An ML-based method for conforming a target network to control requirements of a host network is provided. The method may include running a first digital scan of the host network and determining the host network's control requirements based on the first digital scan. The method may include identifying, based on the second digital scan, elements of the target network that violate the control requirements. The method may include generating a compliance report and/or an executable file. The compliance report may include a compatibility score of the target network vis-à-vis the host network, and a compatibility plan that includes steps which improve the compatibility score and conform the target network to the control requirements of the host network. The executable file, when executed at the target network, may execute the compatibility plan.

Described are examples for providing a system for managing configuration and policies for a virtualized wide area network (vWAN) support on a wide area network (WAN). The vWAN includes a plurality of virtual network entities associated with geographic locations including the physical computing resources of the WAN and virtual connections between the virtual network entities. The system includes a network safety component for managing configurations and policies of the vWAN on the WAN. The network safety component receives a change to a policy or configuration of the vWAN from an operator of a network connected to the vWAN. The network safety component evaluates a set of safety rules for the operator based on the change and a network state of a physical WAN underlying the vWAN. The network safety component generates an error message in response to at least one of the set of safety rules failing the evaluation.

This disclosure describes using a dynamic proxy for securing communications between a source within a cloud environment and an application container. The techniques include intercepting traffic directed to an application container, analyzing the traffic and traffic patterns, and allowing or preventing the traffic from being delivered to the application container based on the analysis. A traffic analysis engine may determine whether the traffic is considered safe and is to be allowed to be delivered to the application container, or whether the traffic is considered unsafe and is to be prevented from being delivered to the application container, According to some configurations, the address(es) to the network interfaces (e.g., WIFI or Eth0) are abstracted to help ensure security of the application containers.

A non-transitory machine-readable storage medium stores instructions that, when executed by the machine, cause the machine to provide a firewall interface between a plurality of registers of a controller and a host interface of the controller. Providing the firewall interface includes programming the firewall interface with a plurality of firewall rules. The registers are to control functions that are performed by the controller; and the plurality of firewall rules control whether requests to access the plurality of registers are denied, allowed or modified based on features of the request.

Examples disclosed herein relate to a method for defining an ingress access policy at an ingress network device based on instructions from an egress network device. The egress network device receives data packets directed to a first entity from a second entity connected to an ingress network device. Each data packet transmitted includes a source role tag corresponding to the second entity. At the egress network device, the data packets may be dropped based on the enforcement of an egress access policy. When the number of data packets that are being dropped increases beyond a pre-defined threshold, the egress network device transmits a command to the ingress network device instructing the ingress network device to create a restriction on the transmission of subsequent data packets. The command is transmitted in a Border Gateway Protocol (BGP) Flow Specification (FlowSpec) route.

The present disclosure describes systems and methods for reducing rule set sizes via statistical redistribution throughout a plurality of network security appliances. A rule set may be generated for each security appliance that includes (i) a first set of rules based on known attacks, identified as rules for mandatory inclusion in the rule set; and (ii) a subset of the second set of rules, identified as rules for potential inclusion in the rule set, selected randomly according to a distribution percentage, score, or weight for each potentially included rule. Higher scored rules, which may be more likely vectors for potential attack, may be distributed to a greater number of appliances; while lower scored rules that may be less likely or represent more speculative attacks may be distributed to fewer appliances.

A client node (CN) requests content from an access node (AN). Rule set ACR_CN is provided to CN and AN and ACR_AN is used by AN. A request sent by CN in violation of ACR_CN may be blocked and cause AN to block subsequent requests from CN that would be allowed per ACR_CN. A request blocked according to ACR_AN but not ACR_CN is blocked but subsequent requests may still be allowed according to ACR_CN and ACR_AN. Authenticated distribution of the ACR_CN and ACR_AN may be performed in cooperation with a controller using authenticated tokens (AT).

The subject of the invention is the method of adaptive creating network traffic filtering rules on a network device that autonomously detects anomalies and adaptively mitigates volumetric (DDoS) attacks on at least one network device (4) based on actual network flows (3) and after separating them into isolated packet flows (9), recognizes potentially harmful network flows, and then configures or tunes the network filters (19) and packet policing means (17), wherein filtering rules (18) can be propagated to other network devices (27) and selects for further analysis the isolated packet flows (9) associated with at least one configured or tuned network filter (19).

A containerized cross-domain solution (CDS) is disclosed herein. In some examples, a first network interface container can be executed on a server to run a first network interface application to receive a data packet that includes data generated by a first process executing at a first security domain. A filter container can be executed on the server to run a data filter to evaluate a data content of the data to determine whether the data content violates a set of data rules. A second network interface container can be executed on the server to run a second network interface application. The data packet can be provided to the second network interface application in response to determining that the data content does not violates the set of data rules. The second network interface application can provide the data packet to a second security domain for a second process executing therein.

An HTTP connection between a client computing device and an application is established through a reverse proxy. A response to the client computing device includes a payload instructing initiation of a non-HTTP connection (e.g., TCP, UDP). The response is modified to replace references to an original port with a dynamic port allocated to the non-HTTP connection and a temporary ACL entry is created. A subsequent connection request addressed to the dynamic port is authorized per the ACL, modified to replace the dynamic port with the original port, and forwarded to the application. Subsequent packets for the non-HTTP connection have port numbers translated between the original and dynamic ports.