Abstract:
Techniques for a hub node, provisioned in a network site of a hub and spoke overlay network, to receive a network advertisement from a spoke, decode network routing requirements from a border gateway protocol (BGP) large community associated with the network advertisement, and store the network routing requirements in association with a route associated with the spoke. The routing requirements may indicate one or more service(s) to be applied to a packet, a trust level associated with the spoke, and/or a trust zone associated with the spoke. The hub node may receive a packet from the spoke to be transmitted to a destination spoke. The hub node may then route the packet to the destination spoke, drop the packet, or send the packet to a service node configured to apply the one or more services to the packet based on the routing requirements.
Abstract:
In one embodiment, a centralized controller maintains a plurality of hierarchical behavioral modules of a behavioral model, and distributes initial behavioral modules to data plane entities to cause them to apply the initial behavioral modules to data plane traffic. The centralized controller may then receive data from a particular data plane entity based on its having applied the initial behavioral modules to its data plane traffic. The centralized controller then distributes subsequent behavioral modules to the particular data plane entity to cause it to apply the subsequent behavioral modules to the data plane traffic, the subsequent behavioral modules selected based on the previously received data from the particular data plane entity. The centralized controller may then iteratively receive data from the particular data plane entity and distribute subsequently selected behavioral modules until an attack determination is made on the data plane traffic of the particular data plane entity.
Abstract:
Techniques are presented for seamless engagement and disengagement of Transport Layer Security proxy services. A first initial message of a handshaking procedure for a first secure communication session between a first device and a second device is intercepted at a proxy device. The first initial message of the handshaking procedure is saved at the proxy device. A second initial message of a second handshaking procedure for a second secure communication session between the proxy device and the second device is sent from the proxy device to the second device. It is determined from the second handshaking procedure that inspection of the first secure communication session is not to be performed by the proxy device. The first secure communication session is established without examination of the communication traffic by the proxy device.
Abstract:
In one embodiment, a network security device is configured to monitor data traffic between a first device and a second device. The network security device may be configured to intercept a first initial message of a first encrypted handshaking procedure for a first secure communication session between the first device and the second device, the first initial message specifying a hostname that has been encrypted using first key information associated with the network security device, decrypt at least a portion of the first initial message using the first key information to determine the hostname, re-encrypt the hostname using second key information associated with the second device, and send, to the second device, a second initial message of a second encrypted handshaking procedure for a second secure communication session between the network security device and the second device, the second initial message specifying the hostname re-encrypted using the second key information.
Abstract:
In one embodiment, a method includes establishing, at a security device, a secure session for transmitting data between a client device and an end host, receiving decrypted data at the security device from the client device, inspecting the decrypted data at the security device, encrypting the decrypted data at the security device, and transmitting the encrypted data to the end host. Decryption at the client device is offloaded from the security device to distribute decryption and encryption processes between the client device and the security device. An apparatus and logic are also disclosed herein.
Abstract:
A policy is established comprising a condition having a multiphase attribute of a multiphase transaction. Phase specific policies are established for each phase in which the multiphase attribute may become known. The multiphase transaction is evaluated according to the phase specific policies at each phase of the multiphase transaction in which the multiphase attribute may become known until a policy decision of the policy is determined.
Abstract:
Techniques for a hub node, provisioned in a site of a hub and spoke overlay network, to receive, store, and/or forward network routing information associated with a spoke, and to send packets directly to spoke(s) that are remote from the hub node. A first hub node may receive a network advertisement including a border gateway protocol (BGP) large community string from a first spoke local to the first hub node. The first hub node may send the BGP large community string to a second hub node remote from the first hub node. The second hub node may decode network routing information from the BGP large community string and store the network routing information locally. The second hub node may send a packet from a second spoke local to the second hub node directly to the first spoke without the packet being routed via the first hub node.