
Proxy server or gateway

Subclass of:

726 - Information security

726002000 - ACCESS CONTROL OR AUTHENTICATION

726003000 - Network

726011000 - Firewall

Patent class list (only non-empty classes are listed)

Deeper subclasses:

Entries
DocumentTitleDate
20080313728INTERSTITIAL PAGES - A reverse proxy server can provide access to web applications. The reverse proxy system can produce interstitial pages not generated with the web application code and optionally block access to the web application until the interstitial pages have been processed.12-18-2008
20090037999Packet filtering/classification and/or policy control support from both visited and home networks - A method of supporting access to a selected Internet Protocol (IP) multimedia application via an IP Multimedia Subsystem (IMS) is provided for a roaming mobile node (MN)—i.e., user equipment (UE) (02-05-2009
20120246711PORTABLE MULTI-MEDIA AUTOMATIC AUTHENTICATING ROUTER AND METHOD FOR AUTOMATICALLY ROUTING STORED DATA - A computer program product and automatic authenticating router device for automatically routing stored data from a single device to at least one remote storage location is provided. The router device includes the computer program product. The computer program product includes a computer readable medium bearing software instructions for enabling predetermined operations. The predetermined operations include detecting an availability of a proximal network; automatically establishing a connection with the at least one remote storage device based on the availability of the proximal network; automatically recognizing a data type of a data file stored on the single device; associating routing information with the data file based on the data type; and automatically uploading the data file from the single device to the remote storage device based on the routing information.09-27-2012
20090158417Anti-replay protection with quality of services (QoS) queues - An embodiment of the present invention includes a technique to provide anti-replay protection with QoS queues. A single global anti-replay window is maintained to have global lowest and highest sequence numbers for an Internet protocol security (IPSec) security association (SA). The single global anti-replay window is associated with individual differentiated services code point (DSCP) or DSCP group, the individual DSCP or DSCP group corresponding to individual per-DSCP anti-replay windows. A received packet having a sequence number is pre-processed before packet processing using the single global anti-replay window. The received packet is post-processed after packet processing using the individual per-DSCP anti-replay windows.06-18-2009
20090158418SYSTEMS AND METHODS FOR PROVIDING A VPN SOLUTION - A system, apparatus and a method for implementing a secured communications link at a layer other than that at which packets are filtered are disclosed. In one embodiment, a computer system is configured to form a virtual private network (“VPN”) and comprises an address inspection driver to identify initial target packet traffic addressed to a target server. Also, the computer system includes a pseudo server module to receive rerouted initial target packet traffic from the address inspection driver. The pseudo server module is configured to convey packet regeneration instructions to a VPN gateway. The address inspection driver functions to identify additional target packet traffic addressed to the target server and routes the additional target packet traffic to the pseudo server. In one embodiment, the pseudo server is configured to strip header information from the additional target packet traffic to form a payload, and thereafter, to route the payload to the target.06-18-2009
20100107237COMMUNICATION SYSTEM, RELIABLE COMMUNICATION MECHANISM, AND COMMUNICATION METHOD USED FOR THE SAME - Provided is a communication system capable of fundamentally preventing an attack from an unspecified counterpart and resolve problem even when a problem occurs in a user terminal or client and a server. A mediation server (04-29-2010
20100107236NETWORK SYSTEM, COMMUNICATION METHOD, COMMUNICATION TERMINAL, AND COMMUNICATION PROGRAM - Provided is a network system which attains effective prevention of information leakage without having a user recognize existence of spy ware or the like operating on a user terminal.04-29-2010
20100107235METHOD AND COMMUNICATION SYSTEM FOR ACCESSING A WIRELESS COMMUNICATION NETWORK - A method for accessing a wireless communication network is described, comprising collocating a Proxy Agent apparatus with an Access apparatus and determining in a Mobile Gateway apparatus an address of the Access apparatus. The Proxy Agent apparatus comprises information about a Master apparatus, the Master apparatus being adapted for executing a master function. The method further comprises indicating a message, to be handled by the master function, as a master function message and sending the master function message to the address of the Access apparatus. Furthermore, the method comprises diverting in the Access apparatus the master function message to the Proxy Agent apparatus and forwarding the master function message to a Proxy Relay apparatus for relaying the master function message to the Master apparatus.04-29-2010
20100024026Application gateway system and method for maintaining security in a packet-switched information network - A method and apparatuses are disclosed for handling digital data packets at a logical borderline that separates an untrusted packet-switched information network from a protected domain. A packet processor part intercepts a packet that is in transit between the untrusted packet-switched information network and the protected domain. The packet is examined at the packet processor part in order to determine, whether the packet contains digital data that pertains to a certain protocol. If the packet is not found to contain such digital data, it is processed at the packet processor part. If the packet is found to contain digital data that pertains to said certain protocol, it gets redirected to an application gateway part that processes the packet according to a set of processing rules based on obedience to said certain protocol. The packet processor part is a kernel mode process running in a computer device and the application gateway part is a user mode process running in a computer device.01-28-2010
20090126002SYSTEM AND METHOD FOR SAFEGUARDING AND PROCESSING CONFIDENTIAL INFORMATION - One aspect of the invention is a method for providing restricted access to confidential services without impacting the security of a network. The method includes using a gateway to isolate one or more components providing confidential services from one or more other portions of an enterprise network. A first communication directed to a selected one of the one or more components may be received at the gateway. A determination may be made as to whether the first communication is user traffic or management traffic. The first communication may then be authenticated. If the first communication is user traffic, the first communication is forwarded to a component providing the confidential services. If the first communication is management traffic, the first communication is encrypted and forwarded to a component providing the confidential services. Additionally, components of the sub-network may be monitored to identify malicious changes.05-14-2009
20100095369Gateway Registry Methods and Systems - A gateway device for managing a set of two or more local management devices at a location. A system for networks at a plurality of locations. A method of operating a gateway device in a control network. A method for storing information to operate a gateway device in a control network. A method for storing information to operate a replacement gateway device in a control network.04-15-2010
20100095368HOME NODE B ACCESS CONTROL METHOD AND SYSTEM - A home Node B access control method provided herein includes: by a security access gateway, receiving access request information from a home Node B; forwarding the access request information to a network node capable of authenticating; and exercising access control for the home Node B according to the authentication result. A home Node B access control system is also provided herein. The method and the system for controlling the home Node B access ensure the security of the mobile network, stability of the wireless environment, and implementation of the operator policies. The access control is performed before the network allocates resources to the home Node B, thus avoiding waste of network resources and preventing unqualified home Node Bs from accessing the network.04-15-2010
20130047249Method And Apparatus For Token-Based Packet Prioritization - According to one embodiment, an apparatus may receive a hard token that identifies a device and a subject token indicating that a user is a high priority user. The subject token may include a user identifier associated with the high priority user. The apparatus may apply a token-based rule that facilitates packet prioritization in response to receiving the subject token. In response to applying the token-based rule, the apparatus may communicate a notification token to at least one network component. The notification token may include the user identifier associated with the high priority user, the device identifier associated with the device, and instructions to prioritize any packet communications associated with the user identifier or the device identifier. The apparatus may then communicate at least one token to facilitate the provisioning of a container to the device associated with the high priority user.02-21-2013
20090064308SECURITY GATEWAY SYSTEM, METHOD THEREOF, AND PROGRAM - A non-secure network gateway 03-05-2009
20090044261SYSTEM AND METHOD FOR SECURE DUAL CHANNEL COMMUNICATION THROUGH A FIREWALL - A server including a dual channel communications module operable to establish a communication session between the server and a client is provided. The server may be operable to receive a dual channel communication packet from the client. In a particular embodiment, the dual channel communication packet may include a header in a data payload. The header includes a client external IP address, and the data payload includes an encoded port command having a client internal IP address and a client data port number. A codec operable to decode the port command may also be provided. The server may also include a translation module for retrieving the client external IP address from the header. In a particular embodiment, the server is operable to establish data channel coordinates including the client external IP address, the client data port number, a server internal IP address and a server data port number.02-12-2009
20120192263ACCESS GATEWAY AND METHOD FOR PROVIDING CLOUD STORAGE SERVICE - An access gateway establishes a link with at least one terminal device via a user interface module, and obtains a cloud storage service list from a backend server. The access gateway selects one cloud storage service from the cloud storage service list, and authenticates one cloud storage service provider server corresponding to the selected cloud storage service to obtain a backend uniform resource locator (URL). The access gateway downloads backend software from the one cloud storage service provider server according to the backend URL, and installs the backend software. The access gateway provides cloud storage service from the one cloud storage service provider server to the at least one terminal device according to the installed backend software.07-26-2012
20130074174FIREWALL ACCESS CONTROL WITH BORDER GATEWAY PROTOCOL ATTRIBUTES - Packets are routed from at least one internet protocol (IP) address in accordance with border gateway protocol (BGP); while carrying out the routing in accordance with the border gateway protocol (BGP), at least one border gateway protocol (BGP) attribute associated with the at least one internet protocol (IP) address is noted. A firewall policy is applied to the packets from the at least one internet protocol (IP) address based on the at least one border gateway protocol (BGP) attribute associated with the at least one internet protocol (IP) address. Techniques may be implemented, for example, on a router or on a separate firewall device coupled to a router.03-21-2013
20130074175Methods, Systems, and Computer Program Products for Protecting Against IP Prefix Hijacking - A communication network is operated by identifying at least one potential hijack autonomous system (AS) that can be used to generate a corrupt routing path from a source AS to a destination AS. For each of the at least one potential hijack AS the following operations are performed: identifying at least one regional AS that is configured to adopt the corrupt routing path from the source AS to the destination AS and determining a reflector AS set such that, for each reflector AS in the set, a source AS to reflector AS routing path and a reflector AS to destination AS routing path do not comprise any of the at least one regional AS. A reflector AS is then identified that is common among the at least one reflector AS set responsive to performing the identifying and determining operations for each, of the at least one potential hijack AS.03-21-2013
20090271859SYSTEMS AND METHODS FOR RESTRICTING EVENT SUBSCRIPTIONS THROUGH PROXY-BASED FILTERING - A system, method and filter are provided for restricting event subscriptions. The system includes an event server, such as a session initiation protocol (SIP) event server, capable of maintaining at least one event. Also, the system includes a network entity, such as a requester, capable of sending a subscription message, such as a SIP SUBSCRIBE message, subscribing to the event. Further, the system includes a proxy, such as an SIP proxy, associated with the event server, and in coupled between the event server and the network entity. In this regard, the proxy is capable of receiving the subscription message. The system also includes a filter capable of receiving the subscription message from the proxy. Thereafter, the filter can determine whether the network entity is an authorized subscriber. Then, if the network entity is an authorized subscriber, the proxy can forward the subscription message to the event server.10-29-2009
20090271858Method For Connecting Unclassified And Classified Information Systems - A method and system that enables the connection of an unclassified information system to a classified information system while meeting all government requirements. The system utilizes a combination of COTS technologies (e.g., a Trusted Gateway System, type-2 encryption software, etc.), local administrative policies, and scriptable software applications.10-29-2009
20090055920Systems And Methods For Establishing A Communication Session Among End-Points - Systems and methods for establishing a communications session among end-points are shown and described. The method can include receiving, from a client computing device at a gateway computing device, a request to establish a communication session with an end-point, the client computing device executing a program that locates address information for the end-point within application output displayed at the client computing device and forwarding at least a portion of the received request to a private branch exchange in communication the gateway computing device, the at least a portion of the received request including the address information of the end-point and address information associated with an end-user of the client computing device.02-26-2009
20120117641METHODS AND APPARATUSES FOR PROVIDING INTERNET-BASED PROXY SERVICES - A proxy server receives, from multiple visitors of multiple client devices, a plurality of requests for actions to be performed on identified network resources belonging to a plurality of origin servers. At least some of the origin servers belong to different domains and are owned by different entities. The proxy server and the origin servers are also owned by different entities. The proxy server analyzes each request it receives to determine whether that request poses a threat and whether the visitor belonging to the request poses a threat. The proxy server blocks those requests from visitors that pose a threat or in which the request itself poses a threat. The proxy server transmits the requests that are not a threat and is from a visitor that is not a threat to the appropriate origin server.05-10-2012
20090013399Secure Network Privacy System - The invention provides a method and system of receiving communications from a network device in a network to a source of network data and establishing a secure and/or authenticated network connection between the network device and the source that appears to the network device as a direct connection to the source of network data. Broadly conceptualized, the method and system may also include a parsing module that modifies the network data passing back and forth between the network device and the source of network data.01-08-2009
20090007253FILTERING TECHNIQUE FOR PROCESSING SECURITY MEASURES IN WEB SERVICE MESSAGES - A message gateway apparatus is provided for use in a web service system to process a message containing a request for a destination web service application, in which the message includes a plurality of events within a structured document conforming to a web service protocol and each event of the plurality of events has a name and a content thereof. The message gateway apparatus comprises a message parsing module configured to sequentially identify the events of the plurality of events of the message, an input object creation module configured to sequentially extract the events of the plurality of events from the message parsing module, and a message filtering module configured to sequentially access the events of the plurality of events as the events are extracted from the message parsing module by the input object creation module to analyze the name of each event and perform security processing on the content of each event for which the corresponding name indicates that security measures have been applied according to a security protocol. The input object creation module is configured to construct an input object including input parameters for the destination web service application based on the message. The input object creation module constructing the input object by adding a representation of each event of the plurality of events to the input object after each event is accessed by the message filtering module.01-01-2009
20090007252System and Method for Implementing Proxy-Based Auto-Completion on a Network - A system and method for implementing forward proxy based auto-completion on a network, wherein the network includes a data center, at least one forward proxy, and a collection of clients coupled to the at least one forward proxy. The data center marks at least one input field in an application as relevant for auto-completion. In response to detecting a first client accessing the at least one input field in the application to input at least one data entry, the forward proxy parses the at least one data entry entered into the at least one input field. The forward proxy ranks by frequency of entry the at least one data entry entered into the at least one input field. In response to detecting a second client accessing the at least one input field in the application to input at least one data entry, the forward proxy performs auto-completion on the at least one input field, wherein the auto-completion includes displaying a collection of past data entries in an order of the ranking to facilitate completion of the at least one input field.01-01-2009
20120240213GATEWAY DEVICE AND METHOD FOR USING THE SAME TO PREVENT PHISHING ATTACKS - A gateway device that is in electronic connection with at least one client computer, a first domain name system (DNS) server located in a first communication network, and a second DNS server located in a second communication network separated from the first communication network. When a domain name is transmitted to both the first DNS server and the second DNS server, the first DNS server and the second DNS server respectively resolve the domain name into two groups of internet protocol (IP) addresses, and the gateway device compares the two groups of IP addresses with each other to select one of the two groups of IP addresses that is identified as all IP addresses of which are safe, and allows the client computer to access websites within the first communication network via the selected group of IP addresses to prevent the client computer from phishing attacks.09-20-2012
20100175122SYSTEM AND METHOD FOR PREVENTING HEADER SPOOFING - A system and method for preventing spoofing including a receiver at a session border controller (SBC) configured to receive a message from a network element, wherein the message is a request for network access and the message comprises a first source information. The system and method may also include one or more processors at the session border controller (SBC) configured to identify an identifier associated with the network element, wherein the identifier corresponds to a second source information, and to replace the first source information in the message received from the network element with the second source information corresponding to the identifier of the network element. The system and method may also include one or more databases configured to store the second source information. The system and method may also include a transmitter at the session border controller (SBC) configured to transmit the message with the second source information to a service provider proxy for granting network access. In another embodiment, network access may be denied in the event it is determined that the first source information in the message received from the network element with the second source information corresponding to the identifier of the network element are different.07-08-2010
20130024928SECURE NETWORK COMMUNICATIONS FOR METERS - A system and method are provided for secure network communications. A proxy server receives meter data, from a meter of a set of meters via a local network, for an energy management server. The proxy server uses secure communications to send the meter data via a non-secure network to the energy management server.01-24-2013
20090172801PERFORMANCE ENHANCING PROXY - One embodiment of the present invention may take the form of a method and a system for performance enhancing proxy (PEP). A PEP system may include a configuration of software components and hardware devices to increase the performance of a two-way satellite broadband service. The PEP system may include one or more embodiments to reduce the time necessary for users to transmit and receive data provided through a communication network.07-02-2009
20090049537System and Method for Distributed Multi-Processing Security Gateway - A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.02-19-2009
20110289579UNIFIED CONTENT SCANNING AND REPORTING ENGINE - A method of unified content scanning in which content is deconstructed into base formats so as to be presented to content filters in a common format. The base formats include text, image and audio. The invention also includes a system of unified content scanning and a gateway appliance embodying the method of unified content scanning.11-24-2011
20110289580NETWORK SECURITY SYSTEM AND REMOTE MACHINE ISOLATION METHOD - In a thin client system in which clients are connected to remote machines via a network so as to implement transactions, a remote machine infected with a virus is isolated from the network in response to a user's instruction on each client whilst communication settings minimally required for transactions are maintained. That is, a request issue agent issues an isolation request in response to a user input, so that a request execute agent changes communication settings of the remote machine in response to the isolation request. In an isolated state of a remote machine isolated from the network, a management server is allowed to change network settings regarding the remote machine with reference to a disconnection setting file, which stores communication settings minimally required for the remote machine in advance.11-24-2011
20110296517METHOD AND APPARATUS FOR PROVIDING REACTIVE AUTHORIZATION - An approach is provided for providing reactive authorization for accessing a semantic network resource. An access application of a resource owner entity detects an authorization proxy entity acting between at least a semantic network resource and a requesting entity that requests access to the semantic network resource. The access application determines to cause, at least in part, actions that result in transmission of a query for whether to accept the requesting entity to an owner entity of the semantic network resource.12-01-2011
20090113536Digital Rights Management (DRM) Enabled Portable Playback Device, Method and System - A method for enabling access to digital rights managed (DRM) content from a server to a portable playback device using a device that functions as a proxy for enabling communication between the server and the portable playback device. The method provides for establishing a connection with a device capable of operating as a gateway device for passing data between the portable playback device and the server, requesting that the device establish a connection with the server and operate as a proxy for enabling data exchange between the portable playback device and the server, sending to the server, upon establishing the connection with the server via the device operating as a proxy, data indicating DRM solutions supported by the portable playback device, and a list comprising requested DRM content to be downloaded to the portable playback device, and receiving from the server, via the device operating as a proxy, the requested DRM content and DRM rules associated with the received content.04-30-2009
20090119766Method for Remotely Accessing a Local Area Network, and Switching Node for Carrying Out the Method - The invention relates to the technical field of data transmission in a network of distributed stations. One problem particularly with a UPnP-based home network is that although the network-internal communication is based on the IP protocol, the allocated IP addresses are valid only locally and they therefore cannot be accessed via the Internet. This is the starting point of the invention, which proposes that remote access to the network have the network's switching node provide address conversion which is effected using an internally managed table about the devices which are present in the network and their IP addresses. For the remote access, the globally valid IP address of the switching node is used, with an additional information item being additionally provided in the HTTP Get remote access and allowing the address conversion. A suitable additional information item is the converted local IP address of the network station which is to be addressed, in particular. The response to the remote access involves the inverse address conversion, so that the references back to the local area network again contain the globally valid address of the switching node plus the additional information item.05-07-2009
20090165114Takeover Processes in Security Network Integrated with Premise Security System - An integrated security system is described comprising a gateway located at a first location. The gateway includes a takeover component that establishes a coupling with a first controller of a security system installed at the first location. The security system includes security system components coupled to the first controller. The takeover component automatically extracts security data of the security system from the first controller. The gateway automatically transfers the security data extracted from the controller to a second controller. The second controller is coupled to the security system components and replaces the first controller.06-25-2009
20100115602METHOD AND SYSTEM FOR SECURING DATA FROM AN EXTERNAL NETWORK TO A NON POINT OF SALE DEVICE - A data control system allows non-point of sale devices (05-06-2010
20120110655DATA TRANSMISSION MANAGEMENT SERVER AND METHOD - A data transmission management server for managing a terminal device to access a network resource providing server by a source gateway in a virtual private network (VPN) obtains current resource information of a plurality of gateways in the VPN periodically. The data transmission management server selects one from the gateways as a destination gateway according to the resource information, transmits an internet protocol address of the destination gateway to the source gateway to make the source gateway establish a secure communication tunnel to the selected destination gateway and access the network resource providing server over the secure communication tunnel.05-03-2012
20110271339COMPUTERS AND MICROCHIPS WITH MULTIPLE INTERNAL HARDWARE FIREWALLS - An apparatus for a network of computers is presented. A plurality of inner firewalls operate within a personal computer. The personal computer operates in a network of computers and includes at least one microprocessor and at least two memory components. The plurality of inner firewalls deny access to a first memory component of the personal computer by another computer through a network connection with the personal computer during a shared operation. The plurality of inner firewalls also allow access to a second memory component of the personal computer by the other computer through the network connection with the personal computer during the shared operation.11-03-2011
20090070865Security proxy service - A secure proxy service has been developed to authorize pre-defined individuals (defined as a “Security Agent”) to gain access to otherwise privileged information/premises when an individual has “gone missing”. The individual subscribing to the service defines and retains control of various factors such as: the time period to trigger the proxy service (i.e., missing for several days, missing for several weeks, etc.), the types of information to be accessed (i.e., only email, both premises and email, bank accounts, etc.), and the like. Once activated, the proxy allows the authorized individual(s) to gain access to the person's residence, computer accounts, bank accounts, etc. (via previously-executed “power of attorney” documents, when necessary) in an attempt to find clues regarding the missing person's location.03-12-2009
20100218248REDIRECTION OF SECURE DATA CONNECTION REQUESTS - Methods, systems, and computer-readable media are disclosed for processing a secure data connection request. A particular method receives, at a first gateway, a secure data connection request from a client identifying a server to connect to. The first gateway sends the client device a redirect message instructing the client device to attempt alternate connection via a second gateway. The client sends a secure data connection request to the second gateway and the second gateway facilitates the secure data connection between the client and the server.08-26-2010
20100122337System and method for integrating mobile networking with security-based VPNS - Systems and methods provide a secure network path through an inner and outer firewall pair between a mobile node on a foreign network and a corresponding node on a home network. One aspect of the systems and methods includes providing a mobile IP proxy between the mobile node and a VPN gateway inside the firewalls. The mobile IP proxy acts as a surrogate home agent to the mobile node, and acts as a surrogate mobile node to a home agent residing on the home network.05-13-2010
20100122338NETWORK SYSTEM, DHCP SERVER DEVICE, AND DHCP CLIENT DEVICE - When customer-premises communication equipment connected to a home gateway device is about to establish IP communication with a server on a network, the present invention enables the server to establish communication only after verifying that the physical connection location of the communication equipment is authorized. When a DHCP server issues an IP address to the home gateway device, the DHCP server not only passes a circuit-ID-based identifier to the home gateway device, but also transmits the identifier and information about the home gateway device to the server. Upon receipt of the identifier through the home gateway device, the communication equipment requests to establish IP communication with the server by using the identifier and the information about the home gateway device to which the communication equipment is connected. This permits the server to check whether the connection path of the communication equipment that has requested to be connected is proper.05-13-2010
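The exchange described in the abstract above, as an added example that is not the patent's own code: the relay-inserted DHCP option 82 (RFC 3046) carries the circuit ID that identifies the physical port, the DHCP server derives an identifier from it and registers that identifier together with the home gateway's identity at the application server, and the application server later admits a connection only when the identifier and gateway identity match what the DHCP server registered. The HMAC derivation of the identifier, the use of the gateway MAC as the "information about the home gateway device", the class names and the sample option bytes are all assumptions made for this example.

```python
import hashlib
import hmac

DHCP_OPT_MESSAGE_TYPE = 53
DHCP_OPT_RELAY_AGENT = 82        # RFC 3046 relay agent information option
SUBOPT_CIRCUIT_ID = 1            # RFC 3046 sub-option 1: circuit ID (physical port)
SUBOPT_REMOTE_ID = 2             # RFC 3046 sub-option 2: remote ID


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the TLV option area of a DHCP message (bytes after the magic cookie)."""
    opts = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:                      # pad option, no length byte
            i += 1
            continue
        if code == 255:                    # end option
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_relay_agent_info(value: bytes) -> dict:
    """Split the option 82 value into its sub-options (sub-option code -> bytes)."""
    subs = {}
    i = 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        sub, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option value")
        subs[sub] = data
        i += 2 + length
    return subs


class AppServer:
    """The server the customer equipment wants to reach; trusts only registrations from the DHCP server."""

    def __init__(self):
        self.expected = {}                 # identifier -> gateway identity registered by the DHCP server

    def register(self, identifier: str, gateway_mac: bytes) -> None:
        self.expected[identifier] = gateway_mac

    def accept_connection(self, identifier: str, gateway_mac: bytes) -> bool:
        """Admit the request only if the identifier was registered for exactly this gateway."""
        return self.expected.get(identifier) == gateway_mac


class DhcpServer:
    def __init__(self, secret: bytes, app_server: AppServer):
        self.secret = secret               # assumed: keyed derivation so the identifier cannot be guessed from the port name
        self.app_server = app_server

    def handle_request(self, options: bytes, gateway_mac: bytes) -> str:
        """Issue the circuit-ID-based identifier for a gateway request and register it at the app server."""
        opts = parse_dhcp_options(options)
        if DHCP_OPT_RELAY_AGENT not in opts:
            raise PermissionError("no relay agent information: physical port unknown")
        subs = parse_relay_agent_info(opts[DHCP_OPT_RELAY_AGENT])
        if SUBOPT_CIRCUIT_ID not in subs:
            raise PermissionError("relay agent information lacks a circuit ID")
        identifier = hmac.new(self.secret, subs[SUBOPT_CIRCUIT_ID], hashlib.sha256).hexdigest()[:16]
        self.app_server.register(identifier, gateway_mac)
        return identifier


# Constructed DHCP option area: message type DISCOVER, option 82 with circuit ID b"slt1"
# and remote ID 0x0102 inserted by the relay, then the end option.
SAMPLE_OPTIONS = (
    bytes([DHCP_OPT_MESSAGE_TYPE, 1, 1])
    + bytes([DHCP_OPT_RELAY_AGENT, 10, SUBOPT_CIRCUIT_ID, 4]) + b"slt1"
    + bytes([SUBOPT_REMOTE_ID, 2, 0x01, 0x02])
    + bytes([255])
)
GATEWAY_MAC = b"\xaa\xbb\xcc\xdd\xee\xff"   # constructed gateway identity

if __name__ == "__main__":
    app = AppServer()
    ident = DhcpServer(b"example-dhcp-secret", app).handle_request(SAMPLE_OPTIONS, GATEWAY_MAC)
    print(ident, app.accept_connection(ident, GATEWAY_MAC), app.accept_connection(ident, b"\x00" * 6))
```

The check that matters is the pairing: an identifier presented from a different gateway, or a gateway presenting an identifier the DHCP server never issued for it, is refused, which is what ties the application-layer session back to the physical port the relay reported.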
20090094693Access technology indication for proxy mobile internet protocol version 6 - A Local Mobility Anchor/Agent (LMA), on seeing a Proxy Binding Update (PBU) with a same Network Access Identifier (NAI) but with a different access technology indication or interface identifier can assign a unique prefix to a mobile node (MN) via a PBAck message. The unique prefix avoids the creation of a duplicate address that would conflict with the address assigned to another interface that was configured using a prefix provided by the LMA. This solution can enable an MN to attach to different Mobility Access Gateways (MAGs) that are in different access networks of differing technologies but attached to the same LMA (i.e. the MAGs and the LMA are in the same PMIP6 domain) and not cause conflicts in prefix assignment or confuse the LMA into thinking that the MN had performed a handover (HO).04-09-2009
20100125899REMOTE ACCESS TO LOCAL NETWORK VIA SECURITY GATEWAY - Multiple protocol tunnels (e.g., IPsec tunnels) are deployed to enable an access terminal that is connected to a network to access a local network associated with a femto access point. A first protocol tunnel is established between a security gateway and the femto access point. A second protocol tunnel is then established in either of two ways. In some implementations the second protocol tunnel is established between the access terminal and the security gateway. In other implementations the second protocol tunnel is established between the access terminal and the femto access point, whereby a portion of the tunnel is routed through the first tunnel.05-20-2010
20110197272Low-Latency Detection of Scripting-Language-Based Exploits - Systems and methods for protecting client computers are described. One method includes receiving webpage data at a proxy from a webpage before the data reaches an intended recipient; gathering scripting-language data from the webpage data; normalizing the scripting-language data so as to generate normalized data; emulating execution of the normalized scripting-language data with an inspection-point script-execution engine that is adapted to provide inspection points instead of effectuating particular functions; and determining whether to block the data from the intended recipient by analyzing inspection data collected from the inspection points.08-11-2011
20090288157SECURITY OVERLAY NETWORK - A device receives an indication of detected attack traffic associated with a network, identifies a victim of the attack traffic, and selects a security platform for processing the attack traffic. The device also advertises a tunnel and routing tag information in the network for the selected security platform, receives the attack traffic via the advertised tunnel, and forwards the attack traffic to the selected security platform for processing. The device further receives processed traffic from the selected security platform, and forwards, via the network, the processed traffic to the victim.11-19-2009
20090064309BROWSER PLUG-IN FIREWALL - A browser plug-in firewall manages data exchanged between a browser and a plug-in according to a pre-defined list of rights.03-05-2009
20080209539System and method for preventing service oriented denial of service attacks - A method, system, and computer program product for preventing network service attacks, including processing a message to validate the message for message version and syntax via a security firewall; canonicalizing the message and extracting a message header and body via a converter; converting the body into a Patricia Trie via the converter; and validating the header and the converted body for security via a comparator.08-28-2008
20080209536Updating Parameters in a Bridged Multistandard Home Network - The invention relates to the field of home networks, in particular to the connection of two home networks of different types via a gateway. The network appliances in the network of the first type are also intended to be able to control the network appliances in the network of the second type, and vice versa. One problem that occurs when carrying out conversion processes on control messages is that an input parameter which is known in the network of the first type can be changed as required and can also be signaled further within this network, but the associated correspondence in the network of the second type is permanently set, and accordingly cannot be changed. The invention provides a way in which an input parameter such as this can nevertheless be likewise updated in the network of the second type. For this purpose, the network station which relates to the input parameter is first of all logged-off in the network of the second type. The changed input parameter is then converted to the information element in the network of the second type. The network station which relates to the input parameter is then logged on again in the network of the second type. This results in the network stations in the network of the second type being able to newly read the appliance description for the network station which relates to the input parameter. This then also results in the input parameter being updated in the network of the second type.08-28-2008
20080209538Strategies for Securely Applying Connection Policies via a Gateway - A strategy is described for securely applying connection policies in a system that includes a first entity (e.g., a TS client) connected to a second entity (e.g., a TS server) via a gateway using a remote-operating protocol (e.g., RDP). The strategy involves establishing a first secure channel between the gateway and the TS server and transmitting policy information from the gateway to the TS server. The strategy then involves deactivating the first secure channel and setting up a second secure channel between the TS client and the TS server. The strategy uses the second secure channel to transmit RDP data from the TS client to the TS server. The TS server uses the previously-transmitted policy information to determine whether to enable or disable a feature that affects the TS client, such as device redirection.08-28-2008
20090044262METHOD, SYSTEM AND SOFTWARE FOR MAINTAINING NETWORK ACCESS AND SECURITY - A system, method and apparatus for securing communications between a trusted network and an untrusted network are disclosed. A perimeter client is deployed within the trusted network and communicates over a session-multiplexing-enabled protocol with a perimeter server deployed within a demilitarized zone network. The perimeter client presents make-available requests and communication initiation requests to the perimeter server, which presents corresponding sockets to the untrusted network. The session multiplexing capabilities of the protocol used between the perimeter server and perimeter client permit a single communication session between them to support a plurality of communication sessions between the perimeter server and the untrusted network. In the event data flows across the communication sessions are encrypted, decryption of the data flows is left to the components at the end points of the communication session, thereby restricting exposure of privileged information to areas within trusted networks.02-12-2009
20090282470CONTENT AGGREGATION SERVER ON VIRTUAL UNIVERSAL PLUG-N-PLAY NETWORK - A content aggregation server (CAS) establishes an IPSec tunnel with a gateway of a home network and discovers content on the home network. The CAS generates a web page that a user of the home network can access remotely to view an index of content hyperlinks, organize the content on the home network, and if desired select a hyperlink to access the content directly through the gateway, not the CAS, which thus is used for listing and managing content but not for hosting the content.11-12-2009
20090119767FILE LEVEL SECURITY FOR A METADATA CONTROLLER IN A STORAGE AREA NETWORK - A storage gateway is employed as part of a security enhancing protocol in a data processing system which includes at least one metadata controller node and at least one application node which is granted a time limited access to files in a shared storage system. The gateway is provided with information as to data blocks to which access is to be allowed and also with information concerning the duration of special access granted to a requesting application node. This insures that metadata cannot be improperly used, changed or corrupted by users operating on an application node.05-07-2009
20080216167PROXY CONNECTION METHOD AND ADAPTER TO IMS/MMD NETWORK - A client for IPv4 having a SIP function sends a first REGISTER to an adapter. The adapter then executes an EAP-AKA authentication sequence with an access gateway connected between an IMS/MMD network and the IPv4 network, and establishes a tunnel connection. The adapter then generates a second REGISTER corresponding to IPv6 based on the first REGISTER corresponding to IPv4, and sends the second REGISTER to a SIP server connected to the IMS/MMD network through the tunnel connection to the access gateway.09-04-2008
20090276841METHOD AND DEVICE FOR DYNAMIC DEPLOYMENT OF TRUST BRIDGES IN AN AD HOC WIRELESS NETWORK - A method for deploying a trust bridge in an ad hoc wireless network can provide interoperability for multi-organizational authentication. The method includes processing at a delegate certification authority (DCA) node device authorizations received from of a plurality of certification authorities (CAs) of different organizations, where the authorizations authorize the DCA node device to serve as a DCA representing the CAs (step 11-05-2009
20110209211MULTI-STAGE POLLING MECHANISM AND SYSTEM FOR THE TRANSMISSION AND PROCESSING CONTROL OF NETWORK RESOURCE DATA - A method and corresponding system for coordinating submission of network resource data across a first network to a network resource located on a second network, the second network being coupled to the first network by a firewall such that the second network has a higher level of trust than that of the first network, the method comprising the steps of: receiving and storing in a storage the network resource data submitted by a network terminal coupled to the first network, the network resource data containing a network resource identifier for associating the network resource data with the network resource; receiving and storing in the storage control data associated with the network resource data, the control data for coordinating one or more actions on the network resource data; receiving a first poll message initiated through the firewall by a polling server located on the second network, the first poll message requesting stored network resource data containing the network resource identifier and forwarding the network resource data matching the network resource identifier to the polling server; and receiving a second poll message initiated through the firewall by the polling server, the second poll message requesting stored data matching the control data associated with the network resource data and forwarding the matched control data to the polling server.08-25-2011
20080282338SYSTEM AND METHOD FOR PREVENTING THE RECEPTION AND TRANSMISSION OF MALICIOUS OR OBJECTIONABLE CONTENT TRANSMITTED THROUGH A NETWORK - A system for preventing the reception and transmission of malicious or objectionable content transmitted through a network. A thin client is installed upon a user computer and is associated with a web browser computer program installed upon the user computer, the thin client and web browser being coupled to a web proxy server of a network service provider. At least one protective server is intermediate the web proxy server and the network, the protective server being dedicated to detecting a type of malicious or objectionable content and acting to deter the reception of detected content by the user computer. At least one reference library contains a profile defining malicious or objectionable content, the protective server utilizing the library to identify the malicious or objectionable content.11-13-2008
20080235784Gateway log in system with user friendly combination lock - User friendly gateway log-in system for validation of a user's identity for entry into a master security website that provides a gateway to a plurality of different subscriber websites includes: (a) a plurality of user computers; (b) an internet; (c) a host server connected to the internet for connection to user computers; and (d) a website program hosted on the host server for a website that requires individual user security, for connecting each of the plurality of computers to the website available to the user computers, that includes an open log in field. The program has software for secured activity for receiving and recognizing a unique user identification from a user of a user computer to create a personal combination lock rule for a unique easy-to-remember user initialization input that includes a preset selection and operation of the intersection of a first randomly arranged challenge presentation and a second randomly arranged challenge presentation to obtain a selection solution. Successful solution by a user provides access to the gateway for entry into any subscriber-website without website-specific log-in.09-25-2008
20080235783P-GANC OFFLOAD OF URR DISCOVERY MESSAGES TO A SECURITY GATEWAY - In one embodiment, a security gateway receives an IPSec Initiation (IPSec INIT) request from a client. The security gateway may communicate with a AAA server to authenticate the client. After authentication, the security gateway intercepts a URR Discovery request from the client. The security gateway determines registration information for a response to the registration request. The registration information may be information on where the client can locate a D-GANC. A response is generated using the determined information and sent to the client. The response to the discovery request is performed without communicating with a P-GANC. Accordingly, a security gateway is used to authenticate the client and also to respond to the discovery request. This does not require that a P-GANC function be deployed in a network. Thus, cost and processing power may be saved.09-25-2008
20080289029METHOD AND SYSTEM FOR CONTINUATION OF BROWSING SESSIONS BETWEEN DEVICES - A system and method are provided for continuing a browsing session initiated with a first client machine and a web site. The browsing session may be continued on a second client machine by tracking the navigation history associated with the browsing session of the first client machine. The navigation history comprises at least an address of a last viewed web page of the web site. Continuation of the browsing session is further facilitated by collecting at least one web cookie during the browsing session that is dependent upon the interaction between the first client machine and the web site. In this way, in order to allow switching between client machines to continue the browsing session, the navigation history and the at least one web cookie is provided from the second client machine to the web site to restore and resume the browsing session at the point that it was previously terminated.11-20-2008
20100146618Multi-Level Secure Information Retrieval System - According to one embodiment, a multi-level secure information retrieval system includes an enterprise access service tool coupled to one or more client applications and at least one gateway managed by an enterprise. The enterprise access service tool executes services operating in a service oriented architecture. The enterprise access service tool receives requests from the client applications, associates each of the requests with one of a plurality of differing security levels, and transmits the requests to the gateway. The gateway transmits the requested information back to the client applications in which the information is filtered by the gateway according to their associated security levels.06-10-2010
20100146617UNIFYING RELATED WEB SERVICE PORTS USING PORT POINTERS IN PROXY MEDIATION - A Web service description can be extended to cross reference a front-side port associated with a client using a Web service and a back-side port associated with a server providing the Web service. The extending of the Web service description can occur in a standards compliant manner for a programming language within which the Web service description is specified and for a repository in which the Web service description is maintained.06-10-2010
20090089872Communication network access - A method of routing traffic between external users and a communication network via a private access network. The method comprises establishing a secure outer tunnel between the private network and a gateway of a public access network to which the private network is coupled, based upon authentication of the private network to the public access network, said gateway being coupled to said communication network. For each external user wishing to connect to the communication network via the private network, a secure inner tunnel is established between the user and the gateway based upon authentication of the user to the gateway, the inner tunnel being within said outer tunnel. Traffic is caused to flow between external users and the gateway through the respective inner tunnels.04-02-2009
20090083846SYSTEM AND METHOD FOR SECURITY MANAGEMENT OF HOME NETWORK - A security management system of a home network is provided. The home network includes a home gateway and one or more user devices connected to the home gateway. The security management system further includes a security management server adapted to provide a security management service for the home network. Within the home network, a security management module is disposed to provide a security service for the user devices within the home network. The user devices and a device where the security management module locates have unique device identifications, and the home network has a unique network identification. By the home gateway, the security management server communicates with the security management module. With the network identification and the device identification, the security management server and the security management module achieve a security management for the home network through a registration of the home network and a registration of the user device. A security management method of home network devices is also provided.03-26-2009
20090183251INTEGRATED INFORMATION MANAGEMENT SYSTEM AND METHOD - Embodiments of present invention provide for an integrated information management system. The system comprises a set of predetermined applications related to managing information of a government program. The system also comprises a web portal that renders a set of web pages as a virtual workspace. The web portal interoperates with the set of predetermined applications using a plurality of portlets. At least one of the plurality of portlets implementing an application of the set of predetermined applications that is external to the web portal and at least one of the plurality portlets implementing an application of the set of predetermined applications that is local to the web portal.07-16-2009
20090064306Network access control based on program state - A gateway controls access to a region of a network by either granting or denying a client machine access to the network region based on whether a particular program is running on the client machine. A program is installed on the client machine which sends a detectable indication that the program is running. When it is detected that the program is running, the gateway allows the client machine access to the network region. When the program is not detected to be running, the gateway denies the client machine access to the network region.03-05-2009
20090178132Enterprise Security Assessment Sharing For Consumers Using Globally Distributed Infrastructure - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services.07-09-2009
20090165115Service providing system, gateway, and server - A large-scale content delivery system may be achieved, which may send a large amount of content without intensive management of the content in the server. In a service providing system where a client, a service gateway, and a server are connected to each other through a network, the client sends a first message to the server by way of the service gateway. The service gateway asks the server how the first message from the client should be processed, using a second message that includes part of the first message's content. The server replies to the service gateway's inquiry with a program that describes the processing method, and the service gateway processes the first message from the client on the basis of the received processing method.06-25-2009
20090138956Multi-use application proxy - Some embodiments of a multi-use application proxy have been presented. In one embodiment, an application proxy is executed as an intermediary between a set of applications. The application proxy performs multiple functions between the set of applications. For example, the application proxy aggregates interactions between the applications and a client in one embodiment.05-28-2009
20080256620Default Internet Traffic and Transparent Passthrough - A method for routing packets sent from a user to the internet is provided for systems in which the user is connected to a private network. The method includes: extracting a source network address from the packet; using said source network address to retrieve a user profile for the user; examining said user profile to determine whether to route the packet through the private network or to route the packet directly to the Internet; and routing said packet according to said profile. This allows a user or network provider to choose whether to route packets destined for the Internet directly to the Internet rather than through the private network, thus preventing excessive network traffic on the private network.10-16-2008
20090138955USING GAA TO DERIVE AND DISTRIBUTE PROXY MOBILE NODE HOME AGENT KEYS - A Generic Authentication Architecture bootstrapping procedure is performed between a mobile terminal and a bootstrapping server function resulting in the mobile terminal and the bootstrapping server function each acquiring at least a bootstrapping transaction Identifier associated with the mobile terminal and a corresponding shared key. The mobile terminal derives a network application function specific key based on at least the acquired shared key and an identifier of said network application function. The bootstrapping transaction identifier and the network application function specific key are sent from the mobile terminal to the proxy mobile node. A request message for Mobile Internet Protocol registration is sent from the proxy mobile node to a home agent on behalf of the mobile terminal, the request message including the bootstrapping transaction identifier and an identifier of the proxy mobile node. The registration message is verified in the home agent with the use of a network application function specific key obtained from the bootstrapping server function or a network application function. The request message for Mobile Internet Protocol registration is authenticated with the proxy mobile node acting on behalf of the mobile terminal by verifying the message authentication code with the obtained network application function specific key.05-28-2009
20090172802LOCAL PROXY SYSTEM AND METHOD - A local proxy system includes a storage device having a local proxy and a physical port connection. The local proxy is part of a split proxy configuration having a local proxy and a remote proxy. The physical port connection is operative to receive commands from a host via an internet application protocol; and to transmit commands to the host via a modem control protocol, to thereby function as a gateway for conveying these commands to a remote proxy, via the host. Also provided is a method of optimizing communication over a network; and a local proxy system that includes a storage device having a local proxy. The storage device is in connection with a host via a physical port connection complying with a standard storage device interface.07-02-2009
20090178131GLOBALLY DISTRIBUTED INFRASTRUCTURE FOR SECURE CONTENT MANAGEMENT - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services.07-09-2009
20090144817TECHNIQUES FOR HIGH AVAILABILITY OF VIRTUAL PRIVATE NETWORKS (VPN'S) - Techniques for high availability of virtual private networks (VPN's) are provided. VPN gateways are organized as a virtual ring of VPN gateways. A client seeking to establish VPN communications with a destination resource is assigned one of the VPN gateways as a primary gateway and one VPN gateway as a secondary gateway. When a client's primary fails, the client seamless transitions to its designated secondary and the VPN gateways reconfigure themselves to account for the primary's failure.06-04-2009
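One way to realise the "virtual ring" assignment described in the abstract above, as an added example that is not the patent's own code: the gateways sit on a consistent-hashing ring, a client's primary is the first gateway clockwise from the client's own hash point and its secondary is the next one, so when the primary fails and is removed from the ring, the recomputed primary for every affected client is exactly the secondary it already held, while clients of other gateways keep their primary. Consistent hashing as the ring construction, the SHA-256 placement and the gateway names are assumptions for this example.

```python
import bisect
import hashlib


def _point(name: str) -> int:
    """Position of a name on the ring (64-bit prefix of SHA-256); assumed placement scheme."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest()[:8], "big")


class GatewayRing:
    """VPN gateways arranged on a hash ring; clients get (primary, secondary) by clockwise walk."""

    def __init__(self, gateways):
        self.points = {}          # gateway name -> ring position
        self.ring = []            # sorted list of (position, gateway name)
        for gateway in gateways:
            self.add(gateway)

    def add(self, gateway: str) -> None:
        if not gateway:
            raise ValueError("gateway name must be non-empty")
        position = _point(gateway)
        self.points[gateway] = position
        bisect.insort(self.ring, (position, gateway))

    def remove(self, gateway: str) -> None:
        """Take a failed gateway off the ring; its clients fall through to the next gateway."""
        position = self.points.pop(gateway)
        self.ring.remove((position, gateway))

    def assign(self, client_id: str) -> tuple:
        """Return (primary, secondary) for a client: the next two gateways clockwise from its point."""
        if len(self.ring) < 2:
            raise RuntimeError("high availability needs at least two gateways")
        # ("" sorts before any non-empty name, so ties on position resolve to the gateway itself)
        index = bisect.bisect_right(self.ring, (_point(client_id), ""))
        primary = self.ring[index % len(self.ring)][1]
        secondary = self.ring[(index + 1) % len(self.ring)][1]
        return primary, secondary

    def failover(self, client_id: str, failed_gateway: str) -> tuple:
        """Simulate the transition: drop the failed gateway and return the client's new pair."""
        old_primary, old_secondary = self.assign(client_id)
        self.remove(failed_gateway)
        new_primary, new_secondary = self.assign(client_id)
        # The whole point of pre-assigning a secondary: the client already knows where to go.
        if failed_gateway == old_primary:
            assert new_primary == old_secondary
        return new_primary, new_secondary


if __name__ == "__main__":
    ring = GatewayRing(["vpn-a", "vpn-b", "vpn-c", "vpn-d"])   # constructed gateway names
    primary, secondary = ring.assign("client-42")
    print("before:", primary, secondary)
    print("after failure of primary:", ring.failover("client-42", primary))
```

The useful property for an operator is the locality of the reconfiguration: only clients whose primary or secondary was the failed gateway change anything, so the surviving gateways do not have to renegotiate every client's VPN state.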
20090019536AUTOMATIC IP NETWORK DETERMINATION AND CONFIGURATION FOR EDGE DEVICES - A method of self-configuration of a network device having at least one network connection port, comprising the steps of, after booting of the network device, actively probing a network in which the network device is located and analysing data packets received on the port(s), attempting to determine a network configuration for all network connections the device can make according to information extracted from the received data packets, and configuring device settings according to the network configuration determined.01-15-2009
20090199289Method and System for Pervasive Access to Secure File Transfer Servers - End-to-end file transfer security for file transfer is provided over a network such as the Internet between a client, using a secure communication protocol which is pervasively available, such as HTTPS, to a secure file server which is accessible only through a secure file transfer protocol which is not pervasively available by using a secure proxy for accessing the secure file server rather than providing a protocol break merely for traversing a firewall. The secure proxy is arranged to provide a protocol conversion between the pervasively available secure protocol and the communication protocol through which the server is accessible and which is not pervasively available. By doing so, the secure proxy inherits secure functions of the secure server which thus need not be separately or independently provided in the secure proxy.08-06-2009
20110145910PORT TAPPING FOR SECURE ACCESS - Secure access in a computing environment is provided. One implementation involves a client generating a sequence for tapping server ports, and the client identifying itself to the server by tapping the server ports based on the sequence. The server verifies if the tapping sequence is correct. If the tapping sequence is correct, access is provided from the client to the server.06-16-2011
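The port-tapping (port-knocking) scheme above, as an added example that is not the patent's own code: the abstract says only that the client generates a tapping sequence and the server verifies it, so the construction here, which derives the ordered port list from a shared secret, the client identity and a time slot with HMAC-SHA256, is an assumption, as are the port range, sequence length and freshness window. The server keeps per-client progress through the expected sequence, resets on any out-of-order tap, and grants access only once the whole sequence has been seen in order.

```python
import hashlib
import hmac
import struct

SHARED_SECRET = b"example-knock-secret-not-from-the-patent"   # constructed
KNOCK_PORT_LOW, KNOCK_PORT_HIGH = 20000, 30000               # assumed range of knock ports
KNOCK_LENGTH = 4                                             # assumed taps per sequence
WINDOW_SECONDS = 30                                          # assumed freshness window


def knock_sequence(secret: bytes, client_id: str, timeslot: int, length: int = KNOCK_LENGTH) -> list:
    """Derive the ordered ports a client must tap during `timeslot`; the client side of the scheme."""
    span = KNOCK_PORT_HIGH - KNOCK_PORT_LOW
    ports = []
    for i in range(length):
        msg = client_id.encode() + struct.pack(">QI", timeslot, i)
        digest = hmac.new(secret, msg, hashlib.sha256).digest()
        ports.append(KNOCK_PORT_LOW + int.from_bytes(digest[:4], "big") % span)
    return ports


class KnockServer:
    """Server side: observes SYNs to closed ports and opens access after a correct sequence."""

    def __init__(self, secret: bytes, now: int):
        self.secret = secret
        self.now = now                        # injected clock so the example is deterministic
        self.progress = {}                    # client_id -> ports accepted so far, in order
        self.opened = set()

    def _expected(self, client_id: str) -> list:
        return knock_sequence(self.secret, client_id, self.now // WINDOW_SECONDS)

    def tap(self, client_id: str, port: int) -> bool:
        """Record one tap on `port` attributed to `client_id`; True once access is granted."""
        expected = self._expected(client_id)
        seen = self.progress.setdefault(client_id, [])
        if port != expected[len(seen)]:
            # Out-of-order tap: discard progress so wrong guesses never accumulate,
            # but let this tap count if it happens to be the correct first one.
            seen = self.progress[client_id] = [port] if port == expected[0] else []
        else:
            seen.append(port)
        if len(seen) == len(expected):
            self.opened.add(client_id)
            del self.progress[client_id]
            return True
        return False

    def is_open(self, client_id: str) -> bool:
        return client_id in self.opened


if __name__ == "__main__":
    now = 1_700_000_000
    server = KnockServer(SHARED_SECRET, now)
    for port in knock_sequence(SHARED_SECRET, "alice", now // WINDOW_SECONDS):
        print("tap", port, "->", server.tap("alice", port))
    print("alice open:", server.is_open("alice"))
```

A production server would also accept the previous time slot to tolerate clock skew, and would attribute taps by source address rather than by a self-declared client identity; the sequence being bound to the client and the slot is what stops an observer from replaying one client's taps as another client or at a later time.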
20110231927Internet Mediation - Systems and methods for a user to personalize Internet content from an Internet service provider using selected policy applications. The policy applications may be discrete, single purpose applications. The system may be controlled from home gateways and remote devices.09-22-2011
20110231928SYSTEMS AND METHODS OF CONTROLLING NETWORK ACCESS - A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device.09-22-2011
20120096538DYNAMIC MOBILE STREAMING APPLICATION SUPPRESSION - A method performed by a network device may include obtaining an Internet Protocol address and a user device identifier associated with a user device, determining that the obtained user device identifier does not match a previous user device identifier associated with the obtained Internet Protocol address, and monitoring packets destined for the obtained Internet Protocol address to determine whether the packets are associated with a streaming application, based on determining that the obtained user device identifier does not match the previous user device identifier. The method may further include detecting a packet destined for the obtained Internet Protocol address, where the packet is associated with a streaming application and where the packet is received from a particular network device and signaling the particular network device to stop sending packets associated with the streaming application and destined for the obtained Internet Protocol address.04-19-2012
20090199290VIRTUAL PRIVATE NETWORK SYSTEM AND METHOD - One embodiment of the application provides a method and system for receiving at a gateway device a plurality of virtual private network tunnels to be routed to a Local Area Network (LAN), routing a first portion of the plurality of virtual private network tunnels to at least one slave device coupled to the gateway device, performing IPsec processing of the first portion of the plurality of virtual private network tunnels using at least one slave device, forwarding the first portion of the plurality of virtual private network tunnels after IPsec processing to the gateway device and routing the plurality of virtual private network tunnels to the LAN.08-06-2009
20090249466METHODS AND DEVICES FOR ENFORCING NETWORK ACCESS CONTROL UTILIZING SECURE PACKET TAGGING - Disclosed are methods, devices, and media for enforcing network access control, the method including the steps of: extracting a packet signature from a packet (or packet fragment) received from a network; storing the packet signature and the packet in a buffer; computing a buffer signature using a per-endpoint secret key; determining whether the packet signature and the buffer signature are identical; and upon determining the packet signature and the buffer signature are identical, transmitting the packet to a protocol stack. Preferably, the step of extracting includes extracting the packet signature from a field (e.g. identification field) of a header of the packet. Preferably, the method further includes the step of: upon determining the packet signature and the buffer signature are not identical, discarding the packet. Methods for receiving a packet from a protocol stack, and transmitting the packet to a network are disclosed as well.10-01-2009
20090138958Takeover Processes in Security Network Integrated with Premise Security System - An integrated security system is described comprising a gateway located at a first location. The gateway includes a takeover component that establishes a coupling with a first controller of a security system installed at the first location. The security system includes security system components coupled to the first controller. The takeover component automatically extracts security data of the security system from the first controller. The gateway automatically transfers the security data extracted from the controller to a second controller. The second controller is coupled to the security system components and replaces the first controller.05-28-2009
20090249467PROXY SERVER - A proxy server for downloading a data file for a client, such as an email client or web browser, including: an external proxy for downloading the data file for the client from an external server over a network, based on profile data associated with the client stored on the proxy server; a memory module for storing the data file; and an internal proxy for transferring the data file to the client when requested by the client. The external proxy operates asynchronously to the internal proxy, and the proxy server operates transparently with respect to the client.10-01-2009
20100169964APPARATUS AND METHOD FOR PROVIDING PEER-TO-PEER PROXY SERVICES IN PEER-TO-PEER COMMUNICATIONS - A network gateway device providing peer-to-peer proxy service is provided, including a P2P meta descriptor detector detecting an original P2P meta descriptor file from the public network, a P2P proxy control unit modifying the original P2P meta descriptor file to generate a modified P2P meta descriptor file, and forwarding the modified P2P meta descriptor file to a computer in the private network, an internal tracker receiving a first inquiry message, and replying with a pseudo sharing computer list, and a peer-to-peer engine loading the original P2P meta descriptor file to download shared contents, and forwarding the shared contents to the computer.07-01-2010
20100162380COMMUNICATIONS SYSTEM PROVIDING SHARED CLIENT-SERVER COMMUNICATIONS INTERFACE AND RELATED METHODS - A communications system may include a plurality of communications devices connected together in a network and having a plurality of user accounts associated therewith. At least one of the communications devices may process requests using an HTTP client application associated therewith. The system may also include an application server for accessing the user accounts via the HTTP client application, and an HTTP server for interfacing the HTTP client application with the application server. The HTTP server and the HTTP client application may format requests to be communicated therebetween in an HTTP format, and each may provide additional state information with the HTTP formatted requests recognizable by the other for authentication purposes. Furthermore, the HTTP client application may request a first universal resource locator (URL) from the HTTP server for accepting work requests from the application server, and a second URL different from the first for responding to work requests.06-24-2010
20100162378METHODS AND APPARATUS TO ENHANCE SECURITY IN RESIDENTIAL NETWORKS - Example methods and apparatus to enhance security in residential networks and residential gateways are disclosed. A disclosed example apparatus includes a transceiver to receive an Internet protocol (IP) packet, a first packet processing module associated with a protected IP address, the first packet processing module to be communicatively coupled to a first network device, a second packet processing module associated with a public IP address, the second packet processing module to be communicatively coupled to a second network device, and a packet diverter to route the received IP packet to the first packet processing module when the IP packet contains the protected IP address and to route the IP packet to the second packet processing module when the IP packet does not contain the protected IP address.06-24-2010
20100192216SECURITY GATEWAY SYSTEM, METHOD AND PROGRAM FOR SAME - A non-secure network gateway 07-29-2010
20100162379UNSOLICITED COMMUNICATION MITIGATION - A method and apparatus for mitigating unwanted communication are disclosed. A request to establish communications is received at a first Protection Against Unsolicited Communications in Internet Protocol Multimedia Subsystem (PUC) server. The PUC server determines whether to block the communication. If the communication is blocked, the sender is informed and a record of the blocked communication may be stored. Alternatively, the communication may be delivered to a subsequent PUC server (along with appended information about the sender), the receiver or sent to storage.06-24-2010
20110239290SECURE SHARING OF TRANSPORT LAYER SECURITY SESSION KEYS WITH TRUSTED ENFORCEMENT POINTS - Embodiments of the present invention address deficiencies of the art in respect to security enforcement point operability in a TLS secured communications path and provide a novel and non-obvious method, system and computer program product for the secure sharing of TLS session keys with trusted enforcement points. In one embodiment of the invention, a method for securely sharing TLS session keys with trusted enforcement points can be provided. The method can include conducting a TLS handshake with a TLS client to extract and decrypt a session key for a TLS session with the TLS client traversing at least one security enforcement point. The method further can include providing the session key to a communicatively coupled key server for distribution to the at least one security enforcement point. Finally, the method can include engaging in secure communications with the TLS client over the TLS session.09-29-2011
20100180332INFORMATION PROTECTION APPLIED BY AN INTERMEDIARY DEVICE - Methods, systems, and computer-readable media are disclosed for applying information protection. A particular method includes receiving a data file at a gateway coupled to a network. The data file is to be sent to a destination device that is external to the network. The method also includes selectively applying information protection to the data file at the gateway prior to sending the data file to the destination device. The information protection is selectively applied based on information associated with the destination device, information associated with the data file, and information associated with a user of the destination device.07-15-2010
20100218247SERVICE ACCESS USING A SERVICE ADDRESS - A method is disclosed that includes assigning a service address to a service of a private network. The service of the private network is accessible, via a gateway, by a client computer. The method also includes turning off duplicate address detection at the gateway. The gateway is associated with a public network address that is different from the service address.08-26-2010
20100235901CIFS PROXY AUTHENTICATION - Techniques are described for a proxy system to provide a client device with transparent access to multiple network file servers. The proxy system may appear to the client device as a single network file server. The proxy may be configured to forward requests received from the client device to multiple servers as well as provide responses from the server back to the client. Further, the proxy system may authenticate itself, as the client, to each of the multiple network servers using authentication credentials supplied by the client. After prompting a user to submit credentials to establish a session with a first network server, the proxy system may send a session timeout error code, prompting the client to submit a fresh authentication request used by the proxy system to establish a session with a second network server.09-16-2010
20100235902SERVER PROTECTION FROM DISTRIBUTED DENIAL OF SERVICE ATTACKS - A network device connects between a client and a server. The network device is configured to store information regarding an application operating on the server; receive a first message, from the client, intended for the server; generate a second message in response to the first message; send the second message to the client; receive a third message from the client; generate, based on the information regarding the application on the server, a fourth message, that includes the information regarding the application operating on the server; send the fourth message to the client; receive a service request from the client in response to the fourth message; and establish, based on the service request, a connection between the client and the server.09-16-2010
20090328184System and Method for Enhanced Security of IP Transactions - A transaction routing system is described. The system includes a communication gateway linked to at least one transaction terminal and at least one host server. The communication gateway determines whether to perform an authentication procedure during a call session. Based on a result of the authentication procedure, at least one proceeding step is determined. A method for ensuring enhanced security during transaction routing is also provided.12-31-2009
20080307518Security in communication networks - Disclosed is a method including allowing an application server to request setup of a session on behalf of a user terminal, and using mechanisms of a generic peer authentication procedure for enabling authentication of the application server to an interrogating server, the interrogating server being a network element that is configured to process said request to set up a session on behalf of a user terminal. Also disclosed are related devices, systems and computer programs.12-11-2008
20090320120REPLICATING MESSAGE QUEUES BETWEEN CLUSTERED EMAIL GATEWAY SYSTEMS - A method of “stateful failover” is provided that allows email gateway systems in a cluster to deliver email messages that have been accepted for delivery by a member of the cluster which has then failed without delivering the messages. The method involves creating a backup copy of the messages that have been accepted for delivery by one email gateway system in the stateful failover cluster on one or more other email gateway systems in the stateful failover cluster. Upon detecting the failure of the email gateway system that accepted the message, another member of the stateful failover cluster that has access to the backup copy of the message queue takes responsibility for the delivery of the messages on the mirrored queue.12-24-2009
20090113539GATEWAY SYSTEM AND METHOD FOR IMPLEMENTING ACCESS TO VARIOUS MEDIA - A gateway system for implementing access to various media is provided in the invention, and the gateway system includes: a communication media access module, for establishing a communication link with the corresponding media access network; a Media Independent Handover Functions module, for seamless handover between accesses to various media; and a handover decision module, for selecting a target network for the seamless handover. The gateway system may also include an authentication module, for sharing the authentication information of the User Equipment. Two methods for implementing access to various media are further disclosed in the invention. By the provided gateway system and methods, the User Equipment can access various media via the gateway system, seamlessly hand over between accesses to various media and achieve the access to a service network using the shared authentication information.04-30-2009
20090113538Method and system for controlling access for mobile agents in home network environments - Disclosed is a method and system for controlling access for a mobile agent in a home network environment. The method includes the steps of: issuing a role ticket to the mobile agent; verifying access authority to service requested by the mobile agent through the role ticket; and granting the mobile agent access authority to the service. Accordingly, a table for managing access authority of a user is distributed to devices, so that it is possible to provide the mobile agent access control method and system capable of minimizing network traffic in the home network environment.04-30-2009
20090049538Identifier Authenticating System - There is provided an identifier authenticating system in which information requesting users can share all the predetermined information held in a plurality of information providing servers. In the identifier authentication system, when an identifier holding user 02-19-2009
20090106830Secure Network Communication System and Method - A secure network communication system and method for secure data exchange using transmission control protocol are disclosed. The system provides for data exchange between a client and a server, by way of an agent and a broker interconnected to exchange data over an unsecured network link. Upon receipt of a control packet from the client, the broker forwards a modified control packet to the agent using a secure protocol. The agent then inspects the modified control packet and forwards it to the server. Upon receipt of a response packet from the server, the agent forwards the response packet to the broker using a secure protocol and upon receipt of the response packet, the agent modifies the response packet and forwards it to the client. In the case that the exchange of control packets indicates establishment of a TCP session, the agent and the broker establish a data channel between themselves to create a transparent TCP channel between the client and the server.04-23-2009
20100299741METHOD AND SYSTEM FOR MANAGEMENT OF SECURITY RULE SET - There are provided a method for automated management of an ordered set of security rules implemented at one or more security gateways and a system thereof. The method comprises a) obtaining data characterizing a connectivity request that may become allowable only upon changes to an initial rule-set, thus giving rise to an unfitting connectivity request; b) automatically searching within said ordered set of security rules for the rule that best matches, i.e. the rule to be amended in order to facilitate allowance of the unfitting connectivity request, wherein best matching is defined in accordance with one or more predefined criteria; c) automatically generating an amendment of the best matching rule, said amendment capable of facilitating allowance of the unfitting connectivity request; and d) automatically implementing the generated amendment at one or more relevant security gateways among said one or more security gateways. At least one predefined criterion may be related to extra allowed traffic resulting from the amendment and/or to requested traffic restricted after amendment because of shadowing by one or more rules above the amended rule.11-25-2010
20130133057SYSTEM FOR MANAGING VIRTUAL PRIVATE NETWORK AND METHOD THEREOF - Disclosed is a system for managing virtual private networks (VPNs), which includes: terminals configured to transmit user data; a manager configured to transmit information for concealing networks and managing the VPNs; border gateways configured to decrypt the user data and perform a network address translation (NAT) procedure and a filtering procedure on the decrypted user data based on the information; and servers configured to receive the user data subjected to the NAT procedure and the filtering procedure, wherein the filtering procedure is a procedure discarding user data addressed to servers that are not allowed, so that the terminals can access only the allowed servers, the NAT procedure is a procedure changing an Internet protocol (IP) address used in a first network to an IP address used in a second network, and the first network and the second network are different networks.05-23-2013
20130133058SECURITY BRIDGING - A network media gateway is used to bridge trust between a Service Provider network and subscriber devices. The gateway is authenticated by the Service Provider by using knowledge of network topology. Subscriber devices are authenticated in response to subscriber input to the gateway via an interface. Trusted subscriber devices can be tightly coupled with the Service Provider network, thereby facilitating delivery of QoE. Mobile and remote subscriber devices may also be authenticated. The gateway may also facilitate establishment of VPNs for peer-to-peer communications, and dynamically adjustable traffic, policy and queue weightings based on usage patterns.05-23-2013
20130133059REVERSE PROXY DATABASE SYSTEM AND METHOD - A system and method for providing a comprehensive security solution for databases through a reverse proxy, optionally featuring translating database queries across a plurality of different database platforms.05-23-2013
20110023107Lifecycle Management Of Privilege Sharing Using An Identity Management System - A method, system and computer-usable medium are disclosed for managing the lifecycle of a shared privileged account. A proxy service is implemented with an Identity Management (IdM) system that defines and manages a plurality of identity services, which in turn manage a plurality of privileged accounts used to access a plurality of managed targets. Each of the identity services is mapped to a privilege group of the proxy service and an ID pool manager is implemented to manage sharing of the privileged accounts. A request is generated to access a managed target with a privileged account. A shared privileges module generates a shared ID authorization account and associates it with the requester. The shared ID authorization account is populated with sign out information for a shared privileged account, which the requester uses to access the corresponding managed target. When use of the shared privileged account is ended, the shared privileges module disassociates the requester from the shared privileged account by deleting the shared ID authorization account.01-27-2011
20100333187SUBSCRIBER BASED POLICY FOR SERVICE NETWORK GATEWAYS - A subscriber network can provide services. External applications can use the services on the subscriber network. A service access gateway can control application access to services of the subscriber network. The service access gateway can filter requests from an external application to access services on the subscriber network based on the customer for which the external application is accessing the service.12-30-2010
20110119751SYSTEM AND METHOD FOR REGULATING COMMUNICATIONS TO OR FROM AN APPLICATION - The flow of information to or from an application on a host machine is regulated by a trusted agent operating in conjunction with at least one security element, such as a firewall or a policy server. When a communication to or from the application is detected by the trusted agent, the trusted agent gathers information about the attempted communication, and formulates and sends a message based upon the gathered information to at least one security element. The security element makes a decision to permit or block at least part of the attempted communication based upon the message received from the trusted agent.05-19-2011
20110119749SYSTEM AND METHOD FOR FILTERING SIP-BASED SPAM - A system for filtering SIP (Session Initiation Protocol)-based spam includes a spam detection unit for receiving a SIP message where labeling is performed from a sending user agent and detecting the spam using a label in the SIP message. Further, the system includes a spam checking unit for checking a call recipient from the SIP message and confirming a spam policy previously set by the call recipient through a spam management server; and a spam filtering unit for filtering the spam based on the confirmed spam policy.05-19-2011
20110119750METHOD FOR IMPROVING NETWORK APPLICATION SECURITY AND THE SYSTEM THEREOF - A method for improving network application security and the system thereof are disclosed in the invention, relating to the field of information security. The method includes: a proxy server in a customer terminal host receives a protocol message, generated and sent by the customer terminal software according to the information input by a user, obtains the protocol content by parsing the protocol message, and determines whether critical information is included in the protocol content; if it is, the proxy server sends the protocol content to the smart key device. The smart key device obtains the critical information by parsing the protocol content and presents it to the user; after confirmation is received from the user, the smart key device signs the protocol content and sends the signature result to the proxy server, which then generates a new protocol message for an application server according to the signature result and the protocol content. If the user returns an error confirmation, or no confirmation is received within a predetermined time period, the smart key device performs exception handling. The system includes a smart key device and a proxy server in the customer terminal host. The invention improves network application security on the premise of no change to the customer terminal, and it is usable and compatible.05-19-2011
20110131645LOAD BALANCING AND FAILOVER OF GATEWAY DEVICES - Methods and systems for load balancing and failover among gateway devices are disclosed. One method provides for assigning communication transaction handling to a gateway. The method includes receiving a request for a license from a computing device at a control gateway within a group of gateway devices including a plurality of gateway devices configured to support communication of cryptographically split data. The method also includes assigning communications from the computing device to one of the plurality of gateway devices based on a load balancing algorithm, and routing the communication request to the assigned gateway device.06-02-2011
20090313690Method for establishing a multi-link access between a local network and a remote network, and corresponding appliance - The invention enables the different access links between a local network and a remote network to be used in a common and transparent manner. The invention is based on the use of various IP tunnels using the different access links between an appliance on the local network of the user and an appliance on the remote network. Said tunnels are embodied as a single link providing access to the remote network.12-17-2009
20110093944DETECTING ANOMALOUS WEB PROXY ACTIVITY - A method, system and apparatus for detecting anomalous web proxy activity by end-users are disclosed. The techniques include analyzing records from a web proxy log and determining whether the records contain anomalous end-user activity by inspecting a uniform resource locator and a connect instruction included therein. The techniques also include generating an alert in response to the analysis.04-21-2011
20100037308MULTI-SERVICE PROVIDER AUTHENTICATION - Network access providers implement interactive procedures and subscriber terminals employ embedded secure authentication structures and procedures to ensure that a satellite modem at the subscriber terminal accurately verifies the identity of a satellite modem terminal system at the location of the network access provider gateway facility during the satellite modem initialization process, so that the satellite modem will only attempt to acquire satellite resources from the appropriate (authenticated and authorized) satellite modem termination system. In a virtual downstream channel environment, diverse downstream channel feeds are distinguished by authentication procedures. The present invention differs from standard theft of service prevention because theft of subscriber prevention takes place in a virtual channel environment, where subscriber terminals have access to a plurality of virtual channels by the nature of the signal.02-11-2010
20100071053Presence Status Notification From Digital Endpoint Devices Through A Multi-Services Gateway Device At The User Premises - A gateway device for operation at a user premises to provide and manage application services provided for endpoint devices associated with the gateway device. The gateway device includes a communications client program to enable client-server communications between the gateway device and a remote communications server via the wide area network using a presence and networking message protocol. The gateway device utilizes at least one driver program with a driver communications protocol to communicate with, control, and manage associated endpoint devices. The communications client program interacts with the driver program, and the gateway device is configured to specify which associated endpoint devices, attributes and operations are exposed to the network via the communications client. The gateway device is configured to specify rules for presentation and/or notification of incoming presence and networking messages to the gateway device and the routing of those messages to the managed endpoint devices through their respective drivers.03-18-2010
20100071051System and method for exposing malicious sources using mobile IP messages - Malicious sources within networks are identified using bait traffic, including mobile IP messages, transmitted between a collaborating network device and a collaborating mobile client that has a fixed connection to the network. The bait traffic entices a malicious source to transmit malicious packets towards the collaborating mobile client and/or the network device. Upon receiving a malicious packet, the collaborating mobile client or the network device is able to identify the source of the packet as a malicious source and report the presence of the malicious source within the network.03-18-2010
20110093945USER-TYPE HANDLING IN A WIRELESS ACCESS NETWORK - A system, method, and apparatus in an access network such as the Generic Access Network (GAN) for providing user-type information to a Security Gateway (SEGW) or for enabling the SEGW to obtain user-type information for different user types so that the SEGW can apply specific security functions based on the user type. The invention may also provide user-type information to a controller node such as a GAN Controller (GANC) or may enable the GANC to obtain user-type information for application of security settings toward GAN-clients. An Authentication, Authorization and Accounting (AAA) Server may create a user-type indication internally, or may obtain an indication from a Home Location Register and forward the indication to the SEGW. The SEGW may forward the indication to the GANC, or the GANC may determine the user-type information internally or retrieve it from a database.04-21-2011
20120304277System and Method for Building Intelligent and Distributed L2 - L7 Unified Threat Management Infrastructure for IPv4 and IPv6 Environments - A security gateway appliance is configured to evaluate network traffic according to security rules that classify traffic flows according to specifically identified application programs responsible for producing and/or consuming the network traffic and to enforce policies in accordance with network traffic classifications. The appliance includes an on-box anti-virus/anti-malware engine, on-box data loss prevention engine and on-box authentication engine. One or more of these engines is informed by an on-box dynamic real time rating system that allows for determined levels of scrutiny to be paid to the network traffic. Security gateways of this type can be clustered together to provide a set of resources for one or more networks, and in some instances as the backbone of a cloud-based service.11-29-2012
20110088088Method of frame blocking for wireless device - A frame blocking method for a wireless device comprises the steps of: receiving a frame; determining whether the size of the frame complies with a predetermined size and, if so, proceeding; determining whether the frame complies with a predetermined frame format and, if so, proceeding; determining whether an IP address contained in the frame is the same as the currently used IP address pre-stored in the client device; if not, ignoring the frame, and if so, handling the frame by normal operations. Therefore, unnecessary frames can be blocked as early as possible so as to save power and improve overall communicating quality.04-14-2011
20110083174Dynamic Network Tunnel Endpoint Selection - Dynamically selecting an endpoint for a tunnel into an enterprise computing infrastructure. A client dynamically selects a gateway (which may alternatively be referred to as a boundary device or server) as a tunnel endpoint for connecting over a public network (or, more generally, an untrusted network) into an enterprise computing infrastructure. The selection is made, in preferred embodiments, according to least-cost routing metrics pertaining to paths through the enterprise network from the selected gateway to a destination host. The least-cost routing metrics may be computed using factors such as the proximity of selectable tunnel endpoints to the destination host; stability or redundancy of network resources for this gateway; monetary costs of transmitting data over a path between the selectable tunnel endpoints and destination host; congestion on that path; hop count for that path; and/or latency or transmit time for data on that path.04-07-2011
20110072507MULTI-IDENTITY ACCESS CONTROL TUNNEL RELAY OBJECT - In various embodiments, the present disclosure provides a system and method for establishing a secure tunnel between a client device and a remote server utilizing multiple user identities, and in some embodiments, a client device identity, to authenticate access to the remote server.03-24-2011
20100325718Automatic Firewall Configuration - One embodiment of a gateway router is equipped to recognize a trustworthy local server automatically, and to accept certain incoming connections to a local server that the router has recognized as trustworthy.12-23-2010
20100313262PROVISIONING REMOTE ACCESS POINTS - Provisioning remote access points for use in a telecommunication network. A remote access point contains identity information established during manufacturing; this identity information may be in the nature of a digital certificate. The identity information is stored in the remote access point, and may be stored in a Trusted Platform Module if present. When the remote access node is powered up in unprovisioned state, outside the manufacturing environment, it attempts to establish an internet connection via a first wired interface, and queries a user for information representing the TCP/IP address of its controller via a second wired interface. Once an internet connection is present, and a TCP/IP address has been provided, the remote access point attempts to connect to the controller at that address. The controller may filter connection requests through a whitelist of approved remote access points. Once a connection is established, controller and access point exchange and verify each other's identities. This may be done through the exchange and verification of digital certificates. Provisioning information is downloaded from controller to remote access point and installed. This may be done via a tunnel such as an encrypted tunnel. Software updates may be applied. The provisioned remote access point is placed in operation.12-09-2010
20100269169METHODS AND ARRANGEMENTS FOR SECURITY SUPPORT FOR UNIVERSAL PLUG AND PLAY SYSTEM - The present invention relates to nodes and methods for use in a Universal Plug and Play (UPnP) system to provide support for both UPnP security and mobility of security aware UPnP nodes. A gateway is arranged to provide remote access to a UPnP network to remote UPnP nodes via the gateway. The gateway comprises means for creating a virtual UPnP node for emulating internal presence of a remote UPnP node on the UPnP network. The virtual UPnP node is arranged to obtain and store security information associated with the remote UPnP node. The security information specifies how the remote UPnP node is authorized to interact with other UPnP nodes in the UPnP network. The security information may be used to filter messages from the UPnP network to the remote UPnP node.10-21-2010
20110154474METHOD, DEVICE, AND COMPUTER PROGRAM PRODUCT FOR DIFFERENTIATED TREATMENT OF EMAILS BASED ON NETWORK CLASSIFICATION - Method, device, and computer program product are provided for differentiated treatment of incoming and outgoing emails based on a network server. A server receives a query from a gateway, and the query includes information about an email received by the gateway. The server obtains rules for processing the email of the query. The server determines an identity for the email based on the rules for processing the email. The server transmits the identity to the gateway to cause the gateway to send the email having the identity to a post office server. The email having the identity is configured to cause the post office server to process the email based on the identity.06-23-2011
20100269170RULE GENERALIZATION FOR WEB APPLICATION ENTRY POINT MODELING - A security gateway receives messages, such as URL requests, rejected by a message filter based on a set of rules. The security gateway maintains frequencies with which the messages were rejected by the rules. The security gateway finds rejected messages having a high frequency of occurrence. Since messages having a high frequency of occurrence are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow similar messages to pass through the gateway.10-21-2010
20120204253METHOD AND APPARATUS FOR EXCHANGING DATA BETWEEN A USER EQUIPMENT AND A CORE NETWORK VIA A SECURITY GATEWAY - The present invention concerns a method and an apparatus for exchanging data between a user equipment and a core network via a security gateway. The invention concerns the establishment of an inactive pair of tunnel mode security associations between the UE and the security gateway, as well as the application of the pair of security associations when the UE detects attachment to or a need to attach to an untrusted access network.08-09-2012
20080229403Method and apparatus for providing wireless services to mobile subscribers using existing broadband infrastructure - Techniques for providing wireless services to mobile subscribers using existing broadband network infrastructures are described herein. In one embodiment, in response to a request received at a gateway device from a mobile subscriber over a radio access network (RAN) for accessing a service provider network, the gateway device authenticates the mobile subscriber for accessing the RAN, where the gateway device interfaces the RAN and the existing broadband network. Upon successfully authenticating the mobile subscriber for accessing RAN, the gateway device accesses a network service provider over the existing network to acquire a network address on behalf of the mobile subscriber optionally using at least a portion of credentials derived from the authentication, where the network address allows the mobile subscriber to access the service provider network. Other methods and apparatuses are also described.09-18-2008
20120204252SYSTEM AND METHOD FOR ENABLING VPN-LESS SESSION SETUP FOR CONNECTING MOBILE DATA DEVICES TO AN ENTERPRISE DATA NETWORK - A mobile application gateway configured to interconnect mobile communication devices on a cellular network with an enterprise network is provided. The mobile application gateway includes a voice and data signaling gateway configured to provide routing functionalities, service functionalities and admission control. A gateway GPRS support node (GGSN) is configured to establish a secure data session between one or more of the mobile communication devices and the enterprise network by establishing a GPRS tunneling protocol (GTP) tunnel between a carrier-hosted serving GPRS support node (SGSN) and the GGSN.08-09-2012
20100071052REVERSE PROXY ARCHITECTURE - Aspects of the subject matter described herein relate to a reverse proxy architecture. In aspects, a client that seeks to access a Web document via a proxy sends a request to the reverse proxy. The reverse proxy obtains the Web document from a server indicated by the request and modifies links therein so that if the links are clicked on or otherwise fetched by the client, the communication goes back to the reverse proxy. The reverse proxy may also modify cookies, if needed, so that the cookies refer to a domain or hostname associated with the reverse proxy.03-18-2010
20090241180System and Method for Data Transport - A data agnostic transport system that may be used for data objects such as email, calendar, notes, files, and multimedia.09-24-2009
20080320583Method for Managing a Virtual Machine - Methods for managing a virtual machine wherein an administration console (AC) (12-25-2008
20090138957METHOD AND APPARATUS OF MANAGING ENTITLEMENT MANAGEMENT MESSAGE FOR SUPPORTING MOBILITY OF DCAS HOST - A method of supporting a mobility of a Downloadable Conditional Access System (DCAS) host is provided. The method includes: by the second authentication proxy server: performing mutual authentication with a secure micro of the host to generate a session key; requesting an integrated personalization system to download a secure micro client to the host, wherein the secure micro client is encoded using the session key; and transmitting, to a DPS, mapping information between the second authentication proxy server and the secure micro of the host, wherein, in response to receiving the mapping information, the DPS instructs a CAS server to transmit an entitlement management message to the network of the second authentication proxy server without transmitting the entitlement management message to the network of the first authentication proxy server.05-28-2009
20080313729Method and Apparatus for Automatic Filter Generation and Maintenance - A method is disclosed for automatic filter generation and maintenance. From information transmitted on a network, a first device identifier and a second device identifier are detected. Based on the first and second device identifiers, a filter is automatically configured to deny network-transmitted information that attempts to establish an association between the first device identifier and a device identifier other than the second device identifier.12-18-2008
20110047612Method for Network Access, Related Network and Computer Program Product Therefor - A method of providing access of a mobile terminal to an IP network includes establishing a security association between the mobile terminal and a first security gateway of a first router in said plurality of routers. The mobile terminal is provided access to the IP network via the first router, and the data exchanged between the mobile terminal and the first router is encapsulated by using the security association. The security association is made available to at least one second router having a second security gateway. The mobile terminal is provided access to the IP network via the second router, and data exchanged between the mobile terminal and the second router is encapsulated by using the same security association. Establishing the security association includes assigning a Security Parameter Index that univocally identifies the first security gateway and the security association. Making the security association available to the second router includes making the Security Parameter Index available to the second router. The second router may thus have access to the security association either by requesting it from the first router or by identifying it in a set of security associations sent from the first router to a set of routers that are candidates to become the second router as a result of the mobility of the mobile terminal.02-24-2011
20110055915METHODS OF PROVIDING DIGITAL CONTENT TAILORED TO USERS OF PRIVATE NETWORKS WITHIN A PROTECTED VIRTUAL ENVIRONMENT - A method of communicating valuable digital information to users is provided that utilizes, in some cases, a proxy server to white list significantly greater amounts of information available on the internet to penetrate protective virtual barriers such as firewalls or walled gardens, and in which such digital information is conveyed in a significantly tailored arrangement by assessing more precise geographic location data of the user during the process.03-03-2011
20110055914PERSONAL INFORMATION LEAKAGE PREVENTIVE DEVICE AND METHOD - Conventional service providing systems personalized according to the user's information need to be provided with personal information. Therefore, there has been a problem that personal information might be leaked by service providers. A reliable proxy is installed between a user terminal and a service provider server to manage the personal information on the user. The proxy receives information necessary to create a content from the service provider server, creates a content reflecting the personal information from the information necessary to create the content, and transmits it to the user's terminal. A countermeasure against estimation of personal information is taken even for a request of a user to acquire a sub-content and so forth.03-03-2011
20110119748VIRTUAL COMPUTING INFRASTRUCTURE - A system has a virtual overlay infrastructure mapped onto physical resources for processing, storage and network communications, the virtual infrastructure having virtual entities for processing, storage and network communications. Virtual infrastructures of different users share physical resources but are isolated and have their own management entities. An interface between infrastructures allows controlled relaxation of the isolation, using a gateway between virtual nets, or shared virtual storage devices. This can allow businesses to share data or applications, while maintaining control of security.05-19-2011
20120311691SYSTEMS AND METHODS FOR DECOY ROUTING AND COVERT CHANNEL BONDING - Systems, methods, and devices for decoy routing and covert channel bonding are described. The decoy routing system includes a client computing device, a decoy router, and a decoy proxy such that packets addressed to a decoy destination are re-routed by the decoy router to a covert destination via the decoy proxy. The decoy routing method may be applied to a covert channel bonding process, in which a plurality of packet data streams are sent to one or more decoy destinations, re-routed appropriately via one or more decoy routers and/or decoy proxies, and assembled together into a single packet data stream at either a decoy proxy, or a final covert destination.12-06-2012
20110126276CROSS PLATFORM GATEWAY SYSTEM AND SERVICE - A method, system, and apparatus for delivering content to a user of a registered platform are provided. Assets retrieved from a number of content sources may be stored on a database at a service provider. Information related to a number of content items retrieved from the assets may be presented to the user of the registered platform. In response to a request from the user, a content item associated with a content source may be delivered to the user without a need for user authentication.05-26-2011
20090113537PROXY AUTHENTICATION SERVER - Techniques and systems for allowing a client to interact with a Microsoft Windows Server via a proxy authentication server are disclosed. Instead of engaging in the NTLM authentication protocol with a Microsoft Windows Server directly, a client may interact with a proxy authentication server. The proxy authentication server may perform all of the necessary NTLM interactions with the Microsoft Windows Server. Thus, the proxy authentication server authenticates itself with the Microsoft Windows Server, and acts as the client's agent. Because the client does not directly interact with the Microsoft Windows Server, the client does not need to authenticate itself with the Microsoft Windows Server; instead, after the proxy authentication server authenticates itself with the Microsoft Windows Server, the client can transact the client's business with the Microsoft Windows Server through the authenticated proxy authentication server. The proxy authentication server can act on behalf of multiple different clients in a network.04-30-2009
20100205665SYSTEMS AND METHODS FOR ENFORCING POLICIES FOR PROXY WEBSITE DETECTION USING ADVERTISING ACCOUNT ID - In embodiments of the present invention improved capabilities are described for systems and methods that enforce policies with respect to proxy communications.08-12-2010
20100242105SYSTEMS AND METHODS FOR SELECTIVE AUTHENTICATION, AUTHORIZATION, AND AUDITING IN CONNECTION WITH TRAFFIC MANAGEMENT - The present invention provides a system and method for authentication of network traffic managed by a traffic management virtual server. A traffic management virtual server may determine that a client has not been authenticated from a request of the client to access a server. Responsive to the request, the traffic management virtual server may transmit a response to the client with instructions to redirect to an authentication virtual server. The authentication virtual server may receive a second request from the client. The authentication virtual server may then authenticate credentials received from the client and establish an authentication session for the client. Further, the authentication virtual server may transmit a second response to redirect the client to the traffic management virtual server. The second response identifies the authentication session. The traffic management virtual server then receives a request from the client with an identifier to the authentication session.09-23-2010
20090300749METHOD AND SYSTEM FOR DEFEATING THE MAN IN THE MIDDLE COMPUTER HACKING TECHNIQUE - A method for constructing a secure Internet transaction, the method includes: receiving a user identification (userid) and user password on a client device for filling out a form generated by a secure web site; concatenating the user's Internet Protocol (IP) address with a separate password that is maintained on the secure web site that the user is authenticating to; encrypting the concatenated user IP and separate password to form an Internet Protocol password (IPPW); wherein the encrypting is carried out with asymmetric public-key cryptography using a public key; building a transaction consisting of the IPPW and userid; transmitting the transaction and form via a network towards the secure web site; wherein in response the secure website performs the following: decrypts the IPPW, and determines if the IP portion of the decrypted IPPW is equal to the user's IP address.12-03-2009
20090300750Proxy Based Two-Way Web-Service Router Gateway - A system for providing two-way Web services is disclosed that enables the client and server to be in different enterprise domains, behind firewalls, with few or no changes to the firewalls. In accordance with the illustrative embodiment, a "tunnel hub" is deployed in the public domain and "tunnel gateways" are deployed behind the firewalls where the clients request two-way services and the servers provide two-way services. Each tunnel gateway initiates a secure tunnel out through the firewall to the target hub. Thereafter, a request for service enters the tunnel gateway, travels to the tunnel hub and on to the appropriate tunnel gateway where the server that provides the service is located. When the server provides the service, the response enters the tunnel gateway, travels to the tunnel hub and on to the appropriate tunnel gateway where the client that requested the service is located.12-03-2009
20090293113CONTROLLED DELIVERY OF EVENT INFORMATION TO IPTV USERS - A method and a gateway are provided for controlling delivery of event information to users sharing a user device. The gateway is informed of activity states of each user sharing a same user device. Events related to services used by the users are detected by the gateway. Because some users of a same device may be active while others are inactive, the gateway verifies the activity state of each user for whom an event is detected. Active users are informed of events that are of interest for them.11-26-2009
20090282471NAMED SOCKETS IN A FIREWALL - A proxy device such as a firewall uses an internal socket namespace such as a text string such that connection requests must be explicitly redirected to a listening socket in the alternate namespace in order to connect to a service. Because external connections cannot directly address the listening socket or service, greater security is provided than with traditional firewall or proxy devices. To receive a redirected proxy connection, a service process creates a listening socket and binds a name in an alternate namespace to the socket before listening for connections.11-12-2009
20110191844TECHNIQUES FOR MANAGING SECURITY IN NEXT GENERATION COMMUNICATION NETWORKS - Disclosed techniques provide enhanced security for a communications network. Access terminal devices intended for operation via the network are expected to have security agent functionality, e.g. in the form of security agent software loaded into or otherwise enabled on each of the access terminal devices. Registration procedures include verification that such an agent is present/enabled on an access terminal and that the agent currently implemented on the terminal device provides adequate security for the communications network against malicious traffic from that device.08-04-2011
20100031338Collaboration gateway - Method for exchanging information between heterogeneous secured networks. Method supports synchronous communications across security domains including text chat, instant messaging, audio applications, video applications, and whiteboard collaboration. The invention intercepts incoming information traffic on either side and employs a guard for filtering information traffic between security domains according to a policy engine.02-04-2010
20100031339Streaming Media Service For Mobile Telephones - A mobile client (02-04-2010
20090064307Systems and/or methods for streaming reverse HTTP gateway, and network including the same - In certain example embodiments of this invention, there is provided systems and/or methods for a streaming reverse HTTP gateway, and/or networks including the same. In such a network, a reverse HTTP gateway is located within a demilitarized zone (DMZ) disposed between public (or external) and private (or internal) networks for providing security therebetween. Requests from external clients may be streamed from the external network to the internal network over various connections and ports, including a substantially persistent reverse connection between an internal server and a reverse HTTP gateway. The reverse HTTP gateway architecture of certain example embodiments removes the need for proprietary protocols implemented between the reverse HTTP gateway located in the DMZ and the internal server located in the internal network. In certain example embodiments, the reverse HTTP gateway architecture is configured to leverage the capabilities of HTTP 1.1.03-05-2009
20110307950Net-Based Email Filtering - A local gateway device receives email across the internet from a sender of the email and forwards it across the internet to an email filtering system. The email filtering system analyzes the email to determine whether it is spam, phishing or contains a virus and sends it back to the local gateway device along with the filtered determination. The local gateway device forwards the received email and the filtered determination to a local junk store which handles the email appropriately. For example, if the email has been determined to be spam, phishing or containing a virus, the junk store can quarantine the email, and if the email has been determined to be non-spam and/or not phishing and/or not containing a virus, the junk store can forward the email to a local mail server for delivery.12-15-2011
20120060211Detecting Secure or Encrypted Tunneling in a Computer Network - Aspects of the present disclosure relate to a computer assisted method for detecting encrypted tunneling or proxy avoidance which may include electronically receiving information from a proxy server, extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information, determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds and attempting to negotiate a standard HTTPS session with each of the at least one destination. Further, the computer assisted method may further include, for each of the at least one destination, determining whether the destination is hosting an encrypted tunneling or proxy avoidance application, wherein such a determination may be based on characteristics of a Secure Socket Layer (SSL) certificate associated with the destination or a response received from the destination over a TCP/IP connection.03-08-2012
20120210417DISTRIBUTED FIREWALL ARCHITECTURE USING VIRTUAL MACHINES - A distributed firewall of a gateway device includes at least one IO module for performing IO functionality of the distributed firewall, at least one security processing module for performing security functionality of the distributed firewall and a firewall controller for managing the IO module and the security processing module. Each of the at least one IO and security processing modules is executed within a virtual machine. In response to a packet received from an ingress interface, the at least one IO module is to identify a security processing module corresponding to a connection session associated with the packet, to transmit the packet to the identified security processing module to perform a security process on the packet, and in response to a signal received from the identified security processing module indicating that the security process has been completed, to transmit the packet to the egress interface.08-16-2012
20120005742METHOD AND SYSTEM FOR HANDLING SECURITY IN AN IP MULTIMEDIA GATEWAY - An IP multimedia gateway (IMG) may be operable to identify a client device which may not currently possess a security capability that is compatible with a security capability of a service manager for receiving a service from the service manager. A security process between the client device and the service manager may be enabled by the IMG to enable the client device to receive the service from the service manager. The client device may be local to the IMG or remote with respect to the IMG. The IMG may enable an authentication process between the client device and the service manager by performing authentication translation. The IMG may enable a cryptography process between the client device and the service manager by performing cryptography translation. The IMG may enable an authorization process for authorizing the client device to access a particular content by performing access control conversion.01-05-2012
20120011582SECURE NETWORK RESOURCE ACCESS SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data.01-12-2012
20120011581SECURE NETWORK RESOURCE ACCESS SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data.01-12-2012
20120023569SECURE NETWORK RESOURCE ACCESS SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data.01-26-2012
20120023571IDENTITY-BASED-ENCRYPTION MESSAGE MANAGEMENT SYSTEM - Systems and methods for managing email are provided. Some of the email may be encrypted using identity-based-encryption (IBE) techniques. When an incoming IBE-encrypted message for a recipient in an organization is received by a gateway at the organization, the gateway may request an IBE private key from an IBE private key generator. The IBE private key generator may generate the requested IBE private key for the gateway. The gateway may use an IBE decryption engine to decrypt the incoming message. The decrypted message can be scanned for viruses and spam and delivered to the recipient. Outgoing email messages can also be processed. If indicated by message attributes or information provided by a message sender, an outgoing message can be encrypted using an IBE encryption engine and the IBE public key of a desired recipient.01-26-2012
20120023570WEB VPN - Web-based VPN system and corresponding service. The inventive web VPN system/service could be accessed by the users using only a conventional web browser without the need to install any specialized VPN client software on the user terminal, as is the case with conventional VPN systems. The user's terminal could be a user's desktop computer, notebook or a mobile device, such as a cell phone or a PDA, or any other computing platform whatsoever, used by the user to access various network resources, such as web pages. One aspect is a web VPN service that encrypts, using, for example, SSL encryption, all web traffic going between the user's terminal and the Internet. The system comprises a VPN server/proxy and an associated web server accessible by the user via a communication network, such as the Internet. The web server associated with the VPN server/proxy communicates with the latter and enables the user to access and use the functionality provided by the private VPN server/proxy by means of a conventional web browser installed on the user's terminal.01-26-2012
20120159606CODE DOMAIN ISOLATION - A method for achieving code domain isolation. A first set of data is received in a first domain format. The first set of data is changed to a second domain format. The first set of data in the second domain format is captured. The first set of data in the second domain format is changed to a third domain format. The first set of data in the third domain format is prepared for receipt by a user computer system.06-21-2012
20080320582REAL-TIME INDUSTRIAL FIREWALL - Providing for employing a real time firewall to secure components of an automation control network from unauthorized communication to or from such components is disclosed herein. A monitoring component can inspect at least a portion of an instance of communication directed toward or originating from a component of the automation control network. Such inspection can, e.g., be a deep packet inspection based on information received from a communication request and/or response protocol. A filtering component can selectively admit or deny propagation of the instance of communication based on the inspection and a predetermined security criterion. In such a manner, the subject innovation can provide for limited access to network components from office network machines and for securing components of an automation control network from influence by unauthorized entities.12-25-2008
20120124660VIRTUAL PRIVATE NETWORK NODE INFORMATION PROCESSING METHOD, RELEVANT DEVICE AND SYSTEM - A Virtual Private Network (VPN) node information processing method and a VPN node information processing device are provided, in which the method comprises: receiving an access request message sent by a node, in which the access request message at least carries authentication information, a current real Internet Protocol (IP) address, a node name and information indicating whether to accept extranet connection of the node; allocating a virtual IP address for the node when the authentication information of the node is correct; and registering the current real IP address, the node name, the information indicating whether to accept the extranet connection, and the virtual IP address of the node as registration information. Through the method and the device, when a node is added into a VPN, configuration of other nodes does not need to be adjusted.05-17-2012
20110107413METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR PROVIDING A VIRTUAL PRIVATE GATEWAY BETWEEN USER DEVICES AND VARIOUS NETWORKS - A communication network is operated by receiving traffic from a user device at a gateway device associated with a gateway service provider, which manages gateways to both secure and insecure networks. The gateway uses security policies to determine if traffic is destined to the secure or insecure network and applies appropriate policies which cause the traffic to be routed, dropped, or analyzed.05-05-2011
20100095367DYNAMIC ACCESS CONTROL POLICY WITH PORT RESTRICTIONS FOR A NETWORK SECURITY APPLIANCE - A network security appliance supports definition of a security policy to control access to a network. The security policy is defined by match criteria including a layer seven network application, a static port list of layer four ports for a transport-layer protocol, and actions to be applied to packet flows that match the match criteria. A rules engine dynamically identifies a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets. The rules engine is configured to apply the security policy to determine whether the packet flow matches the static port lists specified by the match criteria. The network security appliance applies the actions specified by the security policy to the packet flow.04-15-2010
20110099620 | Malware Detector - A transparent proxy for malware detection includes a monitor module, a protocol determination module, a challenge generation module, a response determination module, and a data control module. The monitor module examines data originating from an application towards a remote server. The protocol determination module identifies the protocol type used for the data. The challenge generation module produces a challenge for the application based upon the protocol type, sends the challenge to the application, and maintains a state related to the data and the challenge. The response determination module makes a determination if an automatic non-interactive application response is received in response to the challenge from the application. The data control module allows the first data to continue to the remote server when the determination is valid. The data control module reports malware detection and blocks the data to continue to the remote server when the determination is invalid. | 04-28-2011
20090133114 | METHOD FOR IMPLEMENTING AN INTERNET PROTOCOL (IP) CHARGING AND RATING MIDDLEWARE PLATFORM AND GATEWAY SYSTEM - A method for Internet Protocol (IP) charging and rating gateway within a system having: (i) a proxy server for connection to an Authentication, Authorization, and Accounting (AAA) server; (ii) an access gateway; (iii) an IP classification engine for connection between a data network and the access gateway; and (iv) a gateway controller connected to the proxy server and the IP classification engine, including the steps of: (a) receiving IP packets at the IP classification engine, the IP packets originating from the data network and destined for a subscriber device via the access gateway; (b) classifying the IP packets according to the protocol of each of the packets at the IP classification engine; and (c) selectively instructing the IP classification engine to permit or deny the flow of IP packets between the data network and the access gateway at the gateway controller. Preferably, the proxy server is configured to emulate the access gateway and the AAA server. | 05-21-2009
20090133113 | ADDING CLIENT AUTHENTICATION TO NETWORKED COMMUNICATIONS - A pass-through agent receives a request from a client and authenticates the client before forwarding the request to a target server that lacks client authentication capability. The target server is configured to accept requests from the pass-through agent, and may be configured to reject requests that do not come from the pass-through agent. | 05-21-2009
20120222107 | METHOD AND APPARATUS FOR PROVIDING PROXY-BASED ACCESS CONTROLS - An approach is provided for proxy-based access controls. A proxy platform causes, at least in part, designation of at least one monitoring client of a proxy server. The proxy platform receives an input for associating one or more accessing clients with the at least one monitoring client. The at least one monitoring client manages access to one or more resources of the proxy server by the one or more accessing clients. | 08-30-2012
20090158416 | Proxy with Layer 3 Security - A proxy system may use Layer 3 security mechanisms to establish secure communications between two devices. Each device may establish a secure session with the proxy using the same or a different configuration of a secure session. The proxy may pass traffic between the two devices and perform translation of the traffic between the two secure sessions. The proxy may also perform application layer gateway translations for communication traffic. Some embodiments may comprise a distribution or master proxy that may assign a communication session to a slave proxy in a scalable architecture. | 06-18-2009
20120216272 | ROUTING VOIP CALLS THROUGH MULTIPLE SECURITY ZONES - Call setup signaling is performed across at least a first security zone, a second security zone, and a third security zone to set up a call. At least one gate is then established between the first security zone and the third security zone to enable traffic flow for the call between the first security zone and the third security zone. | 08-23-2012
20120254977 | METHOD, DEVICE, AND SYSTEM FOR NETWORK ATTACK PROTECTION - The present invention discloses a method for network attack protection, a device, and a system thereof. The method includes: receiving information about an attack source, in which the information about the attack source carries address information about an attacker; obtaining address information about a gateway corresponding to the attacker according to the address information about the attacker and a preset mapping relationship between the attacker and the gateway corresponding to the attacker; and sending a first control message to the gateway corresponding to the attacker according to the address information about the gateway corresponding to the attacker, wherein the first control message instructs the gateway corresponding to the attacker to control traffic of the attacker. The present invention may be used on a communications network to prevent the attacker from attacking victim hosts on the network at the root, and to avoid blockage on the upstream network of the victim hosts. | 10-04-2012
20090089873 | SERVER MESSAGE BLOCK (SMB) SECURITY SIGNATURES SEAMLESS SESSION SWITCH - The present invention relates to systems, apparatus, and methods of securely transmitting data between a client and a server. The method includes receiving an initial security message from the client. The security message is to establish security between the server and the client. Further, the client's security parameters are set to enabled and not required. The method further includes forwarding the initial security message to the server and intercepting a security response from the server. The response includes security data and security parameters set to enabled and required. The method includes extracting the security data from the security response, and using the security data to establish a secure socket connection between the proxy server and the server. Furthermore, the method alters the request by changing the security parameters to not enabled and not required, and transmits the altered request and establishes a non-secure socket connection. | 04-02-2009
20120137357 | SYSTEM AND METHOD FOR TESTING NETWORK FIREWALL FOR DENIAL-OF-SERVICE (DOS) DETECTION AND PREVENTION IN SIGNALING CHANNEL - A device may measure a first performance, associated with legitimate traffic without attack traffic, of a Session Initiation Protocol (SIP)-based protection device implementing authentication; measure a second performance, associated with legitimate traffic and attack traffic, of the SIP-based protection device implementing authentication; and measure a third performance, associated with legitimate traffic and attack traffic, of the SIP-based protection device implementing authentication and return routability filtering. The device may also measure a first performance associated with legitimate traffic of a Session Initiation Protocol (SIP)-based protection device implementing rate-limiting filtering; measure a second performance associated with legitimate traffic and attack traffic of the SIP-based protection device implementing scheme filtering; and measure a third performance associated with legitimate traffic of the SIP-based protection device not implementing rate-limiting filtering without attack traffic. | 05-31-2012
20120216271 | SYSTEM AND METHOD FOR INTERLOCKING A HOST AND A GATEWAY - A method is provided in one example embodiment and includes exchanging a session descriptor associated with a network connection and an application on a host, correlating the session descriptor with a network policy, and applying the network policy to the network connection. In alternative embodiments, the session descriptor may be exchanged through an out-of-band communication channel or an in-band communication channel. | 08-23-2012
20100175123 | ADDRESS TRANSLATION DEVICE AND ADDRESS TRANSLATION METHOD - In order to more efficiently use port resources, which are finite global address resources assigned to an address translation device, the address translation device holds a session-port assignment table showing a correspondence between an existing session and a local endpoint (port resource) in the address translation device, and a port assignment rule indicating port usage about assignable ports. An address translation unit translates address information of a packet received according to the correspondence between the existing session and the port resource shown in the session-port assignment table, and assigns the port according to the port usage indicated by the port assignment rule for a packet for opening a new session. An assignment rule update unit changes a ratio of the port usage in the port assignment rule while the correspondence between the existing session and the port resource in the session-port assignment table is not changed. | 07-08-2010
20120317637 | COMMUNICATION BETWEEN PRIVATE NETWORK AND PUBLIC NETWORK - A first device in a private network is assigned a public network address that is shared in the private network, and a port number range that uniquely identifies the first device in the private network. The first device sends a network device an outgoing packet which is intended for a second device in the public network. The outgoing packet includes the assigned public network address as a source network address, a port number within the assigned port number range as a source port number, and a public network address of the second device as a destination network address. The packet is transmitted by the network device to the second device, according to the destination network address. | 12-13-2012
20100011433 | METHOD OF CONFIGURING A SECURITY GATEWAY AND SYSTEM THEREOF - There is provided a rule-set generator and a method of automated configuration of a security gateway. The method comprises setting up an initial rule-set; obtaining log records of communication events corresponding to the initial rule-set so as to obtain a sufficient amount of log records; transforming the obtained log records into respective rules, wherein the source, destination and service fields in each rule correspond to the source, destination and service values in the respective obtained log record, and the action in all rules is defined as "Accept", thus giving rise to a transformation-based rule-set; and processing the transformation-based rule-set so as to generate an operable rule-set. | 01-14-2010
20120084852 | Walled Garden System for Providing Access to One or More Websites that Incorporate Content from Other websites and Method Thereof - A cleared sites list includes one or more hostname descriptors. A firewall includes rules associated with a cleared IP list including cleared IP addresses, and permits transfer of a cleared HTTP request from a user device to a cleared destination IP address that matches one of the cleared IP addresses. A controller examines a non-cleared HTTP request from the user device to a non-cleared destination IP address that does not match one of the cleared IP addresses, and acts as a transparent proxy between the user device and the non-cleared destination IP address when a destination host header of the non-cleared HTTP request matches a hostname descriptor of the cleared sites list. The controller further acts as a transparent proxy between the user device and the non-cleared destination IP address when a referrer header of the non-cleared HTTP request matches a hostname descriptor of the cleared sites list. | 04-05-2012
20120227101 | Method for providing media communication across firewalls - The present invention supports a method for transmitting information packets across network firewalls. A trusted entity is provisioned with an address designation for a pinhole through the firewall during setup of a communication session between two communication devices. This pinhole address is used throughout the communication session between the two communication devices to transmit information packets onto and out of the communication network. | 09-06-2012
20090019535 | METHOD AND REMOTE SYSTEM FOR CREATING A CUSTOMIZED SERVER INFRASTRUCTURE IN REAL TIME - A system and method enabling creation of a server environment in real or near-real time. Major elements of the system include a provisioning engine that controls server chassis coupled to a frontend network and a backend network. The frontend network enables connection of any server to the Internet or an intranet through a firewall and IDS security systems. The backend network couples specific servers to specific storage resources of a network storage. A GUI or direct API functions enable a user to specify server environment parameters, and the provisioning engine then controls the frontend and backend networks and other system elements to create the specified server environment. | 01-15-2009
20080301797 | Method for providing secure access to IMS multimedia services to residential broadband subscribers - The present invention provides a method for providing secure access for a communication unit to an IP Multimedia Network in a communication system. The communication system includes a local area network (LAN), an Internet, and the IP Multimedia Network. A first secure connection is established between the LAN and the IP Multimedia Network. The first secure connection traverses the Internet. Secure access is provided to the communication unit by utilizing the first secure connection and a second connection between the communication unit and the LAN. | 12-04-2008
20080301796 | Adjusting the Levels of Anti-Malware Protection - A client transmits requests via a gateway to a server in a network environment. The requests indicate content on a server to be transmitted as part of a download process. The gateway receives into its memory the requested content and also maintains characteristics of the server and the client. The gateway adjusts the depth of scanning of the content for malware based on the retrieved server and client characteristics in order to optimize a balance between effectiveness of anti-malware scanning and the resulting user experience. | 12-04-2008
20120266231 | Secure Network Cloud Architecture - Apparatuses, computer readable media, methods, and systems are described for requesting creation of a virtual machine (VM) in a cloud environment comprising a virtual private cloud. Through various communications between a cloud DMZ, cloud provider, and/or company's network, a VM instance may be securely created, initialized, booted, unlocked, and/or monitored through a series of interactions building, in some examples, upon a root of trust. | 10-18-2012
20120240214 | SYSTEM, METHOD OF AUTHENTICATING INFORMATION MANAGEMENT, AND COMPUTER-READABLE MEDIUM STORING PROGRAM - In response to a service request designating a service identifier, a proxy server reads out at least two processing system identifiers corresponding to the designated service identifier from a first storage unit, and transmits an acquisition request containing the read-out at least two processing identifiers to a management server. The management server acquires respective authentication information items corresponding to the at least two processing identifiers contained in the received acquisition request from a second storage unit, and transmits the acquired authentication information items to the proxy server. The proxy server transmits user authentication requests for respective processing systems containing the received authentication information items to the at least two processing systems, respectively. | 09-20-2012
20110047611 | User Role Mapping in Web Applications - Roles and policies are used to provide display and access to data in a flexible manner. Users and/or web applications can be mapped to user roles that dictate which displays or other application resources are available to the user or application. Roles are assigned to web applications individually, allowing for user roles to be used without requiring an independent mapping of users to roles. In some cases, application roles can be centrally managed, so that presentation systems also avoid the need for an independent mapping of user or application roles. | 02-24-2011
20110047610 | Modular Framework for Virtualization of Identity and Authentication Processing for Multi-Factor Authentication - An identity access appliance works in conjunction with the edge network devices and provides the necessary protocol authentication, user authentication statement, authorization summary and its attributes. Besides authentication, these appliances protect the infrastructure against intrusions such as possible authentication vulnerabilities, authentication connection attacks, denial of service attacks, spam and scanning/hacking of the credentials, in a short span of time, and generate real-time alerts, statistics and reports. | 02-24-2011
20120324567 | Method and Apparatus for Home Network Discovery - Methods of remotely discovering information of hosts connected to a local area network (LAN) are provided. Electronic communications sent from a gateway behind which the LAN is configured are received by a remote server connected to a wide area network (WAN). The electronic communications include information of a list of hosts connected to the LAN, a log of LAN events, or diagnostic data concerning the LAN. Apparatus for remotely discovering information of hosts or devices connected to a LAN behind a gateway are also disclosed. | 12-20-2012
20120324565 | NEURAL NETWORK DATA FILTERING AND MONITORING SYSTEMS AND METHODS - Systems and methods are disclosed for filtering data in a neural network environment to filter out inappropriate content. In some embodiments, a data signal including a sensible representation is received. The sensible representation included in the data signal is produced in a sensible format. From the sensible representation in the sensible format, a clean copy of the sensible representation can be generated such that any inappropriate content present within the received data signal is not reproduced in the clean copy. Optionally, additional filtering can occur before and/or after the generating of the clean copy. The (filtered) clean copy of the sensible representation is sent to a network. Embodiments can permit the filtering of input to and/or output from a network. | 12-20-2012
20120324566 | Takeover Processes In Security Network Integrated With Premise Security System - An integrated security system is described comprising a gateway located at a first location. The gateway includes a takeover component that establishes a coupling with a first controller of a security system installed at the first location. The security system includes security system components coupled to the first controller. The takeover component automatically extracts security data of the security system from the first controller. The gateway automatically transfers the security data extracted from the controller to a second controller. The second controller is coupled to the security system components and replaces the first controller. | 12-20-2012
20110239289 | System and Method to Associate a Private User Identity with a Public User Identity - The inventive system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user's public user identity used to access the public application, the user's private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record. If they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record. | 09-29-2011
20120278877 | Takeover Processes In Security Network Integrated With Premise Security System - An integrated security system is described comprising a gateway located at a first location. The gateway includes a takeover component that establishes a coupling with a first controller of a security system installed at the first location. The security system includes security system components coupled to the first controller. The takeover component automatically extracts security data of the security system from the first controller. The gateway automatically transfers the security data extracted from the controller to a second controller. The second controller is coupled to the security system components and replaces the first controller. | 11-01-2012
20120102562 | SECURING NETWORK COMMUNICATIONS WITH LOGICAL PARTITIONS - Embodiments of the present invention provide methods, systems, and computer program products that enable secure network communications with logical partitions. A gateway between a physical network adapter and at least one virtual network trunk adapter receives a packet. The gateway tags the packet with an indication of an origin of the packet. The gateway delivers the tagged packet to an intrusion prevention system for intrusion analysis. When the gateway receives the tagged packet from the intrusion prevention system, the gateway forwards the tagged packet according to the indication of origin of the tagged packet. | 04-26-2012
20100199346 | SYSTEM AND METHOD FOR DETERMINING SYMANTIC EQUIVALENCE BETWEEN ACCESS CONTROL LISTS - Aspects of the invention pertain to analyzing and modifying access control lists that are used in computer networks. Access control lists may have many individual rules that indicate whether information can be passed between certain devices in a computer network. The access control lists may include redundant or conflicting rules. An aspect of the invention determines whether two or more access control lists are equivalent or not. Order-dependent access control lists are converted into order-independent access control lists, which enable checking of semantic equivalence of different access control lists. Upon conversion to an order-independent access control list, lower-precedence rules in the order-free list are checked for overlap with a current higher precedence entry. If overlap exists, existing order-free rules are modified so that spinoff rules have no overlap with the current entry. This is done while maintaining semantic equivalence. | 08-05-2010
20100132029 | USING STATISTICAL ANALYSIS TO GENERATE EXCEPTION RULES THAT ALLOW LEGITIMATE MESSAGES TO PASS THROUGH APPLICATION PROXIES AND GATEWAYS - A security gateway receives messages rejected by a message filter based on a set of rules. The security gateway also receives attributes of the rejected messages that triggered the rules. The security gateway maintains frequencies with which the messages with a particular attribute were rejected by the rules. The security gateway finds rejected messages or attributes having a high frequency of occurrence. Since messages or attributes having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow messages that have similar attributes to pass through the gateway. | 05-27-2010
20080250490 | Authenticated session replication - Apparatus, systems, and methods may operate to receive, at an authentication agent in a first local area network (LAN), a virtual proxy authentication identification from a virtual proxy serving as a single point of trust for a second LAN across a wide area network. The virtual proxy authentication identification may be included in a modified session message originated within the second LAN. As a result, the apparatus, systems, and methods can operate to transmit content associated with the modified session message to a first plurality of individual proxy modules in the first LAN. Additional apparatus, systems, and methods are disclosed. | 10-09-2008
20080244724 | Consumer computer health validation - Consumer computers that are not properly configured for safe access to a web service are protected from damage by controlling access to web services based on the health of the client computer. A client health web service receives health information from the client computer, determines the health status of the consumer computer, and issues a token to the consumer computer indicating its health status. The consumer computer can provide this token to other web services, which in turn may provide access to the consumer computer based on the health status indicated in the token. The client health web service may be operated as a web service specifically to determine the health of consumer computers or may have other functions, including providing access to the Internet. Also, the health information may be proxied to another device, such as a gateway device, that manages interactions with the client health web service. | 10-02-2008
20080235782 | PROVIDING REMOTE SERVICES TO LEGACY APPLICATIONS - A developer can provide complex services to existing legacy applications using one or more components configured to tap into a service abstraction framework. In one implementation, for example, a developer of a remote service provider adds one or more authentication attributes to the remote service provider, and further creates a local client driver that incorporates a client proxy. When a legacy application generates a function request (e.g., to print, send a text message, initiate a voice communication), the client proxy intercepts the request through an appropriate communication subsystem, and relays the request to the server proxy. The server proxy determines the extent to which authentication measures may be required. If required, the client proxy can initiate out-of-band processing with various authentication managers to validate/process the request at the remote service provider. | 09-25-2008
20120254978 | POLICY-BASED CONTENT FILTERING - Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a network connection is redirected by a networking subsystem implemented within a kernel of an operating system of a firewall device to a proxy module within the firewall device that is configured to support a network service protocol associated with the network connection. The proxy module retrieves one or more content processing configuration schemes associated with a matching firewall policy for the network service protocol and the network connection. The content processing configuration schemes each include multiple content processing configuration settings for each of one or more network service protocols. Application-level content of a packet stream associated with the network connection is then processed by the proxy module reassembling the application-level content from multiple packets of the packet stream and scanning the application-level content based on the retrieved content processing configuration schemes. | 10-04-2012
20130091560 | SEAMLESS DATA NETWORKING - A roaming client in communication with an enterprise site through a virtual private network (VPN) gateway maintains an address for a virtual network interface upon becoming a resident client at the enterprise site. A physical interface for the resident client includes two valid addresses. Seamless data networking is achieved while promoting routing efficiency by reducing the amount of local traffic addressed to and from the virtual address that is unnecessarily routed through VPN gateways. | 04-11-2013
20130104224 | NETWORK RESOURCE COMMUNICATION SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 04-25-2013
20130104222 | NETWORK RESOURCE CONTROL SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 04-25-2013
20130104225 | SECURE NETWORK RESOURCE ACCESS SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 04-25-2013
20130104223 | NETWORK RESOURCE COMMUNICATION SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 04-25-2013
20130104226 | METHOD AND SYSTEM FOR SECURING A THIRD PARTY COMMUNICATION WITH A HOSTING WEB PAGE - A method and system for securing hosting web pages from malicious third party modules. The method includes uploading a third party module to a hosting web page; validating a proxy API call received from the third party module, wherein the proxy API call includes at least a payload parameter provided by the third party module; generating an engine API call including at least the payload parameter; validating the engine API call; and executing the payload parameter if the engine API call is validated. | 04-25-2013
20110061099 | UPLOAD SECURITY SCHEME - The need for upload security arises during content sharing between users in communication link with each other and a server. In one embodiment, providing the upload security involves the server identifying a mobile device that sends an upload message destined to a user. Providing the upload security further involves the server accessing opt-in parameters predetermined by the user, determining if the identity of the sending mobile device is included in the opt-in parameters, and, if so, allowing the upload to the user's account, otherwise blocking the upload. The opt-in parameters include the identity of mobile devices that are authorized by the user to upload data to the user's account. In one embodiment, the communication link includes a wireless carrier network with capability for security screening of the upload message before it reaches the server based on the identity of the wireless carrier network. | 03-10-2011
20080282337CONTENT FILTERING OF REMOTE FILE-SYSTEM ACCESS PROTOCOLS - Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a transparent proxy running within a network gateway logically interposed between a client and a server intercepts remote file-system access protocol requests/responses. Responsive to receipt of a remote file-system access protocol request from the client, the network gateway issues the remote file-system access protocol request to the server on behalf of the client. The network gateway buffers into a holding buffer associated with the network gateway data being read from or written to a file associated with a share of the server. Then, responsive to a predetermined event in relation to the remote file-system access protocol or the holding buffer, the network gateway determines the existence or non-existence of malicious, dangerous or unauthorized content contained within the holding buffer by performing content filtering on the holding buffer.11-13-2008
20080209537 | Self-Initiated End-to-End Monitoring of an Authentication Gateway - An example embodiment of the present invention provides processes relating to self-initiated end-to-end monitoring for an authentication gateway. In one particular implementation, the authentication gateway periodically creates and stores a temporary logon for access to a network and then sends a message including the temporary logon over a secure connection to a client. When the client receives the temporary logon, the client responds to the message by attempting to access a configurable network site. The authentication gateway redirects the client to a captive portal which prompts the client for a logon and the client enters the temporary logon at the captive portal. Then upon validating the temporary logon against the stored temporary logon, the authentication gateway authorizes access to the network. If the client successfully accesses the site, the client sends a verification report to the authentication gateway indicating successful access. Otherwise, the client reports on the failed access. | 08-28-2008
20090119768 | Using Application Gateways to Protect Unauthorized Transmission of Confidential Data Via Web Applications - A security gateway receives messages transmitted between a server and a client device on a network and parses the messages into a plurality of data objects, such as strings and name-value pairs. The data objects may represent user personal identification information, such as user name, social security number, credit card number, patient code, driver's license number, and other personal identification information. The security gateway uses rules to recognize data objects and validate the data objects to determine whether the recognized data objects are appropriately included within the context. The security gateway may also perform an action on the data objects. Data objects that are not appropriately included in the context may be transformed, suppressed or disallowed. | 05-07-2009
20130152188 | PORT ALLOCATION IN A FIREWALL CLUSTER - A firewall cluster having three or more firewall processing nodes sharing the same shared IP address. Port numbers are assigned to the firewall processing nodes within the cluster and are used to distinguish between traffic sent to the cluster. Each network connection is assigned a destination port number. Each node receives the network connection and its assigned port number and determines if the assigned destination port number matches one of its assigned port numbers. If so, the node processes the network connection. If the assigned destination port number does not match one of its assigned port numbers, the network connection is discarded. | 06-13-2013
20100299740 | SYSTEM AND METHOD FOR REMOTE FORENSIC ACCESS - A system for providing remote access to a storage device ( | 11-25-2010
20130185786 | WIRELESS INTERNET PRODUCT SYSTEM - Low-resource internet devices such as consumer electronics products connect to a web service by means of a proxy method. The connected device does not need to maintain the expensive and fragile web service interface itself; instead it uses simple low-level protocols to communicate through a gateway that executes software to translate a low-level proprietary wireless protocol into a proprietary low-level internet protocol that can pass through a firewall to proxy servers. The proxy servers translate the low-level protocols, presenting an interface that makes the internet device appear to have a full web service interface and enabling communication between the internet devices and the web server. | 07-18-2013
20110307951 | SYSTEM AND METHOD FOR BLOCKING THE TRANSMISSION OF SENSITIVE DATA USING DYNAMIC DATA TAINTING - Blocking transmission of tainted data using dynamic data tainting is described. For example, sensitive information is stored on a client device as tainted data. The client device generates a data request for retrieving data from a non-trusted entity via a network. A gateway is communicatively coupled to the client device and the network. The gateway receives computer code from the non-trusted entity via the network. The gateway executes the computer code. The gateway tracks the execution of the computer code to determine whether the computer code attempts to access tainted data and transmit the tainted data to an outside entity. The gateway blocks the transmission of the tainted data to the outside entity responsive to determining that the computer code has attempted to access tainted data and transmit the tainted data to an outside entity. | 12-15-2011
20110314536 | System and Method for Testing Functionality of a Firewall - Described are computer-based methods and apparatuses, including computer program products, for testing the functionality of a firewall. The method can include selecting a plurality of valid message types, generating a percentage of valid and invalid messages from the plurality of valid message types, transmitting the plurality of valid and invalid messages to the firewall, receiving an indication of the firewall's handling of the valid and invalid messages based on the transmitted messages, and determining the functionality of the firewall from the received indication. | 12-22-2011
20110321152 | TRUSTED INTERMEDIARY FOR NETWORK LAYER CLAIMS-ENABLED ACCESS CONTROL - Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the intermediary requests the claims and submits the claims for an access control decision, the network resource (e.g., a server application) need not be configured to process claims information. | 12-29-2011
20120011583 | SECURE NETWORK RESOURCE ACCESS SYSTEM - A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data. | 01-12-2012
20120030749 | DYNAMIC LOAD REDISTRIBUTION AMONG DISTRIBUTED SERVERS - Embodiments are directed to redistributing authentication requests among a plurality of authentication servers and to centrally managing authentication affinities among distributed servers using a secure channels affinity service. A computer system instantiates a secure channel management service configured to manage secure channel connections. The secure channel management service receives state inputs from currently deployed authentication servers. The authentication servers may be configured to queue authentication requests for transmission to authentication servers. The computer system determines that, based on the received state input, at least one of the secure channels is to be remapped to a different authentication server. The computer system also remaps the determined secure channels to distribute future authentication requests among the authentication servers. In some cases, the current state of an authentication proxy server is embedded in communications transmitted by the authentication server, such that the secure channel connections are managed using the embedded state information. | 02-02-2012
20130198830 | ACCESS RELAY METHOD AND ACCESS GATEWAY DEVICE - A gateway device disposed at a front stage before a server holds the dispersion rule for data dispersed on the server side and analyzes communication data to identify the server that will finally be accessed. Identification information for the identified server is added to an IP-layer packet option, so that gateway devices along the way can omit routing processing above the IP layer. Consequently, the transfer processing of a gateway device at a back stage can be performed at high speed, and access through a network route intended by the manager is possible. | 08-01-2013
20120304276 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR ADAPTIVE ASSIGNMENT OF AN ACTIVE SECURITY ASSOCIATION INSTANCE IN A REDUNDANT GATEWAY CONFIGURATION - According to one aspect, the subject matter described herein includes a method for communicating an encrypted data packet. The method includes steps occurring at a first gateway node. The method also includes receiving a data packet from a first host. The method further includes determining that a first security association (SA) instance associated with the data packet is in an inactive state. The method further includes identifying a second SA instance that is both associated with the data packet and in an active state. The method further includes forwarding the data packet to the second SA instance. | 11-29-2012
20130212669 | Detecting and Combating Attack In Protection System of an Industrial Control System - A method for detecting and combating an attack in an industrial control system includes sending a command stream from a protection network of an industrial control system to at least one zone, the command stream comprising at least one command; concatenating the at least one command into at least one sequential command package comprising units of work; passing the at least one sequential command package to a crypto hash generator; generating at least one of unit-of-work hash codes or sequence hash codes; comparing the generated hash codes against a database of existing valid unit-of-work hash codes and sequence hash codes; and if a command stream fault is detected, generating an alert and accessing a database comprising emergency procedures. | 08-15-2013

Patent applications in class Proxy server or gateway