SECURE MODIFICATION OF MANUFACTURER USAGE DESCRIPTION FILES BASED ON DEVICE APPLICATIONS

    Publication number: US20210288962A1

    Publication date: 2021-09-16

    Application number: US17235284

    Filing date: 2021-04-20

    Abstract: Techniques for providing secure modification of manufacturer usage description (MUD) files based on device applications are provided. In one embodiment, a method for secure modification of MUD files may include obtaining a request for one or more applications from a device. The method also includes providing to the device the one or more applications and a certification that includes an updated MUD identifier determined based on the one or more applications requested. The updated MUD identifier is associated with a concatenated MUD file that comprises individual MUD file portions for each of the one or more applications requested. The device is configured to request an updated device identifier using the certification. The updated device identifier includes the updated MUD identifier that is associated with the concatenated MUD file.

    Secure modification of manufacturer usage description files based on device applications

    Publication number: US11025628B2

    Publication date: 2021-06-01

    Application number: US15954875

    Filing date: 2018-04-17

    Abstract: Techniques for providing secure modification of manufacturer usage description (MUD) files based on device applications are provided. In one embodiment, a method for secure modification of MUD files may include obtaining a request for one or more applications from a device. The method also includes providing to the device the one or more applications and a certification that includes an updated MUD identifier determined based on the one or more applications requested. The updated MUD identifier is associated with a concatenated MUD file that comprises individual MUD file portions for each of the one or more applications requested. The device is configured to request an updated device identifier using the certification. The updated device identifier includes the updated MUD identifier that is associated with the concatenated MUD file.
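The two abstracts above describe the same mechanism: per-application MUD file portions are concatenated into one MUD file, an updated MUD identifier is derived from that file, and the identifier travels back to the device inside a certification that it later presents when requesting a new device identifier. The following is an added example written for this page, not the patent's or any vendor's implementation. It assumes that each application ships exactly one ACL portion, that the updated MUD identifier is the base MUD URL extended with a digest of the merged policy, and that the certification is an HMAC under a key shared by the application server and the device-identifier issuer (a deployment would use a signature and a certificate chain instead). The JSON layout follows RFC 8520; the application names, hostnames and keys are constructed sample data.

```python
"""Concatenated MUD file + updated MUD identifier (added example, assumptions in lead-in)."""
import copy
import hashlib
import hmac
import json


def make_ace(name, dnsname, port):
    """One RFC 8520 access-control entry: TCP from the device to dnsname:port, accept."""
    return {
        "name": name,
        "matches": {
            "ipv4": {"protocol": 6, "ietf-acldns:dst-dnsname": dnsname},
            "tcp": {"destination-port": {"operator": "eq", "port": port}},
        },
        "actions": {"forwarding": "accept"},
    }


# Constructed sample: the MUD file portion each installable application carries.
APP_MUD_PORTIONS = {
    "telemetry": {"acl-name": "mud-app-telemetry-v4fr",
                  "aces": [make_ace("cloud-telemetry", "telemetry.example.com", 443)]},
    "firmware-update": {"acl-name": "mud-app-fwupdate-v4fr",
                        "aces": [make_ace("fw-server", "update.example.com", 443)]},
    "remote-shell": {"acl-name": "mud-app-rshell-v4fr",
                     "aces": [make_ace("support-ssh", "support.example.com", 22)]},
}


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so digests and MACs are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def policy_digest(acls) -> str:
    """Assumed identifier scheme: digest of the merged ACL list (truncated for readability)."""
    return hashlib.sha256(canonical(acls)).hexdigest()[:32]


def concatenate_mud(base_mud_url, requested_apps, portions=APP_MUD_PORTIONS):
    """Merge one MUD file portion per requested application into a single MUD file."""
    apps = sorted(set(requested_apps))          # order-independent -> stable identifier
    unknown = [a for a in apps if a not in portions]
    if unknown:
        raise ValueError(f"no MUD portion for application(s): {unknown}")
    acls = [{"name": portions[a]["acl-name"], "type": "ipv4-acl-type",
             "aces": {"ace": copy.deepcopy(portions[a]["aces"])}} for a in apps]
    mud_identifier = f"{base_mud_url.rstrip('/')}/{policy_digest(acls)}"
    return {
        "ietf-mud:mud": {
            "mud-version": 1,
            "mud-url": mud_identifier,          # the updated MUD identifier
            "is-supported": True,
            "systeminfo": "applications: " + ", ".join(apps),
            "from-device-policy": {"access-lists": {"access-list": [{"name": a["name"]} for a in acls]}},
        },
        "ietf-access-control-list:acls": {"acl": acls},
    }


def issue_certification(device_id, base_mud_url, requested_apps, key: bytes):
    """Application-server side: the concatenated MUD file plus a certification that
    binds this device to the updated MUD identifier (HMAC stands in for a signature)."""
    mud = concatenate_mud(base_mud_url, requested_apps)
    payload = {"device-id": device_id, "applications": sorted(set(requested_apps)),
               "mud-identifier": mud["ietf-mud:mud"]["mud-url"]}
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag, "mud-file": mud}


def verify_certification(cert, key: bytes) -> bool:
    """Device-identifier issuer side: accept the updated identifier only if the
    certification MAC checks and the identifier really matches the attached policy."""
    expected = hmac.new(key, canonical(cert["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["tag"]):
        return False
    mud, ident = cert["mud-file"], cert["payload"]["mud-identifier"]
    acls = mud["ietf-access-control-list:acls"]["acl"]
    return (mud["ietf-mud:mud"]["mud-url"] == ident
            and ident.rsplit("/", 1)[-1] == policy_digest(acls))
```

The second check in `verify_certification` is the one that matters in practice: the MAC only proves who issued the certification, while recomputing the digest proves that the MUD file the device later serves is the one the identifier was minted for, so an attacker cannot widen the policy after issuance and still pass as a device with a legitimate identifier.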

    Network connected device usage profile management

    Publication number: US10547503B2

    Publication date: 2020-01-28

    Application number: US15007859

    Filing date: 2016-01-27

    Abstract: Presented herein are techniques in which one or more network devices can use information provided by a special purpose network connected device to retrieve a usage profile (i.e., configuration file) associated with the special purpose network connected device. The retrieved usage profile, which includes/describes preselected (predetermined) usage descriptions associated with the special purpose network connected device, can then be used to configure one or more network devices. For example, the predetermined usage descriptions associated with the special purpose network connected device can be instantiated and enforced at a network device or the predetermined usage descriptions can be used for auditing the special purpose network connected device (e.g., monitoring of traffic within the network).

    DYNAMIC DEVICE ISOLATION IN A NETWORK
    Invention application

    Publication number: US20190281085A1

    Publication date: 2019-09-12

    Application number: US16421858

    Filing date: 2019-05-24

    Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

    Dynamic device isolation in a network

    Publication number: US10356124B2

    Publication date: 2019-07-16

    Application number: US15446707

    Filing date: 2017-03-01

    Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

    NETWORK CONNECTED DEVICE USAGE PROFILE MANAGEMENT
    Invention application, status: pending (published)

    Publication number: US20170033984A1

    Publication date: 2017-02-02

    Application number: US15007859

    Filing date: 2016-01-27

    Abstract: Presented herein are techniques in which one or more network devices can use information provided by a special purpose network connected device to retrieve a usage profile (i.e., configuration file) associated with the special purpose network connected device. The retrieved usage profile, which includes/describes preselected (predetermined) usage descriptions associated with the special purpose network connected device, can then be used to configure one or more network devices. For example, the predetermined usage descriptions associated with the special purpose network connected device can be instantiated and enforced at a network device or the predetermined usage descriptions can be used for auditing the special purpose network connected device (e.g., monitoring of traffic within the network).
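The abstract above (and its granted counterpart, US10547503B2) describes two uses of a retrieved usage profile: instantiating it as enforcement at a network device, and using it to audit the device's actual traffic. The following is an added example written for this page, not the patent's implementation. It takes a usage profile in RFC 8520 MUD layout (a constructed sample for an IP camera), compiles the from-device access-control entries into allow rules an enforcement point could install, and audits a constructed set of observed flow records against them. Name resolution for `ietf-acldns:dst-dnsname` is a constructed lookup table here; a real enforcement point resolves the names when it installs the rules.

```python
"""Enforce and audit a retrieved usage profile (added example, assumptions in lead-in)."""
import json

# Constructed sample usage profile in RFC 8520 MUD layout.
SAMPLE_MUD = json.loads("""
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://mud.example.com/camera/v1",
    "is-supported": true,
    "systeminfo": "example IP camera",
    "from-device-policy": {"access-lists": {"access-list": [{"name": "mud-camera-v4fr"}]}},
    "to-device-policy": {"access-lists": {"access-list": []}}
  },
  "ietf-access-control-list:acls": {"acl": [{
    "name": "mud-camera-v4fr", "type": "ipv4-acl-type",
    "aces": {"ace": [
      {"name": "video-upload",
       "matches": {"ipv4": {"protocol": 6, "ietf-acldns:dst-dnsname": "video.example.com"},
                   "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
       "actions": {"forwarding": "accept"}},
      {"name": "ntp",
       "matches": {"ipv4": {"protocol": 17, "ietf-acldns:dst-dnsname": "ntp.example.com"},
                   "udp": {"destination-port": {"operator": "eq", "port": 123}}},
       "actions": {"forwarding": "accept"}}
    ]}
  }]}
}
""")

# Constructed stand-in for resolving the profile's hostnames at rule-install time.
RESOLVED = {"video.example.com": ["203.0.113.10", "203.0.113.11"],
            "ntp.example.com": ["203.0.113.30"]}


def compile_rules(mud, resolved=RESOLVED):
    """Instantiate the from-device policy as concrete allow rules (proto, dst, dport)."""
    wanted = [a["name"] for a in mud["ietf-mud:mud"]["from-device-policy"]["access-lists"]["access-list"]]
    acls = {a["name"]: a for a in mud["ietf-access-control-list:acls"]["acl"]}
    missing = [n for n in wanted if n not in acls]
    if missing:
        raise ValueError(f"from-device-policy references undefined ACLs: {missing}")
    rules = []
    for name in wanted:
        for ace in acls[name]["aces"]["ace"]:
            if ace["actions"]["forwarding"] != "accept":
                continue                      # only accept entries become allow rules
            m = ace["matches"]
            proto = m["ipv4"]["protocol"]
            l4 = m.get("tcp") or m.get("udp") or {}
            dport = l4.get("destination-port", {}).get("port")   # None -> any port
            for ip in resolved.get(m["ipv4"].get("ietf-acldns:dst-dnsname"), []):
                rules.append({"ace": ace["name"], "proto": proto, "dst": ip, "dport": dport})
    return rules


def flow_allowed(rules, proto, dst, dport) -> bool:
    """Enforcement decision for one outbound flow from the profiled device."""
    return any(r["proto"] == proto and r["dst"] == dst and r["dport"] in (None, dport)
               for r in rules)


def audit(rules, flows):
    """Audit use: return the observed flows the usage profile does not cover."""
    return [f for f in flows if not flow_allowed(rules, f["proto"], f["dst"], f["dport"])]


# Constructed sample flow records captured from the camera.
OBSERVED_FLOWS = [
    {"proto": 6, "dst": "203.0.113.10", "dport": 443},
    {"proto": 17, "dst": "203.0.113.30", "dport": 123},
    {"proto": 6, "dst": "198.51.100.5", "dport": 4444},   # host not in the profile
    {"proto": 6, "dst": "203.0.113.10", "dport": 22},     # right host, wrong port
]
```

Note that an allow rule is only as good as the name resolution behind it: if `RESOLVED` is populated from an attacker-controlled resolver, the profile is enforced against the wrong addresses, which is why the lookup path itself is a control point (compare the dynamic device isolation entries on this page).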

    Flexible device onboarding via bootstrap keys

    Publication number: US11601808B2

    Publication date: 2023-03-07

    Application number: US17008330

    Filing date: 2020-08-31

    Abstract: This technology uses a bootstrap key (“BSK”) to securely onboard a computing device to a network. A unique BSK associated with an onboarding computing device is used to verify for various deployment models (1) that the computing device has proof the computing device is connecting to the correct wired or wireless network and (2) that the network has proof the computing device is trusted. The BSK may be an associated BSK or an embedded BSK. A computing device receives a signed voucher from the manufacturer authorized signing authority (“MASA”) before the computing device may onboard to a network. The MASA will issue a voucher to a Bootstrapping Remote Secure Key Infrastructure (“BRSKI”) registrar if the registrar proves knowledge of the computing device's BSK to the MASA or the registrar has an established trust relationship with the MASA.
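The abstract above describes a gating rule at the MASA (issue a voucher only to a registrar that proves knowledge of the device's BSK or is already trusted) and a device-side check (only onboard once a signed voucher arrives). The following is an added example written for this page, not the patent's or any vendor's implementation, modelling both sides of that exchange. Assumptions: the BSK is a per-device secret known to the device and the manufacturer; proof of BSK knowledge is an HMAC over a MASA-issued challenge; the MASA's voucher signature is modelled as an HMAC under a key the device holds (a real MASA signs vouchers with a certificate per RFC 8366/RFC 8995); serial numbers, registrar names and keys are constructed sample data.

```python
"""BSK-gated voucher issuance and device-side voucher check (added example, assumptions in lead-in)."""
import hashlib
import hmac
import json
import secrets
import time


def mac(key: bytes, obj) -> str:
    """HMAC-SHA256 over a canonical JSON encoding (stands in for real signatures)."""
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class MASA:
    """Manufacturer authorized signing authority."""
    def __init__(self, device_bsks, trusted_registrars, voucher_key: bytes):
        self.device_bsks = device_bsks            # serial -> BSK, the manufacturer's record
        self.trusted = set(trusted_registrars)    # registrars with an established trust relationship
        self.voucher_key = voucher_key
        self._issued = set()                      # outstanding challenges, single use

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self._issued.add(c)
        return c

    def request_voucher(self, registrar_id, serial, device_nonce, challenge, bsk_proof=None):
        """Issue a voucher only if the registrar is trusted, or proves it knows this
        device's BSK by MAC-ing the MASA's fresh challenge with it."""
        bsk = self.device_bsks.get(serial)
        if bsk is None or challenge not in self._issued:
            return None
        self._issued.discard(challenge)           # a challenge cannot be replayed
        if registrar_id not in self.trusted:
            expected = mac(bsk, {"challenge": challenge, "registrar": registrar_id, "serial": serial})
            if bsk_proof is None or not hmac.compare_digest(expected, bsk_proof):
                return None
        voucher = {"serial-number": serial, "pinned-domain": registrar_id,
                   "nonce": device_nonce, "created-on": int(time.time())}
        return {"voucher": voucher, "signature": mac(self.voucher_key, voucher)}


class Registrar:
    """BRSKI registrar for one network; may hold BSKs learned out of band (e.g. scanned at install)."""
    def __init__(self, registrar_id, masa, known_bsks=None):
        self.id, self.masa = registrar_id, masa
        self.known_bsks = known_bsks or {}

    def onboard(self, serial, device_nonce):
        challenge = self.masa.challenge()
        proof = None
        if serial in self.known_bsks:
            proof = mac(self.known_bsks[serial],
                        {"challenge": challenge, "registrar": self.id, "serial": serial})
        return self.masa.request_voucher(self.id, serial, device_nonce, challenge, proof)


class Device:
    """Pledge: will not join until a voucher for its serial and current nonce arrives."""
    def __init__(self, serial, masa_voucher_key: bytes):
        self.serial, self.masa_voucher_key = serial, masa_voucher_key
        self.nonce = None

    def start(self) -> str:
        self.nonce = secrets.token_hex(16)        # fresh per onboarding attempt
        return self.nonce

    def accept_voucher(self, signed, registrar_id) -> bool:
        """The device's proof it is joining the correct network: the voucher carries the
        MASA's MAC, this serial, the current nonce, and pins the registrar it is talking to."""
        if signed is None:
            return False
        v = signed["voucher"]
        return (hmac.compare_digest(mac(self.masa_voucher_key, v), signed["signature"])
                and v["serial-number"] == self.serial
                and v["nonce"] == self.nonce
                and v["pinned-domain"] == registrar_id)
```

The nonce and the pinned domain are what make the voucher unusable elsewhere: a registrar that captured a voucher issued for another network fails the `pinned-domain` check, and a voucher obtained before the device rebooted fails the nonce check.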

    Dynamic device isolation in a network

    Publication number: US11283831B2

    Publication date: 2022-03-22

    Application number: US16421858

    Filing date: 2019-05-24

    Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.
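The three dynamic-device-isolation entries on this page share one abstract: an in-path device tags an endpoint's address lookup with its profile, the lookup service answers only with addresses that profile may reach, the device learns that set from the response, and anything outside the set is blocked. The following is an added example written for this page, not the patent's implementation, showing both the lookup service and the enforcing device. Assumptions: the address request and response are plain objects rather than DNS messages; the profile tag comes from an endpoint-to-profile table; learned addresses expire with the response TTL; all endpoint ids, profiles, hostnames and addresses are constructed sample data.

```python
"""Profile-tagged address lookups with in-path enforcement (added example, assumptions in lead-in)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data.
PROFILES = {                    # profile tag -> names the profile is authorized to resolve
    "ip-camera": {"video.example.com", "ntp.example.com"},
    "thermostat": {"telemetry.example.com", "ntp.example.com"},
}
ENDPOINT_PROFILE = {            # endpoint id -> profile tag (e.g. learned from MUD or 802.1X)
    "cam-01": "ip-camera",
    "therm-07": "thermostat",
}
ZONE = {                        # what the lookup service resolves names to
    "video.example.com": ["203.0.113.10", "203.0.113.11"],
    "telemetry.example.com": ["203.0.113.20"],
    "ntp.example.com": ["203.0.113.30"],
    "c2.example.net": ["198.51.100.5"],
}


@dataclass
class AddressRequest:
    endpoint: str
    qname: str
    profile_tag: Optional[str] = None   # inserted by the network device, never by the endpoint


@dataclass
class AddressResponse:
    endpoint: str
    qname: str
    addresses: list = field(default_factory=list)
    ttl: int = 0


class LookupService:
    """Resolves a name only if the tagged profile is authorized to reach it."""
    def resolve(self, req: AddressRequest) -> AddressResponse:
        if req.qname not in PROFILES.get(req.profile_tag, set()):
            return AddressResponse(req.endpoint, req.qname)        # empty answer: not authorized
        return AddressResponse(req.endpoint, req.qname, list(ZONE.get(req.qname, [])), ttl=60)


class EnforcingDevice:
    """In-path network device: tags requests, learns the authorized set, blocks the rest."""
    def __init__(self, lookup: LookupService, clock):
        self.lookup, self.clock = lookup, clock
        self._authorized = {}     # endpoint -> {address: expiry}

    def handle_address_request(self, req: AddressRequest) -> AddressResponse:
        tag = ENDPOINT_PROFILE.get(req.endpoint)
        if tag is None:                      # unprofiled endpoint: nothing is authorized
            return AddressResponse(req.endpoint, req.qname)
        req.profile_tag = tag                # the profile tag is inserted in-path
        resp = self.lookup.resolve(req)
        expiry = self.clock() + resp.ttl
        table = self._authorized.setdefault(req.endpoint, {})
        for addr in resp.addresses:
            table[addr] = expiry             # learn the authorized set from the response
        return resp

    def is_authorized(self, endpoint: str, address: str) -> bool:
        table = self._authorized.get(endpoint, {})
        expiry = table.get(address)
        if expiry is None:
            return False
        if expiry <= self.clock():           # stale entry: forget it and treat as unauthorized
            del table[address]
            return False
        return True

    def decide(self, endpoint: str, address: str) -> str:
        return "forward" if self.is_authorized(endpoint, address) else "block"
```

Two properties of this design are worth checking in any real deployment: the authorized set is per endpoint (an address learned for the camera does not open a path for the thermostat), and an endpoint that bypasses the lookup service by connecting to a raw IP has no entry and is blocked, which is the isolation the abstract describes.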

    SYSTEMS AND METHODS FOR PRE-CONFIGURATION ATTESTATION OF NETWORK DEVICES

    Publication number: US20200322356A1

    Publication date: 2020-10-08

    Application number: US16808114

    Filing date: 2020-03-03

    Abstract: Systems, methods, and computer-readable media are disclosed for measurement of trustworthiness of network devices prior to their configuration and deployment in a network. In one aspect of the present disclosure, a method for pre-configuration of network devices includes receiving, at a dynamic host configuration server, a first request from a network device for configuration data, the configuration data including at least an IP address; sending, by the dynamic host configuration server, a second request to the network device for attestation information; verifying, by the dynamic host configuration server, the network device based on the attestation information; and assigning, by the dynamic host configuration server, the configuration data to the network device upon verifying the network device.
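The abstract above describes a four-step exchange: the device asks the DHCP server for configuration data, the server answers with a request for attestation information, the server verifies that information, and only then assigns the configuration. The following is an added example written for this page, not the patent's implementation, running that exchange end to end. Assumptions: the DHCP messages are method calls rather than packets; the attestation is an HMAC over a server-issued nonce and a boot measurement under a per-device attestation key the server has on record (standing in for a TPM quote verified against the device's attestation certificate); device records, the known-good measurement and the address pool are constructed sample data.

```python
"""Attestation-gated DHCP address assignment (added example, assumptions in lead-in)."""
import hashlib
import hmac
import ipaddress
import secrets

# Constructed records: attestation key per device, and the firmware measurement we expect.
DEVICE_RECORDS = {
    "00:11:22:33:44:55": {"ak": b"ak-switch-01"},
    "00:11:22:33:44:66": {"ak": b"ak-switch-02"},
    "00:11:22:33:44:77": {"ak": b"ak-switch-03"},
}
GOOD_MEASUREMENT = hashlib.sha256(b"switch-os-1.4.2").hexdigest()
KNOWN_GOOD = {GOOD_MEASUREMENT}


def attest(ak: bytes, nonce: str, measurement: str) -> str:
    """Device side: bind the boot measurement to the server's fresh nonce."""
    return hmac.new(ak, f"{nonce}|{measurement}".encode(), hashlib.sha256).hexdigest()


class AttestingDhcpServer:
    def __init__(self, pool: str, records=DEVICE_RECORDS, known_good=KNOWN_GOOD):
        self.free = [str(ip) for ip in ipaddress.ip_network(pool).hosts()]
        self.records, self.known_good = records, known_good
        self.pending = {}      # mac -> nonce awaiting attestation (single use)
        self.leases = {}       # mac -> assigned address
        self.quarantine = set()

    def discover(self, mac: str):
        """Step 1/2: the first request for configuration data is answered with an attestation request."""
        if mac in self.quarantine:
            return {"type": "NAK", "reason": "quarantined"}
        if mac in self.leases:
            return {"type": "ACK", "ip": self.leases[mac]}
        nonce = secrets.token_hex(16)
        self.pending[mac] = nonce
        return {"type": "ATTEST-REQUEST", "nonce": nonce}

    def attestation(self, mac: str, nonce: str, measurement: str, signature: str):
        """Steps 3/4: verify the attestation, then assign configuration only on success."""
        expected_nonce = self.pending.pop(mac, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return {"type": "NAK", "reason": "stale or unknown nonce"}
        rec = self.records.get(mac)
        if rec is None:
            return {"type": "NAK", "reason": "unknown device"}
        if not hmac.compare_digest(attest(rec["ak"], nonce, measurement), signature):
            return {"type": "NAK", "reason": "bad attestation signature"}
        if measurement not in self.known_good:
            self.quarantine.add(mac)         # authentic device, but not the firmware we expect
            return {"type": "NAK", "reason": "measurement not known-good"}
        ip = self.free.pop(0)
        self.leases[mac] = ip
        return {"type": "ACK", "ip": ip}


def onboard(server: AttestingDhcpServer, mac: str, ak: bytes, measurement: str):
    """One device's whole exchange: DISCOVER -> attestation request -> attestation -> ACK or NAK."""
    offer = server.discover(mac)
    if offer["type"] != "ATTEST-REQUEST":
        return offer
    sig = attest(ak, offer["nonce"], measurement)
    return server.attestation(mac, offer["nonce"], measurement, sig)
```

The order of the checks is deliberate: the nonce is consumed before anything else is examined, so a captured attestation cannot be replayed even with a valid signature, and an authentic device reporting an unexpected measurement is quarantined rather than silently refused, because that is the case an operator needs to see.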
