CDNI request routing using flow metadata
    3.
    Granted invention patent
    CDNI request routing using flow metadata (In force)

    Publication number: US09450913B2

    Publication date: 2016-09-20

    Application number: US14169526

    Filing date: 2014-01-31

    IPC classification: G06F15/173 H04L29/12

    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for Content Delivery Networks Interconnection (CDNI) request routing using the PCP FLOWDATA option. In one aspect, a method includes receiving a request for content, and receiving, from a PCP server, flow characteristics for providing the content, where the PCP server receives the flow characteristics for providing the content from a PCP proxy that receives the flow characteristics from the client device. The method includes transmitting first data for querying the downstream content delivery network (CDN) to determine whether the downstream CDN can provide the content and satisfy the flow characteristics. The method includes receiving a response indicating the ability of the downstream CDN to provide the content and satisfy the flow characteristics, and transmitting second data based on the response, where the client device transmits flow metadata based on the second data to the PCP proxy.

    Web caching with security as a service
    4.
    Granted invention patent
    Web caching with security as a service (In force)

    Publication number: US09288231B2

    Publication date: 2016-03-15

    Application number: US13947498

    Filing date: 2013-07-22

    IPC classification: H04L29/06

    Abstract: In one implementation, Web-Cache deployed in the Enterprise premises and cloud-based SecaaS are combined such that similar identity-based policies are enforced on both the SecaaS and content delivered from the Web-Cache. This identity-based policy implementation outside the network using SecaaS and within the network for web-cached content provides consistent identity-based security while still providing content to end-users with high performance. Content inspected and/or modified by SecaaS may be cached in the enterprise premises so that requests for content from an origin server decrease, freeing Internet bandwidth and reducing access time. Local caching of streaming content may decrease latency while local implementation of identity-based policy continues to limit the streamed content as appropriate. Local implementation of identity-based policy may reduce the load on SecaaS. Rather than using content delivery networks provided by a service provider for web-content, a cache server within the enterprise is used.

    Domain Name Service Redirection for a Content Delivery Network with Security as a Service
    5.
    Invention patent application
    Domain Name Service Redirection for a Content Delivery Network with Security as a Service (Under examination, published)

    Publication number: US20160380975A1

    Publication date: 2016-12-29

    Application number: US14748499

    Filing date: 2015-06-24

    IPC classification: H04L29/06 H04L29/12 H04L29/08

    Abstract: In one implementation, a cloud connector obtains location information for a proxy server of a security as a service (SecaaS) function. The cloud connector receives a content request from a user device for content hosted in a content delivery network (CDN). A domain name service (DNS) request, with location information, is forwarded to a DNS authoritative server. An identification of a downstream CDN server is received from the DNS authoritative server. The identification of the downstream CDN is based on the location information for the proxy server of the SecaaS function. The content is obtained from the downstream CDN server through the proxy server of the SecaaS function.

    TOKEN DELEGATION FOR THIRD-PARTY AUTHORIZATION IN COMPUTER NETWORKING
    6.
    Invention patent application
    TOKEN DELEGATION FOR THIRD-PARTY AUTHORIZATION IN COMPUTER NETWORKING (In force)

    Publication number: US20160294803A1

    Publication date: 2016-10-06

    Application number: US14674596

    Filing date: 2015-03-31

    IPC classification: H04L29/06

    Abstract: In one embodiment, first content is served by an application server to a client computer through an Internet service provider network. The first content includes a link to second content on a third-party server. A token request is sent from the third-party server to the application server in response to selection of the link by the client computer. A token is provided to the third-party server by the application server in response to the token request. The token is configured to authorize data flow at a bandwidth for the second content by the Internet service provider network to the client computer. The data flow is authorized based on an agreement for the bandwidth between an operator of the application server and an operator of the Internet service provider network.

    Provisional Bot Activity Recognition
    7.
    Invention patent application
    Provisional Bot Activity Recognition (In force)

    Publication number: US20160080395A1

    Publication date: 2016-03-17

    Application number: US14488973

    Filing date: 2014-09-17

    IPC classification: H04L29/06 H04L29/12 H04L29/08

    Abstract: In one implementation, a network device is configured to monitor communications associated with an endpoint and identify domain name service messages in the communications. Subsequently, the network device receives a hypertext transfer protocol (HTTP) request and determines whether a destination internet protocol (IP) address of the HTTP request is present in or absent from the domain name service messages. When the IP address is absent from the domain name service messages, the HTTP request is modified to trigger increased security.

    Web Caching with Security as a Service
    8.
    Invention patent application
    Web Caching with Security as a Service (In force)

    Publication number: US20150026757A1

    Publication date: 2015-01-22

    Application number: US13947498

    Filing date: 2013-07-22

    IPC classification: H04L29/06

    Abstract: In one implementation, Web-Cache deployed in the Enterprise premises and cloud-based SecaaS are combined such that similar identity-based policies are enforced on both the SecaaS and content delivered from the Web-Cache. This identity-based policy implementation outside the network using SecaaS and within the network for web-cached content provides consistent identity-based security while still providing content to end-users with high performance. Content inspected and/or modified by SecaaS may be cached in the enterprise premises so that requests for content from an origin server decrease, freeing Internet bandwidth and reducing access time. Local caching of streaming content may decrease latency while local implementation of identity-based policy continues to limit the streamed content as appropriate. Local implementation of identity-based policy may reduce the load on SecaaS. Rather than using content delivery networks provided by a service provider for web-content, a cache server within the enterprise is used.

    Identity Propagation
    9.
    Invention patent application
    Identity Propagation (In force)

    Publication number: US20140237539A1

    Publication date: 2014-08-21

    Application number: US13773157

    Filing date: 2013-02-21

    IPC classification: H04L29/06

    Abstract: In one implementation, identity-based security features and policies are applied to endpoint devices behind an intermediary device, such as a network address translation device. The access network switch authenticates an endpoint based on a user identity and a credential. A hypertext transfer protocol (HTTP) packet is generated or modified to include the user identity in an inline header. The HTTP packet including the user identity is sent to a policy enforcement device to look up one or more policies for the endpoint. The access switch receives traffic from the policy enforcement device that is filtered according to the user identity. Subsequent TCP connections may also include identity information within the TCP USER_HINT option in a synchronization packet, thus allowing identity propagation for other applications and protocols.
