Patent classifications
H04L63/0209
Smart point of presence (SPOP) devices for aircraft-based high availability edge network architecture
A smart network access point (SNAP) device is disclosed. In embodiments, the SNAP device includes trunk ports for accepting a network trunk cable (e.g., fiber optic trunk) and thereby connecting the SNAP device to an aircraft-based network of SNAP devices. The SNAP device includes switch ports for incorporating physical connections to mission systems (MS) or air vehicle systems (AVS) components and devices, providing a local smart point of presence (SPoP) throughout a physical subdivision (e.g., network district) of an aircraft. The SNAP device is configured for monitoring data exchanges between local MS/AVS components and the aircraft network. The SNAP device includes a cybersecurity module for connecting to local security components (e.g., data guards and multiple levels of security (MLS) encryption/decryption) or for providing built-in data guard and encryption/decryption services. The SNAP device includes power control components for managing power distribution to the connected local network components.
Dynamic migration of session data between firewalls to facilitate low-latency session continuity
A method and system to facilitate session continuity where a user-plane function (UPF) serves user-equipment devices (UEs) and communicates with a transport network by default through a first firewall. As each of various ones of the UEs establishes a respective TCP session via the first firewall, the UPF determines whether the UE is likely to engage in latency-sensitive communication, such as if the UE is an Ultra-Reliable Low-Latency Communication (URLLC) device, and if so causes the first firewall to record the UE's TCP session 5-tuple to a centralized data store. Thereafter, when the UPF switches to use a second firewall instead of the first firewall (e.g., because the first firewall goes out of service), the UPF causes the second firewall to get from the centralized data store the TCP session 5-tuple of each such UE, for access-control use by the second firewall, to help provide session continuity.
Network virtualization infrastructure with divided user responsibilities
Some embodiments provide a method for a network management and control system that manages one or more logical networks. From a first user, the method receives a definition of one or more security zones for a logical network. Each security zone definition includes a set of security rules for data compute nodes (DCNs) assigned to the security zone. From a second user, the method receives a definition of an application to be deployed in the logical network. The application definition specifies a set of requirements. Based on the specified set of requirements, the method assigns DCNs implementing the application to one or more of the security zones for the logical network.
Methods and systems that generate and use microsegmentation quotients for security monitoring of distributed-computer-system components
The current document is directed to methods and systems that generate microsegmentation quotients for computational entities and components of a distributed computer system. In the described implementation, microsegmentation quotients are generated for each component, subsystem, or computational entity, collectively referred to as “system entities,” of a set of specified system-entity types within the distributed computer system. Microsegmentation quotients are generated for system entities at any of the various hierarchical levels within a distributed computer system, including for the entire distributed computer system. Microsegmentation quotients are generated by an iterative process that refines initial estimates of the microsegmentation quotients for system entities within the distributed computer system. Microsegmentation quotients are displayed, through system-management interfaces, to administration and management personnel and provided to automated administration-and-management-system tools and facilities in order to facilitate analysis and monitoring of distributed-computer-system security as well as to facilitate rapid and accurate detection and amelioration of security-related deficiencies and problems.
Premises management configuration and control
Disclosed are methods, systems, and devices for management of a premises. The premises may comprise one or more devices, such as a gateway device, a control device, or a premises device. The gateway device may receive data and send the data to the control device. The data may comprise a command, an update, a configuration, or other information. Communication between the control device and any of the other devices at the premises may be configurable by a server device.
System and method for detecting forbidden network accesses based on zone connectivity mapping
A system for automating identification of forbidden network connections is configured to create a network connectivity matrix comprising allowability indications indicating whether establishing network connections between network zones is allowed or forbidden. The system determines whether there is any network connection between devices connected to a firewall device that violates a corresponding allowability indication in the network connectivity matrix. In response to determining that at least one network connection between different devices violates the corresponding allowability indication, the system determines that the at least one network connection is a forbidden network connection.
NETWORK GATEWAY AND METHOD FOR TRANSFERRING DATA FROM A FIRST NETWORK TO A SECOND NETWORK
A method for transferring data from a first network to a second network using a gateway includes setting, by a security monitor, a state of the gateway to a first state indicating to a destination agent that access is granted to trusted memory and denied to the second network and untrusted memory. The destination agent is configured, while the gateway is in the first state, based on parameters stored in the trusted memory, to transfer data received from a source agent to the second network. The state of the gateway is changed to a second state indicating to the destination agent that access is denied to the trusted memory and granted to the second network and the untrusted memory. Transfer of the data from the source agent of the first network to the destination agent of the second network is controlled, while the gateway is in the second state.
COMMUNICATION CONTROL APPARATUS AND SYSTEM
Conventional security measures are generally intended for IT systems, and it has been difficult to satisfy the real-time and availability requirements of a control system. Furthermore, since time-division time-slot communication methods are not taken into consideration, such time-slot communication has problems with efficient utilization of computer resources and a decrease in availability. In order to solve the above-described problems, the present invention identifies a time slot from characteristics of a communication packet received by a reception unit 133, using a time slot characteristic storage unit 130, and selects, in accordance with the identified time slot, an inspection pattern stored in an inspection pattern storage unit 136, using an inspection pattern selection unit 131.
SYSTEMS AND METHODS FOR FILTERING NETWORK COMMUNICATIONS WITH A DEMILITARIZED ZONE
Systems and methods for filtering data network communications using a demilitarized zone (DMZ) are provided. One embodiment includes receiving a first communication from an untrusted network for delivery to a computing device on a trusted network, where the first communication includes a payload and a header. In some embodiments, the method includes filtering the header to determine an internet protocol (IP) address of a remote computing device of the first communication and to determine whether the IP address is associated with an approved remote computing device. Some embodiments include determining whether the header identifies an approved TCP port and/or an approved UDP port. Some embodiments include terminating transmission of the first communication and examining the first communication to determine whether the first communication includes malware. Embodiments may also include maintaining legitimate session records and ensuring the first communication originated from a trusted data source.
THIRD PARTY REMOTE ACCESS POINT ON ENTERPRISE NETWORK
A method for network communication is disclosed. The method includes configuring a remote access point to have restricted access to an enterprise network, wherein the remote access point and the enterprise network are disposed in a first physical facility, the restricted access providing a guest Internet service to the remote access point, establishing, via the enterprise network and the Internet, a secure communication tunnel based on the restricted access to connect the remote access point and a remote network disposed in a second physical facility separate from the first physical facility, and transmitting, using the remote access point and through the secure communication tunnel, network communication data packets between a plurality of user devices disposed in the first physical facility and the remote network disposed in the second physical facility.