-
11.
Publication number: US20240146770A1
Publication date: 2024-05-02
Application number: US18395471
Filing date: 2023-12-22
Applicant: Cisco Technology, Inc.
Inventor: Hendrikus G.P. Bosch , Sape Jurrien Mullender , Jeffrey Michael Napper , Alessandro Duminuco , Shivani Raghav
CPC classification number: H04L63/20 , G06F9/547 , G06F21/575 , H04L63/0272 , H04L63/0853 , H04L63/1425 , H04L63/1433
Abstract: Dynamically tailored trust for secure application-server networking and advanced enterprise security is provided. A system can individually assess the security posture of each application connecting to the Internet from each client device in an enterprise. For each application, the system tailors a security mode of the Internet connection based on the security posture of the application. Assessment of the security posture of an application is a comprehensive inventory of the security of the application, the security of the device hosting the application, the rights and security of the user, security attributes of the intended service or website being accessed, the security of the communication channel, and so forth. A network-based controller communicates with an agent running within a secure boot mode of each client device to select a security mode for application-service connection, including lean-trust direct access to the Internet, secure VPN-like access, or no access to the Internet.
-
12.
Publication number: US11968201B2
Publication date: 2024-04-23
Application number: US17141007
Filing date: 2021-01-04
Applicant: Cisco Technology, Inc.
Inventor: Ahmed Bakry Helmy Ahmed , Sape Jurrien Mullender , Hendrikus G. P. Bosch , Alessandro Duminuco , Jeffrey Michael Napper
IPC: H04L9/40
CPC classification number: H04L63/0815 , H04L63/0807 , H04L63/0884 , H04L63/164
Abstract: Operations include transmitting, on behalf of a first application, a first request to a first service provider, the first request requesting first services from the first service provider, intercepting, at a local agent, a first redirect message from the first service provider to an identity provider, receiving an identity provider cookie from the identity provider based on a validation of credentials during the authentication process, storing a copy of the identity provider cookie, transmitting, on behalf of a second application, a second request to a second service provider, the second request requesting second services from the second service provider, intercepting a second redirect message from the second service provider to the identity provider, adding the identity provider cookie to the second redirect message, and receiving validation to access the second service provider from the identity provider based on the identity provider cookie stored by the local agent.
-
13.
Publication number: US20240015140A1
Publication date: 2024-01-11
Application number: US17857678
Filing date: 2022-07-05
Applicant: Cisco Technology, Inc.
Inventor: Hendrikus G. P. Bosch , Alessandro Duminuco , Zohar Kaufman
CPC classification number: H04L63/0281 , G06F9/45558 , G06F9/547 , H04L63/0236 , G06F2009/4557 , G06F2009/45595
Abstract: A system of one embodiment allows for redirecting service and API calls for containerized applications in a computer network. The system includes a memory and a processor. The system processes a plurality of application workflows of a containerized application workload. The system then identifies at least one application workflow of the plurality of application workflows and at least one workflow-specific routing rule associated with the at least one application workflow. The system then determines at least one proxy server address for each identified application workflow based on the at least one associated workflow-specific routing rule. The system then may communicate the at least one identified application workflow to the at least one proxy server using the at least one determined proxy server address.
-
14.
Publication number: US11863588B2
Publication date: 2024-01-02
Application number: US16867642
Filing date: 2020-05-06
Applicant: Cisco Technology, Inc.
Inventor: Hendrikus G. P. Bosch , Sape Jurriën Mullender , Jeffrey Michael Napper , Alessandro Duminuco , Shivani Raghav
CPC classification number: H04L63/20 , G06F9/547 , G06F21/575 , H04L63/0272 , H04L63/0853 , H04L63/1425 , H04L63/1433
Abstract: Dynamically tailored trust for secure application-server networking and advanced enterprise security is provided. A system can individually assess the security posture of each application connecting to the Internet from each client device in an enterprise. For each application, the system tailors a security mode of the Internet connection based on the security posture of the application. Assessment of the security posture of an application is a comprehensive inventory of the security of the application, the security of the device hosting the application, the rights and security of the user, security attributes of the intended service or website being accessed, the security of the communication channel, and so forth. A network-based controller communicates with an agent running within a secure boot mode of each client device to select a security mode for application-service connection, including lean-trust direct access to the Internet, secure VPN-like access, or no access to the Internet.
-
15.
Publication number: US11809571B2
Publication date: 2023-11-07
Application number: US17346898
Filing date: 2021-06-14
Applicant: Cisco Technology, Inc.
Inventor: Hendrikus G. P. Bosch , Alessandro Duminuco , Sape Jurriën Mullender
IPC: G06F21/57
CPC classification number: G06F21/577 , G06F2221/033
Abstract: The present disclosure is directed to systems and methods for vulnerability analysis using continuous application attestation, a method including receiving a load map associated with an application, the load map indicating loaded modules of the application; determining whether at least one notification is received indicating at least one update to the loaded modules of the application, wherein, if the at least one notification is received, the load map is updated based on the indicated at least one update, and wherein, if the at least one notification is not received, the load map is retained in an existing state; periodically retrieving call traces associated with the application, the call traces indicating executed modules of the application; and generating a continuous application attestation comprising at least a combination of the updated load map or the retained load map, and the retrieved call traces associated with the application at a given time.
-
16.
Publication number: US11695769B2
Publication date: 2023-07-04
Application number: US16989234
Filing date: 2020-08-10
Applicant: Cisco Technology, Inc.
Inventor: Sape Jurrien Mullender , Hendrikus G. P. Bosch , Alessandro Duminuco , Ahmed Bakry Helmy Ahmed , Aaron T. Woland
CPC classification number: H04L63/0892
Abstract: This disclosure describes techniques for dynamically changing a user authorization with a service provider during an ongoing user session. The changing user authorization may be used to address changing confidence in an identity of a user consuming a service provided by the service provider. The changing user authorization may also be used to adjust a scope of a service to which a user has access. The present techniques may allow single-sign-on type protocols to accomplish the flexible and dynamic change-of-authorization functionality of some traditional protocols to handle ongoing client-server sessions, rather than simply revoking authorization for access to the service. For this reason, the present techniques are able to integrate advantages of traditional protocols with newer, single-sign-on-type protocols.
-
17.
Publication number: US11683309B2
Publication date: 2023-06-20
Application number: US17169086
Filing date: 2021-02-05
Applicant: Cisco Technology, Inc.
Inventor: Hendrikus GP Bosch , Jeffrey Michael Napper , Alessandro Duminuco , Sape Jurrien Mullender , Julien Barbot , Vinny Parla
IPC: H04L9/40 , H04L61/4511
CPC classification number: H04L63/10 , H04L61/4511 , H04L63/0876 , H04L63/20 , H04L63/0272
Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques including a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.
-
18.
Publication number: US11617076B2
Publication date: 2023-03-28
Application number: US16901248
Filing date: 2020-06-15
Applicant: Cisco Technology Inc.
Inventor: Jeffrey Napper , Alessandro Duminuco , Hendrikus G. P. (Peter) Bosch
Abstract: The present disclosure is directed to systems and methods for clientless virtual private network (VPN) roaming with 802.1x authentication and includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, cause one or more components to perform operations including receiving, at a local proxy, an 802.1x communication including authentication information from a remote device wirelessly connected to a visited network, wherein the remote device requests access to an enterprise network; authenticating the remote device with the enterprise network using the authentication information; establishing an encrypted tunnel between the visited network and the enterprise network; and transmitting data between the remote device and the enterprise network through the encrypted tunnel.
-
19.
Publication number: US20230004445A1
Publication date: 2023-01-05
Application number: US17662459
Filing date: 2022-05-09
Applicant: Cisco Technology, Inc.
Inventor: Hendrikus G.P. Bosch , Randy Birdsall , Alessandro Duminuco , Zohar Kaufman , Sape Jurriën Mullender
Abstract: According to some embodiments, a method is performed by a distributed cloud-native application. The method comprises receiving a request from a user to perform an operation. The user is associated with a risk profile. The method further comprises determining a call path through the distributed cloud-native application to perform the operation and classifying a risk level associated with the determined call path based on a distributed call graph. The distributed call graph comprises a risk value for each call path through the distributed cloud-native application and each call path comprises one or more distributed cloud-native application components. The risk value is based on a weakness rating associated with each component in the call path. The method further comprises determining the risk level associated with the determined call path is acceptable based on the risk profile associated with the user and performing the operation.
-
20.
Publication number: US11425098B2
Publication date: 2022-08-23
Application number: US16855809
Filing date: 2020-04-22
Applicant: Cisco Technology, Inc.
Inventor: Hendrikus G. P. Bosch , Alessandro Duminuco , Sape Jurriën Mullender , Jeffrey Michael Napper
Abstract: An identity provider (IdP) service interoperates with a Virtual Private Network (VPN) client. The IdP service receives a login request originating from the VPN client to establish a VPN tunnel between the VPN client and a VPN host, the login request indicating a user of the VPN client. The IdP service provides a response to the login request. The response includes at least both first information including an indication that the user of the VPN client is an authorized user and second information including an indication of a VPN policy for the VPN tunnel, the VPN policy including a VPN client policy to be utilized during the VPN tunnel by the VPN client and a VPN host policy to be utilized during the VPN tunnel by the VPN host.