H04L63/0272

5G Network Slice Device Security Protection
20230232236 · 2023-07-20

A method of user equipment (UE) implemented network slice security protection is disclosed. The method comprises the UE receiving a request to initialize an application, querying a UE Route Selection Policy (URSP) stored on the UE, and receiving traffic descriptors and security descriptors in response to the querying. The traffic descriptors identify a network slice for the application. The security descriptors comprise a security flag and a virtualization container ID. The method also comprises the UE initiating the application within a virtualization container corresponding to the virtualization container ID based on the security flag indicating that the network slice is secure and binding traffic for the application in the virtualization container to a PDU session based on the traffic descriptors. The method further comprises communicating, by the application executing within the virtualization container, with a core network over the PDU session via the network slice bound to the virtualization container.

DYNAMIC TRAFFIC PRIORITIZATION ACROSS DATA CENTERS

The disclosure provides an approach for processing communications between connected data centers. Embodiments include receiving, at a first gateway of a first data center from a second gateway of a second data center, one or more policies associated with traffic attributes. Embodiments include programming priority routes between the first gateway and the second gateway over a virtual private network (VPN) tunnel based on the one or more policies, wherein each of the priority routes is associated with a traffic attribute of the traffic attributes. Embodiments include providing the one or more policies to a central controller of the first data center and programming, by the central controller, one or more tables associated with a centrally-managed virtual switch based on the one or more policies. Embodiments include updating a database associated with each of a plurality of hosts based on the programming of the one or more tables.

Dynamic establishment and termination of VPN tunnels between spokes
11563600 · 2023-01-24

To reduce the overhead of maintaining a full mesh network with static spoke-to-spoke tunnels while retaining the efficiency of spoke-to-spoke communication, BGP configuration is automated to provide for dynamic establishment of spoke-to-spoke tunnels. A virtual Internet Protocol (VIP) address is assigned to each spoke in the network. Spokes advertise their VIP addresses to the hub for communication to the other spokes. A spoke sets the route next hop in its routing table for a remote spoke to the VIP of the remote spoke. Establishment of a tunnel between spokes is initiated after detecting that data is to be communicated between the spokes, while the data is temporarily routed through the hub. Once the dynamic tunnel is active, data is routed directly to the receiving spoke through it. Tunnels between spokes are terminated dynamically after a period of inactivity to reduce the overhead caused by constant maintenance of dynamic tunnels with low use.

Firewall coordination in a network

Embodiments are directed to host discovery for firewall coordination. An embodiment of a storage medium includes instructions for discovering a network topology for a network branch, the network branch including multiple access points including a first access point, the first access point having an interface to a network, the discovery of the network topology including identifying any access point that is linked to the first access point directly or via one or more intermediary access points; discovering one or more host devices that are connected by wireless or wired connections to one or more access points in the network branch; and generating a firewall coordination plan for the network branch based on the discovered network topology and the discovered one or more hosts, the firewall coordination plan including applying a firewall process for an access point to which a first host device is attached and bypassing one or more other firewall processes.

Systems and methods for automatic device detection, device management, and remote assistance

In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-Things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. When introduced to the local network, some embodiments of the network regulator take over some network services from a router and automatically install the network regulator as the gateway to the local network. The network regulator then carries out an automatic device discovery procedure and distributes device-specific utility agents to the protected client systems. An exemplary utility agent detects when its host device has left the local network and, in response, sets up a virtual private network (VPN) tunnel with a security server to maintain protection of the respective device.

Processing task deployment in adapter devices and accelerators

Example approaches for processing task deployment in adapter devices and accelerators are described. In an example, a service request is received by an adapter device. The service request is indicative of a service associated with a virtual multi-layer network switch. An accelerator may be integrated into the adapter device or coupled to the adapter device. A set of processing tasks associated with the service is identified based on the service request. A processing task instance corresponding to at least one of the set of processing tasks is deployed in one of the adapter device and the accelerator, based on predefined configuration information. The predefined configuration information includes policies for executing each of the set of processing tasks in one of the adapter device and the accelerator.

Application-based network security
11706216 · 2023-07-18

A network device may receive, from an application on a user device, a first network packet associated with a packet flow. The network device may identify an application identifier of the first network packet, wherein the application identifier identifies the application on the user device. The network device may select, based on the application identifier, a security protocol, wherein the security protocol is associated with at least one of an authentication header (AH) or an encryption algorithm. The network device may selectively apply, to a second network packet associated with the packet flow, at least one of the AH or the encryption algorithm, associated with the security protocol, to generate a protected network packet. The network device may transmit the protected network packet.

Smart Phone Toggle for Multi-Network Connectivity

A method (500) for toggling multi-network connectivity of a mobile device (110) includes, for the mobile device simultaneously connected to one or more carrier-mediated wireless networks (120) associated with a network operator (70), executing a graphical user interface that renders a status graphic (320) indicating the mobile device is currently connected to at least one carrier-mediated wireless network associated with the network operator, and an interactive graphic (330) for selecting between disabling and enabling connections (122) between the mobile device and carrier-mediated wireless networks associated with the network operator. The method includes receiving a user input indication (312) indicating selection of the interactive graphic and in response, disconnecting the mobile device from each of the carrier-mediated wireless networks associated with the network operator and updating the status graphic to indicate that the mobile device is not currently connected to any carrier-mediated wireless networks associated with the network operator.

Core services detection for a segmented network environment
11706258 · 2023-07-18

A segmentation server updates enforcement of a segmentation policy based on detection of core services. The segmentation server obtains characteristics of workloads and identifies workloads that provide core services using port matching, supervised learning based classification, semi-supervised learning based classification, or a combination thereof. The segmentation server applies labels to workloads identified as core service providers indicative of the detection. Rules of the segmentation policy are distributed to enforcement modules based on the label sets of associated workloads to enable the enforcement modules to enforce the segmentation policy. Detection of core services reduces the likelihood of an administrator inadvertently enforcing a policy that blocks essential core services.

Packet forwarding method and network device
11706140 · 2023-07-18

A packet forwarding method and a network device are provided, and the method is applied to the network device. The network device includes a first virtual routing and forwarding (VRF) table and a second VRF table. The method includes: the network device receives a first packet. If the first packet carries tunnel attribute information, the network device forwards the first packet based on the first VRF table. The first VRF table includes one or more local routes, and the next-hop outbound interfaces of the one or more local routes are all local outbound interfaces. Because the network device forwards the first packet based on the first VRF table, a packet arriving from a tunnel may be forwarded to a local virtual machine for processing and is not forwarded to another tunnel endpoint device, which avoids a routing loop during packet forwarding.