Patent classifications
H04L63/0209
Protection of private data using an enclave cluster
Systems and methods are disclosed for protecting data. An example method includes creating an outer cluster on one or more host machines coupled to a network. The outer cluster includes a plurality of outer nodes. The method also includes creating an enclave cluster on the outer cluster. The enclave cluster includes a plurality of inner nodes, and each inner node of the plurality of inner nodes executes within an enclave of the one or more host machines. The method further includes exposing an application programming interface (API) to the outer cluster, where invocation of the API causes at least one inner node of the enclave cluster to perform an operation on data. The method also includes performing, by an inner node of the enclave cluster, the operation on the data in response to invocation of the API by an outer node of the outer cluster.
System and method for virtual cloud-based facilitation of homelessness reduction through secure, scalable, real-time need assessment and resource availability tracking and allocation
Homelessness, and the burden it places on public health infrastructure, can be reduced via a virtual cloud-based system and method that maintain an up-to-date view of available resources, provide a way for a person at need, such as a homeless person or a person at risk of homelessness, to gain access to those resources online or through dial-in, and provide advice to the person where advice is necessary for connecting to the needed resources. A virtual cloud-computing environment provides a scalable and secure environment where providers of resources can submit information about resources they are willing to contribute. An individual at need can access the system online, and resources appropriate for that person are determined. Resource officers can access the system from any place that has Internet access and use it as a tool to allocate resources to an individual in a social crisis that can lead to or perpetuate homelessness.
INTELLIGENT DEPLOYMENT REGION SELECTION AND SCALING OF CLOUD-BASED FIREWALLS
Automated, intelligent selection of regions for cloud-based firewall deployment, and scaling of firewalls down to as few as zero in a cloud region, are described herein. Usage metrics pertaining to the firewalls deployed in each region are collected and evaluated to determine whether to scale the firewalls in a region up or down. Scaling firewalls down to zero is conditioned on at least one other region having one or more firewalls available for traffic inspection, so that the total number of firewalls available to inspect network traffic is at least one at any given time. When scaling up by deploying additional firewalls, if endpoint devices located near a region in which no firewall is available contribute substantially to firewall usage in another region, the region nearest to those endpoint devices is determined and selected for deployment of the additional firewalls.
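The two rules in this abstract, never let the global firewall count reach zero and place new capacity nearest the endpoints that actually generate the load, are easy to get wrong when regions are scaled independently. The following is an added example, not code from the patent or any vendor: the region coordinates, the per-region usage sample, the gigabyte thresholds and the haversine-based notion of "nearest region" are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class Region:
    name: str
    lat: float
    lon: float
    firewalls: int  # firewalls currently deployed in the region


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), used to find the region nearest a set of endpoints."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def nearest_region(regions, lat, lon):
    return min(regions.values(), key=lambda r: distance_km(r.lat, r.lon, lat, lon)).name


def plan_scaling(regions, usage, scale_down_below=10.0, scale_up_above=500.0, remote_share=0.5):
    """Return the planned firewall count per region after one evaluation cycle.

    regions: {name: Region}
    usage:   list of (inspecting_region, endpoint_lat, endpoint_lon, gigabytes) records,
             i.e. which region's firewalls inspected traffic and where the endpoints were.
    Thresholds (assumed values) are in gigabytes inspected during the evaluation window.
    """
    plan = {name: r.firewalls for name, r in regions.items()}

    # Aggregate usage per inspecting region and, within it, per region nearest to the endpoints.
    total = {name: 0.0 for name in regions}
    by_endpoint_region = {name: {} for name in regions}
    for inspecting, lat, lon, gb in usage:
        total[inspecting] += gb
        near = nearest_region(regions, lat, lon)
        by_endpoint_region[inspecting][near] = by_endpoint_region[inspecting].get(near, 0.0) + gb

    # Scale down: a lightly used region drops one firewall, but it may only reach zero if at
    # least one firewall remains elsewhere, so inspection capacity never disappears globally.
    for name in sorted(regions):  # deterministic order so the "elsewhere" check is well defined
        if plan[name] > 0 and total[name] < scale_down_below:
            elsewhere = sum(c for n, c in plan.items() if n != name)
            if plan[name] > 1 or elsewhere >= 1:
                plan[name] -= 1

    # Scale up: an overloaded region gets one more firewall. If endpoints nearest to a region
    # that has no firewall drive a substantial share of the load, deploy it in that region instead.
    for name in sorted(regions):
        if total[name] > scale_up_above:
            target = name
            for near, gb in sorted(by_endpoint_region[name].items(), key=lambda kv: -kv[1]):
                if plan[near] == 0 and gb / total[name] >= remote_share:
                    target = near
                    break
            plan[target] += 1
    return plan


# Constructed sample: three regions, one of them without any firewall.
REGIONS = {
    "us-east": Region("us-east", 38.9, -77.0, firewalls=2),
    "us-west": Region("us-west", 37.4, -122.1, firewalls=1),
    "eu-west": Region("eu-west", 53.3, -6.3, firewalls=0),
}
# Constructed usage sample: (inspecting region, endpoint lat, endpoint lon, GB inspected).
USAGE = [
    ("us-east", 40.7, -74.0, 120.0),   # New York endpoints, inspected locally
    ("us-east", 51.5, -0.1, 300.0),    # London endpoints, hairpinned across the Atlantic
    ("us-east", 48.9, 2.3, 200.0),     # Paris endpoints, likewise
    ("us-west", 34.0, -118.2, 5.0),    # Los Angeles endpoints; us-west is nearly idle
]

if __name__ == "__main__":
    print(plan_scaling(REGIONS, USAGE))
```

On the sample, us-west scales to zero because us-east still holds two firewalls, and the extra firewall for the overloaded us-east lands in eu-west, since 500 of its 620 GB come from endpoints nearest that empty region. With a single region in play the zero guard keeps its last firewall no matter how idle it is.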
MANAGEMENT SERVICE DOMAIN JOIN ORCHESTRATION
Disclosed are various examples of management service based device platform creation and device configuration. In some examples, a domain join configuration is identified. The configuration can include a device name format and a domain server identifier of a domain server. Instructions to create a device object using an enterprise directory service are transmitted to a management connector service within an enterprise firewall. A domain join blob is received. The domain join blob is transmitted to a device to enable the device to join a domain of the domain server.
CONFIDENTIAL COMPUTING ENVIRONMENT INCLUDING DEVICES CONNECTED TO A NETWORK INTERFACE DEVICE
Examples described herein relate to extending a first trust domain of a service to a service mesh interface executed in a network interface device and to at least one device coupled to the network interface device. In some examples, extending the first trust domain of the service to the service mesh interface executed in the network interface device and to the at least one device coupled to the network interface device includes causing execution of the service mesh interface in a second trust domain in the network interface device; providing a third trust domain for the at least one device, when connected to the network interface device; and extending the first trust domain into the second trust domain or the third trust domain.
Overlay management protocol for secure routing based on an overlay network
A method for creating a secure network is provided. The method comprises establishing an overlay domain to control routing between overlay edge routers over an underlying transport network, wherein the establishing comprises running an overlay management protocol to exchange information within the overlay domain; defining, in accordance with the overlay management protocol, service routes that exist exclusively within the overlay domain, wherein each overlay route includes information on at least service availability within the overlay domain; and selectively using the service routes to control routing between the overlay edge routers, wherein the routing is through the underlying transport network in a manner in which the overlay routes are shared with the overlay edge routers via the overlay management protocol but not with the underlying transport network.
INTENT-BASED ENTERPRISE SECURITY USING DYNAMIC LEARNING OF NETWORK SEGMENT PREFIXES
In an example, systems and methods enable automatic implementation of intent-based security policies in a network system, such as a software-defined wide area network system, in which network segment prefixes for network segments at one or more sites are dynamically learned. A service orchestrator controller translates an intent-based security policy input by a user to a security policy for a first site. The security policy for the first site specifies a segment-specific queryable resource associated with a second site. To implement the security policy, a device associated with the first site queries the segment-specific queryable resource associated with the second site, and updates one or more forwarding tables of the device with the network segment prefixes associated with one or more network segments at the second site received in response to the query. The first site forwards network traffic to the second site based on the updated forwarding tables.
Transport layer signaling security with next generation firewall
Techniques for transport layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for transport layer signaling with next generation firewall includes monitoring transport layer signaling traffic on a service provider network at a security platform; and filtering the transport layer signaling traffic at the security platform based on a security policy.
Network security dynamic access control and policy
A network security system and method implements dynamic access control for a protected resource using run-time contextual information. In some embodiments, the network security system and method implements a dynamic access ticket scheme for access control, where the access ticket is based on run-time application context. In other embodiments, the network security system and method implements policy enforcement actions in response to detected violations using an application programming interface (API), to block detected policy violations without negatively impacting the operation of the application or the user of the application. In some embodiments, the network security system uses enterprise social collaboration tools to interact with the end user or with the system administrator in the event of detected security incidents.
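The abstract does not say how a ticket is bound to run-time context, so the following is an added example of one plausible realisation, not the patent's scheme: an HMAC-protected ticket that carries the application attributes the access decision depended on, which the enforcement point re-checks against what it observes when the ticket is presented. The key, the claim names (`sub`, `res`, `ctx`, `exp`) and the context attributes (`app`, `role`, `src_net`) are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical shared key between the policy decision point and the enforcement point;
# a real deployment would fetch it from a secrets store and rotate it.
ENFORCER_KEY = b"\x01" * 32


def issue_ticket(key, principal, resource, context, ttl_s, now=None):
    """Mint an access ticket bound to the run-time context captured when access was granted.

    Returns '<base64url payload>.<hex hmac>'. `context` holds the application attributes
    the policy decision depended on (assumed names such as app, role, src_net).
    """
    now = int(time.time() if now is None else now)
    claims = {"sub": principal, "res": resource, "ctx": context,
              "exp": now + ttl_s, "nonce": secrets.token_hex(8)}
    # canonical JSON so the bytes that are signed are exactly the bytes that are verified
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + tag


def verify_ticket(key, ticket, resource, observed_context, now=None):
    """Check a ticket at the protected resource. Returns (allowed, reason_or_subject)."""
    now = int(time.time() if now is None else now)
    try:
        b64, tag = ticket.split(".", 1)
        payload = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except (ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # integrity first, before any claim is trusted
        return False, "bad signature"
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return False, "expired"
    if claims["res"] != resource:
        return False, "wrong resource"
    # Every context attribute the ticket was bound to must still hold at enforcement time;
    # a change of role, application or source network invalidates the ticket dynamically.
    for k, v in claims["ctx"].items():
        if observed_context.get(k) != v:
            return False, f"context mismatch: {k}"
    return True, claims["sub"]


if __name__ == "__main__":
    ctx = {"app": "billing", "role": "analyst", "src_net": "10.20.0.0/16"}
    t = issue_ticket(ENFORCER_KEY, "alice", "/reports/q3", ctx, ttl_s=300)
    print(verify_ticket(ENFORCER_KEY, t, "/reports/q3", ctx))
    print(verify_ticket(ENFORCER_KEY, t, "/reports/q3", {**ctx, "role": "guest"}))
```

The signature is checked before any field is parsed for meaning, with a constant-time comparison, and the ticket is rejected on the first context attribute that no longer matches, so a ticket minted for an analyst inside the billing application stops working the moment the observed role or source network changes.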
Contextual engagement and disengagement of file inspection
Methods and apparatuses provide file type inspection in firewalls by moving a flow between a deep file inspection path and a lightweight accelerated path. The method includes obtaining, by a network security device, a packet flow of a file transfer session in which at least two files are transferred, and determining, by the network security device, at least an offset parameter based on at least one attribute of at least a first packet in the packet flow. The offset parameter is for a first file of the at least two files being transferred and relates to an expected position of a control data sequence within the packet flow. Based on the offset parameter, the network security device directs a portion of the packet flow, including one or more packets that follow the first packet, to an accelerated packet inspection path instead of to a deep packet inspection path.
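The mechanism is a cursor: the deep path reads the attribute that gives the file length, computes the byte offset at which the next control sequence must appear, and every packet that ends before that offset is known file content and can skip deep inspection; the packet that reaches the offset re-engages it. The following is an added example, not the patent's code: the framing (`FILE <name> <length>\n` followed by exactly `<length>` content bytes), the two-file sample flow and its packet sizes are all constructed for the illustration.

```python
import re

# Constructed framing for the example (an assumption, not the patent's format): each file is
# announced by the control sequence "FILE <name> <length>\n" and followed by <length> bytes.
CONTROL_RE = re.compile(rb"FILE (?P<name>[^ \n]+) (?P<length>\d+)\n")


def classify_packets(packets):
    """Route each packet of a multi-file transfer to the 'deep' or 'fast' inspection path.

    Returns (decisions, files): one 'deep'/'fast' label per packet, and the (name, length)
    pairs parsed from the control sequences. Anything that is not provably file content
    goes to the deep path, so a malformed or missing control sequence fails towards
    inspection rather than towards bypass.
    """
    decisions, files = [], []
    pos = 0          # absolute offset of the next byte of the flow
    control_at = 0   # absolute offset where the next control sequence is expected
    buffered = b""   # bytes of a control sequence that was split across packets
    for payload in packets:
        start, end = pos, pos + len(payload)
        pos = end
        if end <= control_at:
            # entirely inside a file body whose length is already known: accelerated path
            decisions.append("fast")
            continue
        decisions.append("deep")
        # skip the leading part of this packet that is still known file content
        cursor = max(control_at, start)
        data_start = cursor - len(buffered)
        data = buffered + payload[cursor - start:]
        buffered = b""
        while data:
            m = CONTROL_RE.match(data)
            if not m:
                # partial (or bad) control sequence: keep it and finish with the next packet.
                # A production implementation would cap this buffer to bound memory use.
                buffered = data
                break
            length = int(m.group("length"))
            files.append((m.group("name").decode(), length))
            # the next control sequence starts right after this header and its file content
            control_at = data_start + m.end() + length
            # whatever follows within this packet is file content for up to `length` bytes;
            # anything beyond that is the start of the next control sequence
            data = data[m.end() + length:]
            data_start = control_at
    return decisions, files


def build_flow():
    """Constructed two-file transfer, chunked into packets of uneven sizes so that both
    control sequences are split across packet boundaries."""
    stream = (b"FILE report.pdf 40\n" + b"A" * 40
              + b"FILE invoice.xlsx 25\n" + b"B" * 25)
    sizes = [12, 15, 20, 20, 20, 18]
    packets, off = [], 0
    for n in sizes:
        packets.append(stream[off:off + n])
        off += n
    assert off == len(stream)
    return packets


if __name__ == "__main__":
    labels, seen = classify_packets(build_flow())
    print(labels)   # packets 3 and 6 lie wholly inside file bodies
    print(seen)
```

In the sample flow only the third and sixth packets are wholly inside file content and take the accelerated path; the packets carrying the (split) control sequences stay on the deep path, and a flow whose expected control sequence never parses stays on the deep path for every packet.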