公开(公告)号：US20160294803A1

公开(公告)日：2016-10-06

申请号：US14674596

申请日：2015-03-31

Applicant: Cisco Technology, Inc.

Inventor： Tirumaleswar Reddy ,  Daniel Wing ,  Prashanth Patil

IPC: H04L29/06

CPC classification number: H04L67/42 ,  H04L63/0807 ,  H04L67/06 ,  H04L67/20 ,  H04L67/289

Abstract: In one embodiment, first content is served by an application server to a client computer through an Internet service provider network. The first content includes a link to second content on a third-party server. A token request is sent from the third-party server to the application server in response to selection of the link by the client computer. A token is provided to the third-party server by the application server in response to the token request. The token is configured to authorize data flow at a bandwidth for the second content by the Internet service provider network to the client computer. The data flow is authorized based on an agreement for the bandwidth between an operator of the application server and an operator of the Internet service provider network.

Abstract translation: 在一个实施例中，第一内容由应用服务器通过因特网服务提供商网络服务于客户端计算机。 第一内容包括指向第三方服务器上的第二内容的链接。 响应于客户端计算机的链接的选择，令牌请求从第三方服务器发送到应用服务器。 响应于令牌请求，应用服务器向第三方服务器提供令牌。 令牌被配置为授权由因特网服务提供商网络向客户端计算机的第二内容的带宽的数据流。 基于对应用服务器的运营商和因特网服务提供商网络的运营商之间的带宽的协议来授权数据流。

公开(公告)号：US20160080395A1

公开(公告)日：2016-03-17

申请号：US14488973

申请日：2014-09-17

Applicant: Cisco Technology, Inc.

Inventor： Tirumaleswar Reddy ,  Prashanth Patil ,  Daniel Wing

IPC: H04L29/06 ,  H04L29/12 ,  H04L29/08

CPC classification number: H04L63/1425 ,  H04L61/1511 ,  H04L61/2007 ,  H04L61/2514 ,  H04L63/0236 ,  H04L63/1408 ,  H04L63/145 ,  H04L67/02 ,  H04L67/10 ,  H04L69/16 ,  H04L69/22 ,  H04L2463/144

Abstract: In one implementation, a network device is configured to monitor communications associated with an endpoint and identify domain name service messages in the communications. Subsequently, the network device receives a hypertext transfer protocol (HTTP) request and determines whether a destination internet protocol (IP) address of the HTTP request is present in or absent from the domain name service messages. When the IP address is absent from the domain name service messages, the HTTP request is modified to trigger increased security.

Abstract translation: 在一个实现中，网络设备被配置为监视与端点相关联的通信并且识别通信中的域名服务消息。 随后，网络设备接收超文本传输​​协议（HTTP）请求，并确定HTTP请求的目标网际协议（IP）地址是否存在于或不存在于域名服务消息中。 当域名服务消息中不存在IP地址时，会修改HTTP请求以触发增加的安全性。

公开(公告)号：US20150026757A1

公开(公告)日：2015-01-22

申请号：US13947498

申请日：2013-07-22

Applicant: Cisco Technology, Inc.

Inventor： Tirumaleswar Reddy ,  Prashanth Patil ,  Ramesh Nethi ,  Daniel Wing ,  Christopher Wild

IPC: H04L29/06

CPC classification number: H04L63/20 ,  H04L63/0281 ,  H04L63/10

Abstract: In one implementation, Web-Cache deployed in the Enterprise premises and cloud-based SecaaS are combined such that similar identity-based polices are enforced on both the SecaaS and content delivered from the Web-Cache. This identity-based policy implementation outside the network using SecaaS and within the network for web-cached content provides consistent identity-based security while still providing content to end-users with high performance. Content inspected and/or modified by SecaaS may be cached in the enterprise premises so that requests for content from an origin server decreases, freeing Internet bandwidth and reducing access time. Local caching of streaming content may decrease latency while local implementation of identity-based policy continues to limit the streamed content as appropriate. Local implementation of identity-based policy may reduce the load on SecaaS. Rather than using content delivery networks provided by a service provider for web-content, a cache server within the enterprise is used.

Abstract translation: 在一个实现中，部署在企业场所和基于云的SecaaS中的Web-Cache组合起来，从而在SecaaS和从Web-Cache传递的内容上实施类似的基于身份的策略。 网络外的基于身份的策略实施使用SecaaS并在网络缓存的内容中提供了一致的基于身份的安全性，同时仍向最终用户提供高性能的内容。 SecaaS检查和/或修改的内容可能会缓存在企业场所，以便来自原始服务器的内容请求减少，释放Internet带宽并减少访问时间。 流内容的本地缓存可能会降低延迟，而本地实施基于身份的策略会继续适当地限制流内容。 基于身份的策略的本地实施可能会降低对SecaaS的负担。 不使用服务提供商提供的内容传递网络进行Web内容，而是使用企业内的缓存服务器。

公开(公告)号：US09729565B2

公开(公告)日：2017-08-08

申请号：US14488973

申请日：2014-09-17

Applicant: Cisco Technology, Inc.

Inventor： Tirumaleswar Reddy ,  Prashanth Patil ,  Daniel Wing

IPC: H04L29/06 ,  H04L29/08 ,  H04L29/12

CPC classification number: H04L63/1425 ,  H04L61/1511 ,  H04L61/2007 ,  H04L61/2514 ,  H04L63/0236 ,  H04L63/1408 ,  H04L63/145 ,  H04L67/02 ,  H04L67/10 ,  H04L69/16 ,  H04L69/22 ,  H04L2463/144

Abstract: In one implementation, a network device is configured to monitor communications associated with an endpoint and identify domain name service messages in the communications. Subsequently, the network device receives a hypertext transfer protocol (HTTP) request and determines whether a destination internet protocol (IP) address of the HTTP request is present in or absent from the domain name service messages. When the IP address is absent from the domain name service messages, the HTTP request is modified to trigger increased security.

公开(公告)号：US20170223054A1

公开(公告)日：2017-08-03

申请号：US15013413

申请日：2016-02-02

Applicant: Cisco Technology, Inc.

Inventor： Daniel Wing ,  Jianxin Wang ,  Venkatesh Narsipur Gautam

IPC: H04L29/06

CPC classification number: H04L63/166 ,  H04L63/0281 ,  H04L63/0823

Abstract: A proxy device intercepts a client transport layer security message including a server name indicator from a client device. The first client transport layer security message is addressed to a server. The proxy device generates a second client transport layer security message including the server name indicator from the first client transport layer security message and sends the second client transport layer security message to the server. The proxy device receives a certificate from the server, validates its identity, and performs policy functions based on that identity.

公开(公告)号：US09288231B2

公开(公告)日：2016-03-15

申请号：US13947498

申请日：2013-07-22

Applicant: Cisco Technology, Inc.

Inventor： Tirumaleswar Reddy ,  Prashanth Patil ,  Ramesh Nethi ,  Daniel Wing ,  Christopher Wild

IPC: H04L29/06

CPC classification number: H04L63/20 ,  H04L63/0281 ,  H04L63/10

Abstract: In one implementation, Web-Cache deployed in the Enterprise premises and cloud-based SecaaS are combined such that similar identity-based polices are enforced on both the SecaaS and content delivered from the Web-Cache. This identity-based policy implementation outside the network using SecaaS and within the network for web-cached content provides consistent identity-based security while still providing content to end-users with high performance. Content inspected and/or modified by SecaaS may be cached in the enterprise premises so that requests for content from an origin server decreases, freeing Internet bandwidth and reducing access time. Local caching of streaming content may decrease latency while local implementation of identity-based policy continues to limit the streamed content as appropriate. Local implementation of identity-based policy may reduce the load on SecaaS. Rather than using content delivery networks provided by a service provider for web-content, a cache server within the enterprise is used.

Abstract translation: 在一个实现中，部署在企业场所和基于云的SecaaS中的Web-Cache组合起来，从而在SecaaS和从Web-Cache传递的内容上实施类似的基于身份的策略。 网络外的基于身份的策略实施使用SecaaS并在网络缓存的内容中提供了一致的基于身份的安全性，同时仍向最终用户提供高性能的内容。 SecaaS检查和/或修改的内容可能会缓存在企业场所，以便来自原始服务器的内容请求减少，释放Internet带宽并减少访问时间。 流内容的本地缓存可能会降低延迟，而本地实施基于身份的策略会继续适当地限制流内容。 基于身份的策略的本地实施可能会降低对SecaaS的负担。 不使用服务提供商提供的内容传递网络进行Web内容，而是使用企业内的缓存服务器。

公开(公告)号：US10749897B2

公开(公告)日：2020-08-18

申请号：US16110102

申请日：2018-08-23

Applicant: Cisco Technology, Inc.

Inventor： Tirumaleswar Reddy ,  Daniel Wing ,  Prashanth Patil

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/14 ,  H04L9/30 ,  H04L9/32 ,  H04L29/08

Abstract: In one embodiment, a distributed denial of service attack on a network is identified. In response to the distributed denial of service attack, a script to request a short term certificate is executed. The short term certificate is generated by a certificate server and received either directly or indirectly from the certificate server. An instruction to redirect traffic using the short term certificate and private key is sent to a distributed denial of service attack protection service that is operable to filter or otherwise mitigate malicious traffic involved in the distributed denial of service attack.

公开(公告)号：US20190014146A1

公开(公告)日：2019-01-10

申请号：US16110102

申请日：2018-08-23

Applicant: Cisco Technology, Inc.

Inventor： Tirumaleswar Reddy ,  Daniel Wing ,  Prashanth Patil

IPC: H04L29/06 ,  H04L29/08 ,  H04L9/08 ,  H04L9/32 ,  H04L9/30 ,  H04L9/14

Abstract: In one embodiment, a distributed denial of service attack on a network is identified. In response to the distributed denial of service attack, a script to request a short term certificate is executed. The short term certificate is generated by a certificate server and received either directly or indirectly from the certificate server. An instruction to redirect traffic using the short term certificate and private key is sent to a distributed denial of service attack protection service that is operable to filter or otherwise mitigate malicious traffic involved in the distributed denial of service attack.

公开(公告)号：US20170070506A1

公开(公告)日：2017-03-09

申请号：US14845505

申请日：2015-09-04

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Prashanth Patil ,  Daniel Wing

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L63/10 ,  G06F21/56 ,  H04L63/0428 ,  H04L63/06 ,  H04L63/062 ,  H04L63/102 ,  H04L63/20 ,  H04L67/06 ,  H04L67/10

Abstract: A method of leveraging security-as-a-service for cloud-based file sharing includes receiving, at a cloud-based file sharing server external to an enterprise network and having connectivity to the enterprise network, instructions from an enterprise network to validate a file uploaded by a first user associated with the enterprise network before allowing the file to be downloaded. The file sharing server may then receive the file from the first user and forward the file to a cloud-based security-as-a-service (SECaaS) server that is also external to the enterprise network and has connectivity to the enterprise network. The file sharing server receives a determination of validation from the cloud-based SECaaS server and allows a second user to download the file based on the determination. To make the determination, the SECaaS server retrieves cryptographic keying material from a cloud-based key management server, and decrypts the file.

Abstract translation: 利用基于云的文件共享的安全即服务的方法包括在企业网络外部的基于云的文件共享服务器上接收与企业网络的连接，来自企业网络的指令以验证文件 在允许文件下载之前由与企业网络相关联的第一用户上传。 然后，文件共享服务器可以从第一用户接收文件，并将文件转发到也在企业网络外部并且具有到企业网络的连接的基于云的安全即服务（SECaaS）服务器。 文件共享服务器接收来自基于云的SECaaS服务器的确认确定，并允许第二用户基于确定来下载文件。 为了做出决定，SECaaS服务器从基于云的密钥管理服务器检索密码密钥资料，并解密该文件。

公开(公告)号：US09413560B2

公开(公告)日：2016-08-09

申请号：US14278598

申请日：2014-05-15

Applicant: Cisco Technology, Inc.

Inventor： Prashanth Patil ,  Tirumaleswar Reddy ,  Daniel Wing ,  William Ver Steeg

IPC: H04L12/851 ,  H04L12/24 ,  H04L29/06 ,  H04L12/64 ,  H04L29/08

CPC classification number: H04L12/6418 ,  H04L29/06 ,  H04L41/5019 ,  H04L41/5038 ,  H04L47/2441 ,  H04L63/145 ,  H04L67/02 ,  H04L67/06

Abstract: Various embodiments are disclosed for prioritizing network flows and providing differentiated quality of service in a telecommunications network. In some embodiments, a SecaaS can be utilized to signal flow characteristics of one or more network flows to a connector in a network so that the network can install differentiated quality of service against the one or more network flows based upon the received flow characteristics. Some embodiments enable a connector in a network to act as a PCP client to signal received flow characteristics to an upstream PCP server hosted by an adjacent access network.

Abstract translation: 公开了各种实施例用于优先化网络流并在电信网络中提供差异化​​的服务质量。 在一些实施例中，可以使用SecaaS来向网络中的连接器发送一个或多个网络流的流特性，使得网络可以基于所接收的流特性来针对所述一个或多个网络流安装差异化服务质量。 一些实施例使得网络中的连接器能够充当PCP客户端，以将接收到的流量特性信号发送到由相邻接入网络托管的上游PCP服务器。