-
Publication number: US10931571B2
Publication date: 2021-02-23
Application number: US16578517
Application date: 2019-09-23
Applicant: Cisco Technology, Inc.
Inventor: Kent Leung , Jianxin Wang
IPC: H04L12/721 , H04L29/08 , H04L29/12 , H04L12/851 , H04L12/741 , H04L12/26
Abstract: An extended service-function chain (SFC) proxy is hosted on a network node and connected to a service path formed by one or more network nodes hosting a chain of service-functions applied to packets traversing the service path. The packets each include a service header having a service path identifier and a service index. A packet of a traffic flow destined for a service-function is received from the service path and sent to the service-function. An indication to offload the traffic flow is received from the service-function. The indication is stored in a flow table having entries each identifying a respective traffic flow. A subsequent packet of the traffic flow is received from the service path. The flow table is searched for the indication to offload the traffic flow. Upon finding the indication, the service-function is bypassed, and the subsequent packet is forwarded along the service path.
-
Publication number: US10708178B2
Publication date: 2020-07-07
Application number: US16170175
Application date: 2018-10-25
Applicant: Cisco Technology, Inc.
Inventor: Reinaldo Penno , Carlos M. Pignataro , Paul Quinn , Hung The Chau , Chui-Tin Yen , Vivek Kansal , Jianxin Wang , Kent K. Leung
IPC: H04L12/721 , H04L12/801 , H04L12/715 , H04L12/703 , H04L12/911 , H04L12/851
Abstract: Embodiments are directed to receiving an original packet at a service function; determining, for a reverse packet, a reverse service path identifier for a previous hop on a service function chain; determining, for the reverse packet, a service index for the reverse service path identifier; and transmitting the reverse packet to the previous hop on the service function chain.
-
Publication number: US10171350B2
Publication date: 2019-01-01
Application number: US15160804
Application date: 2016-05-20
Applicant: CISCO TECHNOLOGY, INC.
Inventor: Reinaldo Penno , Carlos M. Pignataro , Paul Quinn , Hung The Chau , Chui-Tin Yen , Vivek Kansal , Jianxin Wang , Kent K. Leung
IPC: H04L12/721 , H04L12/703 , H04L12/911 , H04L12/801 , H04L12/715 , H04L12/851
Abstract: Embodiments are directed to receiving an original packet at a service function; determining, for a reverse packet, a reverse service path identifier for a previous hop on a service function chain; determining, for the reverse packet, a service index for the reverse service path identifier; and transmitting the reverse packet to the previous hop on the service function chain.
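The three abstracts above (US10931571B2, US10708178B2 and US10171350B2) all hinge on the NSH service path header: a 24-bit service path identifier (SPI) and an 8-bit service index (SI) that is decremented at every hop. The following Python block is an added example, not Cisco's code: it packs and parses the RFC 8300 base and service path headers, implements the proxy-side offload table from the first abstract (inspect until the service function says "offload", then bypass it while still decrementing SI), and computes the reverse SPI/SI for the previous hop as in the other two. The service-path table, the starting SI of 255, the flow key and the one-shot service function are assumptions made for the example.

```python
"""NSH service path handling for an SFC proxy and for reverse-path lookup.

Added example; the service-path table, flow keys and the demo service function
are assumptions, not Cisco's implementation. Header layout follows RFC 8300
(base header + service path header, MD type 2, no context headers).
"""
import struct
from dataclasses import dataclass

SI_START = 255          # service index assigned by the classifier (assumed convention)
NSH_NEXT_PROTO_IPV4 = 0x01


@dataclass
class ServiceHeader:
    spi: int            # 24-bit service path identifier
    si: int             # 8-bit service index, decremented at every service hop
    ttl: int = 63
    next_proto: int = NSH_NEXT_PROTO_IPV4

    def pack(self) -> bytes:
        if not 0 <= self.spi < (1 << 24) or not 0 <= self.si < 256:
            raise ValueError("SPI or SI out of range")
        length, md_type = 2, 2   # two 32-bit words: no fixed-length context header
        word0 = ((self.ttl & 0x3F) << 22) | (length << 16) | (md_type << 8) | self.next_proto
        word1 = (self.spi << 8) | self.si
        return struct.pack("!II", word0, word1)

    @classmethod
    def unpack(cls, data: bytes) -> "ServiceHeader":
        word0, word1 = struct.unpack("!II", data[:8])
        if (word0 >> 30) != 0:
            raise ValueError("unsupported NSH version")
        return cls(spi=word1 >> 8, si=word1 & 0xFF,
                   ttl=(word0 >> 22) & 0x3F, next_proto=word0 & 0xFF)


# Constructed service-path table: spi -> (reverse spi, service functions in path order).
# The first listed SF sees SI_START, the second SI_START - 1, and so on.
SERVICE_PATHS = {
    100: (101, ["fw", "nat", "dpi"]),
    101: (100, ["dpi", "nat", "fw"]),
}


def reverse_hop(paths, spi, si):
    """For a packet received with (spi, si), return the (reverse spi, si) that
    delivers a reply packet to the previous hop on the reverse service path.
    Returns None when the previous hop is the classifier rather than an SF."""
    rspi, forward = paths[spi]
    hop = SI_START - si
    if hop == 0:
        return None
    previous_sf = forward[hop - 1]
    _, reverse = paths[rspi]
    return rspi, SI_START - reverse.index(previous_sf)


class SfcProxy:
    """Extended SFC proxy: hands packets to an NSH-unaware service function and
    bypasses it for flows the service function has asked to offload."""

    def __init__(self, service_function):
        self.service_function = service_function   # (flow_key, payload) -> (payload, offload?)
        self.offload_table = set()                 # flow keys the SF no longer needs to see

    def handle(self, nsh_bytes, flow_key, payload):
        hdr = ServiceHeader.unpack(nsh_bytes)
        if flow_key in self.offload_table:
            bypassed = True
        else:
            payload, offload = self.service_function(flow_key, payload)
            if offload:
                self.offload_table.add(flow_key)
            bypassed = False
        hdr.si -= 1                  # the proxy decrements SI on behalf of the SF
        if hdr.si == 0:
            raise ValueError("service index exhausted; packet must be dropped")
        return hdr.pack(), payload, bypassed


def inspect_once(flow_key, payload):
    """Constructed service function: inspects the first packet, then asks for offload."""
    return payload, True


if __name__ == "__main__":
    key = ("10.0.0.5", "192.0.2.10", 6, 40000, 443)   # constructed 5-tuple
    proxy = SfcProxy(inspect_once)
    pkt = ServiceHeader(spi=100, si=254).pack()
    for _ in range(2):
        out, _, bypassed = proxy.handle(pkt, key, b"payload")
        print(ServiceHeader.unpack(out), "bypassed" if bypassed else "inspected")
    print(reverse_hop(SERVICE_PATHS, 100, 254))
```

The offload table is keyed on the flow, not on the NSH header, so a forged SPI/SI cannot make the proxy skip inspection of a flow the service function has not yet cleared; conversely, once a flow is offloaded nothing in the data path re-inspects it, so an SF should only request offload for flows whose remaining packets it genuinely does not need to see (bulk transfer after policy has been applied), and the proxy should age entries out.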
-
Publication number: US20170339253A1
Publication date: 2017-11-23
Application number: US15157621
Application date: 2016-05-18
Applicant: Cisco Technology, Inc.
Inventor: Manish Pathak , Venkatesh N. Gautam , Jianxin Wang
CPC classification number: H04L67/142 , H04L67/146 , H04L69/22
Abstract: A handshake procedure to establish a first connection between a client and a server is monitored at an intermediate network device. A request message sent to the server from the client is received at the intermediate network device. The request message includes parameters defining a manner of receiving information from the server. The parameters defining the manner of receiving information from the server are modified to produce modified parameters. A redirect message is sent from the intermediate network device to the client to induce or cause the client to establish a second connection with the server based upon the modified parameters, wherein the redirect message contains the modified parameters.
-
Publication number: US20170005805A1
Publication date: 2017-01-05
Application number: US14788862
Application date: 2015-07-01
Applicant: Cisco Technology, Inc.
Inventor: Jianxin Wang , Hari Shankar
IPC: H04L9/32
CPC classification number: H04L9/3263 , G06F21/00 , G06F21/33 , G06F21/552 , G06F21/577 , G06F2221/2135 , H04L9/3268 , H04L63/0823 , H04L63/1416
Abstract: A computer-implemented method is provided to detect a compromised Certificate Authority (CA). Over time reports are received containing data describing certificate authority certificates captured from messages exchanged between clients and servers. These reports may be received by a central computing entity. Metadata and statistics for certificates contained in the reports are stored. It is determined whether a certificate authority has been compromised based on the metadata and statistics.
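The abstract describes collecting CA-certificate observations from many clients and deciding from their metadata and statistics whether a CA has been compromised. The Python block below is an added example of such a collector, not the patent's implementation: it keeps per-CA-key and per-host statistics and raises two classic signals, a trusted CA name appearing with a key outside the pinned baseline that only a minority of reporters see (a rogue or cloned CA certificate), and a host that most reporters see chained to one CA but a minority see chained to another, which catches a genuine CA key mis-issuing. The report fields, the baseline, the 20% minority threshold and the sample reports are all constructed for the example.

```python
"""Central collector for CA-certificate reports with two compromise signals.

Added example, not the patent's implementation. Report fields, the trusted-key
baseline, the sample data and the minority threshold are all assumptions.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    reporter: str          # client or sensor that observed the TLS handshake
    ca_subject: str        # subject of the CA certificate in the server's chain
    ca_spki_sha256: str    # hex SHA-256 of that CA's SubjectPublicKeyInfo
    leaf_host: str         # host the leaf certificate was presented for


def spki_fingerprint(spki_der: bytes) -> str:
    return hashlib.sha256(spki_der).hexdigest()


class Collector:
    """Stores per-CA-key and per-host statistics and derives compromise findings."""

    def __init__(self):
        self.reporters = set()
        # ca_subject -> spki fingerprint -> set of reporters that saw that key
        self.ca_keys = defaultdict(lambda: defaultdict(set))
        # leaf host -> (ca_subject, fingerprint) -> set of reporters
        self.host_issuers = defaultdict(lambda: defaultdict(set))

    def ingest(self, report: Report) -> None:
        self.reporters.add(report.reporter)
        self.ca_keys[report.ca_subject][report.ca_spki_sha256].add(report.reporter)
        self.host_issuers[report.leaf_host][(report.ca_subject, report.ca_spki_sha256)].add(report.reporter)

    def assess(self, baseline, minority_share=0.2):
        """baseline: ca_subject -> set of known-good SPKI fingerprints.
        Returns (kind, ca_subject, fingerprint, detail) tuples."""
        findings = []
        total = len(self.reporters)
        if total == 0:
            return findings
        # Signal 1: a trusted CA name presented with a key that is not in the baseline.
        for subject, keys in self.ca_keys.items():
            for fp, seen_by in keys.items():
                if fp in baseline.get(subject, set()):
                    continue
                share = len(seen_by) / total
                kind = "rogue-ca-key" if share < minority_share else "unknown-key-review"
                findings.append((kind, subject, fp, f"seen by {len(seen_by)}/{total} reporters"))
        flagged = {(s, fp) for _, s, fp, _ in findings}
        # Signal 2: one host chains to two different CAs; the minority issuer is suspect
        # even when its key is a genuine, trusted one (a real CA mis-issuing).
        for host, issuers in self.host_issuers.items():
            if len(issuers) < 2:
                continue
            majority = max(issuers.values(), key=len)
            for (subject, fp), seen_by in issuers.items():
                if seen_by is majority or (subject, fp) in flagged:
                    continue
                if len(seen_by) / total < minority_share:
                    findings.append(("misissuance-suspected", subject, fp,
                                     f"{host} chained to this CA by {len(seen_by)}/{total} reporters"))
        return findings


def sample_reports():
    """Constructed observations: ten reporters, one of which sits behind an attacker."""
    good = spki_fingerprint(b"constructed SPKI of Example Root CA")
    other = spki_fingerprint(b"constructed SPKI of Other Root CA")
    rogue = spki_fingerprint(b"constructed SPKI of a key impersonating Example Root CA")
    reports = []
    for i in range(10):
        rep = f"r{i}"
        reports.append(Report(rep, "Other Root CA", other, "mail.example.org"))
        if i < 9:
            reports.append(Report(rep, "Example Root CA", good, "www.example.com"))
    # r9's path to both hosts is hijacked: a cloned CA name with a new key for one host,
    # and the genuine (but compromised) Example Root CA key mis-issuing for the other.
    reports.append(Report("r9", "Example Root CA", rogue, "www.example.com"))
    reports.append(Report("r9", "Example Root CA", good, "mail.example.org"))
    baseline = {"Example Root CA": {good}, "Other Root CA": {other}}
    return reports, baseline


def run_assessment():
    reports, baseline = sample_reports()
    collector = Collector()
    for report in reports:
        collector.ingest(report)
    return collector.assess(baseline)


if __name__ == "__main__":
    for finding in run_assessment():
        print(*finding)
```

The "unknown-key-review" branch exists because a key seen by most reporters is more likely a legitimate CA key rollover than an attack; treat it as a baseline-maintenance task rather than an incident. Reports should carry the SPKI fingerprint rather than the whole certificate so that the collector never has to trust parsing of attacker-supplied DER on the hot path.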
-
Publication number: US12047418B2
Publication date: 2024-07-23
Application number: US16697362
Application date: 2019-11-27
Applicant: Cisco Technology, Inc.
Inventor: Nancy Cam-Winget , Jianxin Wang , Dieter Derek Weber , Saman Taghavi Zargar , Robert Frederick Albach
IPC: H04L9/40
CPC classification number: H04L63/20 , H04L63/108 , H04L63/166
Abstract: Presented herein is a system, device and method that involve creating a policy model and policy rule structure for a policy enforcement point to support policies that adapt to rapidly changing external conditions, in addition to traditional policies that are static. The system facilitates the use of attributes that are dynamically created (at run-time), defined as ephemeral, or both. A new policy attribute may be created dynamically (at run-time). The policy attribute may be mapped as being static or ephemeral. The methodology further involves facilitating evaluation of an attribute as an atomic or programmed set of functions.
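To make the attribute model concrete, the following Python block is an added example of a policy enforcement point with the three attribute kinds the abstract names: static (configured once), ephemeral (created at run time with a lifetime, undefined after it lapses) and programmed (a function evaluated per request). It is not the patent's code; the attribute names, rules, the constructed threat feed and the injectable clock are assumptions. Rules are evaluated first-match-wins, an undefined or expired attribute never satisfies a condition, and no match means deny.

```python
"""Policy enforcement point with static, ephemeral and programmed attributes.

Added example; the attribute names, rules, threat feed and clock are
assumptions, not the patent's policy model.
"""
from dataclasses import dataclass
from typing import Any, Callable, Optional

DENY, ALLOW = "deny", "allow"


@dataclass
class Attribute:
    name: str
    value: Any = None
    compute: Optional[Callable[[dict], Any]] = None  # programmed: evaluated per request
    expires_at: Optional[float] = None               # ephemeral: undefined after expiry

    def resolve(self, ctx: dict, now: float):
        if self.expires_at is not None and now >= self.expires_at:
            return None
        return self.compute(ctx) if self.compute else self.value


@dataclass
class Rule:
    name: str
    conditions: dict        # attribute name -> predicate(resolved value, ctx) -> bool
    action: str


class PolicyEnforcementPoint:
    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.attributes = {}
        self.rules = []

    def define_attribute(self, name, value=None, compute=None, ttl=None):
        """Create or overwrite an attribute at run time; a ttl makes it ephemeral."""
        expires = self.clock() + ttl if ttl is not None else None
        self.attributes[name] = Attribute(name, value, compute, expires)

    def add_rule(self, rule: Rule):
        self.rules.append(rule)

    def evaluate(self, ctx: dict) -> tuple:
        """First matching rule wins. An undefined (missing or expired) attribute
        never satisfies a condition; with no match the request is denied."""
        now = self.clock()
        for rule in self.rules:
            matched = True
            for attr_name, predicate in rule.conditions.items():
                attr = self.attributes.get(attr_name)
                value = attr.resolve(ctx, now) if attr else None
                if value is None or not predicate(value, ctx):
                    matched = False
                    break
            if matched:
                return rule.action, rule.name
        return DENY, "default"


def build_pep(clock):
    pep = PolicyEnforcementPoint(clock)
    # static attribute: subnet-to-zone mapping from configuration
    pep.define_attribute("zone", value={"10.1.0.0/16": "corp", "10.9.0.0/16": "guest"})
    # programmed attribute: reputation score looked up in a constructed threat feed
    feed = {"203.0.113.7": 5}
    pep.define_attribute("reputation", compute=lambda c: feed.get(c["dst"], 80))
    # rules: ephemeral quarantine first, then reputation, then zone
    pep.add_rule(Rule("quarantine", {"quarantined": lambda q, c: c["src"] in q}, DENY))
    pep.add_rule(Rule("low-reputation", {"reputation": lambda r, c: r < 20}, DENY))
    pep.add_rule(Rule("corp-allow", {"zone": lambda z, c: z.get(c["src_subnet"]) == "corp"}, ALLOW))
    return pep


def scenario():
    """Walk one corp host through quarantine and its expiry under a fake clock."""
    t = [1000.0]
    pep = build_pep(lambda: t[0])
    ctx = {"src": "10.1.4.20", "src_subnet": "10.1.0.0/16", "dst": "198.51.100.9"}
    before = pep.evaluate(ctx)
    pep.define_attribute("quarantined", value={"10.1.4.20"}, ttl=300)   # IDS verdict, 5 minutes
    during = pep.evaluate(ctx)
    t[0] += 301                                                         # quarantine has lapsed
    after = pep.evaluate(ctx)
    bad_dst = pep.evaluate({**ctx, "dst": "203.0.113.7"})
    return before, during, after, bad_dst


if __name__ == "__main__":
    for decision in scenario():
        print(decision)
```

Because an expired ephemeral attribute silently stops matching, the rule order matters: a deny rule keyed on an ephemeral attribute fails open when the attribute lapses, which is the intended behaviour for a time-boxed quarantine but not for anything that should be enforced indefinitely; such conditions belong on static attributes.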
-
Publication number: US11570213B2
Publication date: 2023-01-31
Application number: US16788999
Application date: 2020-02-12
Applicant: Cisco Technology, Inc.
Inventor: Jianxin Wang , Nancy Cam-Winget , Donovan O'Hara , Richard Lee Barnes, II
IPC: H04L9/40
Abstract: A non-transitory computer readable medium comprising instructions stored thereon, the instructions effective to cause at least one processor to: establish trustworthiness of an application installed on an endpoint, the established trustworthiness being sufficient for an enterprise security infrastructure to treat the application installed on the endpoint and the endpoint as a trusted application and a trusted endpoint; negotiate with the trusted endpoint to determine a traffic inspection method for traffic flows originating at the trusted application that are destined for a service, the traffic inspection method being determined based on at least the trusted application and the service; and instruct the trusted application of the determined traffic inspection method.
-
Publication number: US11356423B2
Publication date: 2022-06-07
Application number: US16742716
Application date: 2020-01-14
Applicant: Cisco Technology, Inc.
Inventor: Jianxin Wang , Hari Shankar
Abstract: In one embodiment, a network security device is configured to monitor data traffic between a first device and a second device. The network security device may be configured to intercept a first initial message of a first encrypted handshaking procedure for a first secure communication session between the first device and the second device, the first initial message specifying a hostname that has been encrypted using first key information associated with the network security device, decrypt at least a portion of the first initial message using the first key information to determine the hostname, re-encrypt the hostname using second key information associated with the second device, and send, to the second device, a second initial message of a second encrypted handshaking procedure for a second secure communication session between the network security device and the second device, the second initial message specifying the hostname re-encrypted using the second key information.
-
Publication number: US11115385B1
Publication date: 2021-09-07
Application number: US15220697
Application date: 2016-07-27
Applicant: Cisco Technology, Inc.
Inventor: Pradeep Patel , Jonathan A. Kunder , Ashish K. Dey , Andrew E. Ossipov , Jianxin Wang
IPC: G06F15/16 , H04L29/06 , H04L12/851 , G06F16/901
Abstract: A first packet of a packet flow is received at a classifying network device. The first packet is forwarded from the classifying network device to a firewall network device. An indication that the packet flow is to be offloaded is received at the classifying network device. Data is stored at the classifying network device indicating that the packet flow is to be offloaded. A non-control packet of the packet flow is received at the classifying network device. A determination is made that the non-control packet belongs to the packet flow by comparing data contained in the non-control packet to the stored data. The non-control packet of the packet flow is directed to a processing entity in response to the determining. A control packet of the packet flow is received at the classifying network device. The control packet of the packet flow is directed to the firewall network device.
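The point of this abstract is the split between control and non-control packets: once the firewall has asked for a flow to be offloaded, data packets matching the stored flow data go straight to a processing entity, but packets that change connection state still go to the firewall. The Python block below is an added example of that classifier over raw IPv4/TCP bytes; it is not the patent's implementation, and the packet builder (checksums left at zero), the bidirectional flow key, and the constructed firewall policy (offload after the handshake's first pure ACK, revoke on FIN or RST) are assumptions.

```python
"""Classifying device in front of a firewall with per-flow offload.

Added example; the packet builder, the firewall decision logic and the
flow-key scheme are assumptions, not the patent's implementation.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
CONTROL_FLAGS = TCP_FIN | TCP_SYN | TCP_RST    # packets that change connection state


def build_tcp_packet(src, dst, sport, dport, flags, payload=b""):
    """Minimal IPv4+TCP packet; checksums left at zero (constructed test input)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def parse_flow(pkt):
    """Return ((src, dst, proto, sport, dport), tcp_flags) from raw IPv4 bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    l4 = pkt[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    flags = l4[13] if proto == 6 else 0
    return (src, dst, proto, sport, dport), flags


def reverse_key(key):
    src, dst, proto, sport, dport = key
    return (dst, src, proto, dport, sport)


class Classifier:
    def __init__(self, firewall):
        self.firewall = firewall      # (flow_key, flags, pkt) -> (verdict, "offload"|"keep"|"revoke")
        self.offloaded = set()        # stored flow data, both directions
        self.fastpath_count = 0

    def receive(self, pkt):
        key, flags = parse_flow(pkt)
        if key in self.offloaded and not flags & CONTROL_FLAGS:
            self.fastpath_count += 1        # processing entity handles it; the firewall never sees it
            return "fastpath"
        verdict, decision = self.firewall(key, flags, pkt)
        if decision == "offload":
            self.offloaded.update({key, reverse_key(key)})
        elif decision == "revoke":
            self.offloaded.difference_update({key, reverse_key(key)})
        return f"firewall:{verdict}"


def stateful_firewall(key, flags, pkt):
    """Constructed policy: offload once the three-way handshake completes
    (first pure ACK) and pull the flow back on FIN or RST."""
    if flags & (TCP_FIN | TCP_RST):
        return "allow", "revoke"
    if flags == TCP_ACK and len(pkt) == 40:  # IPv4 + TCP headers only, no payload
        return "allow", "offload"
    return "allow", "keep"


def handshake_and_data():
    """Drive one connection through the classifier and record where each packet went."""
    clf = Classifier(stateful_firewall)
    c, s = "10.0.0.5", "192.0.2.10"
    steps = [
        build_tcp_packet(c, s, 40000, 443, TCP_SYN),
        build_tcp_packet(s, c, 443, 40000, TCP_SYN | TCP_ACK),
        build_tcp_packet(c, s, 40000, 443, TCP_ACK),
        build_tcp_packet(c, s, 40000, 443, TCP_ACK, b"\x16\x03\x01" + b"\x00" * 5),
        build_tcp_packet(s, c, 443, 40000, TCP_ACK, b"\x16\x03\x03" + b"\x00" * 5),
        build_tcp_packet(c, s, 40000, 443, TCP_FIN | TCP_ACK),
        build_tcp_packet(s, c, 443, 40000, TCP_ACK, b"late"),
    ]
    return [clf.receive(p) for p in steps]


if __name__ == "__main__":
    for where in handshake_and_data():
        print(where)
```

Note that the decision to offload is the firewall's, not the classifier's: the classifier only stores what the firewall tells it and matches on the stored 5-tuple. Routing SYN, FIN and RST back to the firewall is what keeps its connection table consistent; an offload design that let those bypass it would leave the firewall unable to tear down or rate-limit the flow.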
-
Publication number: US10601961B2
Publication date: 2020-03-24
Application number: US15648014
Application date: 2017-07-12
Applicant: Cisco Technology, Inc.
Inventor: Pradeep Patel , Jianxin Wang , Jonathan Augustine Kunder , Ashish Dey
IPC: H04L29/06 , H04L12/715 , H04L12/801 , H04L12/725 , H04L12/721 , H04L12/64
Abstract: In one example, a service function forwarder of a service function chain enabled domain receives, from a classifier of the service function chain enabled domain, network traffic assigned to a service function path that includes at least one service node configured to apply a service function to the network traffic. The service function forwarder forwards the network traffic along the service function path. The service function forwarder receives, from the at least one service node, instructions for dynamically assigning a particular service function path to predicted network traffic that the at least one service node predicts will be triggered by the network traffic. The service function forwarder forwards the instructions to the classifier.
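The classic case of a service node predicting traffic that the current traffic will trigger is an FTP application-layer gateway: the PORT command and the 227 PASV reply announce the address and port of the data connection that is about to open. The Python block below is an added example, not the patent's design: the service node decodes those announcements, refuses predictions that point at a third party (the FTP bounce pattern), and hands the service function forwarder an instruction that is relayed to the classifier, which assigns the predicted flow to a different service function path once and then discards the entry. The SPI values, the message shapes between node, forwarder and classifier, and the sample FTP lines are assumptions.

```python
"""Service node that predicts a secondary flow and has the classifier pin it to a
service function path, using FTP's PORT command and 227 PASV reply as the trigger.

Added example; the SPI numbers, the messages between service node, SFF and
classifier, and the sample FTP lines are assumptions, not the patent's design.
"""
import re
from dataclasses import dataclass
from typing import Optional

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
DATA_CHANNEL_SPI = 200   # constructed: a path without the FTP ALG, e.g. DPI only


def _decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Prediction:
    src: str               # endpoint that will open the predicted connection
    sport: Optional[int]   # None = any source port
    dst: str
    dport: int
    spi: int               # service function path to assign the predicted flow to


class FtpServiceNode:
    """FTP ALG on the control channel; emits one prediction per announced data channel."""

    def __init__(self, sff):
        self.sff = sff

    def inspect(self, client, server, direction, line):
        decoded = _decode_hostport(line)
        if direction == "c2s" and line.upper().startswith("PORT ") and decoded:
            host, port = decoded
            if host != client:      # refuse bounce-style requests aimed at a third party
                return
            # active mode: the server connects from port 20 to the client's port
            self.sff.instruct(Prediction(server, 20, host, port, DATA_CHANNEL_SPI))
        elif direction == "s2c" and line.startswith("227 ") and decoded:
            host, port = decoded
            if host != server:      # the server may only redirect to itself
                return
            # passive mode: the client connects from any port to the server's port
            self.sff.instruct(Prediction(client, None, host, port, DATA_CHANNEL_SPI))


class ServiceFunctionForwarder:
    def __init__(self, classifier):
        self.classifier = classifier

    def instruct(self, prediction):
        self.classifier.install(prediction)   # relay the service node's instruction upstream


class Classifier:
    def __init__(self, default_spi):
        self.default_spi = default_spi
        self.pending = []

    def install(self, prediction):
        self.pending.append(prediction)

    def classify(self, src, sport, dst, dport):
        """Return the SPI for a new flow; a matching prediction is consumed once."""
        for p in self.pending:
            if (p.src, p.dst, p.dport) == (src, dst, dport) and p.sport in (None, sport):
                self.pending.remove(p)
                return p.spi
        return self.default_spi


def scenario():
    clf = Classifier(default_spi=100)
    node = FtpServiceNode(ServiceFunctionForwarder(clf))
    client, server = "10.0.0.5", "192.0.2.21"
    node.inspect(client, server, "c2s", "PORT 10,0,0,5,195,80")                           # 50000
    node.inspect(client, server, "s2c", "227 Entering Passive Mode (192,0,2,21,39,16)")   # 10000
    node.inspect(client, server, "c2s", "RETR report.txt")                                # nothing predicted
    return [
        clf.classify(server, 20, client, 50000),      # predicted active-mode data channel
        clf.classify(client, 51234, server, 10000),   # predicted passive-mode data channel
        clf.classify(server, 20, client, 50000),      # prediction already consumed
        clf.classify(client, 51235, server, 21),      # unrelated flow: default path
    ]


if __name__ == "__main__":
    print(scenario())
```

Consuming a prediction on first match and limiting it to the announced endpoints keeps the classifier from becoming a general-purpose pinhole that an attacker on the control channel could open toward arbitrary hosts; in production the pending entries also need a short expiry.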
-