-
1.
Publication (Announcement) No.: US20230421610A1
Publication (Announcement) Date: 2023-12-28
Application No.: US18244048
Application Date: 2023-09-08
Applicant: Cisco Technology, Inc.
Inventor: Thomas Szigeti, David John Zacks, Walter Hulick, Shannon McFarland
IPC: H04L9/40
CPC classification number: H04L63/20, H04L63/101, H04L63/0876
Abstract: Techniques for expressing, communicating, de-conflicting, and enforcing consistent access policies between an IBN architecture and a Cloud-Native architecture. Generally, network administrators and/or users of a Cloud-Native architecture and an IBN architecture express access policies independently for the two different domains or architectures. According to the techniques described herein, a Network Service Endpoint (NSE) of the Cloud-Native architecture may exchange access policies with a network device of the IBN architecture. After exchanging access policies, conflicts between the sets of access policies may be identified, such as differences between allowing or denying communications between microservices and/or applications. The conflicts may be de-conflicted using various types of heuristics or rules, such as always selecting an access policy of the IBN architecture when conflicts arise. After the access policies have been de-conflicted, the IBN architecture and Cloud-Native architecture may then apply consistent access policies for traffic and communications in their respective network architectures.
-
2.
Publication (Announcement) No.: US20230081708A1
Publication (Announcement) Date: 2023-03-16
Application No.: US17473306
Application Date: 2021-09-13
Applicant: Cisco Technology, Inc.
Inventor: Thomas Szigeti, David J. Zacks, Walter Hulick, Shannon McFarland
IPC: H04L29/06
Abstract: Techniques for expressing, communicating, de-conflicting, and enforcing consistent access policies between an IBN architecture and a Cloud-Native architecture. Generally, network administrators and/or users of a Cloud-Native architecture and an IBN architecture express access policies independently for the two different domains or architectures. According to the techniques described herein, a Network Service Endpoint (NSE) of the Cloud-Native architecture may exchange access policies with a network device of the IBN architecture. After exchanging access policies, conflicts between the sets of access policies may be identified, such as differences between allowing or denying communications between microservices and/or applications. The conflicts may be de-conflicted using various types of heuristics or rules, such as always selecting an access policy of the IBN architecture when conflicts arise. After the access policies have been de-conflicted, the IBN architecture and Cloud-Native architecture may then apply consistent access policies for traffic and communications in their respective network architectures.
-
3.
Publication (Announcement) No.: US20240291816A1
Publication (Announcement) Date: 2024-08-29
Application No.: US18174177
Application Date: 2023-02-24
Applicant: Cisco Technology, Inc.
Inventor: Walter Hulick, David John Zacks, Thomas Szigeti, Nagendra Kumar Nainar
IPC: H04L9/40
CPC classification number: H04L63/0876, H04L63/0245, H04L63/20
Abstract: Provided herein are techniques to facilitate enhanced cloud access security broker (CASB) functionality via in-band application observability, in which a CASB can be implemented in-line between the client device and an embedded application security service. In one instance, a method may include obtaining, by a CASB from a client device, a first message for an application transaction involving an application operating via the client device. The first message can be augmented to include first security metadata and can be forwarded to trigger one or more actions by an embedded application security service associated with the application. The CASB may obtain a second message from the embedded application security service that includes second security metadata, and one or more actions can be triggered at the CASB based, at least in part, on the second security metadata included in the second message.
-
4.
Publication (Announcement) No.: US11792230B2
Publication (Announcement) Date: 2023-10-17
Application No.: US17473306
Application Date: 2021-09-13
Applicant: Cisco Technology, Inc.
Inventor: Thomas Szigeti, David J. Zacks, Walter Hulick, Shannon McFarland
CPC classification number: H04L63/20, H04L63/0876, H04L63/101
Abstract: Techniques for expressing, communicating, de-conflicting, and enforcing consistent access policies between an IBN architecture and a Cloud-Native architecture. Generally, network administrators and/or users of a Cloud-Native architecture and an IBN architecture express access policies independently for the two different domains or architectures. According to the techniques described herein, a Network Service Endpoint (NSE) of the Cloud-Native architecture may exchange access policies with a network device of the IBN architecture. After exchanging access policies, conflicts between the sets of access policies may be identified, such as differences between allowing or denying communications between microservices and/or applications. The conflicts may be de-conflicted using various types of heuristics or rules, such as always selecting an access policy of the IBN architecture when conflicts arise. After the access policies have been de-conflicted, the IBN architecture and Cloud-Native architecture may then apply consistent access policies for traffic and communications in their respective network architectures.
-
5.
Publication (Announcement) No.: US12225057B2
Publication (Announcement) Date: 2025-02-11
Application No.: US18244048
Application Date: 2023-09-08
Applicant: Cisco Technology, Inc.
Inventor: Thomas Szigeti, David John Zacks, Walter Hulick, Shannon McFarland
Abstract: Techniques for expressing, communicating, de-conflicting, and enforcing consistent access policies between an IBN architecture and a Cloud-Native architecture. Generally, network administrators and/or users of a Cloud-Native architecture and an IBN architecture express access policies independently for the two different domains or architectures. According to the techniques described herein, a Network Service Endpoint (NSE) of the Cloud-Native architecture may exchange access policies with a network device of the IBN architecture. After exchanging access policies, conflicts between the sets of access policies may be identified, such as differences between allowing or denying communications between microservices and/or applications. The conflicts may be de-conflicted using various types of heuristics or rules, such as always selecting an access policy of the IBN architecture when conflicts arise. After the access policies have been de-conflicted, the IBN architecture and Cloud-Native architecture may then apply consistent access policies for traffic and communications in their respective network architectures.
-
Publication (Announcement) No.: US20240333822A1
Publication (Announcement) Date: 2024-10-03
Application No.: US18126735
Application Date: 2023-03-27
Applicant: Cisco Technology, Inc.
Inventor: Vincent E. Parla, Walter Hulick
IPC: H04L69/166, H04L69/321
CPC classification number: H04L69/166, H04L69/321
Abstract: Techniques for microsegmenting network communication transactions from end-to-end over an entire network communication path between a client device and a workload. The techniques may include determining that a first layer of a packet traversing the communication path includes a first metadata tag associated with a first segmentation ecosystem applying a microsegmentation policy along a first portion of the communication path. Based at least in part on the first metadata tag, a second metadata tag may be determined that is associated with a second segmentation ecosystem applying the microsegmentation policy along a second portion of the communication path. The second metadata tag may then be embedded within a second layer of the packet such that the second segmentation ecosystem is capable of applying the microsegmentation policy to the packet along the second portion of the communication path.