公开(公告)号：US20150096008A1

公开(公告)日：2015-04-02

申请号：US14041107

申请日：2013-09-30

Applicant: Cisco Technology, Inc.

Inventor： Todd Short ,  Andrew Zawadowskiy ,  Antonio Martin ,  Vincent E. Parla

IPC: H04L29/06 ,  H04L12/721

CPC classification number: H04L63/0227 ,  H04L45/306 ,  H04L45/566 ,  H04L63/0245 ,  H04L63/08 ,  H04L63/10 ,  H04L67/02

Abstract: A method for providing authoritative application-based routing and an improved application firewall, as well as a method for application classification, is described. The first embodiment, which provides a method for authoritative application-based routing, comprises tagging packets with an application identifier, and pushing the tagged packets to the network to enable the application identifier to be used in routing and priority decisions. In the second embodiment, a method for improving application firewall comprises using the application identifier to minimize the amount of processing required by the firewall when analyzing packet information.

Abstract translation: 描述了一种用于提供权威的基于应用的路由和改进的应用防火墙的方法以及应用分类的方法。 提供用于基于权威应用的路由的方法的第一实施例包括使用应用标识符来标记分组，并且将标记的分组推送到网络以使应用标识符能够用于路由和优先级决策。 在第二实施例中，用于改进应用防火墙的方法包括使用应用标识符来最小化防火墙在分析分组信息时所需的处理量。

公开(公告)号：US09369435B2

公开(公告)日：2016-06-14

申请号：US14041107

申请日：2013-09-30

Applicant: Cisco Technology, Inc.

Inventor： Todd Short ,  Andrew Zawadowskiy ,  Antonio Martin ,  Vincent E. Parla

IPC: H04L12/721 ,  H04L29/06 ,  H04L12/725

CPC classification number: H04L63/0227 ,  H04L45/306 ,  H04L45/566 ,  H04L63/0245 ,  H04L63/08 ,  H04L63/10 ,  H04L67/02

Abstract: A method for providing authoritative application-based routing and an improved application firewall, as well as a method for application classification, is described. The first embodiment, which provides a method for authoritative application-based routing, comprises tagging packets with an application identifier, and pushing the tagged packets to the network to enable the application identifier to be used in routing and priority decisions. In the second embodiment, a method for improving application firewall comprises using the application identifier to minimize the amount of processing required by the firewall when analyzing packet information.

Abstract translation: 描述了一种用于提供权威的基于应用的路由和改进的应用防火墙的方法以及应用分类的方法。 提供用于基于权威应用的路由的方法的第一实施例包括使用应用标识符来标记分组，并且将标记的分组推送到网络以使应用标识符能够用于路由和优先级决策。 在第二实施例中，用于改进应用防火墙的方法包括使用应用标识符来最小化防火墙在分析分组信息时所需的处理量。

公开(公告)号：US10027626B2

公开(公告)日：2018-07-17

申请号：US15156646

申请日：2016-05-17

Applicant: Cisco Technology, Inc.

Inventor： Todd Short ,  Andrew Zawadowskiy ,  Antonio Martin ,  Vincent E. Parla

IPC: H04L29/06 ,  H04L12/721 ,  H04L12/725 ,  H04L29/08

Abstract: A method for providing authoritative application-based routing and an improved application firewall, as well as a method for application classification, is described. The first embodiment, which provides a method for authoritative application-based routing, comprises tagging packets with an application identifier, and pushing the tagged packets to the network to enable the application identifier to be used in routing and priority decisions. In the second embodiment, a method for improving application firewall comprises using the application identifier to minimize the amount of processing required by the firewall when analyzing packet information.

公开(公告)号：US20160294797A1

公开(公告)日：2016-10-06

申请号：US14674938

申请日：2015-03-31

Applicant: Cisco Technology, Inc.

Inventor： Antonio Martin ,  Syam Sundar Appala ,  Joseph Salowey

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/08 ,  H04L63/0236 ,  H04L63/0245 ,  H04L63/0272 ,  H04L63/0815 ,  H04L63/0892 ,  H04L63/1466 ,  H04L63/168 ,  H04L63/30 ,  H04L67/02 ,  H04L67/2814

Abstract: In an embodiment a method is performed by a network access device (NAD). The NAD transfers a first HTTPS request from a client computer (UE) to an identity provider computer (IdP). The NAD transfers, from the IdP, a preceding redirected URL in response to the first HTTPS request, to the UE and configured to cause the UE to redirect to said preceding redirected URL. Over a secure network link, the NAD receives a particular request specifying said preceding redirected URL, from the UE. Responsive to receiving the particular request, the NAD generates a response, comprising a subsequent redirected URL and a session identifier, and configured to cause the UE to redirect to the IdP over an HTTPS connection. The NAD transfers said subsequent redirected URL over the secure network link to the UE. The NAD transfers a second HTTPS request, comprising the session identifier, from the UE to the IdP.

Abstract translation: 在一个实施例中，一种方法由网络接入设备（NAD）来执行。 NAD将第一个HTTPS请求从客户端计算机（UE）传送到身份提供者计算机（IdP）。 NAD从IdP将响应于第一HTTPS请求的先前重定向的URL传送到UE并且被配置为使得UE重定向到所述先前的重定向URL。 通过安全网络链路，NAD从UE接收指定所述先前重定向URL的特定请求。 响应于接收到特定请求，NAD生成响应，包括随后的重定向URL和会话标识符，并且被配置为使得UE通过HTTPS连接重定向到IdP。 NAD通过安全网络链路将所述后续的重定向URL传送给UE。 NAD将包括会话标识符的第二HTTPS请求从UE传送到IdP。

公开(公告)号：US09578007B2

公开(公告)日：2017-02-21

申请号：US14674938

申请日：2015-03-31

Applicant: Cisco Technology, Inc.

Inventor： Antonio Martin ,  Syam Sundar Appala ,  Joseph Salowey

IPC: H04L29/00 ,  H04L29/06 ,  H04L29/08

CPC classification number: H04L63/08 ,  H04L63/0236 ,  H04L63/0245 ,  H04L63/0272 ,  H04L63/0815 ,  H04L63/0892 ,  H04L63/1466 ,  H04L63/168 ,  H04L63/30 ,  H04L67/02 ,  H04L67/2814

Abstract: In an embodiment a method is performed by a network access device (NAD). The NAD transfers a first HTTPS request from a client computer (UE) to an identity provider computer (IdP). The NAD transfers, from the IdP, a preceding redirected URL in response to the first HTTPS request, to the UE and configured to cause the UE to redirect to said preceding redirected URL. Over a secure network link, the NAD receives a particular request specifying said preceding redirected URL, from the UE. Responsive to receiving the particular request, the NAD generates a response, comprising a subsequent redirected URL and a session identifier, and configured to cause the UE to redirect to the IdP over an HTTPS connection. The NAD transfers said subsequent redirected URL over the secure network link to the UE. The NAD transfers a second HTTPS request, comprising the session identifier, from the UE to the IdP.

Abstract translation: 在一个实施例中，一种方法由网络接入设备（NAD）来执行。 NAD将第一个HTTPS请求从客户端计算机（UE）传送到身份提供者计算机（IdP）。 NAD从IdP将响应于第一HTTPS请求的先前重定向的URL传送到UE并且被配置为使得UE重定向到所述先前的重定向URL。 通过安全网络链路，NAD从UE接收指定所述先前重定向URL的特定请求。 响应于接收到特定请求，NAD生成响应，包括随后的重定向URL和会话标识符，并且被配置为使得UE通过HTTPS连接重定向到IdP。 NAD通过安全网络链路将所述后续的重定向URL传送给UE。 NAD将包括会话标识符的第二HTTPS请求从UE传送到IdP。

公开(公告)号：US20160261562A1

公开(公告)日：2016-09-08

申请号：US15156646

申请日：2016-05-17

Applicant: Cisco Technology, Inc.

Inventor： Todd Short ,  Andrew Zawadowskiy ,  Antonio Martin ,  Vincent E. Parla

IPC: H04L29/06 ,  H04L12/721 ,  H04L29/08

CPC classification number: H04L63/0227 ,  H04L45/306 ,  H04L45/566 ,  H04L63/0245 ,  H04L63/08 ,  H04L63/10 ,  H04L67/02

Abstract: A method for providing authoritative application-based routing and an improved application firewall, as well as a method for application classification, is described. The first embodiment, which provides a method for authoritative application-based routing, comprises tagging packets with an application identifier, and pushing the tagged packets to the network to enable the application identifier to be used in routing and priority decisions. In the second embodiment, a method for improving application firewall comprises using the application identifier to minimize the amount of processing required by the firewall when analyzing packet information.

公开(公告)号：US09258315B2

公开(公告)日：2016-02-09

申请号：US14153742

申请日：2014-01-13

Applicant: Cisco Technology, Inc.

Inventor： Antonio Martin

IPC: H04L29/06 ,  G06F21/56 ,  H04L12/24

CPC classification number: H04L63/14 ,  G06F21/562 ,  H04L41/0813 ,  H04L63/0227 ,  H04L63/0245 ,  H04L63/0263 ,  H04L63/08 ,  H04L63/1408 ,  H04L63/1441 ,  H04L63/168

Abstract: Presented herein are techniques to reduce the vulnerabilities of network elements to malicious API calls. One or more filters that validate data across an API boundary at a network element are dynamically loaded into the network element such that a reboot of the network element is not required to use the one or more filters. An API call is received for an API function, wherein the API call contains one or more parameter values associated with the API function. The parameters may be validated using the one or more filters. If it is determined that the one or more filters validate the parameters for the API function, the API function may be executed using the parameter values. If it is determined that the one or more filters do not validate the parameters for the API function, the execution of the API function may be aborted.

Abstract translation: 这里提出的技术是减少网络元素对恶意API调用的漏洞。 在网络元件上跨越API边界验证数据的一个或多个过滤器被动态地加载到网络元件中，使得网络元件的重新启动不需要使用一个或多个过滤器。 接收API函数的API调用，其中API调用包含与API函数相关联的一个或多个参数值。 可以使用一个或多个过滤器来验证参数。 如果确定一个或多个过滤器验证API函数的参数，则API函数可以使用参数值执行。 如果确定一个或多个过滤器不验证API函数的参数，则API函数的执行可能会中止。

公开(公告)号：US20150200955A1

公开(公告)日：2015-07-16

申请号：US14153742

申请日：2014-01-13

Applicant: Cisco Technology, Inc.

Inventor： Antonio Martin

IPC: H04L29/06 ,  G06F21/56

CPC classification number: H04L63/14 ,  G06F21/562 ,  H04L41/0813 ,  H04L63/0227 ,  H04L63/0245 ,  H04L63/0263 ,  H04L63/08 ,  H04L63/1408 ,  H04L63/1441 ,  H04L63/168

Abstract: Presented herein are techniques to reduce the vulnerabilities of network elements to malicious API calls. One or more filters that validate data across an API boundary at a network element are dynamically loaded into the network element such that a reboot of the network element is not required to use the one or more filters. An API call is received for an API function, wherein the API call contains one or more parameter values associated with the API function. The parameters may be validated using the one or more filters. If it is determined that the one or more filters validate the parameters for the API function, the API function may be executed using the parameter values. If it is determined that the one or more filters do not validate the parameters for the API function, the execution of the API function may be aborted.

Abstract translation: 这里提出的技术是减少网络元素对恶意API调用的漏洞。 在网络元件上跨越API边界验证数据的一个或多个过滤器被动态地加载到网络元件中，使得网络元件的重新启动不需要使用一个或多个过滤器。 接收API函数的API调用，其中API调用包含与API函数相关联的一个或多个参数值。 可以使用一个或多个过滤器来验证参数。 如果确定一个或多个过滤器验证API函数的参数，则API函数可以使用参数值执行。 如果确定一个或多个过滤器不验证API函数的参数，则API函数的执行可能会中止。