-
Publication No.: WO2021025881A1
Publication date: 2021-02-11
Application No.: PCT/US2020/043590
Application date: 2020-07-24
Applicant: CISCO TECHNOLOGY, INC.
Inventor: BOSCH, Hendrikus, G.P. , MULLENDER, Sape, Jurrien , NAPPER, Jeffrey, Michael , DUMINUCO, Alessandro , RAGHAV, Shivani
Abstract: Dynamically tailored trust for secure application-server networking and advanced enterprise security is provided. A system can individually assess the security posture of each application connecting to the Internet from each client device in an enterprise. For each application, the system tailors a security mode of the Internet connection based on the security posture of the application. Assessment of the security posture of an application is a comprehensive inventory of the security of the application, the security of the device hosting the application, the rights and security of the user, security attributes of the intended service or website being accessed, the security of the communication channel, and so forth. A network-based controller communicates with an agent running within a secure boot mode of each client device to select a security mode for application-service connection, including lean-trust direct access to the Internet, secure VPN-like access, or no access to the Internet.
-
Publication No.: WO2022081578A1
Publication date: 2022-04-21
Application No.: PCT/US2021/054587
Application date: 2021-10-12
Applicant: CISCO TECHNOLOGY, INC.
Inventor: BOSCH, Hendrikus, G.P. , DUMINUCO, Alessandro , BARBOT, Julien , NAPPER, Jeffrey, Michael , MULLENDER, Sape, Jurrien
IPC: H04L9/40
Abstract: Techniques for using a single sign-on (SSO) service as a software defined networking (SDN) controller for a virtual private network environment. The techniques disclosed herein may include receiving, at a first authentication service, first data including a first request to authenticate a user of a client device to access an application. The techniques may also include sending, to the client device, second data representing a second request configured to prompt a second authentication service to authenticate the user of the client device. Additionally, the first authentication service may receive an indication that the user was authenticated by the second authentication service and determine, based at least in part on an attribute associated with at least one of the client device or the application, whether the client device is to access the application using an unsecured connection or, alternatively, access the application using a secured connection.
-
Publication No.: WO2020072244A1
Publication date: 2020-04-09
Application No.: PCT/US2019/052843
Application date: 2019-09-25
Applicant: CISCO TECHNOLOGY, INC.
Inventor: BOSCH, Hendrikus, G.P. , MULLENDER, Sape, Jurrien , WIJNANDS, Ijsbrand , DUMINUCO, Alessandro , NAPPER, Jeffrey, Michael , DHESIKAN, Subhasri
IPC: H04L12/18
Abstract: In one example embodiment, a server generates a candidate instantiation of virtual applications among a plurality of hosts in a data center to support a multicast stream. The server provides, to a first set of agents corresponding to a first set of the plurality of hosts, a command to initiate a test multicast stream. The server provides, to a second set of agents corresponding to a second set of the plurality of hosts, a command to join the test multicast stream. The server obtains, from the second set of agents, a message indicating whether the second set of agents received the test multicast stream. If the message indicates that the second set of agents received the test multicast stream, the server causes the virtual applications to be instantiated in accordance with the candidate instantiation of the virtual applications.
-
Publication No.: WO2020247248A1
Publication date: 2020-12-10
Application No.: PCT/US2020/035045
Application date: 2020-05-29
Applicant: CISCO TECHNOLOGY, INC.
Inventor: BOSCH, Hendrikus, G.P. , OLOFSSON, Stefan , WIJNANDS, Ijsbrand , GUPTA, Anubhav , NAPPER, Jeffrey , MULLENDER, Sape, Jurrien
IPC: H04L12/723
Abstract: In one embodiment, a method includes detecting a request to route traffic to a service associated with an application. The method also includes identifying an application identifier associated with the application and selecting, using the application identifier, a label from a plurality of labels included in a routing table. The label includes one or more routes. The method further includes routing the traffic to the service associated with the application using the label.
-
Publication No.: WO2014189670A1
Publication date: 2014-11-27
Application No.: PCT/US2014/036907
Application date: 2014-05-06
Applicant: CISCO TECHNOLOGY, INC.
Inventor: BOSCH, Hendrikus, G.P. , GUICHARD, James , BARACH, Dave , DUMINUCO, Alessandro , FANG, Luyuan , QUINN, Paul , FERNANDO, Rex , WARD, David
IPC: H04L12/715
Abstract: Presented herein are techniques for use in a network environment that includes one or more service zones, each service zone including at least one instance of an in-line application service to be applied to network traffic and one or more routers to direct network traffic to the at least one service, and a route target being assigned to a unique service zone to serve as a community value for route import and export between routers of other service zones, destination networks or source networks via a control protocol. An edge router in each service zone or destination network advertises routes by its destination network prefix tagged with its route target. A service chain is created by importing and exporting of destination network prefixes by way of route targets at edge routers of the service zones or source networks.
-
Publication No.: WO2023278955A1
Publication date: 2023-01-05
Application No.: PCT/US2022/073072
Application date: 2022-06-22
Applicant: CISCO TECHNOLOGY, INC.
IPC: G06F11/36 , H04L43/55 , H04L9/40 , G06F9/54 , G06F11/3668 , G06F21/577 , G06F2221/033 , G06F9/547 , H04L41/046 , H04L63/1433 , H04L67/133
Abstract: According to some embodiments, a method comprises: obtaining an application programming interface (API) specification for an API service; performing one or more tests on the API service to determine an amount of deviation between the API service and the API specification; and determining a deviation score based on the amount of deviation between the API service and the API specification. The method may include transmitting the deviation score to a scoring agent.
-
Publication No.: WO2023278954A1
Publication date: 2023-01-05
Application No.: PCT/US2022/073069
Application date: 2022-06-22
Applicant: CISCO TECHNOLOGY, INC.
Inventor: BOSCH, Hendrikus, G.P. , BIRDSALL, Randy , DUMINUCO, Alessandro , KAUFMAN, Zohar , MULLENDER, Sape, Jurriën
IPC: G06F21/56 , G06F21/57 , H04L9/40 , H04L67/10 , G06F11/30 , G06F21/55 , G06F11/3684 , G06F21/554 , G06F21/562 , G06F21/577 , G06F2221/033 , G06F9/505 , G06F9/5072 , G06F9/541 , G06F9/547 , H04L63/1433 , H04L67/306
Abstract: According to some embodiments, a method is performed by a distributed cloud-native application. The method comprises receiving a request from a user to perform an operation. The user is associated with a risk profile. The method further comprises determining a call path through the distributed cloud-native application to perform the operation and classifying a risk level associated with the determined call path based on a distributed call graph. The distributed call graph comprises a risk value for each call path through the distributed cloud-native application and each call path comprises one or more distributed cloud-native application components. The risk value is based on a weakness rating associated with each component in the call path. The method further comprises determining the risk level associated with the determined call path is acceptable based on the risk profile associated with the user and performing the operation.
-
Publication No.: WO2022155622A1
Publication date: 2022-07-21
Application No.: PCT/US2022/070012
Application date: 2022-01-04
Applicant: CISCO TECHNOLOGY, INC.
Abstract: The present disclosure is directed to assessing API service security and may include the steps of identifying an API service called by an application based on information provided by an agent embedded within the application; collecting telemetry associated with the API service, the telemetry collected from one or more telemetry sources and indicating any deficiencies in the API service; generating a reputation score for the API service based on analysis of the collected telemetry; and transmitting the reputation score to at least one of the following: the agent embedded within the application, wherein the reputation score is associated with at least one policy having at least one policy action, and wherein the reputation score is operable to be used by the agent to invoke the at least one policy action relating to use of the API service by the application; or a continuous integration/continuous delivery pipeline associated with the application.
-
Publication No.: WO2021108172A1
Publication date: 2021-06-03
Application No.: PCT/US2020/060935
Application date: 2020-11-18
Applicant: CISCO TECHNOLOGY, INC.
Inventor: GUPTA, Anubhav , BOSCH, Hendrikus, G.P. , VALLURI, Vamsidhar , OLOFSSON, Stefan
IPC: H04L12/24 , H04L12/715 , H04L12/713
Abstract: According to certain embodiments, a system comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising: receiving location data associated with a plurality of remote users accessing one or more existing remote access gateways that are located at one or more network locations; building a heatmap of user locations based at least in part on the received location data; and identifying, from the heatmap of user locations, at least one new network location in which to generate at least one new remote access gateway, or at least one existing network location in which to remove at least one of the existing remote access gateways.
-
Publication No.: WO2020247224A1
Publication date: 2020-12-10
Application No.: PCT/US2020/034781
Application date: 2020-05-28
Applicant: CISCO TECHNOLOGY, INC.
Inventor: OLOFSSON, Stefan , WIJNANDS, Ijsbrand , BOSCH, Hendrikus, G.P. , NAPPER, Jeffrey , GUPTA, Anubhav
Abstract: In one embodiment, a router includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors. The one or more computer-readable non-transitory storage media include instructions that, when executed by the one or more processors, cause the router to perform operations including receiving software-defined networking in a wide area network (SD-WAN) policies from a component of an SD-WAN network. The operations also include establishing a session with a mobile device and receiving information associated with the mobile device in response to establishing the session with the mobile device. The operations further include filtering the SD-WAN policies based on the information associated with the mobile device to generate SD-WAN device-specific policies and communicating the SD-WAN device-specific policies to the mobile device.