Patent classifications
H04L63/0218
METHOD AND DEVICES FOR PROVIDING AT LEAST ONE SERVICE, IN PARTICULAR IN THE AUTOMOTIVE ENVIRONMENT
A detection device which is suitable for receiving a service within a network assembly is provided, having the following: means for providing cryptographic security at or above the transport level of the communication protocol levels which can be used in the network assembly for at least one first existing communication connection between the detection device and a network access device which is arranged in the network assembly and which can be used to monitor data detected by the detection device and/or control an additional device within the network assembly using the data detected by the detection device, means for generating and/or determining network access configuration data for at least one additional second communication connection, which is to be cryptographically secured below the transport level, between the detection device and the network access device, means for providing the generated and/or determined network access configuration data to the network access device.
AUTOTUNING A VIRTUAL FIREWALL
A device may receive an input associated with deploying a virtual firewall on a computing device. The device may determine a first set of characteristics associated with the virtual firewall and a second set of characteristics associated with a hypervisor associated with the computing device. The device may automatically tune the virtual firewall based on the first set of characteristics and the second set of characteristics. The device may deploy the virtual firewall after tuning the virtual firewall.
PHYSICALLY DISTRIBUTED CONTROL PLANE FIREWALLS WITH UNIFIED SOFTWARE VIEW
Various embodiments include techniques for processing transactions via a computer system interconnect with a distributed firewall. The distributed firewall includes separate firewalls for various initiators of transactions and separate firewalls for various targets of those transactions. As a result, transactions proceed, for example, along the shortest path from the initiator to the target, rather than being routed through a centralized firewall. In addition, firewall transactions, for example, may be remapped such that initiators address the initiator firewalls and target firewalls via a unified address space, without having to maintain separate base addresses for each initiator firewall and target firewall. As a result, application programs, for example, can execute transactions with increased performance on a computer system as compared to prior approaches.
Methods and systems for PKI-based authentication
Methods, systems, and devices are provided for authenticating API messages using PKI-based authentication techniques. A client system can generate a private/public key pair associated with the client system and sign an API message using the private key of the private/public key pair and a PKI-based cryptographic algorithm, before sending the signed API message to a server system. The server system (e.g., operated by a service provider) can authenticate the incoming signed API message using a proxy authenticator located in a less trusted zone (e.g., a perimeter network) of the server system. In particular, the proxy authenticator can be configured to verify the signature of the signed API message using the public key corresponding to the private key and the same cryptographic algorithm. The authenticated API message can then be forwarded to a more trusted zone (e.g., an internal network) of the server system for further processing.
Automatic configuration of logical routers on edge nodes
Some embodiments provide a method or tool for automatically configuring a logical router on one or more edge nodes of an edge cluster (e.g., in a hosting system such as a datacenter). The method of some embodiments configures the logical router on the edge nodes based on a configuration policy that dictates the selection method of the edge nodes. In some embodiments, an edge cluster includes several edge nodes (e.g., gateway machines), through which one or more logical networks connect to external networks (e.g., external logical and/or physical networks). In some embodiments, the configured logical router connects a logical network to an external network through the edge nodes.
Managing corporate firewalls and network isolation for EDR
A system and method for firewall policy control in a system comprising endpoints, including functionality for isolating network elements on endpoints under management. An endpoint management agent cooperates with a remote management service to carry out policy management and synchronization, implement isolation mode when required, and perform related supporting tasks.
Dynamically scalable application firewall deployment for cloud native applications
A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.
Data processing system, data processing method, and program
An agent device transmits certain data, which is used for generating display data, of data relating to a plurality of pieces of operation data collected from an instrument to a computation server device. A service broker device relays certain data transmitted from the agent device to the server device. The server device generates display data on the basis of certain data relayed by the service broker device.
SYSTEMS AND METHODS FOR RAPID PASSWORD COMPROMISE EVALUATION
Disclosed herein are systems and methods for rapid password evaluation. A method may include: configuring a web application firewall (WAF) to monitor login credentials for one or more web applications; intercepting, using the WAF, a password input during a login attempt to a web application by an entity; calculating a hash value of the password input; transmitting the hash value to a dedicated server configured to: determine whether the hash value is in a database of hashes corresponding to weak passwords; and in response to determining that the hash value is in the database of hashes, transmit a message to the WAF indicating that the password input corresponds to a weak password; and generating for display, using the WAF, a web page prompting for a password reset for the web application.
Serialization of firewall rules with user, device, and application correlation
Distributed firewalls reside at different points across a network. Each distributed firewall can include one or more rules that govern traffic over and/or access to the network. The rules can be discovered, converted into a standardized format, and indexed at a centralized rule database. The rules or data of the rules can be verified. The rules can be certified at the centralized database. The certification process can be based on the direction of traffic that the rule governs. The certification process may have different levels based on the direction of traffic.