公开(公告)号：US09948679B2

公开(公告)日：2018-04-17

申请号：US14976338

申请日：2015-12-21

Applicant: Cisco Technology, Inc.

Inventor： Zachary D Siswick ,  Umesh Kumar Miglani ,  Daniel Hollingshead ,  Karyll Catubig ,  Yedidya Dotan ,  Denis Knjazihhin

IPC: H04L29/06 ,  G06F3/0481 ,  G06F3/0484

CPC classification number: H04L63/20 ,  G06F3/04817 ,  G06F3/04842 ,  H04L63/02 ,  H04L63/102

Abstract: In a computer implemented method, selectable device icons that represent respective network security devices are generated for display. Responsive to a selection of one of the device icons, selectable interface icons that represent respective network interfaces used by the network security device represented by the selected device icon are generated for display. Responsive to a selection of one of the interface icons, selectable policy icons that represent respective security polices applied to the network interface represented by the selected interface icon are generated for display. Responsive to a selection of one of the policy icons, selectable object group icons that represent respective groups of security rule objects used in the network security policy represented by the selected policy icon are generated for display.

公开(公告)号：US20170317999A1

公开(公告)日：2017-11-02

申请号：US15139750

申请日：2016-04-27

Applicant: Cisco Technology, Inc.

Inventor： Denis Knjazihhin ,  Yedidya Dotan ,  Christopher Duane ,  Jason M. Perry

IPC: H04L29/06 ,  G06F9/44 ,  H04L29/08

CPC classification number: H04L63/08 ,  G06F9/4416 ,  G06F21/575 ,  H04L63/0884 ,  H04L67/28

Abstract: Presented herein are techniques for remotely releasing bootstrap credentials to a cloud management proxy device. In particular, a cloud management proxy device that is associated with a cloud system commences a boot operation. The cloud management proxy device then initiates a remote credential release process to obtain the bootstrap credentials, which are useable by the cloud management proxy device to complete the boot operation. Upon completion of the remote credential release process, the bootstrap credentials are received from a remote credential manager system.

公开(公告)号：US20170230425A1

公开(公告)日：2017-08-10

申请号：US15498927

申请日：2017-04-27

Applicant: Cisco Technology, Inc.

Inventor： Denis Knjazihhin ,  Yedidya Dotan ,  Burak Say ,  Robin Martherus ,  Sachin Vasant

IPC: H04L29/06

CPC classification number: H04L63/20 ,  G06F21/604 ,  H04L41/28 ,  H04L63/10 ,  H04L63/102

Abstract: A management entity generates for display multiple icons, each icon representing an actor or a resource in a networking environment, and defines a generic security policy by receiving user input in the form of a line drawn between a first icon representing an actor and a second icon representing a resource to control abilities between the actor and the resource. The management entity translates the generic security policy to multiple native security policies each of which is based on a corresponding one of multiple native policy models associated with corresponding ones of multiple security devices, and supply data descriptive of the multiple native security policies to the corresponding ones of the security devices to configure the corresponding ones of the security devices to implement the native security policies.

公开(公告)号：US20170155562A1

公开(公告)日：2017-06-01

申请号：US15237142

申请日：2016-08-15

Applicant: Cisco Technology, Inc.

Inventor： Sachin Vasant ,  Umesh Kumar Miglani ,  Zachary D. Siswick ,  Doron Levari ,  Yedidya Dotan

IPC: H04L12/26 ,  H04L29/12

CPC classification number: H04L63/0227 ,  H04L63/1408 ,  H04L63/20

Abstract: A network management entity is configured to communicate with one or more network security devices. Each network security device is configured to store in a respective event queue an event for each attempt to access a network accessible destination through the security device. Each event indicates the destination of the attempted access. The management entity periodically collects from the event queues the stored events so that less that all of the events stored in the event queues over a given time period are collected. The management entity determines, based on the collected events, top destinations as the destinations that occur most frequently in the collected events. The management entity determines, based on the collected events, bottom destinations as the destinations that occur least frequently in the collected events. The management entity generates for display indications of the top destinations and generates for display indications of the bottom destinations.

公开(公告)号：US20160212169A1

公开(公告)日：2016-07-21

申请号：US14600495

申请日：2015-01-20

Applicant: Cisco Technology, Inc.

Inventor： Denis Knjazihhin ,  Yedidya Dotan ,  Burak Say ,  Robin Martherus ,  Sachin Vasant

IPC: H04L29/06

CPC classification number: H04L63/20 ,  G06F21/604 ,  H04L41/0843 ,  H04L41/0893 ,  H04L63/10

Abstract: A management entity receives from multiple security devices corresponding native security policies each based on a native policy model associated with the corresponding security device. Each security device controls access to resources by devices associated with the security device according to the corresponding native security policy. The management entity normalizes the received native security policies across the security devices based on a generic policy model, to produce a normalized security policy that is based on the generic policy model and representative of the native security polices.

Abstract translation: 管理实体从多个安全设备接收对应的本地安全策略，每个基于与相应的安全设备相关联的本地策略模型。 每个安全设备根据相应的本地安全策略控制与安全设备相关联的设备对资源的访问。 管理实体基于通用策略模型，在安全设备之间规范化接收到的本地安全策略，以生成基于通用策略模型并代表本机安全策略的规范化安全策略。

公开(公告)号：US20160212168A1

公开(公告)日：2016-07-21

申请号：US14600473

申请日：2015-01-20

Applicant: Cisco Technology, Inc.

Inventor： Yedidya Dotan ,  Christopher Duane ,  Denis Knjazihhin

IPC: H04L29/06

CPC classification number: H04L63/20 ,  G06F21/10 ,  H04L63/0227 ,  H04L63/0254 ,  H04L63/102

Abstract: A management entity generates selectable security policy classifications each identifying security policies that share common security rules. Each of the security policies is applied by a corresponding one of different security devices to control access to a resource. The management entity creates a new policy template that includes all of the security policies identified by selected ones of the policy classification selections and then creates a new security policy based on the new policy template. The management entity applies the new security policy to a security device over a network.

Abstract translation: 管理实体生成可选择的安全策略分类，每个分类标识共享公共安全规则的安全策略。 每个安全策略由相应的一个不同的安全设备应用来控制对资源的访问。 管理实体创建一个新的策略模板，其中包括由选定的策略分类选择标识的所有安全策略，然后基于新的策略模板创建新的安全策略。 管理实体通过网络将新的安全策略应用于安全设备。

公开(公告)号：US10182055B2

公开(公告)日：2019-01-15

申请号：US15426702

申请日：2017-02-07

Applicant: Cisco Technology, Inc.

Inventor： Joe Lawrence ,  Jason M. Perry ,  Yedidya Dotan ,  Denis Knjazihhin ,  Umesh Kumar Miglani

IPC: G06F17/00 ,  H04L29/06

Abstract: A management entity communicates over a network with devices on which security rules are configured to control network access. Data that indicates a hit count for each security rule across the devices is repeatedly collected from the devices. The indicated hit counts for each security rule are aggregated over different repeating time intervals to produce repeatedly aggregated hit counts for respective ones of the different repeating time intervals. The security rules are generated for display on a user interface screen as selectable options. Responsive to a selection of one of the security rules, a selected security rule and most recently aggregated hit counts for the different repeating time intervals for the selected security rule are generated for concurrent display on the user interface screen. The display of the most recently aggregated hit counts for the selected security rule is updated as time progresses.

公开(公告)号：US20160344743A1

公开(公告)日：2016-11-24

申请号：US14725489

申请日：2015-05-29

Applicant: Cisco Technology, Inc.

Inventor： Yedidya Dotan ,  Jason M. Perry ,  Denis Knjazihhin ,  Zachary D. Siswick ,  Sachin Vasant

IPC: H04L29/06 ,  G06F17/30

CPC classification number: H04L63/108 ,  G06F17/30554 ,  G06F17/30867 ,  H04L63/0227 ,  H04L63/0263

Abstract: A method is performed at a management device to manage multiple network security devices over a network. The security devices are configured to control access to network accessible resources. A query is received. In response to the received query, a respective native security rule that references the specific resource is collected from each security device, where each native security rule is based on a respective native rule model associated with the security device from which the native security rule is collected. Each native security rule is translated into a respective normalized rule that is based on a generic rule model. The respective normalized rules are compared to each other to generate compare results. Based on the compare results, an indication of whether each security device allows or blocks access to the specific resource is generated.

Abstract translation: 在管理设备上执行一种方法来通过网络来管理多个网络安全设备。 安全设备被配置为控制对网络可访问资源的访问。 接收到查询。 响应于所接收的查询，从每个安全设备收集引用特定资源的相应本地安全规则，其中每个本地安全规则基于与从其收集本机安全规则的安全设备相关联的相应原生规则模型 。 每个本地安全规则被转换为基于通用规则模型的相应的归一化规则。 将相应的归一化规则相互比较以产生比较结果。 基于比较结果，生成每个安全设备是否允许或阻止对特定资源的访问的指示。

公开(公告)号：US20160301717A1

公开(公告)日：2016-10-13

申请号：US15189755

申请日：2016-06-22

Applicant: Cisco Technology, Inc.

Inventor： Yedidya Dotan ,  Sanjay Agarwal ,  Robin Martherus

IPC: H04L29/06 ,  G06F3/0482 ,  G06F17/24 ,  G06F3/0484

CPC classification number: H04L63/20 ,  G06F3/0482 ,  G06F3/04842 ,  G06F3/04847 ,  G06F17/248 ,  H04L63/10 ,  H04L63/102

Abstract: A management entity imports information included in security policies from security devices configured to operate in accordance with respective ones of the security policies. The information is classified into security policy classifications based on commonality in the information across the security policies. The security policy classifications are displayed as selectable security policy classifications. An entry of a policy template name and selections of multiple security policy classifications are received. The security policies in the multiple selected security policy classifications are assigned to a security policy template identified by the entered policy template name.

Abstract translation: 管理实体从配置为根据相应的安全策略进行操作的安全设备中导入安全策略中包含的信息。 该信息根据安全策略中的信息的共同性分为安全策略分类。 安全策略分类显示为可选择的安全策略分类。 收到策略模板名称的条目和多个安全策略分类的选择。 多个选定的安全策略分类中的安全策略被分配给由输入的策略模板名称标识的安全策略模板。

公开(公告)号：US09401933B1

公开(公告)日：2016-07-26

申请号：US14600436

申请日：2015-01-20

Applicant: Cisco Technology, Inc.

Inventor： Yedidya Dotan ,  Sanjay Agarwal ,  Robin Martherus

IPC: H04L29/06

CPC classification number: H04L63/20 ,  G06F3/0482 ,  G06F3/04842 ,  G06F3/04847 ,  G06F17/248 ,  H04L63/10 ,  H04L63/102

Abstract: A management entity connects with multiple security devices across a network. Each security device operates in accordance with one or more security policies. The management entity imports, over the network, data describing the security policies from the multiple security devices. The management entity classifies the imported security policies into security policy classifications based on commonality in information included in the security policies across the multiple security devices.

Abstract translation: 管理实体通过网络与多个安全设备连接。 每个安全设备根据一个或多个安全策略进行操作。 管理实体通过网络从多个安全设备中导入描述安全策略的数据。 管理实体根据多个安全设备中安全策略中包含的信息的通用性，将导入的安全策略分为安全策略分类。