Abstract:
The present invention relates to systems and methods to identify a level of access for a resource being accessed via a secure socket layer virtual private network (SSL VPN) connection to a network, and to control the action on the resource based on the identified level of access. The appliance described herein provides intelligent secure access and action control to resources based on a sense and respond mechanism. When a user requests access to a resource via the SSL VPN connection of the appliance, the appliance obtains information about the client to determine the user access scenario—the location, device, connection and identity of the user or client. Based on the collected information, the appliance responds to the detected user scenario by identifying a level of access to the resource for the user/client, such as rights to view, print, edit or save a document. Based on the identified level of access, the appliance controls the actions performed on the resource by various techniques described herein so that the user can only perform the allowed action in accordance with the level of access. As such, the present invention allows organizations to control and provide the appropriate level of access to valuable, confidential or business critical information accessed remotely or via a public network while protecting such information by controlling the types of actions performed or allowed to be performed remotely on the information.
Abstract:
Method and apparatus for effecting handoff in a system supporting both wireless and packet data service communications. In one embodiment, the serving network provides information to the target network sufficient to establish the Point-to-Point Protocol (PPP) connections for handoff. In an alternate embodiment, the serving network and the target network do not share capabilities with respect to concurrent multiple service instances. When the serving network knows the status of the target network, the serving network takes responsibility for the handoff.
Abstract:
This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.
Abstract:
A communication services network is described that enables client communication devices to synchronously or asynchronously communicate with one another or with legacy communication devices through a gateway in either (i) a real-time mode or (ii) a time-shifted mode and (iii) to seamlessly transition between the two modes. As the media of a message is either created or retrieved from memory, the sending client device progressively transmits the media over the network. The network progressively routes the media as it is transmitted to the recipient client device or gateway, which progressively stores the media as it is received. With progressive storage, the recipient has the option of rendering the media as it is received in the real-time mode, rendering the media out of storage in the time-shifted mode, or seamlessly transitioning between the two modes. In addition, users may communicate with each other “live”, similar to a conventional full duplex telephone call, when messages are synchronously transmitted and rendered in real-time with respect to one another. Alternatively, users may communicate with each other asynchronously by sending messages back and forth at discrete times, or by time-shifting the review of received messages.
Abstract:
A method and apparatus for transmitting voice media over a network where the voice media may be consumed either in a real-time mode or a time-shifted mode. The method comprising transmitting the voice media over the network using a network efficient protocol when either (i) the media is not being consumed in the real-time mode or (ii) the condition on the network is good enough to support the real-time transmission and consumption of the voice media in the real-time mode. Alternatively, the voice media is transmitted using a loss tolerant transmission protocol when the media is being consumed in the real-time mode and the condition on the network is sufficiently poor to prevent the real-time consumption of the voice media in real-time using the network efficient protocol. The apparatus, which may be a communication device or a server, implements the above-described method.
Abstract:
Improved systems and methods for distributing interdomain routing information within an Autonomous System (AS). A protocol extension to BGP, iBGPd (internal Border Gateway Protocol downloader), has been developed to replace IBGP in distributing BGP interdomain routing information within an AS. The iBGPd technique distributes routing information hop-by-hop using a reliable multi-party transport protocol. Scalability is greatly improved since the use of a full mesh of TCP connections is avoided. Also, there are improvements in routing information propagation delay and routing stability. Drawbacks related to the use of route reflectors and confederations are avoided.
Abstract:
A packet data system such as a TCP/IP network transmits packets containing a variety of data types along links in the network. Packets are transmitted in a stream between nodes interconnected by the links connections which conform to a transport layer protocol such as TCP, UDP, and RSTP, and includes wireless links, which transmit packets using a radio frequency (RF) medium. Typical protocols, however, are usually developed to optimize throughput and minimize data error and loss over wired links, and do not lend themselves well to a wireless link. By examining the data in a packet, performance characteristics such as a port number are determined. The performance characteristics indicate the application type, and therefore, the data type, of the packets carried on the connection. Since certain data types, such as streaming audio and video, are more loss tolerant, determination of the data type is used to compute link control parameters for the wireless link that are optimal for the type of data being transmitted over the link.
Abstract:
Disclosed are systems employing an architecture that provides capabilities to transport and process Internet Protocol (IP) packets from Layer 2 through transport protocol processing and may also perform packet inspection through Layer 7. A set of engines may perform pass-through packet classification, policy processing and/or security processing enabling packet streaming through the architecture at nearly the full line rate. A scheduler schedules packets to packet processors for processing. An internal memory or local session database cache stores a session information database for a certain number of active sessions. The session information that is not in the internal memory is stored and retrieved to/from an additional memory.
Abstract:
The present invention is directed towards a method and system for accelerating delivery of a computing environment to a remote client. The computing environment may include a plurality of files comprising an application program and may be streamed to a remote client from a server. Responsive to a determination of whether transmission of the application may be accelerated, an appliance, intercepting the plurality of files, may accelerate transmission of the application program by applying one or more transport layer transmission acceleration techniques to the plurality of files.
Abstract:
A method and system for providing network management communication between a plurality of network elements are disclosed. A method includes creating a tunnel configured for transmitting data between the network elements and transmitting network management information over the tunnel using a network management protocol. The tunnel passes through a gateway network element configured to communicate with the network elements utilizing the network management protocol.