSTEM - A system and method for sharing network resources; the system comprising at least one network switch, at least one computing device comprising at least one network connection and at least one storage device containing software capable of initializing and maintaining: (i) a management local area network (MLAN) comprising a virtual or physical firewall; and (ii) a plurality of client virtual local area networks (VLANs), wherein each client VLAN comprises a virtual firewall and a plurality of network resources.07-18-2013
20110314535NULL-PACKET TRANSMISSION FROM INSIDE A FIREWALL TO OPEN A COMMUNICATION WINDOW FOR AN OUTSIDE TRANSMITTER - A high-bandwidth direct communication path between two clients is used for voice or video calls over the Internet. An opening or a window in a firewall is made for the direct path by sending a null packet out from inside the firewall. The null packet can be a UDP packet directed to a UDP port of the other client. Initially, each client makes a TCP connection to port 12-22-2011
20110321151Methods And Systems For Providing Context-Based Outbound Processing Application Firewalls - Outbound processing with application firewalls. An outbound message is generated with an application. The outbound message includes at least a trustworthiness indicator and/or marking information for the one or more portions of the outbound message. The outbound message is received by an application firewall. The outbound message is analyzed based on the trustworthiness indicator and/or marking information, and context information. An action is performed on the outbound message based on the trustworthiness indicator and/or marking information, and the context information.12-29-2011
20110321150Methods And Systems For Context-Based Application Firewalls - Context-based application firewall functionality. A user session is initiated with a client device. The user session allows access a remote resource on a server device coupled with the client device over a network. The connection between the client device and the remote resource is through an application firewall. An application firewall context setup is performed with the application firewall in response to the user session. The application firewall context comprises firewall context information to be used during the user session to perform network and application security operations with the application firewall. A response is created to provide information from the remote resource to the client device. The response includes metadata to be used to update the firewall context information. The firewall context information is updated with the application firewall based on the metadata. The response is transmitted to the client device.12-29-2011
20120005741FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS - Methods and systems for an intelligent network protection gateway (NPG) are provided. According to one embodiment, a firewall prevents unauthorized network-lawyer access to internal hosts by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall facilitates concurrent management of multiple incoming VoIP calls by providing multiple VoIP ports and advertising multiple IP address/VoIP port pairs corresponding to internal hosts. When incoming VoIP packets are received, the packets are directed to an appropriate internal host by the firewall performing port forwarding based on a port indication contained within the packets to a server or gatekeeper within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts.01-05-2012
20120030748COMPUTERS AND MICROCHIPS WITH AN INTERNAL HARDWARE FIREWALL AND AT LEAST ONE MICROPROCESSOR PROCESSING UNIT OUTSIDE THE FIREWALL - This invention generally relates to one or more computer networks having computers like personal computers or network servers with microprocessors linked by broadband 5 transmission means and having hardware, software, firmware, and other means such that at least one parallel processing operation occurs that involve at least two computers in the network. More particularly, this invention relates to one or more large networks composed of smaller networks and large numbers of computers connected, like the Internet, wherein more than one separate parallel processing operation involving more than one different set of computers occurs simultaneously and wherein ongoing processing linkages can be established between virtually any microprocessors of separate computers connected to the network. Still more particularly, this invention relates to business arrangements enabling the shared used of network microprocessors for parallel and other processing, wherein personal computer owners provide microprocessor processing power to a network, preferably for parallel processing, in exchange for network linkage to other personal and other computers supplied by network providers, including linkage to other microprocessors for parallel or other processing; the basis of the exchange between owners and providers being whatever terms to which the parties agree, subject to governing laws, regulations, or rules, including payment from either party to the other based on periodic measurement of net use or provision of processing power.02-02-2012
20120030747Computers and microchips with at least one internal hardware firewall and at least two microprocessors or processing units outside the at least one firewall - A computer, comprising: at least one internal hardware firewall; at least two microprocessors being located outside of the at least one internal hardware firewall; and the at least two microprocessors being separate from the at least one internal hardware firewall.02-02-2012
20120030746Devices and Methods for Using HTTP Encapsulation to Access Web Resources - Embodiments provide a method of a system accessing web resources using HTTP encapsulation, by for example, a method that may include the steps of: (a) receiving, by an HTTP-encapsulator server component, HTTP request data from a web client; (b) saving, by the HTTP-encapsulator server, the HTTP request data; (c) creating, by the HTTP-encapsulator server, a first web resource accessible through an endpoint Uniform Resource Locator (URL); (d) creating, by the HTTP-encapsulator server, a second web resource containing data, wherein the data comprises: a URL to access the first web resource; and an endpoint URL pointing to a file handler on the HTTP-encapsulator server; (e) fetching, by an HTTP-encapsulator client of a local computing device, a command data of the HTTP-encapsulator server; (f) receiving, by the HTTP-encapsulator client, the command data of the HTTP-encapsulator server comprising a retrieval instruction to a data file stored at the local computing device as a destination page; (g) and generating, by the HTTP-encapsulator client, a response to the request of the HTTP-encapsulator server, based on a protected network resource; and (h) sending the generated response to the URL endpoint of the HTTP-encapsulator server hosted at the source external to the HTTP-encapsulator client of the local computing device.02-02-2012
20130198829SYSTEM TO RETRIEVE AND DISTRIBUTE IMAGES IN REAL TIME - An image-data acquisition and display system coupled to a network provides a first specified data to an interactive control server system to be accessed by a user for acquiring a second specified data based on the first specified data, and receives third specified data from the ICSS, includes: identifying information associated with the system; a server for coupling to the network for transmitting the identifying information to the ICSS via the network; and a tunnel client coupled to the network to establish, based on the identifying information, a communications tunnel through a firewall to exchange data wait the ICSS via the tunnel, to allow data/commands to be received by and transmitted from the system through the firewall to the ICSS over the network. The firewall allows the third specified data to be received by the system though the tunnel and prevents data/commands from being received by the system.08-01-2013
20120096537BASIC ARCHITECTURE FOR SECURE INTERNET COMPUTERS - A method of securely controlling through a private network a computer protected by a hardware-based inner access barrier or firewall and optionally configured to operate as a general purpose computer connected to the Internet, comprising: two separate network connections separated by an inner hardware-based access barrier or inner hardware-based firewall protecting a private network connection configured for connection to a private network of computers but not protecting a public network connection configured for connection to a public network configured to include the Internet, the method including the step of controlling at least one operation of the computer, the control being provided through the private network and the operation involving data and/or code transmitted to the public network. Another method includes the step of controlling an operation of a second or third private protected unit of the computer, the control being provided through a second or third private network, respectively.04-19-2012
20120096536Data Security System - A method, computer system, and computer program product for validating data contained in a request sent by a requestor to a server application. A computer receives the request from the requestor before receipt of the request by the server application. The computer identifies a set of data validation rules to apply to the data in the request based on a data format specification contained in the request sent by the requestor. The computer determines whether the data is valid based on the identified set of data validation rules. The computer forwards the request to the server application in response to the computer determining that the data is valid based on the identified set of data validation rules.04-19-2012
20130212668Suspension of Processes in Industrial Control System When an Anomaly Occurs - A method for suspension of processes in an industrial control system includes detecting at least one anomaly in an industrial control system; notifying a controller of the at least one anomaly; accessing a database comprising emergency suspend procedures; sending a stream comprising at least one emergency suspend command through at least one firewall/gateway to at least one downstream zone; and terminating or suspending a process in the at least one zone.08-15-2013
