324 results about "Network strategy" patented technology

Systems and methods for managing a network are described. A view of current state of the network is maintained where the current state of the network characterizes network topology and network constituents, including network entities and network elements residing in or on the network. Events are announced that correspond to changes in the state of the network and one or more network elements can be configured accordingly. Methods for managing network traffic are described that ensure forwarding and other actions taken by network elements implement globally declared network policy and refer to high-level names, independently of network topology and the location of network constituents. Methods for discovering network constituents are described, whereby are automatically configured. Routing may be performed using ACL and packets can be intercepted to permit host to continue in sleep mode. The methods are applicable to virtual environments.

A policy agent of a network performs an out-of-band user authentication process to verify the identity of a user of a client computer and associates the network data received from the client computer with the user. When the client computer initiates a network data connection to or through the policy agent, the policy agent sends an encrypted challenge to the client computer. The challenge is encrypted with a private key of the policy agent. When the client computer receives the challenge, it decrypts the challenge and prepares a message digest value based on the challenge and the network data sent by the user. The message digest value is then encrypted with the private key of the user to form a response, and the response is sent to the policy agent. The policy agent decrypts the response with the public key of the user to obtain the message digest value and calculates a digest value based on the challenge and the received network data. The policy agent then compares the calculated digest value with the decrypted digest value. A match between the two digest values indicates that the user is successfully authenticated and that the received network data are associated with the user. The policy agent may then apply network policies based on the credentials of the authenticated user.

A prevention-based network auditing system includes a central compliance server generating network policies and configuring audits of the data communications network. The compliance server presents a graphical user interface (GUI) to describe the specific data gathering parameters, policies to be analyzed, and the schedule of analysis. One or more audit servers strategically deployed around the network employ heterogeneous data-gathering tools to gather information about the network in response to the configured audits, and transmit the gathered information to the compliance server. An audit repository stores the gathered information for use by the compliance server for security and regulatory policy assessment, network vulnerability analysis, report generation, and security improvement recommendations.

A method and an apparatus for analyzing a network configuration against a corporate network policy and determining violation(s) against the corporate network policy. A report indicating the violation(s) can be generated indicating instances of the violation(s). An analysis platform reads in a network policy. The analysis platform collects configuration files from the relevant network devices in the network and builds up an internal instance of a network configuration model based on the configuration files and the network topology. The analysis platform analyzes this network configuration model according to the network policy and adds an entry to its final report each time that it detects a violation against the network policy in the network configuration model. The data in the entries pinpoints the cause of the deviation(s) from the network policy.

The present invention provides the benefits of negotiated network resources to session-unaware applications. When a session-unaware application runs on a mobile device, the device, knowing that the application is session-unaware, negotiates appropriate network-policy parameters for the application. The application remains unaware, but it receives the benefits of the network-policy parameter negotiation. The network-policy parameter negotiation is carried on between the mobile device and a “network policy mediator” in the network. Together, they reserve the appropriate network resources and secure the appropriate guarantees. In some embodiments, a software “shim” runs in the network-protocol stack on the mobile device. By intercepting network-access attempts sent by the session-unaware application, the shim knows to begin the network-policy parameter negotiation. In some embodiments, the mobile device downloads information about session-unaware applications from the network. This information includes a list of which network-policy parameter guarantees would be most beneficial to each application.

Methods, signals, devices, and systems are provided for using proxy servers to transparently forward messages between clients and origin servers if, and only if doing so does not violate network policies. In some systems, a transparent proxy uses a combination of standard-format HTTP commands, embedding auxiliary information in URLs and other tools and techniques to redirect an initial client request to one or more policy modules, such as a login server or an identity broker or an access control server. The policy module authenticates the request, and uses HTTP redirection to have the client transmit authorization data to the proxy. The proxy extracts the authorization data, directs the client to use a corresponding cookie, and subsequently provides the implicitly requested proxy services to the client in response to the client's subsequently providing the authorization data in a cookie. This is accomplished without requiring installation of any invention-specific software or hardware on either the client or the origin server, and also works with proxy servers that are known to the client. Unless the client request violates network policy, a person using the client will generally perceive no reduction of services, and will instead benefit from the proxy's caching and/or other performance enhancements.

A resource negotiation service is provided to enable business logic decisions to be made when obtaining switched underlay network resources, to interface business logic with network conditions and schedules. The resource negotiation service may be implemented as a web service or other network service to enable business logic to be used in the selection of available network resources. This may allow policy to be used on both the subscriber side and the network provider side to optimize network resource allocations for a proposed transfer. The policy may include subscriber policy, network policy, and other factors such as current and expected network conditions. The resource negotiation service may include an interface to enable existing subscribers and new customers to obtain switched underlay resources.

Methods, apparatuses and systems allowing for deployment of volume-based network policies across a computer network. In one embodiment, the present invention monitors network utilization of a plurality of users and detects the occurrence of network utilization milestones or other events for individual users, such as exceeding a data transfer allotment or threshold. To enforce the allotment or threshold, the present invention is operative to deny, degrade, or otherwise affect a characteristic associated with network access provided to such users.

The invention discloses a service flow aware system and method combining flow detection and package detection in the SDN, and relates to the field of the SDN. The service flow aware method includes the steps that when an initial novel service flow enters the SDN, table items not matched with the novel service flow in an equipment flow table are forwarded, the novel service flow is forwarded to a controller, a flow detection module carries out flow detection, a package detection module carries out package detection to recognize the service type and the service characteristics of the novel service flow, the controller triggers the awareness of a specific service according to the characteristics of the service flow, flow signs, flow statistics and package statistics, for current continuous service flow, the controller samples a real-time service flow, the dynamic variation of the real-time service is discovered through service awareness, and network strategies are adjusted correspondingly. The service flow aware system and method combining flow detection and package detection in the SDN combines the flow detection technology and the package detection technology, expands the southing port of the controller in the SDN, and can completely obtain the states of network flows of different industries and different applications in the current network.

The invention discloses a method, a device and a system of distributing network safety strategies, wherein the system of distributing the network safety strategies comprises a safety strategy system, one or more resource control entities attributed to the safety strategy system and one or more communication entities respectively attributed to each resource control entity, wherein each resource control entity is used for sending a request message to the attributed safety strategy system thereof when receiving a communication request, and the request message is used for requesting a safety strategy related to the communication request; and the safety strategy system is used for obtaining the safety strategy related to the communication request according to the received request message and sending the safety strategy to each resource control entity. Through the invention, the integral defensive effect of a network can be enhanced, and the network safety threat is eliminated.

A prevention-based network auditing system includes an audit repository storing network information gathered by a plurality of heterogeneous information sources. A semantic normalization module identifies semantic equivalencies in the gathered information, and generates a map listing for each fact gathered by an information source, an equivalent fact or set of facts gathered by each of the other information sources. A network policy is then uniformly applied to the information that is identified as being semantically equivalent.

Routing protocols and algorithms, referred to collectively as “Link State Path Vector” (LSPV) techniques, are described. The LSPV allows the application of link-state techniques, such as flooding, to path vector protocols. Routing peers may be organized to form multiple levels of hierarchy. The LSPV mechanisms enable these peers to (1) exchange routing information via virtual links and (2) calculate the best network routes in light of the routing information. Routes may be selected on the basis of both topological distance and network policy. Such metrics may be determined by combining otherwise orthogonal metrics for IGPs and EGPs.

One networking device includes a switch module, a server, and a switch controller. The switch module has ports with a communications interface of a first type (CI1) and ports with a communications interface of a second type (CI2). The server, coupled to the switch module via a first CI2 coupling, includes a virtual CI1 driver, which provides a CI1 interface in the server, defined to exchange CI1 packets with the switch module via the first CI2 coupling. The virtual CI1 driver includes a first network device operating system (ndOS) program. The switch controller, in communication with the switch module via a second CI2 coupling, includes a second ndOS program controlling, in the switch module, a packet switching policy defining the switching of packets through the switch module or switch controller. The first and second ndOS programs exchange control messages to maintain a network policy for the switch fabric.

A system and method are provided for monitoring traffic in an enterprise network. Similar hosts may be grouped using flow information. Network policy may then be created at the group level based on the signatures of the hosts and groups of hosts in the enterprise. Hosts may be arranged in hierarchical clusters. Some of these clusters may be selected as groups based on a desired degree of similarity between hosts in a group. The similarity between hosts may be determined based on similarity of network behavior of the hosts.

A method and apparatus of a device that determines a network policy for an attached device based on one or more characteristics of the attached device is described. In one example, a network element detects a device on a port coupled to a link connecting the network element and the device. In response to the detecting of the device on the port, the network element further determines a device configuration signature from the device, where the device configuration signature based on a configuration of the device. The network element additionally determines a port-based network policy based on the device configuration signature. The network element applies the port-based network policy to the port, wherein the network element applies the port-based network policy to process network data communicated through the port.