公开(公告)号：US20220398324A1

公开(公告)日：2022-12-15

申请号：US17346898

申请日：2021-06-14

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G.P. Bosch ,  Alessandro Duminuco ,  Sape Jurriën Mullender

IPC: G06F21/57

Abstract: The present disclosure is directed to systems and methods for vulnerability analysis using continuous application attestation, a method including receiving a load map associated with an application , the load map indicating loaded modules of the application; determining whether at least one notification is received indicating at least one update to the loaded modules of the application, wherein, if the at least one notification is received, the load map is updated based on the indicated at least one update, and wherein, if the at least one notification is not received, the load map is retained in an existing state; periodically retrieving call traces associated with the application, the call traces indicating executed modules of the application; and generating a continuous application attestation comprising at least a combination of the updated load map or the retained load map, and the retrieved call traces associated with the application at a given time.

公开(公告)号：US20220116381A1

公开(公告)日：2022-04-14

申请号：US17069540

申请日：2020-10-13

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G.P. Bosch ,  Alessandro Duminuco ,  Julien Barbot ,  Jeffrey Michael Napper ,  Sape Jurrien Mullender

IPC: H04L29/06

Abstract: Techniques for using a single sign-on (SSO) service as a software defined networking (SDN) controller for a virtual private network environment. The techniques disclosed herein may include receiving, at a first authentication service, first data including a first request to authenticate a user of a client device to access an application. The techniques may also include sending, to the client device, second data representing a second request configured to prompt a second authentication service to authenticate the user of the client device. Additionally, the first authentication service may receive an indication that the user was authenticated by the second authentication service and determine, based at least in part on an attribute associated with at least one of the client device or the application, whether the client device is to access the application using an unsecured connection or, alternatively, access the application using a secured connection.

公开(公告)号：US20160182458A1

公开(公告)日：2016-06-23

申请号：US14573564

申请日：2014-12-17

Applicant: Cisco Technology, Inc.

Inventor： Kevin D. Shatzkamer ,  Hendrikus G.P. Bosch ,  Warren Scott Wainner ,  James N. Guichard ,  Surendra M. Kumar

IPC: H04L29/06 ,  G06F9/455

CPC classification number: H04L63/0428 ,  G06F9/45558 ,  G06F21/606 ,  G06F2009/45587 ,  G06F2009/45595

Abstract: A first virtual machine is established in a virtual private service chain to provide a first network service to virtual private service chain traffic. A second virtual machine is also established the virtual private service chain to provide a second network service to the virtual private service chain traffic. The virtual private service chain traffic is encrypted for transmission within the virtual private service chain from the first virtual machine to the second virtual machine, wherein the encryption uses a key shared by the first and second virtual machines.

Abstract translation: 在虚拟专用服务链中建立第一虚拟机以向虚拟专用服务链流量提供第一网络服务。 第二个虚拟机也建立了虚拟专用服务链，为虚拟私人服务链流量提供第二个网络服务。 虚拟专用服务链流量被加密以在虚拟专用服务链中从第一虚拟机到第二虚拟机的传输，其中加密使用由第一和第二虚拟机共享的密钥。

公开(公告)号：US20150358850A1

公开(公告)日：2015-12-10

申请号：US14300865

申请日：2014-06-10

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Humberto J. La Roche, JR. ,  Hendrikus G.P. Bosch ,  James N. Guichard ,  Paul Quinn ,  Surendra M. Kumar ,  Kevin D. Shatzkamer

IPC: H04W28/02 ,  H04L12/721 ,  H04L12/851 ,  H04L12/46

CPC classification number: H04W28/0215 ,  H04L12/4633 ,  H04L45/306 ,  H04L45/38

Abstract: A method provided in one embodiment includes receiving, at a first network element, a first data packet of a data flow, wherein the data flow is associated with a subscriber. The method further includes receiving subscriber information associated with the subscriber, and encapsulating the subscriber information with the first data packet to form an encapsulated data packet. The method still further includes determining a service chain including one or more services to which the encapsulated data packet is to be forwarded, and forwarding the encapsulated data packet to the service chain.

Abstract translation: 在一个实施例中提供的方法包括在第一网络元件处接收数据流的第一数据分组，其中所述数据流与订户相关联。 该方法还包括接收与用户相关联的用户信息，以及用第一数据分组封装用户信息以形成封装的数据分组。 该方法还包括确定包括一个或多个服务的服务链，封装的数据分组将被转发到该服务链上，并将封装的数据分组转发到服务链。

公开(公告)号：US20230004651A1

公开(公告)日：2023-01-05

申请号：US17662477

申请日：2022-05-09

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G.P. Bosch ,  Alessandro Duminuco ,  Sape Jurriën Mullender

IPC: G06F21/57 ,  G06F9/54

Abstract: According to some embodiments, a method comprises: obtaining an application programming interface (API) specification for an API service; performing one or more tests on the API service to determine an amount of deviation between the API service and the API specification; and determining a deviation score based on the amount of deviation between the API service and the API specification. The method may include transmitting the deviation score to a scoring agent.

公开(公告)号：US20220247791A1

公开(公告)日：2022-08-04

申请号：US17166921

申请日：2021-02-03

Applicant: Cisco Technology, Inc.

Inventor： Alessandro Duminuco ,  Hendrikus G.P. Bosch ,  Jeffrey Michael Napper ,  Vinny Parla ,  Julien Barbot ,  Sape Jurrien Mullender

IPC: H04L29/06 ,  H04L29/12 ,  H04L29/08

Abstract: Techniques for utilizing an enterprise traffic interception service (TIS) to enforce policies that mandate how clients access software as a service (SaaS) offered by service providers and selectively intercept enterprise network traffic utilizing a domain name service (DNS) and a single sign-on (SSO) service on a per-client per-service basis. The TIS may include a DNS server, an identity provider service, a TLS inspecting proxy, and/or a policy server. The DNS server may handle requests to resolve an address of a service, and identify a policy, stored in the policy server, to redirect the client based on the identity of the client and the service. The identity provider service may later query the policy server during client authorization for the service to verify that the client request is in line with the policy and allow or deny access to the service.

公开(公告)号：US20210369309A1

公开(公告)日：2021-12-02

申请号：US17403676

申请日：2021-08-16

Applicant: Cisco Technology Inc.

Inventor： Stefan Olofsson ,  Ijsbrand Wijnands ,  Hendrikus G.P. Bosch ,  Jeffrey Napper ,  Anubhav Gupta

IPC: A61B17/72 ,  A61B17/86 ,  A61B17/92

Abstract: In one embodiment, a router includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the router to perform operations including receiving software-defined networking in a wide area network (SD-WAN) policies from a component of an SD-WAN network. The operations also include establishing a session with a mobile device and receiving information associated with the mobile device in response to establishing the session with the mobile device. The operations further include filtering the SD-WAN policies based on the information associated with the mobile device to generate SD-WAN device-specific policies and communicating the SD-WAN device-specific policies to the mobile device.

公开(公告)号：US20210273913A1

公开(公告)日：2021-09-02

申请号：US16855809

申请日：2020-04-22

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G.P. Bosch ,  Alessandro Duminuco ,  Sape Jurriën Mullender ,  Jeffrey Michael Napper

IPC: H04L29/06 ,  H04L12/46

Abstract: An identity provider (IdP) service interoperates with a Virtual Private Network (VPN) client. The IdP service receives a login request originating from the VPN client to establish a VPN tunnel between the VPN client and a VPN host, the login request indicating a user of the VPN client. The IdP service provides a response to the login request. The response includes at least both first information including an indication that the user of the VPN client is an authorized user and second information including an indication of a VPN policy for the VPN tunnel, the VPN policy including a VPN client policy to be utilized during the VPN tunnel by the VPN client and a VPN host policy to be utilized during the VPN tunnel by the VPN host.

公开(公告)号：US20210044623A1

公开(公告)日：2021-02-11

申请号：US16867642

申请日：2020-05-06

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G.P. Bosch ,  Sape Jurriën Mullender ,  Jeffrey Michael Napper ,  Alessandro Duminuco ,  Shivani Raghav

IPC: H04L29/06 ,  G06F21/57 ,  G06F9/54

Abstract: Dynamically tailored trust for secure application-server networking and advanced enterprise security is provided. A system can individually assess the security posture of each application connecting to the Internet from each client device in an enterprise. For each application, the system tailors a security mode of the Internet connection based on the security posture of the application. Assessment of the security posture of an application is a comprehensive inventory of the security of the application, the security of the device hosting the application, the rights and security of the user, security attributes of the intended service or website being accessed, the security of the communication channel, and so forth. A network-based controller communicates with an agent running within a secure boot mode of each client device to select a security mode for application-service connection, including lean-trust direct access to the Internet, secure VPN-like access, or no access to the Internet.

公开(公告)号：US20180013821A1

公开(公告)日：2018-01-11

申请号：US15711235

申请日：2017-09-21

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G.P. Bosch ,  James Guichard ,  Dave Barach ,  Alessandro Duminuco ,  Luyuan Fang ,  Paul Quinn ,  Rex Fernando ,  David Ward

IPC: H04L29/08 ,  H04L12/715 ,  H04L12/751

CPC classification number: H04L67/10 ,  H04L45/02 ,  H04L45/04

Abstract: Presented herein are techniques for use in a network environment that includes one or more service zones, each service zone including at least one instance of an in-line application service to be applied to network traffic and one or more routers to direct network traffic to the at least one service, and a route target being assigned to a unique service zone to serve as a community value for route import and export between routers of other service zones, destination networks or source networks via a control protocol. An edge router in each service zone or destination network advertises routes by its destination network prefix tagged with its route target. A service chain is created by importing and exporting of destination network prefixes by way of route targets at edge routers of the service zones or source networks.