公开(公告)号：US10666683B2

公开(公告)日：2020-05-26

申请号：US15663757

申请日：2017-07-30

Applicant: Cisco Technology, Inc.

Inventor： David Sward ,  Denis Knjazihhin ,  Keying Bi ,  David Sounthiraraj ,  Ashok Javvaji ,  Jared Smith ,  Yedidya Dotan

IPC: H04L29/06 ,  G06F3/0484 ,  H04L29/08 ,  G06F3/0482

Abstract: In one embodiment, a system includes a processor, and a memory to store data used by the processor, the processor being operative to prepare a first user interface including a security policy selection section, interpret user input data to include performing at least one security policy selection action in the security policy selection section yielding selection of a first security policy for a first device, and update the first user interface yielding an updated first user interface including the first security policy, and a first security policy activation key for inputting into a second user interface to be generated when the first device is installed, the first security policy activation key being associated with providing authentication for downloading the first security policy to the first device.

公开(公告)号：US10075439B1

公开(公告)日：2018-09-11

申请号：US15158998

申请日：2016-05-19

Applicant: Cisco Technology, Inc.

Inventor： Ryan J. Mullens ,  Sachin Vasant ,  Raphael Luckom ,  Denis Knjazihhin ,  Yedidya Dotan

IPC: H04L9/32 ,  H04L29/06 ,  H04L12/24 ,  H04L12/931 ,  H04L29/08 ,  G06F8/65

CPC classification number: H04L63/0884 ,  G06F8/65 ,  H04L9/3247 ,  H04L41/082 ,  H04L63/0281 ,  H04L63/0442 ,  H04L63/126 ,  H04L67/327 ,  H04L67/34 ,  H04L2209/72

Abstract: A method is provided in which a development environment sends commands to an on-premises device that are signed by both (a) development environment and by (b) an execution environment (trusted source), and account for versioning. In so doing, the on-premises device that receives the command is able to authenticate both the sending entity, i.e., a production server, and the source of the command files to determine that the command is a valid configuration/upgrade package that may be safely installed and executed.

公开(公告)号：US10038697B2

公开(公告)日：2018-07-31

申请号：US14807120

申请日：2015-07-23

Applicant: Cisco Technology, Inc.

Inventor： Yedidya Dotan ,  Christopher Duane ,  Daniel Hollingshead ,  Denis Knjazihhin

IPC: H04L29/06

CPC classification number: H04L63/101 ,  H04L63/0263 ,  H04L63/20

Abstract: First and second security rules are accessed in a configuration file. Comparison points for comparing the first and second security rules are determined. Each comparison point identifies respective rule parameters of the first and second security rules. Respective weights are assigned to the comparison points. For each comparison point, the respective rule parameters are compared against each other to produce a corresponding comparison score indicative of a level similarity. Each comparison score is weighted by the weight assigned to the comparison point corresponding to the comparison score. The weighted comparison scores are combined into a total score indicative of an overall level of similarity between the first and second security rules.

公开(公告)号：US20170353459A1

公开(公告)日：2017-12-07

申请号：US15426702

申请日：2017-02-07

Applicant: Cisco Technology, Inc.

Inventor： Joe Lawrence ,  Jason M. Perry ,  Yedidya Dotan ,  Denis Knjazihhin ,  Umesh Kumar Miglani

IPC: H04L29/06

CPC classification number: H04L63/10 ,  H04L63/0263 ,  H04L63/20

Abstract: A management entity communicates over a network with devices on which security rules are configured to control network access. Data that indicates a hit count for each security rule across the devices is repeatedly collected from the devices. The indicated hit counts for each security rule are aggregated over different repeating time intervals to produce repeatedly aggregated hit counts for respective ones of the different repeating time intervals. The security rules are generated for display on a user interface screen as selectable options. Responsive to a selection of one of the security rules, a selected security rule and most recently aggregated hit counts for the different repeating time intervals for the selected security rule are generated for concurrent display on the user interface screen. The display of the most recently aggregated hit counts for the selected security rule is updated as time progresses.

公开(公告)号：US09787722B2

公开(公告)日：2017-10-10

申请号：US14755228

申请日：2015-06-30

Applicant: Cisco Technology, Inc.

Inventor： Denis Knjazihhin ,  Yedidya Dotan ,  Zachary D. Siswick ,  Christopher Duane ,  Daniel Hollingshead

IPC: H04L29/00 ,  H04L29/06 ,  G06F17/30 ,  G06F21/60 ,  G06F21/57

CPC classification number: H04L63/20 ,  G06F17/30106 ,  G06F17/30598 ,  G06F21/57 ,  G06F21/604

Abstract: An integrated development environment (IDE) preprocesses a configuration file including security rules. The preprocessing maps object names in the security rules to associated object values based on object definitions for the object names. Responsive to the configuration file being opened in an editor, the IDE provides the editor with access to preprocessing results. Each security rule in the opened configuration file is searched for object names. The IDE links each object name found in the search to an associated object value mapped thereto by the mapping performed during the preprocessing. The IDE receives a selection of an object name in a security rule of the opened configuration file and generates for display the associated object value linked to the selected object name.

公开(公告)号：US20170208094A1

公开(公告)日：2017-07-20

申请号：US15131604

申请日：2016-04-18

Applicant: Cisco Technology, Inc.

Inventor： Daniel Hollingshead ,  Sachin Vasant ,  Yedidya Dotan ,  Umesh Kumar Miglani ,  Denis Knjazihhin

IPC: H04L29/06 ,  H04L12/24

CPC classification number: H04L63/20 ,  H04L41/0893 ,  H04L63/0263

Abstract: Presented herein are techniques for creating a policy block comprised of a group of lines of rules/statements across configuration files for network devices. An algorithm is provided that determines when multiple policies are to be merged together into one policy. In one embodiment, data is uploaded from a network that includes a plurality of network devices. The data represents policy rules configured on the plurality of network devices. The data representing the policy rules is compared for similarities in order to group together policy rules based on their similarities. Data is stored representing a plurality of clusters, each cluster representing a group of policy rules that have been grouped together. One or more configuration policies are generated to be applied across the plurality of network devices using the data representing each of the plurality of clusters, while maintaining context of policy rule processing.

公开(公告)号：US09641540B2

公开(公告)日：2017-05-02

申请号：US14725489

申请日：2015-05-29

Applicant: Cisco Technology, Inc.

Inventor： Yedidya Dotan ,  Jason M. Perry ,  Denis Knjazihhin ,  Zachary D. Siswick ,  Sachin Vasant

IPC: H04L29/06 ,  G06F17/30

CPC classification number: H04L63/108 ,  G06F17/30554 ,  G06F17/30867 ,  H04L63/0227 ,  H04L63/0263

Abstract: A method is performed at a management device to manage multiple network security devices over a network. The security devices are configured to control access to network accessible resources. A query is received. In response to the received query, a respective native security rule that references the specific resource is collected from each security device, where each native security rule is based on a respective native rule model associated with the security device from which the native security rule is collected. Each native security rule is translated into a respective normalized rule that is based on a generic rule model. The respective normalized rules are compared to each other to generate compare results. Based on the compare results, an indication of whether each security device allows or blocks access to the specific resource is generated.

公开(公告)号：US20160344773A1

公开(公告)日：2016-11-24

申请号：US14755228

申请日：2015-06-30

Applicant: Cisco Technology, Inc.

Inventor： Denis Knjazihhin ,  Yedidya Dotan ,  Zachary D. Siswick ,  Christopher Duane ,  Daniel Hollingshead

IPC: H04L29/06 ,  G06F17/30

CPC classification number: H04L63/20 ,  G06F17/30106 ,  G06F17/30598 ,  G06F21/57 ,  G06F21/604

Abstract: An integrated development environment (IDE) preprocesses a configuration file including security rules. The preprocessing maps object names in the security rules to associated object values based on object definitions for the object names. Responsive to the configuration file being opened in an editor, the IDE provides the editor with access to preprocessing results. Each security rule in the opened configuration file is searched for object names. The IDE links each object name found in the search to an associated object value mapped thereto by the mapping performed during the preprocessing. The IDE receives a selection of an object name in a security rule of the opened configuration file and generates for display the associated object value linked to the selected object name.

Abstract translation: 集成开发环境（IDE）预处理包括安全规则在内的配置文件。 预处理根据对象名称的对象定义将安全规则中的对象名称映射到关联对象值。 响应于在编辑器中打开的配置文件，IDE为编辑器提供对预处理结果的访问。 搜索打开的配置文件中的每个安全规则的对象名称。 IDE通过在预处理期间执行的映射将搜索中找到的每个对象名称链接到映射到其上的关联对象值。 IDE在打开的配置文件的安全规则中接收对象名称的选择，并生成用于显示链接到所选对象名称的关联对象值。