公开(公告)号：US10021070B2

公开(公告)日：2018-07-10

申请号：US14979042

申请日：2015-12-22

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Jin Teng ,  Subharthi Paul ,  Thilan Niroshaka Ganegedara ,  Xun Wang ,  Saman Taghavi Zargar ,  Jayaraman Iyer

IPC: G06F17/00 ,  H04L29/06 ,  G06F17/30

CPC classification number: H04L63/0227 ,  G06F16/2379 ,  H04L63/0218 ,  H04L63/105

Abstract: In one embodiment, a method includes receiving capability information from an end host at a centralized security matrix in communication with a firewall and a plurality of end hosts, verifying at the centralized security matrix, a trust level of the end host, assigning at the centralized security matrix, a firewall function to the end host based on the trust level and capability information, and notifying the firewall of the firewall function assigned to the end host. Firewall functions are offloaded from the firewall to the end hosts by the centralized security matrix. An apparatus and logic are also disclosed herein.

公开(公告)号：US09860209B2

公开(公告)日：2018-01-02

申请号：US14709777

申请日：2015-05-12

Applicant: Cisco Technology, Inc.

Inventor： Kevin A. Buchanan ,  Andrew E. Ossipov ,  Kent Leung ,  Xun Wang ,  Zhijun Liu ,  Weiwei Kang

IPC: H04L29/00 ,  H04L29/06 ,  H04L12/801

CPC classification number: H04L63/0227 ,  H04L47/10 ,  H04L63/0254

Abstract: A method operable in a security device cluster having a plurality of security devices each configured to receive respective data flows. The method includes receiving a first segment of a flow at a first security device of the plurality of security devices, sending the first segment of the flow toward a destination node without the first security device of the plurality of security devices asserting ownership over the flow, receiving, from the destination node, a second segment of the flow at a second security device of the plurality of security devices, the second segment of the flow being responsive to the first segment, asserting, by the second security device of the plurality of security devices, ownership over the flow, and forwarding, from the first security device, packets of the flow subsequently received by the first security device to the second security device.

公开(公告)号：US20170180316A1

公开(公告)日：2017-06-22

申请号：US14979042

申请日：2015-12-22

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Jin Teng ,  Subharthi Paul ,  Thilan Niroshaka Ganegedara ,  Xun Wang ,  Saman Taghavi Zargar ,  Jayaraman Iyer

IPC: H04L29/06 ,  G06F17/30

CPC classification number: H04L63/0227 ,  G06F17/30377 ,  H04L63/0218 ,  H04L63/105

Abstract: In one embodiment, a method includes receiving capability information from an end host at a centralized security matrix in communication with a firewall and a plurality of end hosts, verifying at the centralized security matrix, a trust level of the end host, assigning at the centralized security matrix, a firewall function to the end host based on the trust level and capability information, and notifying the firewall of the firewall function assigned to the end host. Firewall functions are offloaded from the firewall to the end hosts by the centralized security matrix. An apparatus and logic are also disclosed herein.

公开(公告)号：US20160234168A1

公开(公告)日：2016-08-11

申请号：US14619759

申请日：2015-02-11

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Kent K. Leung ,  Xun Wang ,  Andrew E. Ossipov ,  Zhijun Liu ,  Jonathan Augustine Kunder

IPC: H04L29/06 ,  H04L29/12

CPC classification number: H04L63/0254 ,  H04L61/2007 ,  H04L61/2061 ,  H04L63/0218

Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

Abstract translation: 提供了一种用于促进地理上分散的网络环境中的层次聚类的示例性方法，并且包括在网络环境的集群域中的多个ASA集群之一的多个自适应安全设备（ASA）单元之一中接收分组， 将数据包识别为匹配数据中心之间的实时流量简档，识别集群域中的多个ASA集群中的目标ASA集群，查询流所有者的目标ASA集群中的域控制器，以及流所有者是否为 由域主任识别，将分组转发到目标群集中的流所有者，并且如果域所有者没有被域主管识别，并且域主管包括该分组所属的流的流状态，则指定 ASA单位作为流动所有者。

公开(公告)号：US20150146724A1

公开(公告)日：2015-05-28

申请号：US14089006

申请日：2013-11-25

Applicant: Cisco Technology, Inc.

Inventor： Kent Leung ,  Hy Quoc Pham ,  Jayaraman Iyer ,  Xun Wang ,  Andrew E. Ossipov

IPC: H04L12/741

CPC classification number: H04L45/745 ,  H04L45/54 ,  H04L67/327

Abstract: Techniques are presented herein for optimizing and load balancing network traffic exchanged between devices in a network environment. At a first device in a cluster of devices in a network, a packet is received from a second device in the cluster. The packet comprises identifier information that is assigned to the first device. The identifier information is reassigned to the second device in the cluster such that subsequent packets with the identifier information are sent directly to the second device. A mapping table is updated to indicate that the identifier information is reassigned to the second device.

Abstract translation: 本文介绍了技术来优化和负载平衡网络环境中设备之间交换的网络流量。 在网络中的设备集群中的第一设备处，从群集中的第二设备接收分组。 分组包括分配给第一设备的标识符信息。 标识符信息被重新分配给群集中的第二设备，使得具有标识符信息的后续分组被直接发送到第二设备。 映射表被更新以指示标识符信息被重新分配给第二设备。

公开(公告)号：US10721211B2

公开(公告)日：2020-07-21

申请号：US15783706

申请日：2017-10-13

Applicant: Cisco Technology, Inc.

Inventor： Kent K. Leung ,  Xun Wang ,  Andrew E. Ossipov ,  Zhijun Liu ,  Jonathan Augustine Kunder

IPC: H04L29/06 ,  H04L29/12

Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

公开(公告)号：US20180041474A1

公开(公告)日：2018-02-08

申请号：US15783706

申请日：2017-10-13

Applicant: Cisco Technology, Inc.

Inventor： Kent K. Leung ,  Xun Wang ,  Andrew E. Ossipov ,  Zhijun Liu ,  Jonathan Augustine Kunder

IPC: H04L29/06 ,  H04L29/12

Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

公开(公告)号：US09800549B2

公开(公告)日：2017-10-24

申请号：US14619759

申请日：2015-02-11

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Kent K. Leung ,  Xun Wang ,  Andrew E. Ossipov ,  Zhijun Liu ,  Jonathan Augustine Kunder

IPC: G06F15/173 ,  H04L29/06 ,  H04L29/12

CPC classification number: H04L63/0254 ,  H04L61/2007 ,  H04L61/2061 ,  H04L63/0218

Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

公开(公告)号：US20160337312A1

公开(公告)日：2016-11-17

申请号：US14709777

申请日：2015-05-12

Applicant: Cisco Technology, Inc.

Inventor： Kevin A. Buchanan ,  Andrew E. Ossipov ,  Kent Leung ,  Xun Wang ,  Zhijun Liu ,  Weiwei Kang

IPC: H04L29/06

CPC classification number: H04L63/0227 ,  H04L47/10 ,  H04L63/0254

Abstract: A method operable in a security device cluster having a plurality of security devices each configured to receive respective data flows. The method includes receiving a first segment of a flow at a first security device of the plurality of security devices, sending the first segment of the flow toward a destination node without the first security device of the plurality of security devices asserting ownership over the flow, receiving, from the destination node, a second segment of the flow at a second security device of the plurality of security devices, the second segment of the flow being responsive to the first segment, asserting, by the second security device of the plurality of security devices, ownership over the flow, and forwarding, from the first security device, packets of the flow subsequently received by the first security device to the second security device.

Abstract translation: 一种在具有多个安全设备的安全设备集群中可操作的方法，每个安全设备被配置为接收相应的数据流。 该方法包括在多个安全设备中的第一安全设备处接收流的第一段，将流的第一段发送到目的地节点，而不使多个安全设备中的第一安全设备声明对流的所有权， 从所述目的地节点接收在所述多个安全设备中的第二安全设备处的所述流的第二段，所述流的第二段响应于所述第一段，由所述第二安全设备断言所述多个安全性 设备，流量的所有权以及来自第一安全设备的转发，随后由第一安全设备接收的流的分组传送到第二安全设备。

公开(公告)号：US09203753B2

公开(公告)日：2015-12-01

申请号：US14089006

申请日：2013-11-25

Applicant: Cisco Technology, Inc.

Inventor： Kent Leung ,  Hy Quoc Pham ,  Jayaraman Iyer ,  Xun Wang ,  Andrew E. Ossipov

IPC: H04L12/741 ,  H04L29/08

CPC classification number: H04L45/745 ,  H04L45/54 ,  H04L67/327

Abstract: Techniques are presented herein for optimizing and load balancing network traffic exchanged between devices in a network environment. At a first device in a cluster of devices in a network, a packet is received from a second device in the cluster. The packet comprises identifier information that is assigned to the first device. The identifier information is reassigned to the second device in the cluster such that subsequent packets with the identifier information are sent directly to the second device. A mapping table is updated to indicate that the identifier information is reassigned to the second device.

Abstract translation: 本文介绍了技术来优化和负载平衡网络环境中设备之间交换的网络流量。 在网络中的设备集群中的第一设备处，从群集中的第二设备接收分组。 分组包括分配给第一设备的标识符信息。 标识符信息被重新分配给群集中的第二设备，使得具有标识符信息的后续分组被直接发送到第二设备。 映射表被更新以指示标识符信息被重新分配给第二设备。