PER-DEVICE SINGLE SIGN-ON ACROSS APPLICATIONS

    Publication (Announcement) No.: US20220217132A1

    Publication (Announcement) Date: 2022-07-07

    Application No.: US17141007

    Filing Date: 2021-01-04

    Abstract: Operations include transmitting, on behalf of a first application, a first request to a first service provider, the first request requesting first services from the first service provider, intercepting, at a local agent, a first redirect message from the first service provider to an identity provider, receiving an identity provider cookie from the identity provider based on a validation of credentials during the authentication process, storing a copy of the identity provider cookie, transmitting, on behalf of a second application, a second request to a second service provider, the second request requesting second services from the second service provider, intercepting a second redirect message from the second service provider to the identity provider, adding the identity provider cookie to the second redirect message, and receiving validation to access the second service provider from the identity provider based on the identity provider cookie stored by the local agent.

    Steering traffic on a flow-by-flow basis by a single sign-on service

    Publication (Announcement) No.: US11457008B2

    Publication (Announcement) Date: 2022-09-27

    Application No.: US17069540

    Filing Date: 2020-10-13

    Abstract: Techniques for using a single sign-on (SSO) service as a software defined networking (SDN) controller for a virtual private network environment. The techniques disclosed herein may include receiving, at a first authentication service, first data including a first request to authenticate a user of a client device to access an application. The techniques may also include sending, to the client device, second data representing a second request configured to prompt a second authentication service to authenticate the user of the client device. Additionally, the first authentication service may receive an indication that the user was authenticated by the second authentication service and determine, based at least in part on an attribute associated with at least one of the client device or the application, whether the client device is to access the application using an unsecured connection or, alternatively, access the application using a secured connection.

    METHOD FOR POLICY-DRIVEN, CLASSIFYING, AND ROUTING TRAFFIC USING THE DOMAIN NAME SYSTEM

    Publication (Announcement) No.: US20200252374A1

    Publication (Announcement) Date: 2020-08-06

    Application No.: US16373055

    Filing Date: 2019-04-02

    Abstract: Systems, methods, and computer-readable storage media are provided for managing application traffic. A routing policy defines the data flow path between the client device (which uses a virtual private network (VPN) client) and the appropriate network-based service. Based on various factors associated with the user, the client device, and the destination (e.g., the network-based service), the routing policy directs the VPN client to communicate with either a public DNS (via the public Internet) or a private DNS (via the private Intranet). The resulting IP addresses are used to establish a particular route (either over the public Internet or the private Intranet) between the client device and the network-based service in accordance with the routing policy.

    NONCE-BASED ENTERPRISE SECURITY POLICY ENFORCEMENT

    Publication (Announcement) No.: US20220255937A1

    Publication (Announcement) Date: 2022-08-11

    Application No.: US17169086

    Filing Date: 2021-02-05

    Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques including a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.

    STEERING TRAFFIC ON A FLOW-BY-FLOW BASIS BY A SINGLE SIGN-ON SERVICE

    Publication (Announcement) No.: US20220116381A1

    Publication (Announcement) Date: 2022-04-14

    Application No.: US17069540

    Filing Date: 2020-10-13

    Abstract: Techniques for using a single sign-on (SSO) service as a software defined networking (SDN) controller for a virtual private network environment. The techniques disclosed herein may include receiving, at a first authentication service, first data including a first request to authenticate a user of a client device to access an application. The techniques may also include sending, to the client device, second data representing a second request configured to prompt a second authentication service to authenticate the user of the client device. Additionally, the first authentication service may receive an indication that the user was authenticated by the second authentication service and determine, based at least in part on an attribute associated with at least one of the client device or the application, whether the client device is to access the application using an unsecured connection or, alternatively, access the application using a secured connection.

    System and method of verifying network communication paths between applications and services

    Publication (Announcement) No.: US10511590B1

    Publication (Announcement) Date: 2019-12-17

    Application No.: US16413411

    Filing Date: 2019-05-15

    Abstract: Disclosed are concepts for managing application traffic. A method includes receiving a request to access a service from an application, confirming an entity of a user of the application and, based on the confirmation, generating, via an authentication service, a routing policy for data flows between the application and the service. The routing policy defines a mandated path between the application and the service. The method can also include storing proof-of-transit data in the traffic flow for tracking the actual path from the application to the service and determining whether that data path complies with the mandated path defined in the policy. When the determination indicates that the actual path followed the mandated path defined in the routing policy, the method includes granting the user access to the service. When the actual path differs from the mandated path, the method includes denying access to the user.

    Nonce-based enterprise security policy enforcement

    Publication (Announcement) No.: US12261847B2

    Publication (Announcement) Date: 2025-03-25

    Application No.: US18197895

    Filing Date: 2023-05-16

    Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques including a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.
