H04L63/0209

Network device for securing endpoints in a heterogeneous enterprise network

A network address translation device or similarly situated network device can cooperate with endpoints on a subnet of an enterprise network to secure endpoints within the subnet. For example, the network address translation device may be configured, either alone or in cooperation with other network devices, to block traffic from a compromised endpoint to destinations outside the subnet, and to direct other endpoints within the subnet to stop network communications with the compromised endpoint.

In-packet version tagging utilizing a perimeter NAT

Various embodiments are directed to receiving, at a receiving device, a packet from a node in a first network, determining a version identifier for the packet, encoding the version identifier into the packet, and transmitting the packet containing the encoded version identifier to a load balancing device in a second network. The version identifier may be encoded into a destination port field of the packet. The receiving device may be a perimeter network address translation device. The packet is received at the load balancing device, where the version identifier is extracted and a hash of source address information is performed. The version and hash are used to select a back-end device in the second network. The packet is transmitted to the selected back-end device.

DEVICES AND METHODS FOR OPERATING A COMPUTING SYSTEM COMPRISING A DATA RELAY
20220353188 · 2022-11-03

A computing system includes a computing device and an input data path connecting an interface device to the computing device. The input data path has at least two data relays and at least one buffer memory temporarily storing data. Each of the data relays has first and second terminals and a central terminal and selectively interconnects the first and central terminals or the second and central terminals and leaves the first and second terminals constantly separated from each other. The first terminal of a first relay is connected to the interface device, and the second terminal is connected to the computing device. The central terminal of the first data relay is connected to the buffer memory. The intermediate buffer memory is selectively connected by the first data relay solely to the interface device or the second terminal of the first data relay, but not to both simultaneously.

COMPUTING SYSTEM AND METHOD FOR OPERATING A COMPUTING SYSTEM
20220348239 · 2022-11-03

A computing system has a computing device. The computing system has an input data path, which unidirectionally connects an interface device of the computing system to the computing device, and an output data diode, which unidirectionally connects the computing device to at least one output interface of the computing system. The input data path has a series circuit which is arranged downstream of the interface device and contains an input data diode and a data lock. The input data diode allows a transmission of data in the direction of the computing device and prevents the transmission of data in the opposite direction. The data lock has a first and a second terminal and a temporary storage unit for temporarily storing data and is configured such that the temporary storage unit can be selectively connected solely to the first or second terminal but not simultaneously to both terminals.

AUTOMATED SYNCING OF DATA BETWEEN SECURITY DOMAINS

Described herein are systems, methods, and non-transitory computer readable media for automating the transfer/syncing of datasets or other artifacts from one security domain (e.g., a low security side environment) to another security domain (e.g., a high security side environment) in a seamless manner that complies with requirements of a data transfer mechanism used to transfer data between the two security domains while ensuring data integrity and consistency between the two security domains.

SECURITY INFORMATION DISCOVERY METHOD, SECURITY INFORMATION CONFIGURATION METHOD, AND DEVICE
20220353239 · 2022-11-03

Provided is a method for discovering security information. A first device sends a broadcast or multicast message to M second devices in the network where the first device is located, where M is an integer greater than or equal to 1, and the broadcast or multicast message contains a request for performing security domain discovery; the first device receives representations of security domain resources fed back by N second devices, where N is an integer greater than or equal to 1 and less than or equal to M; the first device obtains L pieces of security domain information on the basis of the representations of the security domain resources fed back by the N second devices, and displays the L pieces of security domain information, where L is an integer greater than or equal to 1, and the security domain information comprises a security domain identification (ID) and a security domain name.

UNIDIRECTIONAL GATEWAY MEDIATED DELIVERY OF DATA MESSAGES
20230085632 · 2023-03-23

A method includes transmitting, by a first interface card in a trusted domain, data. A second interface card in an untrusted domain receives the data. The second interface card stores the data to a first memory location in the untrusted domain, and verifies integrity of the data. The second interface card writes a result of the verifying in a second memory location in the untrusted domain. The first interface card in the trusted domain retrieves the result of the verifying from the second memory location in the untrusted domain. The first interface card in the trusted domain determines, based on the result, whether the transmitted data was received by the second interface card.

UNIDIRECTIONAL GATEWAY MEDIATED MULTIPLEXING OF CONCURRENT DATA MESSAGE STREAMS
20230087954 · 2023-03-23

A method includes transmitting data by a first interface card in a trusted domain. A second interface card in an untrusted domain receives the data. The second interface card stores the data in a first memory location of a plurality of first memory locations in the untrusted domain and verifies integrity of the data. The second interface card writes a result of the verifying in a second memory location of a plurality of second memory locations in the untrusted domain. The first interface card retrieves the result of the verifying from the second memory location of the plurality of second memory locations in the untrusted domain. The first interface card creates a table configured to identify and track a state of the second memory location of the plurality of second memory locations in the untrusted domain corresponding to the data received from the first interface card in the trusted domain.

SECURE REMOTE SUPPORT OF SYSTEMS DEPLOYED IN A PRIVATE NETWORK

A computer-implemented method includes: connecting, by a computing device, to a database using an outbound connection, wherein the computing device is an information technology (IT) product in a private network and the database is outside the private network; receiving, by the computing device, a response from the database, the response including a command; executing, by the computing device, the command; and sending, by the computing device, result data to the database, wherein the result data is data that results from executing the command on the computing device.

Synthetic Request Injection to Retrieve Expired Metadata for Cloud Policy Enforcement
20220345490 · 2022-10-27

The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to process an incoming request from a client and generate metadata. The network security system is further configured to transmit the incoming request to a cloud application. The network security system is further configured to configure the metadata to expire after an expiration window. The network security system is further configured to receive, after the expiration window, a further incoming request from the client. The further incoming request is directed towards the cloud application and subject to policy enforcement that requires the expired metadata. The network security system is further configured to hold the further incoming request and transmit a synthetic request to the cloud application. The synthetic request is configured to retrieve the expired metadata from the cloud application.