POLICY-BASED CONTENT FILTERING
Granted: September 15, 2011
Application Number:
20110225646
Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a network connection is redirected by a networking subsystem implemented within a kernel of an operating system of a firewall device to a proxy module within the firewall device that is configured to support a network service protocol associated with the network connection. The proxy module retrieves one or more content processing configuration schemes…
ELECTRONIC MESSAGE AND DATA TRACKING SYSTEM
Granted: September 8, 2011
Application Number:
20110219086
Systems and methods for tracking electronic messages and data are provided. According to one embodiment, a linking object insertion routine identifies an electronic mail (email) message as a candidate for user feedback based on the email message having been previously classified as spam by a real-time email spam scanning routine associated with a commercial anti-spam service. The linking object insertion routine facilitates user submission of the user feedback regarding the email message…
HARDWARE-ACCELERATED PACKET MULTICASTING IN A VIRTUAL ROUTING SYSTEM
Granted: August 18, 2011
Application Number:
20110200044
Methods and systems are provided for hardware-accelerated packet multicasting in a virtual routing system. According to one embodiment, a virtual routing engine (VRE) including virtual routing processors and corresponding memory systems is provided. The VRE implements virtual routers (VRs) operable on the virtual routing processors and associated routing contexts utilizing potentially overlapping multicast address spaces resident in the memory systems. Multicasting of multicast flows…
Virtual Memory Protocol Segmentation Offloading
Granted: August 18, 2011
Application Number:
20110200057
Methods and systems for a more efficient transmission of network traffic are provided. According to one embodiment, a method is provided for performing transport layer protocol segmentation offloading. Multiple buffer descriptors are stored in a system memory of a network device. The buffer descriptors contain information indicative of a starting address of a payload buffer stored in a user memory space of the system memory. The payload buffers contain payload data originated by a user…
FAULT TOLERANT ROUTING IN A NON-HOT-STANDBY CONFIGURATION OF A NETWORK ROUTING SYSTEM
Granted: July 28, 2011
Application Number:
20110185221
Methods and systems for facilitating fault tolerance in a non-hot-standby configuration of a network routing system are provided. According to one embodiment, a failover method is provided. One or more processing engines of a network routing system are configured to function as active processing engines, each of which has one or more software contexts. A control blade is configured to monitor the active processing engines. One or more of the processing engines are identified to…
MANAGING INTERWORKING COMMUNICATIONS PROTOCOLS
Granted: July 21, 2011
Application Number:
20110176552
Systems and methods for managing interworking protocols are provided. According to one embodiment, a service management system (SMS) communicatively coupled with multiple service processing switches of a service provider provisions transport network interfaces of the service processing switches to provide a transport between subscriber interfaces of the service processing switches. The subscriber interfaces are configured to communicate data in accordance with a first protocol. The…
SECURE SYSTEM FOR ALLOWING THE EXECUTION OF AUTHORIZED COMPUTER PROGRAM CODE
Granted: July 7, 2011
Application Number:
20110167050
Systems and methods for allowing authorized code to execute on a computer system are provided. According to one embodiment, file or operating system activity relating to a code module is intercepted. A cryptographic hash value of the code module is authenticated with reference to a multi-level whitelist, which includes a remote global whitelist and a local whitelist. The remote global whitelist is maintained by a trusted service provider and contains cryptographic hash values of approved…
SOFTWARE LICENSE ENFORCEMENT
Granted: July 7, 2011
Application Number:
20110167259
Systems and methods for performing software license enforcement are provided. According to one embodiment, file or operating system activity relating to a code module is intercepted by a kernel mode driver of a computer system. The kernel mode driver causes a cryptographic hash value of the code module to be authenticated with reference to a local whitelist containing cryptographic hash values of approved code modules known not to contain malicious code. The local whitelist also…
COMPUTER SYSTEM LOCK-DOWN
Granted: July 7, 2011
Application Number:
20110167260
Systems and methods for allowing authorized code to execute on a computer system are provided. According to one embodiment, a method is provided for locking down a computer system. A customized, local whitelist database is stored with a memory of the computer system. The whitelist database forms a part of an authentication system operable within the computer system and contains therein cryptographic hash values of code modules expressly approved for execution by the computer system. A…
SELECTIVE AUTHORIZATION OF THE LOADING OF DEPENDENT CODE MODULES BY RUNNING PROCESSES
Granted: July 7, 2011
Application Number:
20110167261
Systems and methods for selective authorization of dependent code modules are provided. According to one embodiment, file system or operating system activity relating to a first code module is initiated by a running process associated with a second code module. The file system or operating system activity is intercepted by a kernel mode driver of a computer system. The kernel mode driver selectively authorizes loading of the first code module by the running process based at least in part…
MANAGING AND PROVISIONING VIRTUAL ROUTERS
Granted: June 2, 2011
Application Number:
20110128891
Methods and systems are provided for provisioning and managing network-based virtual private networks (VPNs). According to one embodiment, a routing configuration for each of multiple network-based customer VPNs is generated for multiple customers based on (i) site reachability information for multiple service processing switches and (ii) a global customer routing profile for a network-based customer VPN of the plurality of network-based customer VPNs. Multiple virtual routers (VRs)…
SCALABLE IP-SERVICES ENABLED MULTICAST FORWARDING WITH EFFICIENT RESOURCE UTILIZATION
Granted: May 26, 2011
Application Number:
20110122872
Methods, apparatus and data structures are provided for managing multicast IP flows. According to one embodiment, a network switch module includes a memory and multiple processors partitioned among multiple virtual routers (VRs). Each VR maintains a data structure including information relating to multicast sessions handled by the VR and including a first pointer for each multicast session, a chain of blocks of second pointers and one or more TCBs. Each first pointer points to a chain of…
NETWORK ADVERTISING SYSTEM
Granted: May 26, 2011
Application Number:
20110125869
Systems and methods for transmitting content to a client via a communication network are provided. According to one embodiment, a system includes a content server, an insertion server and a policy server. The content server stores and selects substitute or supplemental content. The insertion server monitors client traffic, detects client TCP/IP requests or destination TCP/IP responses and sends the selected substitute or supplemental content retrieved from the content server to the…
MECHANISM FOR ENABLING LAYER TWO HOST ADDRESSES TO BE SHIELDED FROM THE SWITCHES IN A NETWORK
Granted: March 31, 2011
Application Number:
20110078331
Methods and systems for shielding layer two host addresses (e.g., MAC addresses) from a network are provided. According to one embodiment, a border component of a network of switches receives a first packet intended for a first host having a first L2 address and a first L3 address associated therewith. The first packet includes the first L3 address and a substitute L2 address as destination addresses. The substitute L2 address is associated with a communication channel of the border…
ACCELERATING DATA COMMUNICATION USING TUNNELS
Granted: March 24, 2011
Application Number:
20110069715
Methods and systems are provided for increasing application performance and accelerating data communications in a WAN environment. According to one embodiment, packets are received at a flow classification module operating at the Internet Protocol (IP) layer of a first wide area network (WAN) acceleration device via a shared connection-oriented tunnel, which is operable to convey application layer data for connection-oriented applications between WAN acceleration devices. Packets that…
FAST PATH COMPLEX FLOW PROCESSING
Granted: February 10, 2011
Application Number:
20110032942
Methods and systems for processing complex flows are provided. According to one embodiment, a packet associated with a complex flow is received. A first flow-based packet classification is performed based on a first set of attributes of the packet. A first flow processing operation is identified by performing a first flow cache lookup based on the first flow-based packet classification and the first flow processing operation is performed on the packet. After performing the first flow…
DETECTION OF UNDESIRED COMPUTER FILES IN DAMAGED ARCHIVES
Granted: January 27, 2011
Application Number:
20110023121
Systems and methods for an anti-virus detection module that can detect known undesired computer files in damaged archives that may be encrypted, compressed and/or password-protected are provided. According to one embodiment, a damaged or incomplete RAR, CAB or ZIP archive is received. Without decrypting or decompressing the contents, an anti-virus detection module identifies the archive as a RAR, CAB or ZIP archive by assuming each of multiple possible archive types in turn and searching…
DETECTION OF UNDESIRED COMPUTER FILES IN ARCHIVES
Granted: January 20, 2011
Application Number:
20110016530
Systems and methods that can detect known undesired computer files in protected archives are provided. According to one embodiment, an archive file in transit across a network as an attachment to an email message destined for a client workstation is scanned, without decrypting or decompressing contents of the archive, by an anti-virus detection module running on a network gateway. A type and associated structure of the archive are identified by examining primary or secondary…
DETERMINING A CONGESTION METRIC FOR A PATH IN A NETWORK
Granted: December 9, 2010
Application Number:
20100309811
Methods and systems for determining a congestion metric for a path in a network are provided. According to one embodiment, multiple paths are provided between each pair of multi-path load balancing (MPLB) components within a Layer 2 network by establishing overlapping loop-free topologies in which each MPLB component is reachable by any other via each of the overlapping topologies. A first MPLB component associated with a first network device sends a latency request packet, including a…
DETERMINING LINK FAILURE WITHIN A NETWORK
Granted: November 25, 2010
Application Number:
20100296392
Methods and systems for determining link failure in a network are provided. According to one embodiment, multiple paths are provided between each pair of multi-path load balancing (MPLB) components within a Layer 2 network by establishing overlapping loop-free topologies in which each MPLB component is reachable by any other via each loop-free topology. A first MPLB component sends latency requests to a second MPLB component via a particular path. Responsive thereto, the first MPLB…