公开(公告)号：US20210044623A1

公开(公告)日：2021-02-11

申请号：US16867642

申请日：2020-05-06

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G.P. Bosch ,  Sape Jurriën Mullender ,  Jeffrey Michael Napper ,  Alessandro Duminuco ,  Shivani Raghav

IPC: H04L29/06 ,  G06F21/57 ,  G06F9/54

Abstract: Dynamically tailored trust for secure application-server networking and advanced enterprise security is provided. A system can individually assess the security posture of each application connecting to the Internet from each client device in an enterprise. For each application, the system tailors a security mode of the Internet connection based on the security posture of the application. Assessment of the security posture of an application is a comprehensive inventory of the security of the application, the security of the device hosting the application, the rights and security of the user, security attributes of the intended service or website being accessed, the security of the communication channel, and so forth. A network-based controller communicates with an agent running within a secure boot mode of each client device to select a security mode for application-service connection, including lean-trust direct access to the Internet, secure VPN-like access, or no access to the Internet.

公开(公告)号：US20250097252A1

公开(公告)日：2025-03-20

申请号：US18470884

申请日：2023-09-20

Applicant: Cisco Technology, Inc.

Inventor： Arash Salarian ,  Marcelo Yannuzzi ,  Hendrikus G.P. Bosch ,  Jeffrey Michael Napper

IPC: H04L9/40

Abstract: Techniques for using real-time metrics and telemetry information to dynamically prioritize attack paths identified during a static analysis of a cloud native application, and using top priority attack paths identified during the static analysis to steer the dynamic analysis. The techniques may include identifying components of the cloud native application and connections between the components. The components and connections are analyzed to identify a set of attack paths. Network communications are monitored between the connections and metrics representing signals in the communications collected. A first subset of the attack paths based on a first portion of the metric indicating a real-time security vulnerability are identified. Finally, the first subset of the attack paths is prioritized over a second subset of the attack paths based at least in part on the first subset having the first portion of the metrics indicating real-time security vulnerabilities.

公开(公告)号：US20240146770A1

公开(公告)日：2024-05-02

申请号：US18395471

申请日：2023-12-22

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G.P. Bosch ,  Sape Jurrien Mullender ,  Jeffrey Michael Napper ,  Alessandro Duminuco ,  Shivani Raghav

IPC: H04L9/40 ,  G06F9/54 ,  G06F21/57

CPC classification number: H04L63/20 ,  G06F9/547 ,  G06F21/575 ,  H04L63/0272 ,  H04L63/0853 ,  H04L63/1425 ,  H04L63/1433

Abstract: Dynamically tailored trust for secure application-server networking and advanced enterprise security is provided. A system can individually assess the security posture of each application connecting to the Internet from each client device in an enterprise. For each application, the system tailors a security mode of the Internet connection based on the security posture of the application. Assessment of the security posture of an application is a comprehensive inventory of the security of the application, the security of the device hosting the application, the rights and security of the user, security attributes of the intended service or website being accessed, the security of the communication channel, and so forth. A network-based controller communicates with an agent running within a secure boot mode of each client device to select a security mode for application-service connection, including lean-trust direct access to the Internet, secure VPN-like access, or no access to the Internet.

公开(公告)号：US11968201B2

公开(公告)日：2024-04-23

申请号：US17141007

申请日：2021-01-04

Applicant: Cisco Technology, Inc.

Inventor： Ahmed Bakry Helmy Ahmed ,  Sape Jurrien Mullender ,  Hendrikus G. P. Bosch ,  Alessandro Duminuco ,  Jeffrey Michael Napper

IPC: H04L9/40

CPC classification number: H04L63/0815 ,  H04L63/0807 ,  H04L63/0884 ,  H04L63/164

Abstract: Operations include transmitting, on behalf of a first application, a first request to a first service provider, the first request requesting first services from the first service provider, intercepting, at a local agent, a first redirect message from the first service provider to an identity provider, receiving an identity provider cookie from the identity provider based on a validation of credentials during the authentication process, storing a copy of the identity provider cookie, transmitting, on behalf of a second application, a second request to a second service provider, the second request requesting second services from the second service provider, intercepting a second redirect message from the second service provider to the identity provider, adding the identity provider cookie to the second redirect message, and receiving validation to access the second service provider from the identity provider based on the identity provider cookie stored by the local agent.

公开(公告)号：US11863588B2

公开(公告)日：2024-01-02

申请号：US16867642

申请日：2020-05-06

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G. P. Bosch ,  Sape Jurriën Mullender ,  Jeffrey Michael Napper ,  Alessandro Duminuco ,  Shivani Raghav

IPC: H04L9/00 ,  H04L9/40 ,  G06F21/57 ,  G06F9/54

CPC classification number: H04L63/20 ,  G06F9/547 ,  G06F21/575 ,  H04L63/0272 ,  H04L63/0853 ,  H04L63/1425 ,  H04L63/1433

Abstract: Dynamically tailored trust for secure application-server networking and advanced enterprise security is provided. A system can individually assess the security posture of each application connecting to the Internet from each client device in an enterprise. For each application, the system tailors a security mode of the Internet connection based on the security posture of the application. Assessment of the security posture of an application is a comprehensive inventory of the security of the application, the security of the device hosting the application, the rights and security of the user, security attributes of the intended service or website being accessed, the security of the communication channel, and so forth. A network-based controller communicates with an agent running within a secure boot mode of each client device to select a security mode for application-service connection, including lean-trust direct access to the Internet, secure VPN-like access, or no access to the Internet.

公开(公告)号：US11683309B2

公开(公告)日：2023-06-20

申请号：US17169086

申请日：2021-02-05

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus GP Bosch ,  Jeffrey Michael Napper ,  Alessandro Duminuco ,  Sape Jurrien Mullender ,  Julien Barbot ,  Vinny Parla

IPC: H04L9/40 ,  H04L61/4511

CPC classification number: H04L63/10 ,  H04L61/4511 ,  H04L63/0876 ,  H04L63/20 ,  H04L63/0272

Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques include a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.

公开(公告)号：US11425098B2

公开(公告)日：2022-08-23

申请号：US16855809

申请日：2020-04-22

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G. P. Bosch ,  Alessandro Duminuco ,  Sape Jurriën Mullender ,  Jeffrey Michael Napper

IPC: H04L9/40 ,  H04L12/46

Abstract: An identity provider (IdP) service interoperates with a Virtual Private Network (VPN) client. The IdP service receives a login request originating from the VPN client to establish a VPN tunnel between the VPN client and a VPN host, the login request indicating a user of the VPN client. The IdP service provides a response to the login request. The response includes at least both first information including an indication that the user of the VPN client is an authorized user and second information including an indication of a VPN policy for the VPN tunnel, the VPN policy including a VPN client policy to be utilized during the VPN tunnel by the VPN client and a VPN host policy to be utilized during the VPN tunnel by the VPN host.