USING AN END-TO-END POLICY CONTROLLER TO SPLIT POLICIES BETWEEN ENFORCEMENT POINTS IN A NETWORK

    Publication (Announcement) No.: US20240214424A1

    Publication (Announcement) Date: 2024-06-27

    Application No.: US18089212

    Application Date: 2022-12-27

    CPC classification number: H04L63/20

    Abstract: Techniques for using an end-to-end policy controller to utilize an inventory of enforcement points to generate a chain of enforcement points having capabilities to enforce individual operations of an intent-based security policy associated with an entity accessing a resource. A network controller may intelligently split an intent-based security policy and send portions thereof to enforcement points along a path configured for an entity to access a resource. For example, a portion of a security policy corresponding to an operation may be mapped to and implemented by an enforcement point having a capability to perform the operation. Once each operation of a security policy has been mapped to an enforcement point, a chain of enforcement points may be generated.

    2. Transport control protocol sequence number recovery in stateful devices (granted patent, in force)

    Publication (Announcement) No.: US09426262B2

    Publication (Announcement) Date: 2016-08-23

    Application No.: US14246365

    Application Date: 2014-04-07

    CPC classification number: H04L69/40 H04L63/02 H04L69/163

    Abstract: Techniques are presented herein for optimizing network traffic exchanged between devices in a network. A firewall device in a network detects a firewall failure event. In response to detecting the firewall failure event, the firewall device changes from a standby state to an active state in managing a network connection between a source device and a destination device in the network. The firewall device generates a synchronization message and sends the synchronization message to the destination device. The firewall device receives from the destination device a response message that includes synchronization information.


    3. Method and apparatus for diagnosing interface oversubscription and microbursts (granted patent, in force)

    Publication (Announcement) No.: US09306854B2

    Publication (Announcement) Date: 2016-04-05

    Application No.: US13778339

    Application Date: 2013-02-27

    CPC classification number: H04L47/12

    Abstract: A methodology is described for providing a dedicated interface-level oversubscription diagnostics queue that would store header data and timestamps for ingress frames which would otherwise be dropped due to the input FIFO queue being full. When the microburst is over, the data may be transmitted to the main CPU to analyze the cause of oversubscription as well as affected traffic.


    4. Method and Apparatus for Diagnosing Interface Oversubscription and Microbursts (patent application, in force)

    Publication (Announcement) No.: US20140241151A1

    Publication (Announcement) Date: 2014-08-28

    Application No.: US13778339

    Application Date: 2013-02-27

    CPC classification number: H04L47/12

    Abstract: A methodology is described for providing a dedicated interface-level oversubscription diagnostics queue that would store header data and timestamps for ingress frames which would otherwise be dropped due to the input FIFO queue being full. When the microburst is over, the data may be transmitted to the main CPU to analyze the cause of oversubscription as well as affected traffic.


    INFERENCE-BASED SELECTIVE FLOW INSPECTION

    Publication (Announcement) No.: US20240406147A1

    Publication (Announcement) Date: 2024-12-05

    Application No.: US18526253

    Application Date: 2023-12-01

    Abstract: Techniques for augmenting deep packet inspection capabilities of a network security device provisioned in a networked computing environment with inference-based flow selection to focus processing resources on network traffic that is likely to be malicious. The network device(s) may receive decryption policies comprising one or more decrypt and/or do not decrypt rules for applying the decryption policy to the network traffic. The network device may receive network traffic associated with a given connection flow through the network between a client device and a workload application, and the network device may determine whether to decrypt or refrain from decrypting the network traffic associated with the network flow based on a risk score that is generated by the network device using connection fingerprints associated with the client device and the workload application, respectively, based on behavioral characteristics of the client device and the workload, respectively.

    Selective offloading of packet flows with flow state management

    Publication (Announcement) No.: US11115385B1

    Publication (Announcement) Date: 2021-09-07

    Application No.: US15220697

    Application Date: 2016-07-27

    Abstract: A first packet of a packet flow is received at a classifying network device. The first packet is forwarded from the classifying network device to a firewall network device. An indication that the packet flow is to be offloaded is received at the classifying network device. Data is stored at the classifying network device indicating that the packet flow is to be offloaded. A non-control packet of the packet flow is received at the classifying network device. A determination is made that the non-control packet belongs to the packet flow by comparing data contained in the non-control packet to the stored data. The non-control packet of the packet flow is directed to a processing entity in response to the determining. A control packet of the packet flow is received at the classifying network device. The control packet of the packet flow is directed to the firewall network device.

    PORT ADDRESS TRANSLATION SCALABILITY IN STATEFUL NETWORK DEVICE CLUSTERING

    Publication (Announcement) No.: US20200296075A1

    Publication (Announcement) Date: 2020-09-17

    Application No.: US16885620

    Application Date: 2020-05-28

    Abstract: A method is performed by a master network device among network devices of a cluster. The master network device receives cluster configuration information including a set of Internet Protocol (IP) addresses and a pool of port blocks associated with the IP addresses. Each port block includes multiple ports, and the pool of the port blocks is to be shared across the network devices for port address translation. The master network device divides the port blocks in the pool into multiple buckets. The master network device allocates to each network device in the cluster a corresponding one of the buckets, and reserves each bucket that is not allocated for allocation to a potential new network device. When a new network device joins the cluster, the master network device allocates to the new network device the port blocks from a corresponding one of the reserved buckets.

    Stateful connection processing in a security device cluster

    Publication (Announcement) No.: US09860209B2

    Publication (Announcement) Date: 2018-01-02

    Application No.: US14709777

    Application Date: 2015-05-12

    CPC classification number: H04L63/0227 H04L47/10 H04L63/0254

    Abstract: A method operable in a security device cluster having a plurality of security devices each configured to receive respective data flows. The method includes receiving a first segment of a flow at a first security device of the plurality of security devices, sending the first segment of the flow toward a destination node without the first security device of the plurality of security devices asserting ownership over the flow, receiving, from the destination node, a second segment of the flow at a second security device of the plurality of security devices, the second segment of the flow being responsive to the first segment, asserting, by the second security device of the plurality of security devices, ownership over the flow, and forwarding, from the first security device, packets of the flow subsequently received by the first security device to the second security device.

    9. Seamless Engagement and Disengagement of Transport Layer Security Proxy Services (patent application, in force)

    Publication (Announcement) No.: US20140082204A1

    Publication (Announcement) Date: 2014-03-20

    Application No.: US13623127

    Application Date: 2012-09-20

    CPC classification number: H04L63/166

    Abstract: Techniques are presented for seamless engagement and disengagement of Transport Layer Security proxy services. A first initial message of a handshaking procedure for a first secure communication session between a first device and a second device is intercepted at a proxy device. The first initial message of the handshaking procedure is saved at the proxy device. A second initial message of a second handshaking procedure for a second secure communication session between the proxy device and the second device is sent from the proxy device to the second device. It is determined from the second handshaking procedure that inspection of the first secure communication session is not to be performed by the proxy device. The first secure communication session is established without examination of the communication traffic by the proxy device.


    SELECTIVE OFFLOADING OF PACKET FLOWS WITH FLOW STATE MANAGEMENT

    Publication (Announcement) No.: US20250016136A1

    Publication (Announcement) Date: 2025-01-09

    Application No.: US18621596

    Application Date: 2024-03-29

    Abstract: A first packet of a packet flow is received at a classifying network device. The first packet is forwarded from the classifying network device to a firewall network device. An indication that the packet flow is to be offloaded is received at the classifying network device. Data is stored at the classifying network device indicating that the packet flow is to be offloaded. A non-control packet of the packet flow is received at the classifying network device. A determination is made that the non-control packet belongs to the packet flow by comparing data contained in the non-control packet to the stored data. The non-control packet of the packet flow is directed to a processing entity in response to the determining. A control packet of the packet flow is received at the classifying network device. The control packet of the packet flow is directed to the firewall network device.
