Author
John Bailey
Bio: John Bailey is an academic researcher from Alcatel-Lucent. The author has contributed to research in topics: Network switch & Virtual LAN. The author has an h-index of 4, co-authored 7 publications receiving 415 citations.
Papers
Patent•
[...]
TL;DR: A user authentication service for a communication network authenticates local users before granting them access to personalized sets of network resources as discussed by the authors, where authentication agents on intelligent edge devices present users of associated end systems with log-in challenges.
Abstract: A user authentication service for a communication network authenticates local users before granting them access to personalized sets of network resources. Authentication agents on intelligent edge devices present users of associated end systems with log-in challenges. Information supplied by the users is forwarded to an authentication server for verification. If successfully verified, the authentication server returns to the agents authorized connectivity information and time restrictions for the particular authenticated users. The agents use the information to establish rules for filtering and forwarding network traffic originating from or destined for particular authenticated users during authorized time periods. An enhanced authentication server may be engaged if additional security is desired. The authorized connectivity information preferably includes identifiers of one or more virtual local area networks active in the network. Log-in attempts are recorded so that the identity and whereabouts of network users may be monitored from a network management station.
275 citations
Patent•
[...]
TL;DR: In this paper, the authors propose a distributed source learning method for data switches with a plurality of switching modules, where each supports one or more external network devices and a backplane interconnecting the switching modules.
Abstract: A method and apparatus for accomplishing source learning in a data switch of the type having a plurality of switching modules where each supports one or more external network devices and a backplane interconnecting the switching modules. Each switching module has logic resident thereon for performing distributed source learning, including configuring unknown source addresses “seen” in inbound packets and for notifying the other switching modules that such source addresses were “seen” on a port thereof. Address-port associations are thereby configured on the switch using distributed logic, i.e. without intervention by a centralized management entity. In regard to configuring destination addresses—when a destination address is unknown, packets are delivered over a multicast queue until the destination address is found. Once the destination address is found, a method of flow integrity is used to avoid out of order packet delivery when the device transitions from using a multicast flood queue to a unicast queue.
57 citations
Patent•
[...]
31 Dec 2003
TL;DR: In this article, the authors present a data link layer processor for performing VLAN tagging operations, policing, shaping, and statistics acquisition integrally with one or more media access controllers (MACs).
Abstract: The present invention features a data link layer processor for performing VLAN tagging operations, policing, shaping, and statistics acquisition integrally with one or more media access controllers (MACs). When a plurality of data link layer processors are operated in parallel in a switching device, the computational burden carried by the route engine is significantly reduced. Moreover, the data link layer processor in its several embodiments may be used to introduce various forms of pre-processing and post-processing into network switching systems that employ route engines that do not possess such functionality.
55 citations
Patent•
[...]
TL;DR: In this paper, the authors propose a service for providing seamless communication between stations over an ATM network, where a single service member is selected as a "master" member for purposes of service configuration.
Abstract: A service for providing seamless communication between stations over an ATM network. Seamless communication services are distributed among intelligent “peer” members. A single service member is selected as a “master” member for purposes of service configuration. The master member advertises the addresses of all members to every other member so that every member can configure virtual circuits to every other member. In the provision of services, each member constructs a member table which associates other members with a point-to-point virtual circuit and a learning table which associates globally recognized representations of addresses of stations behind other peer members with a point-to-point virtual circuit. The service supports multiple LAN media and multiple virtual local area networks (VLANs).
24 citations
Patent•
[...]
TL;DR: In this article, a tuple representing a plurality of flow properties is parsed into multiple subtuples for application in recursive lookups, and a truncated lookup capability enables common processing across a group of distinct flows having common flow properties.
Abstract: Lookup scheme in which a tuple representing a plurality of flow properties is parsed into multiple subtuples for application in recursive lookups. A first subtuple including a first subset of bits from the tuple is applied to the flow information database and returns a result including a nickname having a smaller bit count than the first subtuple. A second subtuple including a second subset of bits from the tuple and the nickname are combined and applied to the flow information database. The lookups continue until a result indicates that no recursion is required. The final lookup result includes flow information applicable to one or more of modifying, enqueuing or forwarding the packet. A truncated lookup capability enables common processing across a group of distinct flows having common flow properties.
3 citations
Cited by
Patent•
[...]
TL;DR: In this article, the authors describe an architecture and methodology for designing, deploying, and managing a distributed application onto a distributed computing system.
Abstract: An architecture and methodology for designing, deploying, and managing a distributed application onto a distributed computing system is described.
606 citations
Patent•
[...]
TL;DR: In this paper, the authors describe a method of doing business over the public Internet, particularly, a method which enables access to legacy management tools used by a telecommunications enterprise in the management of the enterprise business to the enterprise customer, to enable the customer to more effectively manage the business conducted by the customer through the enterprise.
Abstract: The specification discloses a method of doing business over the public Internet, particularly, a method which enables access to legacy management tools used by a telecommunications enterprise in the management of the enterprise business to the enterprise customer, to enable the customer to more effectively manage the business conducted by the customer through the enterprise, this access being provided over the public Internet. This method of doing business is accomplished with one or more secure web servers which manage one or more secure client sessions over the Internet, each web server supporting secure communications with the client workstation; a web page backplane application capable of launching one or more management tool applications used by the enterprise. Each of the management tool applications provide a customer interface integrated within said web page which enables interactive Web/Internet based communications with the web servers; each web server supports communication of messages entered via the integrated customer interface to one or more remote enterprise management tool application servers which interact with the enterprise management tool applications to provide associated management capabilities to the customer.
577 citations
Patent•
[...]
TL;DR: In this paper, a single secure sign-on gives a user access to authorized Web resources, based on the user's role in the organization that controls the Web resources; the information resources are stored on a protected Web server.
Abstract: A single secure sign-on gives a user access to authorized Web resources, based on the user's role in the organization that controls the Web resources. The information resources are stored on a protected Web server. A user of a client or browser logs in to the system. A runtime module on the protected server receives the login request and intercepts all other requests by the client to use a resource. The runtime module connects to an access server that can determine whether a particular user is authentic and which resources the user is authorized to access. User information is associated with roles and functional groups of an organization to which the user belongs; the roles are associated with access privileges. The access server connects to a registry server that stores information about users, roles, functional groups, resources, and associations among them. The access server and registry server exchange encrypted information that authorizes the user to use the resource. The user is presented with a customized Web page showing only those resources that the user may access. Thereafter, the access server can resolve requests to use other resources without contacting the registry server. The registry server controls a flexible, extensible, additive data model stored in a database that describes the user, the resources, roles of the user, and functional groups in the enterprise that are associated with the user.
406 citations
Patent•
[...]
21 Aug 2001
TL;DR: In this article, the authors present a commercial networked instruction content delivery method and system which does not exclude synchronous sharing but is focused on asynchronous sharing in a multi-level computer architecture, which provides improved capabilities for managing courseware and other content in a shared use operating environment such as a computer network.
Abstract: Methods, devices, and systems are provided in a multi-level computer architecture which provides improved capabilities for managing courseware and other content in a shared use operating environment such as a computer network. In particular, the invention provides a commercial networked instruction content delivery method and system which does not exclude synchronous sharing but is focused on asynchronous sharing. Security means in the architecture provide content property holders with the ability to know how many minutes of use an individual made of licensed material and with increased certainty that their material cannot be used, copied, or sold in usable form unless and until a user site is connected or reconnected to a minute-by-minute counter which is located off the premises of the user. This security link helps protect software and other works which are being sold or licensed to an individual, organization, or entity, and creates income opportunities for owners of such content.
366 citations
Patent•
[...]
TL;DR: In this article, a system and method is presented that uses source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets.
Abstract: A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method provide for validating initially learned source IP addresses, and for determining whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level, and where the number does exceed the threshold number the system and method can provide for operation in a possible attack mode.
363 citations