H04L63/0263

Firewall rules intelligence

A firewall intelligence system includes a data storage storing a set of firewall rules for a network; a recommendation engine that receives, from a log service, traffic logs detailing traffic for the network and firewall logs detailing the usage of firewall rules in response to that traffic, accesses the set of firewall rules for the network from the data storage, and processes the set of firewall rules by evaluating them against a set of quantitative evaluation rules to determine one or more firewall rule recommendations, where each firewall rule recommendation is a recommendation to change at least one of the firewall rules in the set; and a front end API that provides data describing the one or more firewall rule recommendations to a user device.

System and method for SIEM rule sorting and conditional execution

A method for processing security events by applying a rule-based alarm scheme may be provided. The method includes generating a rule index of rules and an indicator of compromise index for each of the rules. The method also includes processing an incoming security event by applying the rules, increasing a current rule counter relating to a triggered rule, and increasing a current indicator of compromise counter pertaining to the triggered rule. Furthermore, the method includes generating pseudo security events from received data about known attacks and related indicators of compromise, processing the pseudo security events by sequentially applying the rules, increasing a current rule counter of pseudo security events, increasing a current indicator of compromise counter for pseudo security events, and sorting the rules and, within each rule, sorting the indicator of compromise values in the indicator of compromise index.

Virtual patching in a label-based segmented network environment
11516242 · 2022-11-29

A segmentation server configures and distributes rules for enforcing a segmentation policy that includes one or more virtual patches. The rules, including the virtual patches, are enforced by distributed enforcement modules that may execute on host devices or on network devices upstream from the host devices. An enforcement module enforces the rules using traffic filters that filter traffic based on network layer data. To implement a virtual patch, the traffic filters are configured to redirect traffic to or from the application being patched to a transparent application proxy. The transparent application proxy implements an application layer filter that filters traffic based on application layer data to block the specific types of traffic associated with the vulnerability addressed by the virtual patch.

Firewall service insertion across secure fabric preserving security group tags end to end with dual homed firewall

Systems, methods, and computer-readable media for preserving source host context when firewall policies are applied to traffic in an enterprise network fabric. A data packet to a destination host from a source host can be received at a first border node instance in an enterprise network fabric as part of network traffic. The data packet can include a context associated with the source host. Further, the data packet can be sent to a firewall of the enterprise network fabric and can be received at a second border node instance after the firewall applies a firewall policy to the data packet. The data packet can then be selectively encapsulated with the context associated with the source host at the second border node instance for applying one or more policies to control transmission of the network traffic through the enterprise network fabric.

INTERPROCESSOR PROCEDURE CALLS
20220374294 · 2022-11-24

A firewall host uses a shared memory to pass arguments to, and receive results from, a remote procedure executing on a locally coupled network processing unit that offloads processing for the firewall.

METHOD OF IMPLEMENTING ENTERPRISE CYBER REPORTS
20220377092 · 2022-11-24

A method for generating enterprise cyber reports by linking IP access control logic with an error handler and audits compartmentalized by web application for different user groups, using data from multiple monitoring tools. Business logic may be defined in access control tables for multiple user groups sharing multiple different application data, and programmable access control logic may be applied to subfolders within the website based on functional user group role permissions. A common network event field name may be used to map data from multiple different monitoring tools into a common field alias. The field alias mapping allows multiple network capture tools to be included within the same cyber report. Joining multiple network event field aliases with an IP location allows groups of different IP zone reports to be created within the enterprise being monitored by different monitoring tools.

Threat mitigation in a virtualized workload environment using segregated shadow workloads
11595414 · 2023-02-28

The technology disclosed herein enables the detection and subsequent mitigation of threats in virtualized workload environments. In a particular embodiment, a method provides, in a workload orchestration platform, managing one or more first logical networks that include a plurality of first workloads and a plurality of shadow workloads. One or more initial processes of the shadow workloads, when instantiated, are known to a security application. The method further includes providing security permissions to the security application that enable the security application to manage the shadow workloads. Also, the method includes providing admin permissions to an administrator application that enable the administrator application to manage the first workloads irrespective of the shadow workloads.

Method and apparatus for out of path border gateway protocol validation
11509684 · 2022-11-22

Methods and systems for service integrated domain name servers are described. A method for out of path border gateway protocol (BGP) validation includes receiving, at a network component, a prefix announcement. The network component denies acceptance of the prefix announcement. A BGP monitor at the network component sends the prefix announcement to an out of path validation controller. The out of path validation controller evaluates the prefix announcement against one or more validation tests, sends a validation notification based on the one or more validation tests, and programs the network component for a validated prefix announcement.

System and method for network IP address capacity analytics and management

An embodiment of the present invention is directed to analyzing historical network capacity allocations, using machine learning to predict future capacity needs and automating network capacity management activities such as allocations and de-allocations.

Detecting identified information in privacy firewalls
11509628 · 2022-11-22

Systems, methods and non-transitory computer readable media for detecting identified information in privacy firewalls are provided. A repeating field in a data collection may be analyzed to determine whether the field is likely to include information that identifies particular individuals. An access request of a user may be received. A permission record associated with the user may be accessed. In response to the field being likely to include information that identifies particular individuals and a first value in the permission record, access to the field may be denied; in response to the field not being likely to include such information and the first value in the permission record, access to the field may be provided; and in response to a second value in the permission record, access to the field may be provided.