公开(公告)号：US20170208011A1

公开(公告)日：2017-07-20

申请号：US15171892

申请日：2016-06-02

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Hendrikus G.P. Bosch ,  Jeffrey Napper ,  Alessandro Duminuco ,  Humberto J. La Roche ,  Sape Jurriën Mullender ,  Surendra M. Kumar ,  Louis Gwyn Samuel ,  Bart A. Brinckman ,  Aeneas Sean Dodd-Noble ,  Luca Martini

IPC: H04L12/825 ,  H04L12/26 ,  H04L12/801

CPC classification number: H04L47/25 ,  H04L41/0896 ,  H04L45/64 ,  H04L47/29

Abstract: An example method is provided in one example embodiment and may include receiving traffic associated with at least one of a mobile network and a Gi-Local Area Network (Gi-LAN), wherein the traffic comprises one or more packets; determining a classification of the traffic to a service chain, wherein the service chain comprises one or more service functions associated at least one of one or more mobile network services and one or more Gi-LAN services; routing the traffic through the service chain; and routing the traffic to a network using one of a plurality of egress interfaces, wherein each egress interface of the plurality of egress interfaces is associated with at least one of the one or more mobile network services and the one or more Gi-LAN services.

公开(公告)号：US09398486B2

公开(公告)日：2016-07-19

申请号：US14300865

申请日：2014-06-10

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Humberto J. La Roche, Jr. ,  Hendrikus G.P. Bosch ,  James N. Guichard ,  Paul Quinn ,  Surendra M. Kumar ,  Kevin D. Shatzkamer

IPC: H04L12/28 ,  H04W28/02 ,  H04L12/46 ,  H04L12/721 ,  H04L12/725

CPC classification number: H04W28/0215 ,  H04L12/4633 ,  H04L45/306 ,  H04L45/38

Abstract: A method provided in one embodiment includes receiving, at a first network element, a first data packet of a data flow, wherein the data flow is associated with a subscriber. The method further includes receiving subscriber information associated with the subscriber, and encapsulating the subscriber information with the first data packet to form an encapsulated data packet. The method still further includes determining a service chain including one or more services to which the encapsulated data packet is to be forwarded, and forwarding the encapsulated data packet to the service chain.

Abstract translation: 在一个实施例中提供的方法包括在第一网络元件处接收数据流的第一数据分组，其中所述数据流与订户相关联。 该方法还包括接收与用户相关联的用户信息，以及用第一数据分组封装用户信息以形成封装的数据分组。 该方法还包括确定包括一个或多个服务的服务链，封装的数据分组将被转发到该服务链上，并将封装的数据分组转发到服务链。

公开(公告)号：US20150215819A1

公开(公告)日：2015-07-30

申请号：US14162954

申请日：2014-01-24

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G.P. Bosch ,  Peter Weinberger ,  Praveen Bhagwatula ,  Michael E. Lipman ,  Alessandro Duminuco ,  Louis Gwyn Samuel

IPC: H04W28/08 ,  H04L12/721 ,  H04L12/743 ,  H04W24/04 ,  H04L12/707

CPC classification number: H04L45/38 ,  H04W24/02

Abstract: Presented herein are techniques to reduce the number of redirected subscriber packet flows while performing sticky hierarchical load balancing. An Nth head end network element may be activated such that a plurality of N head end network elements are active and capable of receiving and processing one or more packet flows. A primary load balancer may then be directed to overwrite a portion of pointers of a hash table in an evenly distributed manner with pointers to the Nth head end network element such that packet flows are forwarded to the Nth head end network element, wherein the hash table retains a static number of entries as the number of head end network elements is modified.

Abstract translation: 这里提出的是在执行粘性分层负载平衡的同时减少重定向用户分组流的数量的技术。 可以激活第N个头端网元，使得多个N个头端网元是活动的并且能够接收和处理一个或多个分组流。 然后可以引导主要负载平衡器以均匀分布的方式用指针覆盖散列表的指针的一部分，使得分组流被转发到第N个头端网元，其中散列表 随着头端网元数量的修改，保留了静态数量的条目。

公开(公告)号：US20250097252A1

公开(公告)日：2025-03-20

申请号：US18470884

申请日：2023-09-20

Applicant: Cisco Technology, Inc.

Inventor： Arash Salarian ,  Marcelo Yannuzzi ,  Hendrikus G.P. Bosch ,  Jeffrey Michael Napper

IPC: H04L9/40

Abstract: Techniques for using real-time metrics and telemetry information to dynamically prioritize attack paths identified during a static analysis of a cloud native application, and using top priority attack paths identified during the static analysis to steer the dynamic analysis. The techniques may include identifying components of the cloud native application and connections between the components. The components and connections are analyzed to identify a set of attack paths. Network communications are monitored between the connections and metrics representing signals in the communications collected. A first subset of the attack paths based on a first portion of the metric indicating a real-time security vulnerability are identified. Finally, the first subset of the attack paths is prioritized over a second subset of the attack paths based at least in part on the first subset having the first portion of the metrics indicating real-time security vulnerabilities.

公开(公告)号：US20240146770A1

公开(公告)日：2024-05-02

申请号：US18395471

申请日：2023-12-22

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G.P. Bosch ,  Sape Jurrien Mullender ,  Jeffrey Michael Napper ,  Alessandro Duminuco ,  Shivani Raghav

IPC: H04L9/40 ,  G06F9/54 ,  G06F21/57

CPC classification number: H04L63/20 ,  G06F9/547 ,  G06F21/575 ,  H04L63/0272 ,  H04L63/0853 ,  H04L63/1425 ,  H04L63/1433

Abstract: Dynamically tailored trust for secure application-server networking and advanced enterprise security is provided. A system can individually assess the security posture of each application connecting to the Internet from each client device in an enterprise. For each application, the system tailors a security mode of the Internet connection based on the security posture of the application. Assessment of the security posture of an application is a comprehensive inventory of the security of the application, the security of the device hosting the application, the rights and security of the user, security attributes of the intended service or website being accessed, the security of the communication channel, and so forth. A network-based controller communicates with an agent running within a secure boot mode of each client device to select a security mode for application-service connection, including lean-trust direct access to the Internet, secure VPN-like access, or no access to the Internet.

公开(公告)号：US20230004445A1

公开(公告)日：2023-01-05

申请号：US17662459

申请日：2022-05-09

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G.P. Bosch ,  Randy Birdsall ,  Alessandro Duminuco ,  Zohar Kaufman ,  Sape Jurriën Mullender

IPC: G06F9/50 ,  G06F9/54

Abstract: According to some embodiments, a method is performed by a distributed cloud-native application. The method comprises receiving a request from a user to perform an operation. The user is associated with a risk profile. The method further comprises determining a call path through the distributed cloud-native application to perform the operation and classifying a risk level associated with the determined call path based on a distributed call graph. The distributed call graph comprises a risk value for each call path through the distributed cloud-native application and each call path comprises one or more distributed cloud-native application components. The risk value is based on a weakness rating associated with each component in the call path. The method further comprises determining the risk level associated with the determined call path is acceptable based on the risk profile associated with the user and performing the operation.

公开(公告)号：US20220222335A1

公开(公告)日：2022-07-14

申请号：US17226304

申请日：2021-04-09

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G.P. Bosch ,  Alessandro Duminuco ,  Sape Jurriën Mullender ,  Jaffar Alaoui

IPC: G06F21/52 ,  G06F9/54

Abstract: The present disclosure is directed to assessing API service security and may include the steps of identifying an API service called by an application based on information provided by an agent embedded within the application; collecting telemetry associated with the API service, the telemetry collected from one or more telemetry sources and indicating any deficiencies in the API service; generating a reputation score for the API service based on analysis of the collected telemetry; and transmitting the reputation score to at least one of the following: the agent embedded within the application, wherein the reputation score is associated with at least one policy having at least one policy action, and wherein the reputation score is operable to be used by the agent to invoke the at least one policy action relating to use of the API service by the application; or a continuous integration/continuous delivery pipeline associated with the application.

公开(公告)号：US20210160813A1

公开(公告)日：2021-05-27

申请号：US16694509

申请日：2019-11-25

Applicant: Cisco Technology, Inc.

Inventor： Anubhav Gupta ,  Hendrikus G.P. Bosch ,  Vamsidhar Valluri ,  Stefan Olofsson

IPC: H04W64/00 ,  H04W48/16 ,  H04W24/08 ,  H04L29/12

Abstract: According to certain embodiments, a system comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising: receiving location data associated with a plurality of remote users accessing one or more existing remote access gateways that are located at one or more network locations; building a heatmap of user locations based at least in part on the received location data; and identifying, from the heatmap of user locations, at least one new network location in which to generate at least one new remote access gateway, or at least one existing network location in which to remove at least one of the existing remote access gateways.

公开(公告)号：US20200322230A1

公开(公告)日：2020-10-08

申请号：US16782769

申请日：2020-02-05

Applicant: Cisco Technology, Inc.

Inventor： Alberto Rodriguez Natal ,  Hendrikus G.P. Bosch ,  Fabio Maino ,  Lars Olaf Stefan Olofsson ,  Jeffrey Napper ,  Anubhav Gupta

IPC: H04L12/24 ,  H04L12/801

Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first traffic data can be received from the first endpoint. The network device can determine one or more first endpoint-specific polices for the first endpoint by evaluation the first policy metadata with respect to the one or more network-wide endpoint policies. As follows, the one or more first endpoint-specific policies can be applied to control data traffic associated with the first endpoint.

公开(公告)号：US20160218956A1

公开(公告)日：2016-07-28

申请号：US15092117

申请日：2016-04-06

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Surendra M. Kumar ,  Nagaraj A. Bagepalli ,  Abhijit Patra ,  Paul Quinn ,  James N. Guichard ,  Hendrikus G.P. Bosch

IPC: H04L12/751 ,  H04L12/721

CPC classification number: H04L45/02 ,  H04L41/08 ,  H04L41/0813 ,  H04L41/0893 ,  H04L41/0896 ,  H04L41/12 ,  H04L45/308 ,  H04L45/38

Abstract: An example method for service node originated service chains in a network environment is provided and includes receiving a packet at a service node in a network environment that includes a plurality of service nodes and a central classifier, analyzing the packet for a service chain modification or a service chain initiation, classifying the packet at the service node to a new service chain based on the analysis, initiating the new service chain at the service node if the analysis indicates service chain initiation, and modifying an existing service chain for the packet to the new service chain if the analysis indicates service chain modification. In specific embodiments, the analysis includes applying classification logic specific to the service node. Some embodiments, service node attributes and order of service nodes in substantially all service chains configured in the network may be received from a central controller.