Network security framework based scoring metric generation and sharing
Granted: September 29, 2020
Patent Number:
10791146
Systems and methods are described for analysing, sharing and comparing security configurations. According to one embodiment, a security metric for a network segment of a private network is generated based on determination and analysis of network assets, network topology, and one or more defined security criteria representing security features being implemented by one or more network security devices that form part of the network segment, wherein the scoring metric is a quantitative…
Preventing connections to unauthorized access points with channel switch announcements
Granted: September 22, 2020
Patent Number:
10785703
An unauthorized access point is identified during a periodic scan of the wireless network, and a MAC address for the unauthorized access point is stored and monitored for connection attempts. In response to an attempt by the unauthorized access point to connect to a wireless station, or to an attempt by the wireless station to connect to the unauthorized access point, a spoofed probe response is transmitted to prevent a connection. The probe response can include a channel switching…
Predicting the risk associated with a network flow, such as one involving an IoT device, and applying an appropriate level of security inspection based thereon
Granted: September 22, 2020
Patent Number:
10785249
Systems and methods for applying a risk-based approach to security inspection of network flows is provided. According to one embodiment, a packet of a flow between a first and second device coupled with a private network is received by a network security device. If an explicit flow policy is defined for the flow, it is applied to the flow; otherwise: (i) a risk level associated with the flow is obtained based on one or more of attributes of the flow, one or more derived attributes of the…
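The decision described in this abstract, explicit policy first and otherwise an inspection level chosen from a risk score over flow attributes, as an added example. This is illustrative code, not the patent's or Fortinet's; the attribute names, the weights, the tiers and the sample policy are assumptions chosen for the example.

```python
# Added example (not the patent's code): pick an inspection depth for a flow by
# first honouring an explicit policy, and otherwise from a risk score derived
# from flow attributes. Attribute names, weights and thresholds are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    device_type: str      # hypothetical attribute from device profiling
    bytes_per_sec: float  # hypothetical derived attribute (observed rate)

# Explicit policies: (src, dst, dport, proto) -> inspection level; "*" matches anything.
EXPLICIT_POLICIES = {
    ("10.0.5.20", "*", 443, "tcp"): "full",   # constructed sample policy
}

INSPECTION_LEVELS = ("none", "flow", "full")   # cheapest to most expensive

def lookup_explicit_policy(flow: Flow) -> Optional[str]:
    """Return the inspection level of the first matching explicit policy, if any."""
    for (src, dst, dport, proto), level in EXPLICIT_POLICIES.items():
        if (src in ("*", flow.src) and dst in ("*", flow.dst)
                and dport in ("*", flow.dport) and proto in ("*", flow.proto)):
            return level
    return None

def risk_score(flow: Flow) -> int:
    """Additive risk score, 0..100. Weights are chosen for the example."""
    score = 0
    if flow.device_type in ("iot_camera", "iot_sensor", "unknown"):
        score += 40   # unmanaged/IoT endpoints: unknown type is treated as high risk
    if not flow.dst.startswith("10."):
        score += 30   # flow leaves the private network
    if flow.dport not in (53, 80, 123, 443):
        score += 20   # unusual service port
    if flow.bytes_per_sec > 1_000_000:
        score += 10   # high volume, possible exfiltration
    return score

def select_inspection(flow: Flow) -> Tuple[str, str]:
    """Return (inspection level, reason). Explicit policy wins; else risk tiers."""
    explicit = lookup_explicit_policy(flow)
    if explicit is not None:
        return explicit, "explicit"
    score = risk_score(flow)
    if score >= 60:
        return "full", f"risk={score}"
    if score >= 30:
        return "flow", f"risk={score}"
    return "none", f"risk={score}"
```

The one design choice worth copying is that an unprofiled device scores as high risk rather than zero, so a station the profiler has never seen gets full inspection instead of a free pass.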
Fingerprinting BYOD (bring your own device) and IOT (internet of things) IPV6 stations for network policy enforcement
Granted: September 22, 2020
Patent Number:
10785114
IoT stations are profiled in an IPv6 protocol environment. Responsive to sending a modified router advertisement, instead of the original router advertisement, to the station, a DHCPv6 solicitation packet is snooped. The DHCPv6 solicitation packet is sent from the station to a DHCPv6 server to gather the network configuration information carried in the router advertisement withheld by the access point. In turn, the access point examines the DHCPv6 solicitation packet to determine an identity of least…
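The snooping half of this abstract, parsing the DHCPv6 Solicit a station is forced to send and turning the options it carries into a fingerprint, as an added example. This is not the patent's code; the sample Solicit, the enterprise number 9999 and the fingerprint table are constructed for the example, and the modified-router-advertisement step that triggers the Solicit is assumed to have already happened.

```python
# Added example (not the patent's code): parse a snooped DHCPv6 Solicit and derive a
# fingerprint from the options a station requests and advertises. The fingerprint
# table and the sample Solicit are constructed for the example.
import struct

MSG_SOLICIT = 1
OPT_CLIENTID, OPT_ORO, OPT_VENDOR_CLASS, OPT_CLIENT_FQDN = 1, 6, 16, 39

def parse_dhcpv6(payload: bytes) -> dict:
    """Split a DHCPv6 message (RFC 8415 layout) into type, transaction id and options."""
    if len(payload) < 4:
        raise ValueError("short DHCPv6 message")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    options = {}
    pos = 4
    while pos + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, pos)
        data = payload[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        options.setdefault(code, []).append(data)   # options may repeat
        pos += 4 + length
    if pos != len(payload):
        raise ValueError("trailing bytes after last option")
    return {"type": msg_type, "xid": xid, "options": options}

def decode_fqdn(data: bytes) -> str:
    """Client FQDN option: one flags byte, then a DNS wire-format name."""
    labels, pos = [], 1
    while pos < len(data) and data[pos] != 0:
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)

def fingerprint(msg: dict) -> dict:
    """Fields a profiler can key on: DUID type, option request order, vendor class, FQDN."""
    o = msg["options"]
    duid_type = struct.unpack("!H", o[OPT_CLIENTID][0][:2])[0] if OPT_CLIENTID in o else None
    oro = ()
    if OPT_ORO in o:
        d = o[OPT_ORO][0]
        oro = struct.unpack("!%dH" % (len(d) // 2), d)
    vendor = None
    if OPT_VENDOR_CLASS in o:
        d = o[OPT_VENDOR_CLASS][0]
        enterprise = struct.unpack("!I", d[:4])[0]
        n = struct.unpack("!H", d[4:6])[0]
        vendor = (enterprise, d[6:6 + n].decode("ascii", "replace"))
    fqdn = decode_fqdn(o[OPT_CLIENT_FQDN][0]) if OPT_CLIENT_FQDN in o else None
    return {"duid_type": duid_type, "oro": oro, "vendor": vendor, "fqdn": fqdn}

# Constructed fingerprint table: (DUID type, ORO, enterprise number) -> device class.
KNOWN_FINGERPRINTS = {(1, (23, 24), 9999): "example-iot-camera"}

def classify(fp: dict) -> str:
    key = (fp["duid_type"], fp["oro"], fp["vendor"][0] if fp["vendor"] else None)
    return KNOWN_FINGERPRINTS.get(key, "unknown")

def _opt(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data

def build_sample_solicit() -> bytes:
    """Constructed Solicit from a hypothetical camera (enterprise 9999 is made up)."""
    duid_llt = struct.pack("!HHI", 1, 1, 0x5F000000) + bytes.fromhex("0242ac110002")
    vendor_data = b"ExampleCam 1.0"
    vendor = struct.pack("!IH", 9999, len(vendor_data)) + vendor_data
    fqdn = b"\x00" + b"\x06cam-01\x00"
    return (bytes([MSG_SOLICIT]) + b"\x12\x34\x56"
            + _opt(OPT_CLIENTID, duid_llt)
            + _opt(OPT_ORO, struct.pack("!HH", 23, 24))
            + _opt(OPT_VENDOR_CLASS, vendor)
            + _opt(OPT_CLIENT_FQDN, fqdn))
```

Everything in the Solicit is client-controlled, so the fingerprint is evidence for a policy decision, not proof of identity: a station can send any DUID, option order or vendor class it likes, and the parser rejects truncated or oversized options rather than trusting the declared lengths.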
Scalable cloud switch for integration of on premises networking infrastructure with networking services in the cloud
Granted: September 15, 2020
Patent Number:
10778465
Systems and methods are described for integration of networking infrastructure with network services running in a Virtual Private Cloud (VPC) of an enterprise network. According to one embodiment, a cloud switch implemented by cloud services provided by a cloud service provider, creates a logical cloud port to provide connectivity to one of multiple resources provided by the cloud service provider. The cloud switch creates a physical cloud port to provide connectivity to a physical,…
Automatic management of firewall rules and policies in accordance with relevancy to network traffic of a wireless network
Granted: September 8, 2020
Patent Number:
10771433
Firewall rules and policies are automatically managed in accordance with their relevancy to network traffic on a wireless network. A specific firewall rule is applied to the network packet being examined, selected for the identified application based on a ranking of relevancy scores. Responsive to the specific firewall rule being applied, the relevancy score associated with the specific firewall rule is increased, and relevancy scores for other firewall rules of the predetermined firewall rule…
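The scoring loop this abstract describes, a hit raises one rule's relevancy while the others decay and the rule set is evaluated in relevancy order, as an added example. It is not the patent's code; the rule set, the reward and the decay factor are assumptions, and the specificity tier is an added safeguard so that reordering by relevancy can never let a frequently hit catch-all shadow an application-specific rule.

```python
# Added example (not the patent's code): rank firewall rules by a relevancy score that
# rises when a rule fires and decays for the others. Rules are only reordered within
# the same specificity tier so a hot catch-all can never shadow an application rule.
# The rule set, decay factor and reward are assumptions for the example.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    name: str
    app: str        # application the rule matches; "*" = any application
    action: str     # "allow" or "deny"
    score: float = 0.0

    @property
    def tier(self) -> int:
        return 1 if self.app == "*" else 0   # specific rules sort before catch-alls

class RelevancyRuleSet:
    def __init__(self, rules: List[Rule], reward: float = 1.0, decay: float = 0.9):
        self.rules = list(rules)
        self.reward, self.decay = reward, decay

    def ordered(self) -> List[Rule]:
        """Evaluation order: tier first, then highest relevancy; sort is stable."""
        return sorted(self.rules, key=lambda r: (r.tier, -r.score))

    def apply(self, app: str) -> Optional[Rule]:
        """Return the rule applied to a packet of the identified application and
        update scores: the hit gains `reward`, every other rule decays."""
        hit = next((r for r in self.ordered() if r.app in ("*", app)), None)
        if hit is None:
            return None
        for r in self.rules:
            if r is hit:
                r.score += self.reward
            else:
                r.score *= self.decay
        return hit
```

Reordering by relevancy is only safe when the rules being swapped cannot both match the same packet; that is what the tier does here. Without it, a busy default-deny would climb above every allow rule after a burst of unknown traffic and change the policy's behaviour, not just its lookup cost.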
Enhanced context-based command line interface auto-completion using multiple command matching conditions
Granted: September 1, 2020
Patent Number:
10761614
Systems and methods for improved command line interface (CLI) auto-completion. According to one embodiment, a command auto-complete assistant running on a network security device receives input text entered by a user via a command line interface (CLI) console associated with the network security device. A list of auto-complete suggestions is determined by the command auto-complete assistant by matching the input text with multiple commands of a command set based on a matching condition.…
Notifying users within a protected network regarding events and information
Granted: August 11, 2020
Patent Number:
10742601
Systems and methods are provided for notifying users within a protected network about various events and information. According to one embodiment, a method includes receiving, by a filtering device, a request originated by an application running on a client device. The method further includes making a determination, by the filtering device, whether the request is to be blocked or allowed, based on the one or more policies. If the request is to be blocked, a notification is provided to a…
Wireless charging of multiple wireless devices using RF (radio frequency) energy
Granted: July 28, 2020
Patent Number:
10727683
RF (radio frequency) charging access points charge IoT (Internet of things) devices. RF charging service is advertised through periodically broadcast beacons. A MU-MIMO group or other group is formed from a plurality of stations connected to the access point for RF charging. RF packets are transmitted to stations in the MU-MIMO group, each station including RF charging circuitry to harvest reusable energy from the RF packets.
Packet processing with per-CPU (central processing unit) flow tables in a network device
Granted: July 21, 2020
Patent Number:
10721186
A plurality of network packets is received at an input network interface of the network device coupled to the data communication network. Each network packet is stored in one of a plurality of hardware queues, each queue dedicated to one CPU of a plurality of CPUs, in accordance with a flow assigned to the network packet. Responsive to successfully identifying a stored hash matching the hash result in the hash table, an associated flow entry is fetched,…
Providing differentiated QoS by dynamically segregating voice and video clients into different BSSIDs
Granted: July 21, 2020
Patent Number:
10721138
An access category is assigned to stations making probe requests, based on a determined station type. Responsive to a determination of the voice access category type, deep packet inspection can be performed on one or more network packets from a specific flow of the specific station to identify a specific voice application running on the specific station. A BSSID is assigned to the specific station based on the specific voice application identified, each BSSID from a plurality of BSSIDs having…
Extending airtime fairness in WLANS (wireless local access networks) with selective dynamic allocation of quantum
Granted: July 14, 2020
Patent Number:
10716027
A set of priority parameters for network traffic on the data communication network is stored. Based on a determination of the specific application, which is based at least in part on a source IP address, a source port, a destination IP address, a destination port and a protocol, an airtime fairness ratio (ATR) for the session with a specific station is assigned from the set of priority parameters concerning application priority. A higher ATR results in more packets being stored in the…
Selective key caching for fast roaming of wireless stations in communication networks
Granted: July 14, 2020
Patent Number:
10715999
Authentication keys are selectively cached locally for faster roaming of wireless stations in a communication network. An attempt by a station to reassociate with an access point is detected. Responsive to identifying a key corresponding to the station as evidence of a previous association, the key is retrieved from the key cache without contacting a controller or an authentication server, for faster responses. At least one modified response frame is generated to include the identified…
Transferring soft tokens from one mobile device to another
Granted: July 7, 2020
Patent Number:
10708771
Systems and methods for securely transferring tokens from one device to another are provided. According to one embodiment, a token transfer request (TTR), requesting transfer of a soft token stored on a first mobile device to a second mobile device, is received by a provisioning server from the first device. A transfer activation code (TAC) is generated by the provisioning server responsive to receipt of token data associated with the soft token from the first device. The token data…
Mitigating effects of flooding attacks on a forwarding database
Granted: July 7, 2020
Patent Number:
10708299
Systems and methods for mitigating effects of source-Media Access Control (MAC) flooding attacks on a forwarding database (FDB) that maps MAC addresses to enhanced MAC Virtual Local Area Network (EMACVLAN) sub-interfaces of a physical Ethernet interface are provided. A Virtual Domain (VDOM) operating in transparent mode receives, via a sub-interface, an ingress packet from an internal switch running on the virtualized network device. When an entry, corresponding to a source MAC address of…
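A forwarding database that learns source MACs per sub-interface and refuses to learn beyond a per-sub-interface cap, so a source-MAC flood on one sub-interface cannot evict legitimate entries or fill the table, as an added example. This is not the patent's code: the cap, the idle TTL, the "move only if the target has room" rule and the simulated flood are assumptions constructed for the example, and the abstract does not say which of these the patented method uses.

```python
# Added example (not the patent's code): a forwarding database that maps source MAC
# addresses to sub-interfaces and caps the number of entries learned per
# sub-interface, so a flood of spoofed source MACs on one sub-interface cannot
# evict legitimate entries or exhaust the table. Limits and TTL are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class FdbEntry:
    subif: str
    last_seen: float

class ForwardingDatabase:
    def __init__(self, max_per_subif: int = 3, ttl: float = 300.0):
        self.max_per_subif = max_per_subif
        self.ttl = ttl
        self.entries: Dict[str, FdbEntry] = {}
        self.count: Dict[str, int] = {}          # learned entries per sub-interface
        self.rejected: Dict[str, int] = {}       # learn attempts refused per sub-interface

    def learn(self, src_mac: str, subif: str, now: float) -> str:
        """Record src_mac on subif. Returns what happened so the caller can alert."""
        entry = self.entries.get(src_mac)
        if entry is not None:
            if entry.subif == subif:
                entry.last_seen = now
                return "refreshed"
            # MAC moved between sub-interfaces: move it only if the target has room
            if self.count.get(subif, 0) >= self.max_per_subif:
                self.rejected[subif] = self.rejected.get(subif, 0) + 1
                return "rejected"
            self.count[entry.subif] -= 1
            self.count[subif] = self.count.get(subif, 0) + 1
            entry.subif, entry.last_seen = subif, now
            return "moved"
        if self.count.get(subif, 0) >= self.max_per_subif:
            self.rejected[subif] = self.rejected.get(subif, 0) + 1
            return "rejected"   # table protected; the frame may still be forwarded, just not learned
        self.entries[src_mac] = FdbEntry(subif, now)
        self.count[subif] = self.count.get(subif, 0) + 1
        return "learned"

    def lookup(self, mac: str) -> Optional[str]:
        entry = self.entries.get(mac)
        return entry.subif if entry else None

    def expire(self, now: float) -> int:
        """Drop entries idle longer than ttl; returns how many were removed."""
        stale = [m for m, e in self.entries.items() if now - e.last_seen > self.ttl]
        for m in stale:
            self.count[self.entries[m].subif] -= 1
            del self.entries[m]
        return len(stale)

def simulate_flood(fdb: ForwardingDatabase, subif: str, n: int, now: float) -> int:
    """Constructed attack: n frames with sequential locally-administered source MACs
    on one sub-interface. Returns how many learn attempts the cap rejected."""
    rejected = 0
    for i in range(n):
        mac = "02:00:00:%02x:%02x:%02x" % (i >> 16 & 0xFF, i >> 8 & 0xFF, i & 0xFF)
        if fdb.learn(mac, subif, now) == "rejected":
            rejected += 1
    return rejected
```

The rejected counter per sub-interface is the detection signal: a sub-interface that keeps hitting its cap with fresh MACs is either a flooding attacker or a mis-sized limit, and either way deserves an alert rather than silent table churn.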
Detection and mitigation of time-delay based network attacks
Granted: July 7, 2020
Patent Number:
10708283
Systems and methods for mitigation of time-delay based network attacks are provided. According to one embodiment, an email directed to a user of an enterprise and containing a potentially malicious link is received by a mail server of the enterprise. At a first time, a file to which the potentially malicious link points is evaluated within a sandbox environment and a first hash value is generated based on contents of the file. At a second time, the sandbox environment evaluates a…
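The two-evaluation scheme in this abstract, hashing what the link points to when the mail arrives and again after a delay so that a payload swapped in after the first scan is caught, as an added example. This is not the patent's code; the fetcher that turns malicious after an hour, the analyzer keyed on a PDF JavaScript action and the one-hour recheck interval are all constructed for the example.

```python
# Added example (not the patent's code): hash what a mailed link points to when the
# message arrives, then again after a delay, and flag the link if the content changed,
# since a time-delayed payload swap only becomes malicious after the first scan.
# The fetcher, the analyzer and the 1-hour recheck interval are constructed.
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Evaluation:
    at: float        # seconds on an arbitrary constructed clock
    sha256: str
    verdict: str     # "clean" or "malicious"

class DelayedLinkMonitor:
    def __init__(self, fetch: Callable[[str, float], bytes],
                 analyze: Callable[[bytes], str], recheck_after: float = 3600.0):
        self.fetch, self.analyze, self.recheck_after = fetch, analyze, recheck_after
        self.history: Dict[str, List[Evaluation]] = {}

    def evaluate(self, url: str, now: float) -> Evaluation:
        """Fetch the link target in the sandbox, hash it and record the verdict."""
        content = self.fetch(url, now)
        ev = Evaluation(now, hashlib.sha256(content).hexdigest(), self.analyze(content))
        self.history.setdefault(url, []).append(ev)
        return ev

    def recheck_due(self, url: str, now: float) -> bool:
        evs = self.history.get(url)
        return bool(evs) and now - evs[-1].at >= self.recheck_after

    def verdict(self, url: str) -> str:
        """'malicious' if any evaluation was, 'changed' if the hash drifted while every
        verdict stayed clean, 'clean' if all evaluations agreed, 'unknown' if never seen."""
        evs = self.history.get(url, [])
        if not evs:
            return "unknown"
        if any(e.verdict == "malicious" for e in evs):
            return "malicious"
        if len({e.sha256 for e in evs}) > 1:
            return "changed"   # content swapped after delivery, even if not yet detected
        return "clean"

# Constructed attacker web server: benign for the first hour, payload afterwards.
def constructed_fetch(url: str, now: float) -> bytes:
    if url == "http://example.invalid/invoice.pdf" and now >= 3600.0:
        return b"%PDF-1.7 ... /OpenAction << /S /JavaScript /JS (payload) >>"
    return b"%PDF-1.7 ... plain invoice"

def constructed_analyze(content: bytes) -> str:
    return "malicious" if b"/JavaScript" in content else "clean"
```

The "changed" verdict is the practitioner's caveat: a hash that drifts between the two evaluations is itself suspicious even when the second sandbox run still says clean, because a server that serves different bytes to a scanner over time is behaving like a staged delivery.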
User authentication via a combination of a fingerprint and a tactile pattern
Granted: July 7, 2020
Patent Number:
10706304
Systems and methods for authenticating a user by a combination of the user's fingerprint and a tactile pattern are provided. According to one embodiment, a computing device captures a tactile pattern that is drawn by a user's finger on a touch panel that is operationally connected to the computing device. The computing device captures one or more fingerprints of the user using a fingerprint reader component of the computing device at one or more locations on the touch panel while the…
Extension of Wi-Fi services multicast to a subnet across a Wi-Fi network using software-defined network (SDN) to centrally control data plane behavior
Granted: June 23, 2020
Patent Number:
10694341
Wi-Fi services multicast to a subnet in a software-defined network (SDN) are extended. An SDN controller centrally monitors a data plane of a Wi-Fi network. Advertisements for services within a first subnet by an advertising station are forwarded to the SDN controller. Parameters of the service of the advertising station are extracted for storage by performing deep packet inspection on the one or more packets. Queries for services within a second subnet by a querying station are also…
Building a cooperative security fabric of hierarchically interconnected network security devices
Granted: June 16, 2020
Patent Number:
10686839
Systems and methods for implementing a cooperative security fabric (CSF) protocol are provided. According to one embodiment, a CSF of multiple network security devices (NSDs) deployed within a protected network is constructed in a form of a tree, having a root node, one or more intermediate nodes and one or more leaf nodes, based on hierarchical interconnections among the NSDs by determining a relative upstream or downstream relationship among each NSD. Backend daemons of the NSDs…
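Constructing the fabric tree from the upstream/downstream relationship each device reports, as an added example. This is not the patent's or the CSF protocol's code: it takes (downstream, upstream) pairs as the already-determined relationships, rejects anything that is not a single rooted tree, and classifies each device as root, intermediate or leaf. Device names are constructed.

```python
# Added example (not the patent's code): build the security-fabric tree from the
# upstream/downstream relationship each network security device (NSD) reports, reject
# topologies that are not a single tree, and classify each NSD as root, intermediate
# or leaf. Device names are constructed.
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

class CsfTopologyError(ValueError):
    pass

def build_csf_tree(links: Iterable[Tuple[str, str]]) -> Tuple[str, Dict[str, List[str]]]:
    """links: (downstream_nsd, upstream_nsd) pairs. Returns (root, children-by-parent)."""
    parent: Dict[str, str] = {}
    nodes = set()
    for down, up in links:
        if down == up:
            raise CsfTopologyError("%s lists itself as upstream" % down)
        if parent.get(down, up) != up:
            raise CsfTopologyError("%s reports two upstreams" % down)
        parent[down] = up
        nodes.update((down, up))
    roots = sorted(n for n in nodes if n not in parent)
    if len(roots) != 1:
        raise CsfTopologyError("expected exactly one root, found %r" % roots)
    for start in nodes:                     # every node must reach the root without looping
        seen, cur = set(), start
        while cur in parent:
            if cur in seen:
                raise CsfTopologyError("cycle through %s" % cur)
            seen.add(cur)
            cur = parent[cur]
    children: Dict[str, List[str]] = defaultdict(list)
    for down, up in parent.items():
        children[up].append(down)
    return roots[0], {p: sorted(c) for p, c in children.items()}

def role(root: str, children: Dict[str, List[str]], nsd: str) -> str:
    """Position of an NSD in the tree: "root", "intermediate" or "leaf"."""
    if nsd == root:
        return "root"
    return "intermediate" if children.get(nsd) else "leaf"
```

Validating the topology before acting on it matters because the fabric is a trust structure: a device claiming two upstreams, or a loop that never reaches the root, should be refused rather than silently merged into the tree.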
DNS-enabled communication between heterogeneous devices
Granted: June 2, 2020
Patent Number:
10673815
Methods and systems for an IPv4-IPv6 proxy mode for DNS servers are provided. According to one embodiment, a DNS query is received by a network device from a dual-stack client. A determination is made by the network device whether a first record type containing an Internet Protocol (IP) address for a server associated with the query exists within a DNS database of the network device. If the first record type exists for the server, then communication is enabled between the client and the…
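The decision this abstract describes, answer directly when the requested record type exists and fall back to proxying when only the other address family is known, as an added example. This is not the patent's code: the abstract does not say how the proxy path is set up, so handing out an address from the device's own pool and remembering the mapping for the data path is an assumption, as are the record database and the two pool prefixes.

```python
# Added example (not the patent's code): decision logic for a DNS proxy in front of a
# dual-stack client. If the requested record type exists, the client talks to the server
# directly; if only the other family's record exists, the device hands out an address
# from its own proxy pool and remembers the mapping so it can relay between families.
# The record database and the two proxy pools are constructed for the example.
import ipaddress
from typing import Dict, Optional, Tuple

class DnsFamilyProxy:
    def __init__(self, records: Dict[str, Dict[str, str]],
                 proxy_v6_pool: str = "2001:db8:1::/120",
                 proxy_v4_pool: str = "203.0.113.0/24"):
        self.records = records
        self.pools = {"AAAA": ipaddress.ip_network(proxy_v6_pool),
                      "A": ipaddress.ip_network(proxy_v4_pool)}
        self.next_index = {"AAAA": 1, "A": 1}            # index 0 is the network address
        self.proxy_addr: Dict[Tuple[str, str], str] = {}  # (name, qtype) -> proxy address
        self.mappings: Dict[str, str] = {}                # proxy address -> real server

    def resolve(self, name: str, qtype: str) -> Tuple[str, Optional[str]]:
        """Return ("direct", addr), ("proxy", addr) or ("nodata", None)."""
        if qtype not in ("A", "AAAA"):
            raise ValueError("only address records are handled here")
        recs = self.records.get(name, {})
        if qtype in recs:
            return "direct", recs[qtype]          # native record: no proxying needed
        other = "A" if qtype == "AAAA" else "AAAA"
        if other not in recs:
            return "nodata", None
        key = (name, qtype)
        if key not in self.proxy_addr:            # allocate once, answer consistently
            pool = self.pools[qtype]
            idx = self.next_index[qtype]
            if idx >= pool.num_addresses - 1:
                raise RuntimeError("proxy pool %s exhausted" % pool)
            addr = str(pool[idx])
            self.next_index[qtype] = idx + 1
            self.proxy_addr[key] = addr
            self.mappings[addr] = recs[other]
        return "proxy", self.proxy_addr[key]

    def target_for(self, proxy_address: str) -> Optional[str]:
        """Data path: which real server does a proxy address stand for?"""
        return self.mappings.get(proxy_address)

# Constructed DNS database for the example.
CONSTRUCTED_RECORDS = {
    "dual.example":   {"A": "192.0.2.10", "AAAA": "2001:db8::10"},
    "v4only.example": {"A": "192.0.2.20"},
    "v6only.example": {"AAAA": "2001:db8::30"},
}
```

Two things a deployment would need beyond this sketch: the proxy pool is a finite resource that an attacker can exhaust by querying many names, so allocations need a TTL and the exhaustion error needs handling; and the synthesized answer must not be signed as if it were authoritative data, since the client is being told an address the server does not own.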