Fortinet Patent Applications

VIRTUAL MEMORY PROTOCOL SEGMENTATION OFFLOADING

Granted: May 12, 2016
Application Number: 20160134724
Methods and systems for a more efficient transmission of network traffic are provided. According to one embodiment, payload data originated by a user process running on a host processor of a network device is fetched by an interface of the network device by performing direct virtual memory addressing of a user memory space of a system memory of the network device on behalf of a network interface unit of the network device. The direct virtual memory addressing maps physical addresses of…

COMPUTERIZED SYSTEM AND METHOD FOR ADVANCED NETWORK CONTENT PROCESSING

Granted: May 5, 2016
Application Number: 20160127419
A computerized system and method for processing network content in accordance with at least one content processing rule is provided. According to one embodiment, the network content is received at a first interface. A transmission protocol according to which the received network content is formatted is identified and used to intercept at least a portion of the received network content. The intercepted portion of the network content is redirected to a proxy, which buffers the redirected…

HUMAN USER VERIFICATION OF HIGH-RISK NETWORK ACCESS

Granted: April 21, 2016
Application Number: 20160112439
Systems and methods for performing a human user test when a high-risk network access is captured by an intermediary security device are provided. According to one embodiment, a network security appliance includes a network traffic control module, a human user test engine and a risk management module. The network traffic control module identifies a high-risk network access initiated by a device associated with a private network protected by the network security appliance. The human user…

LOAD BALANCING AMONG A CLUSTER OF FIREWALL SECURITY DEVICES

Granted: April 21, 2016
Application Number: 20160112325
A method for balancing load among firewall security devices in a network is disclosed. According to one embodiment, a switch causes firewall security devices (FSDs) of a cluster to enter into a load balancing mode. Responsive to receiving a heartbeat signal from an FSD, information regarding the FSD and the port on which the heartbeat signal was received are added to a table maintained by the switch that maps outputs of a load balancing function to ports of the switch. A received packet…

DATA LEAK PROTECTION IN UPPER LAYER PROTOCOLS

Granted: April 14, 2016
Application Number: 20160105396
Methods and systems for Data Leak Prevention (DLP) in a private network are provided. A data structure is maintained within a network security appliance identifying candidate upper layer protocols, corresponding commands of interest and a corresponding suspect field within each of the commands that is to be subjected to DLP scanning as a result of its potential for carrying sensitive information. A packet is received by the network security appliance. A protocol associated with the…

SELECTING AMONG MULTIPLE CONCURRENTLY ACTIVE PATHS THROUGH A NETWORK

Granted: April 14, 2016
Application Number: 20160105366
Methods and systems for selecting among multiple concurrently active paths through a network are provided. According to one embodiment, a method is performed by a network interface of a source network device within a loop-free, reverse-path-learning network. The network is divided into multiple virtual local area networks (VLANs). Network traffic destined for a destination network device and specifying an address for the destination or including information from which the address can be…

DATA LEAK PROTECTION

Granted: April 7, 2016
Application Number: 20160099942
Methods and systems for Data Leak Prevention (DLP) in an enterprise network are provided. According to one embodiment, a data leak protection method is provided. Information regarding a watermark filtering rule is received by a network security device. The information includes a sensitivity level and an action to be applied to files observed by the network security device that match the watermark filtering rule. A file attempted to be passed through the network security device is…

VIRUS CO-PROCESSOR INSTRUCTIONS AND METHODS FOR USING SUCH

Granted: April 7, 2016
Application Number: 20160098559
Circuits and methods for detecting, identifying and/or removing undesired content are provided. According to one embodiment, a virus processing system includes a virus co-processor, a first memory, a general purpose processor (GPP) and a second memory. The first memory is communicably coupled to the co-processor via a first memory interface. The first memory includes a first signature compiled for execution on the co-processor. The GPP is communicably coupled to the co-processor. The…

DIRECT CACHE ACCESS FOR NETWORK INPUT/OUTPUT DEVICES

Granted: March 31, 2016
Application Number: 20160094519
Methods and systems for improving efficiency of direct cache access (DCA) are provided. According to one embodiment, a set of DCA control settings are defined by a network I/O device of a network security device for each of multiple I/O device queues based on network security functionality performed by corresponding CPUs of a host processor. The control settings specify portions of network packets that are to be copied to a cache of the corresponding CPU. A packet is received by the…

MOBILE HOTSPOT MANAGED BY ACCESS CONTROLLER

Granted: March 31, 2016
Application Number: 20160095153
Systems and methods are described for a mobile hotspot that can be managed by an access controller. According to an embodiment, a WAN connection is established by a mobile hotspot through a telecommunication data network via a wireless WAN module. When in a first mode, the mobile hotspot: (i) sets up a secure tunnel through the WAN connection with an AC of an enterprise, the AC managing the APs of that enterprise's wireless network; (ii) broadcasts an SSID that is also broadcast by the APs;…

MOBILE HOTSPOT MANAGED BY ACCESS CONTROLLER

Granted: March 31, 2016
Application Number: 20160094515
Systems and methods are described for a mobile hotspot that can be managed from an access controller. According to an embodiment, a mobile hotspot establishes a wide area network (WAN) connection through a wireless WAN module and establishes a wireless local area network (WLAN) connection with a wireless fidelity (WiFi)-enabled device using a first wireless access point (AP) profile, wherein the first AP profile is also used for multiple APs of an enterprise that are controlled by an access…

CACHE-BASED WIRELESS CLIENT AUTHENTICATION

Granted: March 24, 2016
Application Number: 20160088475
Methods and systems for caching of remote server MAC authentication to enable fast roaming are provided. According to one embodiment, a wireless network controller of a wireless local area network (WLAN) receives an authentication request relating to a wireless client device from a wireless access point (AP) managed by the wireless network controller. It is determined whether a prior authentication result associated with the client is present in a cache of the controller. The client is…

CACHE-BASED WIRELESS CLIENT AUTHENTICATION

Granted: March 24, 2016
Application Number: 20160087954
Methods and systems for caching of remote server MAC authentication to enable fast roaming are provided. According to one embodiment, MAC addresses of wireless client devices contained within authentication requests associated with the wireless client devices and corresponding authentication status information provided by an authentication server associated with a wireless local area network (WLAN) responsive to the authentication requests are cached by a wireless network controller of…

LOAD BALANCING IN A NETWORK WITH SESSION INFORMATION

Granted: March 24, 2016
Application Number: 20160087938
Methods and systems for balancing load among firewall security devices (FSDs) are provided. According to one embodiment, session data, including session entries representing previously established traffic sessions from a particular source to a particular destination and forming an association between the previously established session and a particular FSD, is maintained for each port of a session-aware switching device. When a TCP SYN packet is received, the switching device: (i) reduces…

WIRELESS RADIO ACCESS POINT CONFIGURATION

Granted: March 17, 2016
Application Number: 20160081139
Methods and systems for configuring an access point (AP) are provided. According to one embodiment, a dual radio AP includes: two radios, a first operating at 2.4 gigahertz (GHz) or 5 GHz and a second operating at 5 GHz; first and second directional antennas coupled to the first and second radios, respectively; first and second transmit queues buffering packets for transmission by the first and second radios, respectively; a location determination module configured to compute locations…

WIRELESS RADIO ACCESS POINT CONFIGURATION

Granted: March 17, 2016
Application Number: 20160081092
Methods and systems for configuring an access point (AP) are provided. According to one embodiment, a wireless network architecture includes multiple dual concurrent wireless access points, each including dual radios and dual antennas. The dual radios are configured to operate in a same frequency band and include multiple channels within the frequency band. The dual radios in each of the dual concurrent wireless access points are configured with different channels. The dual concurrent…

HARDWARE-LOGIC BASED FLOW COLLECTOR FOR DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK MITIGATION

Granted: March 17, 2016
Application Number: 20160080411
Methods and systems for an integrated solution to flow collection for determination of rate-based DoS attacks targeting ISP infrastructure are provided. According to one embodiment, a method of mitigating DDoS attacks is provided. Information regarding at least one destination within a network for which a distributed denial of service (DDoS) attack status is to be monitored is received by a DDoS attack detection module coupled with a flow controller via a bus. The DDoS attack status is…

INTERFACE GROUPS FOR RULE-BASED NETWORK SECURITY

Granted: March 17, 2016
Application Number: 20160080321
Systems and methods for designating interfaces of a network security appliance as source/destination interfaces in connection with defining a security rule are provided. According to one embodiment, a security rule configuration interface is displayed through which a network administrator can specify parameters of security rules to be applied to traffic attempting to traverse the network security appliance. Information defining a traffic flow to be controlled by a security rule is…

CLOUD BASED LOGGING SERVICE

Granted: March 3, 2016
Application Number: 20160065606
Methods and systems are provided for facilitating access to a cloud-based logging service. According to one embodiment, access to a cloud-based logging service is integrated within a network security appliance by automatically configuring access settings for the logging service and providing a basic level of service from the logging service by registering a user account for the security appliance with the logging service. A log is transparently created within the logging service by…

AUTOMATED CONFIGURATION OF ENDPOINT SECURITY MANAGEMENT

Granted: February 11, 2016
Application Number: 20160044114
Systems and methods for managing configuration of a client security application based on the network environment in which the client device is operating are provided. According to one embodiment, a network connection state of a client device with respect to a private network is determined by a client security application running on the client device. The client security application then selects a configuration based on the determined network connection state. Finally, the client security…