H04L63/0254

Cyber Protections of Remote Networks Via Selective Policy Enforcement at a Central Network
20230198948 · 2023-06-22

An enterprise organization may operate a central network and one or more remote networks, each comprising a plurality of computing devices. For protection against malicious actors, the central network may be configured to filter network traffic associated with the computing devices based on identified threats. Traffic corresponding to computing devices connected to the remote network may be tunneled to the central network for filtering by the central network. A tunnel gateway device, associated with the remote network, may efficiently identify which communications are associated with Internet threats, and tunnel such identified traffic to the central network, where actions may be taken to protect the enterprise network.

BYPASSING A FIREWALL FOR AUTHORIZED FLOWS USING SOFTWARE DEFINED NETWORKING
20170359310 · 2017-12-14

Methods and systems for managing authorized data flows using software defined networking include receiving flow criteria sent from a firewall and extracted from a first data packet, determining whether flow criteria of the first data packet matches an entry in a master data flow list, inserting the flow criteria from the first data packet into the master data flow list on a software defined networking controller, and sending the flow criteria of the first data packet to the router. The router may forward a second data packet associated with the data flow toward a destination based on the validation of the first data packet by the firewall. The flow criteria may not match an entry in a router data flow list on the router and may include at least two of: a source IP address, a destination IP address, a destination port, and a protocol of transmission.

Determining policy rules in a mobile network using subscription data in an application server
11683313 · 2023-06-20

Apparatuses, methods, and systems are disclosed for creating service rules based on user information retrieved from an application server. One apparatus includes a processor and a transceiver that communicates with one or more network functions in a mobile communication network. The transceiver receives a request to provide service rules for a user in response to a request received by the mobile communication network from the user to establish a data connection. The processor identifies one or more service contexts associated with the user and retrieves user information by using each of the identified one or more service contexts. A service context holds information for accessing user information in an application server. The processor creates one or more service rules by using the user information, wherein the mobile communication network applies the one or more service rules to configure the data connection.

Detecting malicious activity on an endpoint based on real-time system events

Techniques for detecting malicious activity on an endpoint based on real-time system events are disclosed. In some embodiments, a system/process/computer program product for detecting malicious activity on an endpoint based on real-time system events includes monitoring an endpoint for malicious activity using an endpoint agent, in which the endpoint comprises a local device; detecting malicious activity associated with an application on the endpoint based on real-time system events using the endpoint agent based on a set of rules; and in response to detecting malicious activity on the endpoint based on real-time system events using the endpoint agent, performing a security response based on a security policy.

STATEFUL RULE GENERATION FOR BEHAVIOR BASED THREAT DETECTION
20220371621 · 2022-11-24

Improved tools and techniques for generating stateful rules for behavior-based threat detection enable threat analysts, who do not have advanced computer programming skills, to quickly and easily generate high-level representations of stateful behavioral rules, which are then compiled into a format suitable for execution by a stateful rule processing engine. In some examples, the high-level representations of stateful rules are coded in a high-level, domain specific language (DSL). The DSL may provide high-level primitives suitable for (1) expressing sequences of attack behaviors, (2) tagging computational entities (e.g., threads, processes, applications, systems, users, etc.) with states (e.g., user-defined states), and/or (3) performing operations on endpoint nodes (e.g., reporting activity, blocking activity, terminating processes, etc.).

Systems and Methods for Automatically Adjusting a Time-Based Anti-Replay Window Size
20230188469 · 2023-06-15

In one embodiment, a method includes receiving, by a network node, a packet associated with a session. The method also includes performing, by the network node, a sequence-based anti-replay check and determining, by the network node, that the sequence-based anti-replay check rejected the packet. The method further includes performing, by the network node, a time-based anti-replay check, performing, by the network node, a selective anti-replay check, and determining, by the network node, whether to dynamically adjust a time-based anti-replay window size.

PORT MAPPING FOR BONDED INTERFACES OF ECMP GROUP
20220376952 · 2022-11-24

Some embodiments of the invention provide novel methods for providing a stateful service at a network edge device (e.g., an NSX edge) that has a plurality of north-facing interfaces (e.g., interfaces to an external network) and a plurality of corresponding south-facing interfaces (e.g., interfaces to a logical network). A set of interfaces on each side of the network edge device for a set of equal cost paths, in some embodiments, is bonded together in the network edge device to correspond to a single interface on either side of a logical bridge including at least one logical switch providing a stateful service implemented by the network edge device. The bond is implemented, in some embodiments, by a bonding module executing on the network edge device that maintains a mapping between ingress and egress interfaces to allow deterministic forwarding through the network edge device in the presence of bonded interfaces.

Methods and apparatuses for providing internet-based proxy services

A proxy server receives from a client network application a request for an action to be performed on an identified network resource of a domain of an origin server. The request is received at the proxy server as a result of a DNS request for the domain returning an IP address of the proxy server. The proxy server determines that the first request is indicative of being from a bot. Responsive to this determination, the proxy server transmits a block page to the client network application that includes a mechanism to allow a human user of the client network application to provide input that indicates that they are human and not a bot. If the proxy server does not receive input from the client network application through the mechanism in the block page that indicates that the first request is not from a bot, the proxy server blocks the request.

Firewall in a virtualized computing environment using physical network interface controller (PNIC) level firewall rules
11677719 · 2023-06-13

Example methods are provided for a destination host to implement a firewall in a virtualized computing environment that includes the destination host and a source host. The method may comprise receiving, via a physical network interface controller (PNIC) of the destination host, an ingress packet sent by the source host. The ingress packet may be destined for a destination virtualized computing instance that is supported by the destination host and associated with a destination virtual network interface controller (VNIC). The method may further comprise retrieving a PNIC-level firewall rule associated with the destination virtualized computing instance, the PNIC-level firewall rule being applicable at the PNIC and generated based on a VNIC-level firewall rule applicable at the destination VNIC. In response to a determination that the PNIC-level firewall rule blocks the ingress packet from passing through, the ingress packet may be dropped such that the ingress packet is not sent to the destination VNIC.

File sharing over secure connections

Systems and methods for file sharing over secure connections. An example method comprises: receiving a client request identifying a file sharing host and a file residing on the file sharing host; establishing a secure client connection; responsive to identifying a management connection with the file sharing host, transmitting an identifier and a parameter of the secure client connection via the management connection; receiving a host request to establish a secure host connection, the host request comprising the identifier of the secure client connection; establishing the secure host connection using the parameter of the secure client connection identified by the received identifier; forwarding, over the secure host connection, a first data packet received over the secure client connection, the first data packet comprising at least part of the client request; and forwarding, over the secure client connection, a second data packet received over the secure host connection, the second data packet comprising at least part of the file identified by the client request.