公开(公告)号：US11683309B2

公开(公告)日：2023-06-20

申请号：US17169086

申请日：2021-02-05

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus GP Bosch ,  Jeffrey Michael Napper ,  Alessandro Duminuco ,  Sape Jurrien Mullender ,  Julien Barbot ,  Vinny Parla

IPC: H04L9/40 ,  H04L61/4511

CPC classification number: H04L63/10 ,  H04L61/4511 ,  H04L63/0876 ,  H04L63/20 ,  H04L63/0272

Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques include a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.

公开(公告)号：US20230283608A1

公开(公告)日：2023-09-07

申请号：US18197895

申请日：2023-05-16

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus GP Bosch ,  Jeffrey Michael Napper ,  Alessandro Duminuco ,  Sape Jurrien Mullender ,  Julien Barbot ,  Vinny Parla

IPC: H04L9/40 ,  H04L61/4511

CPC classification number: H04L63/10 ,  H04L61/4511 ,  H04L63/0876 ,  H04L63/20 ,  H04L63/0272

Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques include a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.

公开(公告)号：US20220255937A1

公开(公告)日：2022-08-11

申请号：US17169086

申请日：2021-02-05

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus GP Bosch ,  Jeffrey Michael Napper ,  Alessandro Duminuco ,  Sape Jurrien Mullender ,  Julien Barbot ,  Vinny Parla

IPC: H04L29/06 ,  H04L29/12

Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques include a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.

公开(公告)号：US20220116381A1

公开(公告)日：2022-04-14

申请号：US17069540

申请日：2020-10-13

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G.P. Bosch ,  Alessandro Duminuco ,  Julien Barbot ,  Jeffrey Michael Napper ,  Sape Jurrien Mullender

IPC: H04L29/06

Abstract: Techniques for using a single sign-on (SSO) service as a software defined networking (SDN) controller for a virtual private network environment. The techniques disclosed herein may include receiving, at a first authentication service, first data including a first request to authenticate a user of a client device to access an application. The techniques may also include sending, to the client device, second data representing a second request configured to prompt a second authentication service to authenticate the user of the client device. Additionally, the first authentication service may receive an indication that the user was authenticated by the second authentication service and determine, based at least in part on an attribute associated with at least one of the client device or the application, whether the client device is to access the application using an unsecured connection or, alternatively, access the application using a secured connection.

公开(公告)号：US20230229811A1

公开(公告)日：2023-07-20

申请号：US17843355

申请日：2022-06-17

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G.P. Bosch ,  Alessandro Duminuco ,  Sape Jurriën Mullender ,  Julien Barbot ,  Ariel Shuper

IPC: G06F21/62 ,  G06F9/54

CPC classification number: G06F21/629 ,  G06F9/547

Abstract: In one embodiment, an illustrative method may comprise: monitoring, by a process, a behavior of an application between one or more client devices and an application programming interface service; establishing, by the process, an application model of objects and functions within the application based on the behavior; and determining, by the process, an authorization logic of the application for the objects and functions based on the application model. In one embodiment, the illustrative method further comprises: testing one or more authorization approaches against the application to determine one or more discrepancies within the authorization logic indicative of faulty authorizations; and mitigating the one or more discrepancies.

公开(公告)号：US11457008B2

公开(公告)日：2022-09-27

申请号：US17069540

申请日：2020-10-13

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G. P. Bosch ,  Alessandro Duminuco ,  Julien Barbot ,  Jeffrey Michael Napper ,  Sape Jurrien Mullender

IPC: G06F7/04 ,  G06F15/16 ,  G06F17/30 ,  H04L29/06 ,  H04L9/40

Abstract: Techniques for using a single sign-on (SSO) service as a software defined networking (SDN) controller for a virtual private network environment. The techniques disclosed herein may include receiving, at a first authentication service, first data including a first request to authenticate a user of a client device to access an application. The techniques may also include sending, to the client device, second data representing a second request configured to prompt a second authentication service to authenticate the user of the client device. Additionally, the first authentication service may receive an indication that the user was authenticated by the second authentication service and determine, based at least in part on an attribute associated with at least one of the client device or the application, whether the client device is to access the application using an unsecured connection or, alternatively, access the application using a secured connection.

公开(公告)号：US12261847B2

公开(公告)日：2025-03-25

申请号：US18197895

申请日：2023-05-16

Applicant: Cisco Technology, Inc.

Inventor： Hendrikus G P Bosch ,  Jeffrey Michael Napper ,  Alessandro Duminuco ,  Sape Jurrien Mullender ,  Julien Barbot ,  Vinny Parla

IPC: H04L9/40 ,  H04L61/4511

Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques include a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.

公开(公告)号：US11516260B2

公开(公告)日：2022-11-29

申请号：US17166921

申请日：2021-02-03

Applicant: Cisco Technology, Inc.

Inventor： Alessandro Duminuco ,  Hendrikus G. P. Bosch ,  Jeffrey Michael Napper ,  Vinny Parla ,  Julien Barbot ,  Sape Jurrien Mullender

IPC: G06F17/00 ,  H04L9/40 ,  H04L67/141 ,  H04L67/146 ,  H04L61/4511 ,  H04L67/01

Abstract: Techniques for utilizing an enterprise traffic interception service (TIS) to enforce policies that mandate how clients access software as a service (SaaS) offered by service providers and selectively intercept enterprise network traffic utilizing a domain name service (DNS) and a single sign-on (SSO) service on a per-client per-service basis. The TIS may include a DNS server, an identity provider service, a TLS inspecting proxy, and/or a policy server. The DNS server may handle requests to resolve an address of a service, and identify a policy, stored in the policy server, to redirect the client based on the identity of the client and the service. The identity provider service may later query the policy server during client authorization for the service to verify that the client request is in line with the policy and allow or deny access to the service.

公开(公告)号：US20220247791A1

公开(公告)日：2022-08-04

申请号：US17166921

申请日：2021-02-03

Applicant: Cisco Technology, Inc.

Inventor： Alessandro Duminuco ,  Hendrikus G.P. Bosch ,  Jeffrey Michael Napper ,  Vinny Parla ,  Julien Barbot ,  Sape Jurrien Mullender

IPC: H04L29/06 ,  H04L29/12 ,  H04L29/08

Abstract: Techniques for utilizing an enterprise traffic interception service (TIS) to enforce policies that mandate how clients access software as a service (SaaS) offered by service providers and selectively intercept enterprise network traffic utilizing a domain name service (DNS) and a single sign-on (SSO) service on a per-client per-service basis. The TIS may include a DNS server, an identity provider service, a TLS inspecting proxy, and/or a policy server. The DNS server may handle requests to resolve an address of a service, and identify a policy, stored in the policy server, to redirect the client based on the identity of the client and the service. The identity provider service may later query the policy server during client authorization for the service to verify that the client request is in line with the policy and allow or deny access to the service.