-
Publication No.: US10268656B1
Publication date: 2019-04-23
Application No.: US13111131
Filing date: 2011-05-19
Applicant: Yonghui Cheng, Siu-Wang Leung, Wilson Xu, Liang Li
Inventor: Yonghui Cheng, Siu-Wang Leung, Wilson Xu, Liang Li
IPC classification: G06F17/30, G06F16/957
Abstract: Enforcing a policy based at least in part on URL information is disclosed. A uniform resource locator (URL) is received. A portion of the URL, or a transformation thereof, is matched against a bloom filter. Based on a result of the match, a first query is performed. A policy is enforced based at least in part on a category received as a result of a second query. In some cases, the first and second query are the same.
-
Publication No.: US08873556B1
Publication date: 2014-10-28
Application No.: US12344067
Filing date: 2008-12-24
Applicant: Nir Zuk, Yonghui Cheng, Wilson Xu, Monty S. Gill
Inventor: Nir Zuk, Yonghui Cheng, Wilson Xu, Monty S. Gill
CPC classification: H04L45/306, H04L45/38, H04L45/74
Abstract: Methods, systems, and apparatus, including computer program products, featuring receiving at a network device a plurality of packets associated with a flow, one or more of the plurality of packets having associated header data and content. Based on the content of one or more first packets in the plurality of packets, the network device identifies an application associated with the flow, where none of the first packets is addressed to the network device. For one or more second packets associated with the flow, the network device determines a forwarding destination for the second packets based on the application associated with the flow and forwards the packet according to the determined forwarding destination.
-
Publication No.: US09047109B1
Publication date: 2015-06-02
Application No.: US13528748
Filing date: 2012-06-20
Applicant: Song Wang, Martin Walter, Zhipu Jin, Wilson Xu
Inventor: Song Wang, Martin Walter, Zhipu Jin, Wilson Xu
CPC classification: G06F9/45533, G06F9/45558, G06F2009/45587
Abstract: Policy enforcement in an environment that includes virtualized systems is disclosed. Virtual machine information associated with a first virtual machine instance executing on a host machine is received. The information can be received from a variety of sources, including an agent, a log server, and a management infrastructure associated with the host machine. A policy is applied based at least in part on the received virtual machine information.
-
Publication No.: US08769664B1
Publication date: 2014-07-01
Application No.: US12363102
Filing date: 2009-01-30
Applicant: Nir Zuk, Wilson Xu, Yuming Mao
Inventor: Nir Zuk, Wilson Xu, Yuming Mao
CPC classification: H04L63/02, H04L63/0236
Abstract: Methods, systems, and apparatus, including computer program products, featuring receiving at a first security device a packet. The first security device determines that the packet is associated with a flow assigned to a distinct second security device. The first security device sends the packet to the second security device. After the second security device performs security processing using the packet, the first security device receives from the second security device a message regarding the packet. The first security device transmits the packet.
-
Publication No.: US09178885B1
Publication date: 2015-11-03
Application No.: US13113939
Filing date: 2011-05-23
Applicant: Michael Jacobsen, Song Wang, Wilson Xu
Inventor: Michael Jacobsen, Song Wang, Wilson Xu
Abstract: Enforcing a policy is described. A mapping between an IP address of a device and a user identity is identified, at least in part by correlating event information. A policy is applied to the device based at least in part on the user identity. One example of an event is an access to a mail server, such as an access to a Microsoft Exchange server.
-
Publication No.: US07093280B2
Publication date: 2006-08-15
Application No.: US09967893
Filing date: 2001-09-27
Applicant: Yan Ke, Yuming Mao, Wilson Xu, Brian Yean-Shiang Leu
Inventor: Yan Ke, Yuming Mao, Wilson Xu, Brian Yean-Shiang Leu
CPC classification: H04L63/02, H04L12/4641, H04L12/4645, H04L12/467, H04L49/25, H04L49/351, H04L49/354, H04L63/0209, H04L63/0272, H04L63/08, H04L63/20
Abstract: Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet in a packet forwarding device. A data packet is received. A virtual local area network destination is determined for the received data packet, and a set of rules associated with the virtual local area network destination is identified. The rules are applied to the data packet. If a virtual local area network destination has been determined for the received data packet, the data packet is output to the destination, using the result from the application of the rules. If no destination has been determined, the data packet is dropped. A security system for partitioning security system resources into a plurality of separate security domains that are configurable to enforce one or more policies and to allocate security system resources to the one or more security domains, is also described.
-
Publication No.: US08930529B1
Publication date: 2015-01-06
Application No.: US13246472
Filing date: 2011-09-27
Applicant: Song Wang, Suiqiang Deng, Wilson Xu, Martin Walter
Inventor: Song Wang, Suiqiang Deng, Wilson Xu, Martin Walter
IPC classification: G06F15/173
CPC classification: H04L63/02, H04L61/15, H04L61/2076, H04L63/0236, H04L63/102, H04L63/20
Abstract: Policy enforcement is disclosed. An identity notification is received from a network device. The identity notification is usable to determine a user identifier associated with the network device. The identity notification is also usable to determine an IP address associated with the network device. A policy is updated based on the received identity notification.
-
Publication No.: US08875223B1
Publication date: 2014-10-28
Application No.: US13222868
Filing date: 2011-08-31
Applicant: Yueh-Zen Chen, Wilson Xu, Monty Sher Gill
Inventor: Yueh-Zen Chen, Wilson Xu, Monty Sher Gill
IPC classification: G06F17/00
CPC classification: H04L63/0272, G06F21/6272, G06F2221/2103, G06F2221/2141, H04L63/0254, H04L63/029, H04L63/164, H04L63/20
Abstract: Techniques for configuring and managing remote security devices are disclosed. In some embodiments, configuring and managing remote security devices includes receiving a registration request for a remote security device at a device for configuring and managing a plurality of remote security devices; verifying the registration request to determine that the remote security device is an authorized remote security device for an external network; and sending a response identifying one or more security gateways to the remote security device, in which the remote security device is automatically configured to connect to each of the one or more security gateways using a distinct Layer 3 protocol tunnel (e.g., a virtual private network (VPN)).
-
Publication No.: US09215235B1
Publication date: 2015-12-15
Application No.: US13113939
Filing date: 2011-05-23
Applicant: Michael Jacobsen, Song Wang, Wilson Xu
Inventor: Michael Jacobsen, Song Wang, Wilson Xu
CPC classification: H04L63/20, G06F21/30, H04L61/25, H04L63/0209, H04L63/08, H04L63/10, H04L63/105
Abstract: Enforcing a policy is described. A mapping between an IP address of a device and a user identity is identified, at least in part by correlating event information. A policy is applied to the device based at least in part on the user identity. One example of an event is an access to a mail server, such as an access to a Microsoft Exchange server.
-
Publication No.: US09185075B2
Publication date: 2015-11-10
Application No.: US11422477
Filing date: 2006-06-06
Applicant: Yan Ke, Yuming Mao, Wilson Xu, Brian Yean-Shiang Leu
Inventor: Yan Ke, Yuming Mao, Wilson Xu, Brian Yean-Shiang Leu
IPC classification: H04L29/06, H04L12/46, H04L12/931, H04L12/947
CPC classification: H04L63/02, H04L12/4641, H04L12/4645, H04L12/467, H04L49/25, H04L49/351, H04L49/354, H04L63/0209, H04L63/0272, H04L63/08, H04L63/20
Abstract: Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet in a packet forwarding device. A data packet is received. A virtual local area network destination is determined for the received data packet, and a set of rules associated with the virtual local area network destination is identified. The rules are applied to the data packet. If a virtual local area network destination has been determined for the received data packet, the data packet is output to the destination, using the result from the application of the rules. If no destination has been determined, the data packet is dropped. A security system for partitioning security system resources into a plurality of separate security domains that are configurable to enforce one or more policies and to allocate security system resources to the one or more security domains, is also described.
-