公开(公告)号：US11784808B2

公开(公告)日：2023-10-10

申请号：US17659530

申请日：2022-04-18

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32 ,  H04L9/40

CPC classification number: H04L9/0866 ,  H04L9/0869 ,  H04L9/3242 ,  H04L9/3247 ,  H04L63/0869 ,  H04L63/10 ,  H04L63/108 ,  H04L2209/12

Abstract: Systems, methods, and computer-readable media for authenticating access control messages include receiving, at a first node, access control messages from a second node. The first node and the second node including network devices and the access control messages can be based on RADIUS or TACACS+ protocols among others. The first node can obtain attestation information from one or more fields of the access control messages determine whether the second node is authentic and trustworthy based on the attestation information. The first node can also determine reliability or freshness of the access control messages based on the attestation information. The first node can be a server and the second node can be a client, or the first node can be a client and the second node can be a server. The attestation information can include Proof of Integrity based on a hardware fingerprint, device identifier, or Canary Stamp.

公开(公告)号：US20230164214A1

公开(公告)日：2023-05-25

申请号：US18158961

申请日：2023-01-24

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: H04L67/104 ,  H04L9/40 ,  H04W24/10 ,  H04L9/32 ,  H04L61/4511 ,  H04L67/1001

CPC classification number: H04L67/104 ,  H04L63/0823 ,  H04W24/10 ,  H04L9/3247 ,  H04L61/4511 ,  H04L67/1001

Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.

公开(公告)号：US11652824B2

公开(公告)日：2023-05-16

申请号：US17669123

申请日：2022-02-10

Applicant: Cisco Technology, Inc.

Inventor： Pradeep Kumar Kathail ,  Eric Voit

IPC: H04L29/06 ,  H04L12/24 ,  H04L9/40 ,  H04L41/0803

CPC classification number: H04L63/108 ,  H04L41/0803 ,  H04L63/0876 ,  H04L63/20

Abstract: Systems, methods, and computer-readable media for evaluation of trustworthiness of network devices are proposed. In one aspect, a first network device can determine a first determine a first probability of a security compromise of a second network device based on visible indicators. The first network device can also determine a second probability of the security compromise of the second device based on invisible indicators. The first network device also determines a trust degradation score for the second network device and establishes, based on the trust degradation score, a specified type of communication session with the second network device.

公开(公告)号：US20220353322A1

公开(公告)日：2022-11-03

申请号：US17857729

申请日：2022-07-05

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: H04L67/104 ,  H04L9/40 ,  H04W24/10 ,  H04L9/32 ,  H04L61/4511 ,  H04L67/1001

Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.

公开(公告)号：US11451560B2

公开(公告)日：2022-09-20

申请号：US16808114

申请日：2020-03-03

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners ,  Selvaraj Mani ,  Eliot Lear

IPC: H04L12/00 ,  H04L9/40 ,  H04L61/5014 ,  H04L101/686

Abstract: Systems, methods, and computer-readable media are disclosed for measurement of trustworthiness of network devices prior to their configuration and deployment in a network. In one aspect of the present disclosure, a method for pre-configuration of network devices includes receiving, at a dynamic host configuration server, a first request from a network device for configuration data, the configuration data including at least an IP address; sending, by the dynamic host configuration server, a second request to the network device for attestation information; verifying, by the dynamic host configuration server, the network device based on the attestation information; and assigning, by the dynamic host configuration server, the configuration data to the network device upon verifying the network device.

公开(公告)号：US20220166779A1

公开(公告)日：2022-05-26

申请号：US17669123

申请日：2022-02-10

Applicant: Cisco Technology, Inc.

Inventor： Pradeep Kumar Kathail ,  Eric Voit

IPC: H04L9/40 ,  H04L41/0803

Abstract: Systems, methods, and computer-readable media for evaluation of trustworthiness of network devices are proposed. In one aspect, a first network device can determine a first determine a first probability of a security compromise of a second network device based on visible indicators. The first network device can also determine a second probability of the security compromise of the second device based on invisible indicators. The first network device also determines a trust degradation score for the second network device and establishes, based on the trust degradation score, a specified type of communication session with the second network device.

公开(公告)号：US11343091B2

公开(公告)日：2022-05-24

申请号：US16784025

申请日：2020-02-06

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32

Abstract: Systems, methods, and computer-readable media for authenticating access control messages include receiving, at a first node, access control messages from a second node. The first node and the second node including network devices and the access control messages can be based on RADIUS or TACACS+ protocols among others. The first node can obtain attestation information from one or more fields of the access control messages determine whether the second node is authentic and trustworthy based on the attestation information. The first node can also determine reliability or freshness of the access control messages based on the attestation information. The first node can be a server and the second node can be a client, or the first node can be a client and the second node can be a server. The attestation information can include Proof of Integrity based on a hardware fingerprint, device identifier, or Canary Stamp.

公开(公告)号：US20220070251A1

公开(公告)日：2022-03-03

申请号：US17499731

申请日：2021-10-12

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: H04L29/08 ,  H04W24/10 ,  H04L29/06 ,  H04L29/12 ,  H04L9/32

Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.

公开(公告)号：US20220060384A1

公开(公告)日：2022-02-24

申请号：US17517622

申请日：2021-11-02

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: H04L12/24 ,  H04W84/18 ,  H04L12/721 ,  H04L12/751 ,  H04W40/24

Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices operating within a network. A recipient node in a network environment can receive a neighbor discovery (ND) message from an originating node in the network environment that are both implementing a neighbor discovery protocol. Trustworthiness of the originating node can be verified by identifying a level of trust of the originating node based on attestation information for the originating node included in the ND message received at the recipient node. Connectivity with the recipient node through the network environment can be managed based on the level of trust of the originating node identified from the attestation information included in the ND message.

公开(公告)号：US11184280B2

公开(公告)日：2021-11-23

申请号：US16158066

申请日：2018-10-11

Applicant: Cisco Technology, Inc.

Inventor： Eric Voit

IPC: H04L12/741 ,  H04L29/06 ,  H04W12/08 ,  H04L9/32

Abstract: In one illustrative example, a network node configured for packet flow verification may receive a packet from a host (e.g. a wireless mobile device operating in a wireless network) and obtain, from a header of the packet, data indicative of one or more traversed network node or service function identities. The identities may correspond to one or more traversed network nodes or service functions through which the packet has traversed in a non-steered communication having an unspecified path. Each received data indicative of a traversed network node or service function identity may be network node-added data, provided as part of in-situ Operations, Administration, and Maintenance (iOAM) data.