-
Publication No.: US20240179125A1
Publication date: 2024-05-30
Application No.: US18072374
Filing date: 2022-11-30
Applicant: Cisco Technology, Inc.
Inventor: Balaji Sundararajan, Venkatesh Nataraj, Kannan Kumar, Padmanabha Nallur, Abha Jain, Kushal Patel
IPC: H04L9/40
CPC classification number: H04L63/0263, H04L63/0428
Abstract: This disclosure describes techniques and mechanisms for optimizing firewall enforcement. The techniques may implement a dynamic detection of Layer 7 processing at one end of the network, alleviating the need to enforce another layer 7 firewall inspection at the other end, thereby saving processing and network resources. The techniques enable firewalls and policies to be statically defined and located in one place.
-
Publication No.: US12289232B2
Publication date: 2025-04-29
Application No.: US18504576
Filing date: 2023-11-08
Applicant: Cisco Technology, Inc.
Inventor: Laxmikantha Reddy Ponnuru, Arul Murugan Manickam, Michael David Tracy, Kannan Kumar, Hamzah Kardame
IPC: H04L45/00, H04L45/028, H04L45/44
Abstract: In one embodiment, a method includes receiving, by a first node of a node cluster in a software-defined wide area network (SD-WAN), traffic from a wide area network (WAN), assigning, by the first node of the node cluster, flow ownership of the traffic to the first node, and communicating, by the first node of the node cluster, the traffic to a local area network (LAN). The method also includes receiving, by the first node of the node cluster, return traffic from a second node of the node cluster and detecting, by the first node of the node cluster, a diversion of the return traffic. The method further includes relinquishing, by the first node of the node cluster, the flow ownership and assigning, by the first node of the node cluster, the flow ownership to the second node of the node cluster.
-
Publication No.: US12225051B2
Publication date: 2025-02-11
Application No.: US17876190
Filing date: 2022-07-28
Applicant: Cisco Technology, Inc.
Inventor: Balaji Sundararajan, Vishnuprasad Raghavan, Kannan Kumar, Ramana Babu Polamarasetti, Mahalakshmi Rajaram
IPC: H04L9/40
Abstract: Techniques for user identity-based security policy enforcement. The techniques may include sending, to an edge device associated with a network, a networking policy associated with a user. The techniques may also include receiving, from an identity provider, an IP address associated with the user. Additionally, the techniques may include sending, to the edge device, an indication to associate the IP address with the user such that the edge device applies the networking policy to packets that include the IP address.
-
Publication No.: US20240106855A1
Publication date: 2024-03-28
Application No.: US18106891
Filing date: 2023-02-07
Applicant: Cisco Technology, Inc.
Inventor: Balaji Sundararajan, Vivek Agarwal, Vishnuprasad Raghavan, Kannan Kumar, Chandra Balaji Rajaram
IPC: H04L9/40
CPC classification number: H04L63/1466, H04L63/0227
Abstract: This disclosure describes techniques and mechanisms for improving security within SDWAN fabric and utilizing telemetry data from non-enterprise providers to remediate compromised SDWAN site(s) and/or user(s). The techniques may implement an integration of non-enterprise application(s) and API(s) with an enterprise network, thereby enabling the enterprise network to identify compromised endpoint(s), identify user(s), group(s), site(s) that are impacted, and take a corrective action (by the enterprise network and/or the non-enterprise application(s) or API(s)) on the enterprise fabric.
-
Publication No.: US10298581B2
Publication date: 2019-05-21
Application No.: US15582113
Filing date: 2017-04-28
Applicant: Cisco Technology, Inc.
Inventor: Rashmikant B. Shah, Brian E. Weis, Kannan Kumar, Manoj Kumar Nayak
IPC: H04L29/06
Abstract: In one embodiment, an authorized signing authority server receives an authenticity request from a security registrar to vouch for authenticity of a particular device. Based on receiving the authenticity request, the authorized signing authority server may then determine an authenticity state of the particular device, and may also request a device provisioning file for the particular device from a device provisioning server, the device provisioning file defining one or more network security policies for the particular device. Upon receiving the device provisioning file from the device provisioning server, the authorized signing authority server may then return the authenticity state and the device provisioning file for the particular device to the security registrar, causing the security registrar to complete authentication of the particular device based on the authenticity state and the device provisioning file.
-
Publication No.: US20250030743A1
Publication date: 2025-01-23
Application No.: US18356937
Filing date: 2023-07-21
Applicant: Cisco Technology, Inc.
Inventor: Balaji Sundararajan, Kannan Kumar, Madhu Somu, Ramakumara Kariyappa, Kushal A Patel, Vishnuprasad Raghavan, Deepthi Tammireddy
IPC: H04L9/40, H04L43/062
Abstract: Methods and systems are described herein for dynamically applying a security policy based on one or more tag attributes. The method comprises receiving, at a network controller, information about an instance of a cloud workload instantiated at a cloud provider. The cloud workload is associated with a tag attribute. The method further comprises querying the cloud provider for at least one IP address associated with the tag attribute and learning the at least one IP address associated with the tag attribute, including the IP address for the instance of the cloud workload. The method further comprises associating a security policy with the at least one IP address associated with the tag attribute and propagating the security policy to at least one edge router for implementation.
-
Publication No.: US20240080267A1
Publication date: 2024-03-07
Application No.: US18504576
Filing date: 2023-11-08
Applicant: Cisco Technology, Inc.
Inventor: Laxmikantha Reddy Ponnuru, Arul Murugan Manickam, Michael David Tracy, Kannan Kumar, Hamzah Kardame
IPC: H04L45/00, H04L45/028, H04L45/44
CPC classification number: H04L45/38, H04L45/028, H04L45/44
Abstract: In one embodiment, a method includes receiving, by a first node of a node cluster in a software-defined wide area network (SD-WAN), traffic from a wide area network (WAN), assigning, by the first node of the node cluster, flow ownership of the traffic to the first node, and communicating, by the first node of the node cluster, the traffic to a local area network (LAN). The method also includes receiving, by the first node of the node cluster, return traffic from a second node of the node cluster and detecting, by the first node of the node cluster, a diversion of the return traffic. The method further includes relinquishing, by the first node of the node cluster, the flow ownership and assigning, by the first node of the node cluster, the flow ownership to the second node of the node cluster.
-
Publication No.: US20240039956A1
Publication date: 2024-02-01
Application No.: US17876190
Filing date: 2022-07-28
Applicant: Cisco Technology, Inc.
Inventor: Balaji Sundararajan, Vishnuprasad Raghavan, Kannan Kumar, Ramana Babu Polamarasetti, Mahalakshmi Rajaram
IPC: H04L9/40
CPC classification number: H04L63/20, H04L63/102, H04L63/0236
Abstract: Techniques for user identity-based security policy enforcement. The techniques may include sending, to an edge device associated with a network, a networking policy associated with a user. The techniques may also include receiving, from an identity provider, an IP address associated with the user. Additionally, the techniques may include sending, to the edge device, an indication to associate the IP address with the user such that the edge device applies the networking policy to packets that include the IP address.
-
Publication No.: US10601664B2
Publication date: 2020-03-24
Application No.: US15582294
Filing date: 2017-04-28
Applicant: Cisco Technology, Inc.
Inventor: Kannan Kumar, Brian E. Weis, Rashmikant B. Shah, Manoj Kumar Nayak
Abstract: In one embodiment, a network controller for a computer network receives details of a provisioned device and policy requirements for the provisioned device. The network controller may then determine, based on the details and policy requirements for the provisioned device, a plurality of network devices that the provisioned device is configured to communicate through, and may then translate the details and policy requirements for the provisioned device into a plurality of network-device-specific policies, each respective network-device-specific policy corresponding to one of the plurality of network devices that the provisioned device is configured to communicate through. As such, the network controller may then transmit a respective network-device-specific policy of the plurality of network-device-specific policies to the plurality of network devices that the provisioned device is configured to communicate through.
-
Publication No.: US20250039141A1
Publication date: 2025-01-30
Application No.: US18357934
Filing date: 2023-07-24
Applicant: Cisco Technology, Inc.
Inventor: Faizan Amjad Mohammed, Venkatesh Nataraj, Gowri Mahendran Lingam Chandramohan, Saravanan Radhakrishnan, Kannan Kumar
IPC: H04L9/40
Abstract: This disclosure describes techniques for orchestrating implementation of a security solution among network devices. The techniques include determining capabilities of routers of the network and capabilities of a cloud security service to perform security features of a security solution. Based at least in part on the capabilities, the techniques include configuring a router of the network to execute a first subset of the security features on data traffic of the network, and configuring the cloud security service to execute a second subset of the security features on the data traffic. The techniques may also include causing the security solution to be presented to a security administrator via a display, the display providing representations of the first subset and the second subset of the security features.