Fortinet Patent Grants

Mitigation of NTP amplification and reflection based DDoS attacks

Granted: December 15, 2020
Patent Number: 10868828
Systems and methods for mitigating DDoS attacks utilizing NTP are provided. According to one embodiment, a tracking table is maintained by a network security device protecting a private network. The tracking table contains information regarding NTP requests originated by clients of the private network and observed by the network security device. An NTP request sent from a client to an NTP server external to the private network is intercepted by the network security device. An NTP request…

Configuration of sub-interfaces to enable communication with external network devices

Granted: December 15, 2020
Patent Number: 10868792
Systems and methods for facilitating communication between applications associated with virtual domains (VDOMs) of a virtualized network device and an external network are provided. According to one embodiment, a sub-interface is created for a physical Ethernet interface of the network device. A unique MAC address is assigned to the sub-interface. An application associated with a first VDOM is bound to the sub-interface. When the first VDOM is operating in transparent mode and an egress…

Logical network abstraction for network access control

Granted: December 8, 2020
Patent Number: 10862895
Systems and methods for NAC access policy creation and reconfiguration of access points to enforce same are provided. A NAC device maintains (i) an access point model that maps logical networks to a corresponding enforcement action implementation for each access point associated with a private network and (ii) access policies each specifying a current state of a particular endpoint device and an enforcement action, specified with reference to a logical network. Responsive to an event…

Policy-based configuration of internet protocol security for a virtual private network

Granted: November 17, 2020
Patent Number: 10841341
A method for performing policy-based configuration of IPSec for a VPN is provided. According to one embodiment, a request for a VPN connection to be established between a network device and a peer network device is received by the network device from the peer network device. Responsive to receipt of the request, the VPN connection is established by the network device in accordance with a policy associated with the request without requiring manual entry of VPN settings by a network…

Learning network topology and monitoring compliance with security goals

Granted: November 17, 2020
Patent Number: 10841279
Systems and methods for monitoring compliance with security goals by a network or part thereof are provided. According to one embodiment, a topology of a network segment of a private network is discovered by a network security device associated with the private network. Security policies implemented by one or more network security devices that form part of the network segment are learned by the network security device. Compliance with a security goal associated with the network segment…

Proactive network security assessment based on benign variants of known threats

Granted: November 17, 2020
Patent Number: 10839703
Systems and methods for performing a proactive assessment of the network security of a private network are provided. According to one embodiment, computer systems and users of the private network are caused to react to a benign variant of a network security threat (“benign threat”) by deploying the benign threat within the private network. The benign threat is created by leaving intact symptoms and propagation mechanisms associated with the network security threat and replacing…

Systems and methods for centrally managed host and network firewall services

Granted: November 3, 2020
Patent Number: 10826941
A method for protecting an enterprise network includes, at a system that is remote from the enterprise network: controlling communications to and from the enterprise network according to a set of security policies; controlling endpoint to endpoint connections within the enterprise network according to the set of security policies; receiving a request for modifications to the set of policies; automatically generating a policy digest formatted according to a predefined format, the policy…

Synchronizing a forwarding database within a high-availability cluster

Granted: October 6, 2020
Patent Number: 10795912
Systems and methods for synchronizing an EMACVLAN FDB among cluster units of an HA cluster are provided. According to one embodiment, real-time synchronization of a first FDB maintained within a kernel space of a first network security operating system running on a primary unit and a second FDB maintained within a kernel space of a second network security operating system running on a secondary unit is performed by: transferring information regarding an entry from the kernel space of the…

Automated learning of externally defined network assets by a network security device

Granted: October 6, 2020
Patent Number: 10798061
Systems and methods for automated learning of externally defined network assets by a network security device are provided. According to one embodiment, updated information for a network asset associated with a private network is received by a network security device from an external asset management device associated with the private network. The updated information includes a change in a definition or an attribute of the network asset. The existence of a current definition and attribute…

Secure just-in-time (JIT) code generation

Granted: October 6, 2020
Patent Number: 10795989
A method of securely executing a Just-In-Time (JIT) compiled code in a runtime environment, comprising using one or more processors for receiving from a JIT executing process a request to compile in runtime a code segment, initiating a JIT compiling process to compile the code segment in order to generate an executable code segment, storing the executable code segment in a shared memory and providing to the JIT executing process a pointer to the executable code segment in the shared…

Network security framework based scoring metric generation and sharing

Granted: September 29, 2020
Patent Number: 10791146
Systems and methods are described for analysing, sharing and comparing security configurations. According to one embodiment, a security metric for a network segment of a private network is generated based on determination and analysis of network assets, network topology, and one or more defined security criteria representing security features being implemented by one or more network security devices that form part of the network segment, wherein the scoring metric is a quantitative…

Preventing connections to unauthorized access points with channel switch announcements

Granted: September 22, 2020
Patent Number: 10785703
An unauthorized access point is identified during a periodic scan of the wireless network, a MAC address for the unauthorized access point is stored, and the unauthorized access point is monitored for connection attempts. In response to an attempt by the unauthorized access point to connect to a wireless station, or in response to an attempt by the wireless station to connect to the unauthorized access point, a spoofed probe response is transmitted to prevent a connection. The probe response can include a channel switching…

Predicting the risk associated with a network flow, such as one involving an IoT device, and applying an appropriate level of security inspection based thereon

Granted: September 22, 2020
Patent Number: 10785249
Systems and methods for applying a risk-based approach to security inspection of network flows are provided. According to one embodiment, a packet of a flow between a first and second device coupled with a private network is received by a network security device. If an explicit flow policy is defined for the flow, it is applied to the flow; otherwise: (i) a risk level associated with the flow is obtained based on one or more of attributes of the flow, one or more derived attributes of the…

Fingerprinting BYOD (bring your own device) and IOT (internet of things) IPV6 stations for network policy enforcement

Granted: September 22, 2020
Patent Number: 10785114
IoT stations are profiled in an IPv6 protocol environment. Responsive to sending the modified router advertisement instead of the router advertisement to the station, a DHCPv6 solicitation packet is snooped. The DHCPv6 solicitation packet is sent from the station to a DHCPv6 server to gather network configuration information stored in the router advertisement withheld by the access point. In turn, the access point examines the DHCPv6 solicitation packet to determine an identity of least…

Scalable cloud switch for integration of on premises networking infrastructure with networking services in the cloud

Granted: September 15, 2020
Patent Number: 10778465
Systems and methods are described for integration of networking infrastructure with network services running in a Virtual Private Cloud (VPC) of an enterprise network. According to one embodiment, a cloud switch implemented by cloud services provided by a cloud service provider, creates a logical cloud port to provide connectivity to one of multiple resources provided by the cloud service provider. The cloud switch creates a physical cloud port to provide connectivity to a physical,…

Automatic management of firewall rules and policies in accordance with relevancy to network traffic of a wireless network

Granted: September 8, 2020
Patent Number: 10771433
Firewall rules and policies are automatically managed in accordance with relevancy to network traffic on a wireless network. A specific firewall rule is applied to the network packet being examined based on the identified application and on a ranking of a relevancy score. Responsive to application of the specific firewall rule, the relevancy score associated with the specific firewall rule is increased, and relevancy scores for other firewall rules of the predetermined firewall rule…

Enhanced context-based command line interface auto-completion using multiple command matching conditions

Granted: September 1, 2020
Patent Number: 10761614
Systems and methods for improved command line interface (CLI) auto-completion are provided. According to one embodiment, a command auto-complete assistant running on a network security device receives input text entered by a user via a command line interface (CLI) console associated with the network security device. A list of auto-complete suggestions is determined by the command auto-complete assistant by matching the input text with multiple commands of a command set based on a matching condition.…

Notifying users within a protected network regarding events and information

Granted: August 11, 2020
Patent Number: 10742601
Systems and methods are provided for notifying users within a protected network about various events and information. According to one embodiment, a method includes receiving, by a filtering device, a request originated by an application running on a client device. The method further includes making a determination, by the filtering device, whether the request is to be blocked or allowed, based on the one or more policies. If the request is to be blocked, a notification is provided to a…

Wireless charging of multiple wireless devices using RF (radio frequency) energy

Granted: July 28, 2020
Patent Number: 10727683
RF (radio frequency) charging access points charge IoT (Internet of things) devices. RF charging service is advertised through periodically broadcast beacons. A MU-MIMO group or other group is formed from a plurality of stations connected to the access point for RF charging. RF packets are transmitted to stations in the MU-MIMO group, each station including RF charging circuitry to harvest reusable energy from the RF packets.

Providing differentiated QoS by dynamically segregating voice and video clients into different BSSIDs

Granted: July 21, 2020
Patent Number: 10721138
An access category is assigned to stations making probe requests, based on a determined station type. Responsive to a voice access category type determination, deep packet inspection on one or more network packets from a specific flow of the specific station can be performed to identify a specific voice application running on the specific station. A GSSID is assigned to the specific station based on the specific voice application identified, each GSSID from a plurality of GSSIDs having…