John M Brawn, 932928 Varden Ave, San Jose, CA 95124

7024686, Apr 4, 2006

May 11, 2001

09/854359

John Melvin Brawn - San Jose CA, US
Christian Klein - Herrenberg, DE

Hewlett-Packard Development Company, L.P. - Houston TX

H04K 1/00
H04L 9/32

726 1, 726 2, 726 3

A secure network is provided which includes a plurality of anti-bubbles having a plurality of anti-bubble partitions. Each anti-bubble partition has at least one network device configured to transmit and receive data. All the network devices that belong to or correspond to a particular anti-bubble have the same network security policy. Data may not be transmitted between two network devices in the same anti-bubble or two network devices in different anti-bubble partitions of the same anti-bubble. The secure network also includes a plurality of network control points, which has one or more network control point devices having at least one interface. Each anti-bubble partition is connected to at least one network control point. The network control point is used to provide a connection between at least two network devices. Each network control point device is configured to enforce the network security policy of all the anti-bubbles that are connected to it.

7353539, Apr 1, 2008

Jan 16, 2003

10/345701

John Melvin Brawn - San Jose CA, US
Andrew Patrick Norman - Bristol, GB
Chris Ralph Dalton - Bristol, GB
Jonathan Griffin - Bristol, GB

Hewlett-Packard Development Company, L.P. - Houston TX

G06F 12/14
G06F 11/30
H04L 9/32
G06F 15/173

726 25, 726 22, 709224, 713187, 713188

A method of identifying a software vulnerability in computer systems in a computer network includes a multiple level scanning process controlled from a management system connected to the network. The management system runs a root scanner which applies an interrogation program to remote systems having network addresses in a predefined address range. When a software vulnerability is detected, the interrogation program causes the respective remote system to scan topologically local systems, the remote system itself applying a second interrogation program to the local systems to detect and mitigate the vulnerability using an associated mitigation payload. Whilst that local scanning process is in progress, the root scanner can be applied to remote systems in other predefined address ranges.

7376965, May 20, 2008

May 14, 2001

09/861986

Brian Jemes - Moscow ID, US
John Melvin Brawn - San Jose CA, US
Leif Buch-Pedersen - St. Martin d'Uriage, FR

Hewlett-Packard Development Company, L.P. - Houston TX

G06F 15/177
G06F 15/173

726 3, 709220, 709221, 709222, 709223, 709224, 709225

A method of creating a structured access list template, which includes dividing an access list template into a plurality of sections, creating an inbound local rule group for the bubble, creating an outbound local rule group for the bubble, creating an inbound remote rule group for the bubble, and creating an outbound remote rule group for the bubble. A method of creating an access list for each of the plurality of bubble boundary devices, which includes creating an address table that includes a plurality of addresses corresponding to devices in a bubble partition, creating a protocol table that includes a list of network services and whether each of the network services are granted or denied access to the bubble partition, creating an access list template using the address table and the protocol table, generating an access list from the access list template, and providing the access list to one of the plurality of bubble boundary devices.

7400591, Jul 15, 2008

Jun 1, 2005

11/142643

John Melvin Brawn - San Jose CA, US
Brian Jemes - Palo Alto CA, US
Stephen F. Froelich - Corvallis OR, US

Hewlett-Packard Development Company, L.P. - Houston TX

G06F 15/177

370254, 370392, 370400, 370476, 709222, 709226, 709245, 711217

A method of creating a discontiguous address plan for an enterprise is provided which includes determining a hierarchy of routing optimization for an enterprise, determining a number of route advertisement aggregation points at each level of the hierarchy, determining a number of network security policy areas for the enterprise, and determining a number of addresses for each of the network security policy areas. The number of addresses is rounded up to a power of the address scheme base number to produce a plurality of rounded addresses. The method further includes allocating an address range for each of the plurality of rounded addresses so that a starting address of the address range begins on a power of the base number and determining a size of the plurality of address ranges. The size of the plurality of address ranges is rounded up to a power of the base number to produce the size of a repeating policy pattern. The method further includes assigning an instance of the repeating policy pattern to each of the route advertisement aggregation points at each hierarchy, and determining an address and a mask for each of the network security policy areas in the repeating policy pattern.

7703124, Apr 20, 2010

Mar 31, 2005

11/094989

Brian L. Jemes - Moscow ID, US
John M. Brawn - San Jose CA, US
Farid Filsoof - Bournemouth, GB

Hewlett-Packard Development Company, L.P. - Houston TX

H04L 9/00

726 1, 726 2, 726 3, 709225

A network security system is provided comprising a plurality of network bubbles wherein each bubble includes bubble members configured to transmit and receive data. Bubbles have network security policies that may be enforced by a plurality of network control point devices. The system further includes a private virtual backbone configured to interconnect the plurality of network control points connected to known bubbles. The privacy of the private virtual backbone is maintained by an inter-bubble device and/or set of two network control points. The inter-bubble device and set of control points enforce the network security policies of any connected bubble and relay data packets between address spaces. The private virtual backbone may operate in private address space. The system also includes an instance-specific virtual backbone that interconnects only bubble partitions from the same network bubble, thus simplifying the enforcement of a network security policy.

8230497, Jul 24, 2012

Nov 4, 2002

10/287125

Andrew Patrick Norman - Bristol, GB
John Melvin Brawn - San Jose CA, US
John P Scrimsher - Albany OR, US
Jonathan Griffin - Bristol, GB

Hewlett-Packard Development Company, L.P. - Houston TX

G06F 12/14
G06F 21/00

726 22, 726 23, 726 25, 726 26, 709229

A method of identifying a software vulnerability on a computer system is disclosed in which the computer system has software stored thereon and is connected to a management system over a computer network. The method comprises the steps of: applying an interrogation program to the software, the interrogation program being capable of exploiting a known software vulnerability if it is present in the software to which the interrogation program is applied; in the event that the software vulnerability is exploited by the interrogation program, operating the interrogation program to generate a set of management information from which can be derived the identification of the computer system; and sending the management information to the management system.

7263719, Aug 28, 2007

Nov 29, 2000

09/726072

Brian Jemes - Palo Alto CA, US
John Melvin Brawn - San Jose CA, US
Joseph Garcia - Mountain View CA, US
Michael Milligan - Palo Alto CA, US
John M. Pape - Fort Collins CO, US
Jeff Hansell - Fremont CA, US

Hewlett-Packard Development Company, L.P. - Houston TX

G06F 15/16

726 12, 726 3, 726 11, 726 14, 726 15, 709220

A secure network is provided which includes a plurality of network bubbles having a plurality of bubble partitions. Each bubble partition has at least one network device configured to transmit and receive data. All the network devices that belong to or correspond to a particular network bubble have the same network security policy. The secure network also includes a plurality of network control points, which has one or more network control point devices having at least one interface. Each bubble partition is connected to at least one network control point. The network control point is used to provide a connection between at least two network devices. Each network control point device is configured to enforce the network security policy of all the network bubbles that are connected to it. During the transmission of data from one network device to another network device, one or more network control points are traversed.

2002003, Mar 28, 2002

May 14, 2001

09/855862

John Brawn - San Jose CA, US
Brian Jemes - Palo Alto CA, US
Stephen Froelich - Corvallis OR, US

G06F015/16
G06F015/173

709/238000, 713/201000, 709/245000

A method of creating a discontiguous address plan for an enterprise is provided which includes determining a hierarchy of routing optimization for an enterprise, determining a number of route advertisement aggregation points at each level of the hierarchy, determining a number of network security policy areas for the enterprise, and determining a number of addresses for each of the network security policy areas. The number of addresses is rounded up to a power of the address scheme base number to produce a plurality of rounded addresses. The method further includes allocating an address range for each of the plurality of rounded addresses so that a starting address of the address range begins on a power of the base number and determining a size of the plurality of address ranges. The size of the plurality of address ranges is rounded up to a power of the base number to produce the size of a repeating policy pattern. The method further includes assigning an instance of the repeating policy pattern to each of the route advertisement aggregation points at each hierarchy, and determining an address and a mask for each of the network security policy areas in the repeating policy pattern.