-
Publication No.: US20190020372A1
Publication date: 2019-01-17
Application No.: US15650359
Filing date: 2017-07-14
Applicant: Cisco Technology, Inc.
Inventor: Robert Barton , Maik Guenter Seewald , Michael Alan Kowal
Abstract: A methodology includes determining a first delay between a first relay and a first label edge router, a second delay between a second relay and a second label edge router, and a third delay of a label-switched path between the first label edge router and the second label edge router. Based on the first, second, and third delays, it is determined whether an end-to-end latency between the first relay and the second relay exceeds an end-to-end latency threshold.
-
Publication No.: US20170359323A1
Publication date: 2017-12-14
Application No.: US13945369
Filing date: 2013-07-18
Applicant: Cisco Technology, Inc.
Inventor: Brian Eliot Weis , Maik Guenter Seewald , Ruben Gerald Lobo
Abstract: A technique for key sharing among multiple key servers connected to one another over a communication network is provided herein. Each key sever of the multiple key servers stores respective cryptographic keys, and provides the keys to a local device group connected with the key server, to enable the device group to encrypt messages with the keys. Each key server acts as a proxy for the other key servers in order to receive other keys from the other key servers over the network, and provide the other keys to the device group for use to decrypt messages received from other local device groups respectively connected with the other key servers that were encrypted with the other keys and to check message integrity. The multiple key servers may share keys with each other directly, or alternatively, indirectly through a central key server, as needed to support secure communications between their respective device groups.
-
Publication No.: US12218912B2
Publication date: 2025-02-04
Application No.: US16854616
Filing date: 2020-04-21
Applicant: Cisco Technology, Inc.
Inventor: Robert Edgar Barton , Thomas Szigeti , Jerome Henry , Ruben Gerald Lobo , Laurent Jean Charles Hausermann , Maik Guenter Seewald , Daniel R. Behrens
IPC: H04L43/026 , G05B19/05 , G06Q10/0875 , H04L9/40 , H04L12/46 , H04L41/0803 , H04L41/0893 , H04L47/20 , H04L47/2441 , H04L47/32
Abstract: According to one or more embodiments of the disclosure, a networking device receives a policy for an endpoint in a network. The policy specifies one or more component tags and one or more activity tags that were assigned to the endpoint based on deep packet inspection of traffic associated with the endpoint. The networking device identifies a set of tags for a particular traffic flow in the network associated with the endpoint. The set of tags comprises one or more component tags or activity tags associated with the particular traffic flow. The networking device makes a determination that the particular traffic flow violates the policy based on the set of tags comprising a tag that is not in the policy. The networking device initiates, based on the determination that the particular traffic flow violates the policy, a corrective measure with respect to the particular traffic flow.
-
Publication No.: US20240348651A1
Publication date: 2024-10-17
Application No.: US18134729
Filing date: 2023-04-14
Applicant: Cisco Technology, Inc.
Inventor: Maik Guenter Seewald
IPC: H04L9/40
CPC classification number: H04L63/20 , H04L63/0263 , H04L63/0435
Abstract: Techniques and architecture are described for dynamic security policy and key management for converged networks. More particularly, the techniques and architecture provide for configuring and managing converged industrial networks and configuring the converged industrial networks with respect to security policy and key management when also configuring and managing the converged industrial networks for operation. In configurations, the techniques and architecture described herein provide a method to establish dynamic access control as well as continuous trusted access and control based on well-defined streams and pre-calculated schedules. Additionally, in configurations, the techniques and architecture described herein provide a method to establish automated and integrated key management for controller-based time-sensitive networking (TSN) networks. This enables highly adaptable network security for operational technology (OT)/industrial Internet of Things (IIoT) networks used for critical processes such as automation and control.
-
Publication No.: US12108243B2
Publication date: 2024-10-01
Application No.: US17244114
Filing date: 2021-04-29
Applicant: Cisco Technology, Inc.
Inventor: William Sterling Alexander , Joshua Austin Knestaut , Jerome Henry , Maik Guenter Seewald , Robert Edgar Barton
CPC classification number: H04W12/02 , G06T5/70 , G06T11/20 , G06V40/166
Abstract: Methods are provided in which a user device connects a participant to a collaboration session in which the participant communicates with at least one other participant using audio and/or video, which is distributed in a media stream to the at least one other participant via a respective user device. In these methods, the user device detects at least one of an object within a space that is included in the video and an audio signal and selectively filters the media stream to exclude the object or a portion of the audio signal based on at least one of participant list information, learned background information, or learned voices of participants of the collaboration session.
-
Publication No.: US11962469B2
Publication date: 2024-04-16
Application No.: US17172820
Filing date: 2021-02-10
Applicant: Cisco Technology, Inc.
Inventor: Laurent Jean Charles Hausermann , Maik Guenter Seewald , André Guérard , Ruben Gerald Lobo , Daniel R. Behrens , Gulian Lorini , Laetitia Pot
IPC: H04L41/12 , G06N20/00 , G16Y20/10 , G16Y20/20 , G16Y40/10 , H04L41/0853 , H04L61/2567
CPC classification number: H04L41/12 , G06N20/00 , G16Y20/10 , G16Y20/20 , G16Y40/10 , H04L41/0853 , H04L61/2567
Abstract: According to one or more embodiments of the disclosure, an asset inventory service executed by one or more devices receives telemetry data collected passively by a sensor application regarding a node in a network. The asset inventory service requests, after receiving the telemetry data, that the sensor application perform active discovery of nodes in the network. The asset inventory service receives active discovery data collected by the sensor application via active discovery of nodes in the network. The asset inventory service generates, based on the telemetry data and the active discovery data, an identity profile for the node.
-
Publication No.: US11799948B2
Publication date: 2023-10-24
Application No.: US16950132
Filing date: 2020-11-17
Applicant: Cisco Technology, Inc.
Inventor: Robert Edgar Barton , Jerome Henry , Maik Guenter Seewald
IPC: H04L67/1004
CPC classification number: H04L67/1004
Abstract: Cloud services are provided by a distributed network including a number of geographically distributed datacenters, to client devices in accordance with data sovereignty requirements. A server within the distributed network may receive a service request and determine whether it complies with the data sovereignty requirements of the client. When the geographic location of the server does not comply with the client's data sovereignty requirements, the server may determine and transmit back to the client device a set of alternative datacenters within the distributed network that comply with the client's data sovereignty requirements. The client device may use network probes to select an alternative datacenter, and the cloud service request of the client device may be migrated from the server to the selected datacenter.
-
Publication No.: US20210400021A1
Publication date: 2021-12-23
Application No.: US17464847
Filing date: 2021-09-02
Applicant: Cisco Technology, Inc.
Inventor: Robert Edgar Barton , Jerome Henry , Matthias Falkner , Maik Guenter Seewald
Abstract: A server, in communication with a plurality of microservices in a microservices mesh environment, obtains data about inbound communications to a first microservice and outbound communications from the first microservice of the plurality of microservices. The server analyzes the data to learn an operational behavior of the first microservice and determine a firewall rule set to be applied associated with the first microservice based on the operational behavior learned for the first microservice. The server causes a micro-firewall to be instantiated for the first microservice. The micro-firewall is configured to apply the firewall rule set to inbound communications to the first microservice and outbound communications from the first microservice.
-
Publication No.: US11005822B2
Publication date: 2021-05-11
Application No.: US16402568
Filing date: 2019-05-03
Applicant: Cisco Technology, Inc.
Inventor: Robert Edgar Barton , Maik Guenter Seewald , Jerome Henry
IPC: H04L29/06
Abstract: In one embodiment, a network policy engine obtains a substation configuration description for a substation, indicative of intelligent electronic devices (IEDs), associated network communication devices, and related communication configuration information. The network policy engine then creates a mapping of the IEDs and the associated network communication devices based on the substation configuration description, associating each of the IEDs to a corresponding network port of the associated network communication devices. The network policy engine may then further create network control parameters based on the substation configuration description, which comprise defined communication flows for the IEDs and associated security group tags (SGTs) for the defined communication flows. The techniques herein may then cause the SGTs to be imposed at mapped network ports of the network communication devices for the IEDs according to security group access (SGA)-based network control to thereby establish secure network communication for the IEDs within the particular substation.
-
Publication No.: US10897516B2
Publication date: 2021-01-19
Application No.: US15813289
Filing date: 2017-11-15
Applicant: Cisco Technology, Inc.
Abstract: In one embodiment, a method comprises: storing, by a computing device in a non-deterministic data network, a plurality of data packets originated by a source device into a mass storage medium associated with the computing device; receiving, by the computing device, a data request originated by an access point device providing deterministic reachability to a deterministic device in a deterministic data network providing reachability to multiple deterministic devices, the request specifying one or more deterministic constraints associated with reaching the deterministic device; and supplying, by the computing device, a selected one of the data packets to the access point device for delivery of data stored therein to the deterministic device according to the one or more deterministic constraints.