Patent application number | Description | Published |
20090059957 | LAYER-4 TRANSPARENT SECURE TRANSPORT PROTOCOL FOR END-TO-END APPLICATION PROTECTION - Techniques for providing layer 4 transparent secure transport for end-to-end application protection are described herein. According to one embodiment, a packet of a network transaction is received from a client over a first network, where the packet is destined to a server of a data center having a plurality of servers over a second network. The packet includes a payload encrypted without encrypting information needed for a layer 4 of OSI (open system interconnection) layers of network processes. The layer 4 process is performed on the packet without having to decrypting the payload to determine whether the packet is eligible to access the destined server over the second network based on the unencrypted layer 4 information. Other methods and apparatuses are also described. | 03-05-2009 |
20090063625 | HIGHLY SCALABLE APPLICATION LAYER SERVICE APPLIANCES - A highly scalable application layer service appliance is described herein. According to one embodiment, a network element includes a plurality of application service modules (ASMs), each providing one or more application services to network traffic, including layer 5-7 services, a lossless data transport fabric (LDTF), a network service module (NSM) coupled to each of the ASMs over the LDTF. In response to a packet of a network transaction received from a client over for accessing a server of a datacenter, the NSM is configured to perform layer 2-5 processes on the packet, generating a data stream. The NSM is configured to route the data stream to at least two ASMs over the LDTF to allow the ASMs to perform layer 5-7 services on the packet. Other methods and apparatuses are also described. | 03-05-2009 |
20090063665 | HIGHLY SCALABLE ARCHITECTURE FOR APPLICATION NETWORK APPLIANCES - A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described. | 03-05-2009 |
20090063688 | CENTRALIZED TCP TERMINATION WITH MULTI-SERVICE CHAINING - A network element having centralized TCP termination with multi-service chaining is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second and a third service modules coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network for access a server of a data center having multiple servers over a second network, the first service module is configured to terminate a TCP connection of the packets. The TCP terminated packets are transmitted to the second and third service modules over the switch fabric. The second and third service modules are configured to perform different application network services on the TCP terminated packets without having to perform a TCP process again. Other methods and apparatuses are also described. | 03-05-2009 |
20090063701 | LAYERS 4-7 SERVICE GATEWAY FOR CONVERGED DATACENTER FABRIC - Layer 4 gateway for a converged datacenter fabric is described herein. According to one embodiment, a packet of a network transaction is received from a client over a first network for accessing a server of a datacenter having a plurality of servers over a second network. One or more network services are performed on the packet including terminating a TCP (transport control protocol) connection associated with the network transaction and generating a data stream. The data stream without TCP information is routed to the server via a converged I/O interface over the second network if the second network is a converged fabric network. The data stream with TCP information is routed via a TCP connection to the server if the second network is an Ethernet. Other methods and apparatuses are also described. | 03-05-2009 |
20090063747 | APPLICATION NETWORK APPLIANCES WITH INTER-MODULE COMMUNICATIONS USING A UNIVERSAL SERIAL BUS - An application network appliance having inter-module communication using a universal serial bus (USB) is described herein. According to one embodiment, a network element includes a lossless data transport fabric (LDTF), multiple service modules coupled to each other over the LDTF, and a service control module (SCM) coupled to each of the service modules over the LDTF for routing network data between the SCM and the service modules. The SCM is also coupled to each of the service modules via a universal serial bus (USB) for managing the service modules, where the network element operates as a security gateway to a datacenter having multiple servers. Other methods and apparatuses are also described. | 03-05-2009 |
20090063893 | REDUNDANT APPLICATION NETWORK APPLIANCES USING A LOW LATENCY LOSSLESS INTERCONNECT LINK - Redundant application network appliances using a low latency lossless interconnect link are described herein. According to one embodiment, in response to receiving at a first network element a packet of a network transaction from a client over a first network for accessing a server of a datacenter, a layer 2 network process is performed on the packet and a data stream is generated. The data stream is then replicated to a second network element via a layer 2 interconnect link to enable the second network element to perform higher layer processes on the data stream to obtain connection states of the network transaction. In response to a failure of the first network element, the second network element is configured to take over processes of the network transaction from the first network element using the obtained connection states without user interaction of the client. Other methods and apparatuses are also described. | 03-05-2009 |
20090064287 | APPLICATION PROTECTION ARCHITECTURE WITH TRIANGULATED AUTHORIZATION - Application protection architecture with triangulated authorization is described herein. According to one embodiment, a packet of a network transaction is received at a network element from a client system over a first network for accessing a destined server of a datacenter over a second network, where network element operates as a security gateway to the datacenter. In response to the packet, one or more user attributes associated with a user of the client system are obtained from an identity store, where the user attributes include a user identifier that identifies the user and a machine identifier that identifies the client system. Authentication and/or authorization are performed on the packet using the user attributes to determine whether the user of the client system is eligible to access the destined server of the datacenter. Other methods and apparatuses are also described. | 03-05-2009 |
20090064288 | HIGHLY SCALABLE APPLICATION NETWORK APPLIANCES WITH VIRTUALIZED SERVICES - An application network appliance with virtualized services is described herein. According to one embodiment, a packet of a network transaction is received from a client for accessing an application server of a datacenter, where the network element operates as an application services gateway of the datacenter. A context associated with the application server is identified based on the packet, including information that identifies application services to be performed on the packet and resources to be allocated for performing the application services. A context includes information representing a logical instance of physical resources of the network element shared by multiple contexts. One or more application services are performed on the packet using the resources identified by the context. Other methods and apparatuses are also described. | 03-05-2009 |
20090064300 | APPLICATION NETWORK APPLIANCE WITH BUILT-IN VIRTUAL DIRECTORY INTERFACE - An application network appliance with a built-in virtual directory interface is described herein. According to one embodiment, a network element includes a virtual directory interface (VDI) coupled to multiple directory servers, and an authentication and authorization unit coupled to the VDI. In response to a packet of a network transaction received from a client over a first network for accessing a server of a datacenter over a second network, the authentication and authorization unit obtains user attributes from the directory servers via the VDI and performs authentication and authorization using the user attributes to determine whether a user of the client is eligible to access the server of the datacenter, where the network element operates as a security gateway to the datacenter. Other methods and apparatuses are also described. | 03-05-2009 |
20090076897 | LOCATION-BASED FILTERING AND ADVERTISING ENHANCEMENTS FOR MERGED BROWSING OF NETWORK CONTENTS - Location-based filtering and advertising enhancements for merged browsing of network content are described herein. In various embodiments, a client device may obtain its geographic location and provide that location to a server for filtering by the server of network content fragment suggestions based at least in part on the location. The client device may then receive some or all of the filtered suggestions for utilization in merged browsing. In some embodiments, a server may further receive an indicator of content being browsed. In response, the server may determine network content fragment suggestions, and may also determine an additional suggestion or prioritize a suggestion based an advertiser's interest. The server may then provide the suggestions and/or prioritization to the client device. In various embodiments, the server may also provide the advertisement(s) for display in a user interface of the client device along with the (prioritized) suggestions. | 03-19-2009 |
20090288135 | METHOD AND APPARATUS FOR BUILDING AND MANAGING POLICIES - Techniques for building and managing network policies for accessing resources of a datacenter are described herein. In one embodiment, events are captured within a network element pertaining to certain activities of accessing certain resources of a datacenter, wherein the network element operates as an application service gateway to the datacenter. A new rule/policy is provisioned based on attributes extracted from the captured events, where the attributes includes at least one of user attribute, environment attribute, and a resource attribute. A simulation is performed on the new rule/policy under a real time network traffic condition, generating a simulation result. The new rule/policy is committed if the simulation result satisfies a predetermined condition, wherein the new rule/policy is enforced within the network element to determine whether a particular client is eligible to access a particular resource of the datacenter. Other methods and apparatuses are also described. | 11-19-2009 |
20110093342 | LOCATION-BASED FILTERING AND ADVERTISING ENHANCEMENTS FOR MERGED BROWSING OF NETWORK CONTENTS - Location-based filtering and advertising enhancements for merged browsing of network content are described herein. In various embodiments, a client device may obtain its geographic location and provide that location to a server for filtering by the server of network content fragment suggestions based at least in part on the location. The client device may then receive some or all of the filtered suggestions for utilization in merged browsing. In some embodiments, a server may further receive an indicator of content being browsed. In response, the server may determine network content fragment suggestions, and may also determine an additional suggestion or prioritize a suggestion based an advertiser's interest. The server may then provide the suggestions and/or prioritization to the client device. In various embodiments, the server may also provide the advertisement(s) for display in a user interface of the client device along with the (prioritized) suggestions. | 04-21-2011 |
20110106625 | LOCATION-BASED FILTERING AND ADVERTISING ENHANCEMENTS FOR MERGED BROWSING OF NETWORK CONTENTS - Location-based filtering and advertising enhancements for merged browsing of network content are described herein. In various embodiments, a client device may obtain its geographic location and provide that location to a server for filtering by the server of network content fragment suggestions based at least in part on the location. The client device may then receive some or all of the filtered suggestions for utilization in merged browsing. In some embodiments, a server may further receive an indicator of content being browsed. In response, the server may determine network content fragment suggestions, and may also determine an additional suggestion or prioritize a suggestion based an advertiser's interest. The server may then provide the suggestions and/or prioritization to the client device. In various embodiments, the server may also provide the advertisement(s) for display in a user interface of the client device along with the (prioritized) suggestions. | 05-05-2011 |
20110173441 | HIGHLY SCALABLE ARCHITECTURE FOR APPLICATION NETWORK APPLIANCES - A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described. | 07-14-2011 |
20130315252 | IMPLEMENTING PVLANs IN A LARGE-SCALE DISTRIBUTED VIRTUAL SWITCH - In one embodiment, a list of source identifiers is maintained at a virtual switch. These source identifiers are allowed to send packets through the virtual switch to ports in a private virtual local area network (PVLAN). When a packet is received at the virtual switch from a particular source destined for a particular port in the PVLAN, the virtual switch determines whether a particular identifier associated with the particular source matches one of the source identifiers in the list. If that particular source identifier is not on the list, the packet is prevented from being forwarded to the particular port in the PVLAN. | 11-28-2013 |
20130318341 | Highly Scalable Architecture for Application Network Appliances - A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described. | 11-28-2013 |
20130326059 | Network Accessibility to any Network Attached Device During Reboot and Power Loss - A data communication network (DCN) having a plurality of network devices coupled to the DCN with at least one of the network devices having a “boot once” connectivity manager processor (CMP). The CMP receives its power over the DCN rather than from the power applied to the network devices. The CMP can execute special operating system code and maintain network connectivity even if the network device itself is powered off, is being booted or is otherwise non-functional. The CMP is also coupled to the network device's memory so that it may respond to out-of-band polling requests for device status information from network management tools. With CMP, network administrators can monitor the boot process of network devices, determine that a network device is non-functional due to power loss and can maintain an accurate inventory status of spare network devices that are stored un-powered in a spares closet. | 12-05-2013 |