Monitoring real-time processor instruction stream execution

    Publication number: US11093605B2

    Publication date: 2021-08-17

    Application number: US16150679

    Application date: 2018-10-03

    Abstract: In one example embodiment, a computing device has a processor that executes a processor instruction stream that causes the processor to perform one or more operations for the computing device. The computing device generates one or more trace data packets including a first instruction pointer of the processor instruction stream, a second instruction pointer of the processor instruction stream subsequent to the first instruction pointer, and a string of characters derived from instructions associated with a control flow transfer between the first instruction pointer of the processor instruction stream and the second instruction pointer of the processor instruction stream. The computing device determines whether the one or more trace data packets are consistent with a secure processor instruction stream known or determined to be secure from malicious processor instructions and, if not, generates an indication that the processor instruction stream is not secure.

    Redirect to inspection proxy using single-sign-on bootstrapping

    Publication number: US09894055B2

    Publication date: 2018-02-13

    Application number: US15010003

    Application date: 2016-01-29

    CPC classification number: H04L63/0815 H04L63/04 H04L63/08 H04L63/0884

    Abstract: An authentication request is generated when a user of a client device attempts to initiate a user session with an application managed by a service provider. An authentication response is generated based on credentials received from the user. The authentication response includes an assertion on behalf of the user. A delivery resource locator for the assertion is rewritten to a resource locator of a proxy in order to redirect the assertion to the proxy. The authentication response is sent to the client device together with the resource locator of the proxy in order to cause the client device to send the assertion to the proxy that decodes the re-written resource locator and sends the assertion to the service provider.

    REDIRECT TO INSPECTION PROXY USING SINGLE-SIGN-ON BOOTSTRAPPING
    84. Invention application (pending, published)

    Publication number: US20160149898A1

    Publication date: 2016-05-26

    Application number: US15010003

    Application date: 2016-01-29

    CPC classification number: H04L63/0815 H04L63/04 H04L63/08 H04L63/0884

    Abstract: An authentication request is generated when a user of a client device attempts to initiate a user session with an application managed by a service provider. An authentication response is generated based on credentials received from the user. The authentication response includes an assertion on behalf of the user. A delivery resource locator for the assertion is rewritten to a resource locator of a proxy in order to redirect the assertion to the proxy. The authentication response is sent to the client device together with the resource locator of the proxy in order to cause the client device to send the assertion to the proxy that decodes the re-written resource locator and sends the assertion to the service provider.


    Application services based on dynamic split tunneling
    85. Invention grant (in force)

    Publication number: US09137211B2

    Publication date: 2015-09-15

    Application number: US13895744

    Application date: 2013-05-16

    CPC classification number: H04L45/74 H04L61/1511 H04L61/2007 H04L63/0272

    Abstract: In an example embodiment, a method of dynamically tunneling specific, or per application, services on demand without having to build complex split tunneling policies on Virtual Private Network (VPN) terminators. In particular embodiments, the method can allow for tunneling to multiple data centers on devices with limited, e.g., single, concentrator capabilities.


    HTTP type connectivity detection using parallel probes for preferred protocol selection

    Publication number: US12261901B2

    Publication date: 2025-03-25

    Application number: US18428321

    Application date: 2024-01-31

    Inventor: Vincent E. Parla

    Abstract: Techniques for determining a preferred HTTP protocol for communication between a client device and a server over a network are described. A first type of HTTP probe is transmitted over a network from a client device to a server. A second type of HTTP probe is transmitted over a network from the client device to the server. If either the first type of HTTP probe response or the second type of HTTP probe response is received, the type of the HTTP probe response received is the preferred communication protocol. If both the first type of HTTP probe response and the second type of HTTP probe response are received, the type of HTTP probe response received first is the preferred communication protocol. The client device communicates with the server over the network using the preferred communication protocol.

    Telemetry over QUIC
    88. Invention grant

    Publication number: US12166825B2

    Publication date: 2024-12-10

    Application number: US17895368

    Application date: 2022-08-25

    Inventor: Vincent E. Parla

    Abstract: In one embodiment, an illustrative method herein may comprise: obtaining, by a device, one or more independent telemetry streams, wherein each of the one or more independent telemetry streams is uniquely identifiable by a span identifier; translating, by the device, each of the one or more independent telemetry streams into a corresponding QUIC protocol stream; mapping, by the device, the span identifier of each of the one or more independent telemetry streams to a respective stream identifier that uniquely identifies a QUIC channel of a multiplexed QUIC protocol stream; and communicating, by the device, the multiplexed QUIC protocol stream containing each of the one or more independent telemetry streams on its corresponding QUIC channel to cause a retrieving device to determine the span identifier of each of the one or more independent telemetry streams based on their respective stream identifier.

    DEMAND-BASED SCALING OF ENTERPRISE WORKLOADS INTO CLOUD NETWORKS

    Publication number: US20240388533A1

    Publication date: 2024-11-21

    Application number: US18786114

    Application date: 2024-07-26

    Abstract: Techniques for scaling additional capacity for secure access solutions and other workloads of enterprise edge networks in and out of a cloud-computing network based on demand. The techniques may include determining that a capacity associated with a secure access node of an enterprise edge network meets or exceeds a threshold capacity. Based at least in part on the capacity meeting or exceeding the threshold capacity, the techniques may include causing a facsimile of the secure access node to be spun up on a cloud-computing network that is remote from the enterprise edge network. In this way, new connection requests received from client devices can be redirected to the facsimile of the secure access node. Additionally, or alternatively, one or more existing connections between client devices and the secure access node may be migrated to the facsimile of the secure access node in the cloud.

    PRIORITIZATION OF INDIVIDUAL CHANNELS WITHIN MULTIPLEXED STREAMS FOR ZERO TRUST NETWORK ACCESS (ZTNA)

    Publication number: US20240314192A1

    Publication date: 2024-09-19

    Application number: US18122052

    Application date: 2023-03-15

    Inventor: Vincent E. Parla

    CPC classification number: H04L67/02 H04L12/66 H04L63/08

    Abstract: Techniques for using a secure access gateway to signal compute and/or network prioritization to individual streams within multiplexed sessions for zero-trust network access (ZTNA). A secure access gateway may be configured to identify weighting data and/or prioritization data associated with individual streams within the multiplexed session comprising various protocols (e.g., HTTP/2 and/or HTTP/3) and determine a gateway priority value. That is, the secure access gateway may be configured to prioritize certain types of traffic (user roles, resource types, etc.) over others, regardless of the protocol employed by the individual stream. The secure access gateway may then prioritize the processing (e.g., networking and/or computational resources) of a first stream having a more favorable gateway priority value than a second stream. Additionally, the secure access gateway may be configured to transmit indications of the gateway priority value to a target resource, such that the streams may be prioritized in the reverse direction.
