Patent classifications
H04L47/20
Virtual patching in a label-based segmented network environment
A segmentation server configures and distributes rules for enforcing a segmentation policy that includes one or more virtual patches. The rules including the virtual patches are enforced by distributed enforcement modules that may execute on host devices or on network devices upstream from the host devices. An enforcement module enforces the rules using traffic filters that filter traffic based on network layer data. To implement a virtual patch, the traffic filters are configured to redirect traffic to or from an application being patched to a transparent application proxy. The transparent application proxy implements an application layer filter that filters traffic based on application layer data to block specific types of traffic associated with a vulnerability addressed by the virtual patch.
Global policers
Apparatus for global policing of a bandwidth of a flow, the apparatus including a network device including a local policer configured to perform bandwidth policing on the flow within the network device, and a communications module configured to: send local policer state information from the local policer to a remote global policer, and receive policer state information from the remote global policer and update the local policer state information based on the remote global policer state information. Related apparatus and methods are also provided.
Quality of service in virtual service networks
A switch in a slice-based network can be used to enforce quality of service (“QoS”). Agents can run in the switches, such as in the core of each switch. The switches can sort ingress packets into slice-specific ingress queues in a slice-based pool. The slices can have different QoS prioritizations. A switch-wide policing algorithm can move the slice-specific packets to egress interfaces. Then, one or more user-defined egress policing algorithms can prioritize which packets are sent out into the network first based on slice classifications.
Efficient Evolved Packet System (EPS) fallback
Systems, devices, and techniques described herein relate to efficient Evolved Packet System (EPS) fallback. A method may include receiving a rejection message that indicates a rejection to set up a call through a 5th Generation (5G) network by a 5G Radio Access Network (RAN). In response to receiving the rejection message, the method may include transmitting a request to establish a dedicated bearer through a 4th Generation (4G) network. A confirmation that the second dedicated bearer has been established through the 4G network may be received within a predetermined time after transmitting the request.
Mobile management system
- Joseph T. Savarese,
- Steven Heckt,
- Michael E. Bryant,
- Eric C. McNeill,
- Carter Smith,
- Elizabeth Kihslinger,
- Thomas Gunther Helms,
- Camilla Keenan-Koch,
- Joseph G. Souza,
- Paul Hoover,
- S. Aaron Stavens,
- Christian E. Hofstaedter,
- Jonathan Scott,
- Erik Olson,
- James Scott Simpkins,
- Stephen Gregory Fallin,
- John Harvey Hillock,
- Eivind Naess,
- Michael Lee Snyder,
- David Michael Mirly,
- Marius Lee,
- Glenn Patrick Aranas,
- Norman C. Hamer,
- Tridib Dutta,
- Andrew James Hoover,
- Thomas A. Sweet,
- Mark Anacker,
- An Phan
Mobile management method and system. The method includes receiving from an application on a client a DNS query for a host name; retrieving reputation data associated with the host name from a local cache on the client; determining whether a policy associated with the host name and the reputation data associated with the host name exists; and one of: sending network flows one of: through a VPN tunnel to a server or out a local proxy on the client to a private or public network; or blocking the network flow based on the determined policy for the host name.