-
Publication No.: US20250097237A1
Publication date: 2025-03-20
Application No.: US18470021
Application date: 2023-09-19
Applicant: Cisco Technology, Inc.
Inventor: Vincent Parla
Abstract: In one aspect, a method for penetration testing for optimization of network security policies is disclosed. The method includes determining, by a security management service, that one or more cybersecurity threats successfully penetrated a security service protecting a pseudo-target in a penetration testing environment, analyzing, by the security management service, the one or more cybersecurity threats that successfully penetrated the security service to characterize the one or more cybersecurity threats, and generating, by the security management service, an update of a policy used by the security service that would prevent the one or more cybersecurity threats from penetrating the security service, based on the analysis of the one or more cybersecurity threats.
-
Publication No.: US20250039220A1
Publication date: 2025-01-30
Application No.: US18537516
Application date: 2023-12-12
Applicant: Cisco Technology, Inc.
Inventor: Vincent Parla , Stephen Craig Connors, JR.
IPC: H04L9/40
Abstract: A system and method are provided for dynamically placing security controls in a network infrastructure. Input values representing the workload are ingested. A network component is placed in front of the workload to process/filter ingress traffic into the workload. The input values are analyzed to determine the asset criticality of the workload and to determine the vulnerabilities to which the workload is susceptible. Based on this analysis of the input values, compensating controls are selected to protect the workload from the determined vulnerabilities, and the network component is dynamically programmed to perform these compensating controls on the ingress traffic. The network component is located directly in front of the workload, and it can be a data processing unit (DPU), a Berkeley packet filter (BPF), and/or an extended BPF (eBPF) capability.
-
Publication No.: US20230017382A1
Publication date: 2023-01-19
Application No.: US17377294
Application date: 2021-07-15
Applicant: Cisco Technology, Inc.
Inventor: Danxiang Li , Vincent Parla , Andrzej Kielbasinski , Dany Jacques Rochefort
Abstract: Systems and methods are provided for receiving information associated with a final single sign-on page from a native browser, extracting a public key from the information associated with the final single sign-on page, generating a single sign-on token to bind a browser session and a native application session, associating the single sign-on token with the public key extracted from the information associated with the final single sign-on page, and encrypting the single sign-on token with the public key to bind the browser session and the native application session.
-
Publication No.: US20230015687A1
Publication date: 2023-01-19
Application No.: US17376646
Application date: 2021-07-15
Applicant: Cisco Technology, Inc.
Inventor: Vincent Parla , Kyle Andrew Donald Mestery
IPC: H04L29/08 , H04L12/741 , H04L12/859
Abstract: Techniques for using computer networking protocol extensions to route control-plane traffic and data-plane traffic associated with a common application are described herein. For instance, a traffic flow associated with an application may be established such that control-plane traffic is sent to a control-plane node associated with the application and data-plane traffic is sent to a data-plane node associated with the application. When a client device sends an authentication request to connect to the application, the control-plane node may send an indication of a hostname to be used by the client device to send data-plane traffic to the data-node. As such, when a packet including the hostname corresponding with the data-plane node is received, the packet may be forwarded to the data-plane node.
-
Publication No.: US20250039143A1
Publication date: 2025-01-30
Application No.: US18625739
Application date: 2024-04-03
Applicant: Cisco Technology, Inc.
Inventor: Vincent Parla , Kyle Andrew Donald Mestery , Andrew Zawadowskiy
Abstract: A system and method are provided for communicating security service context within a network. Intermediary nodes located along the path of a data flow apply various security services to the data flow, and keep a record of the security services by generating in-band and out-of-band information. The in-band information is limited, e.g., by the maximum transmission unit (MTU), to short attestations that fit within optional IPv6 extension headers. The out-of-band information, which is recorded, e.g., in a ledger using an overlay network, provides additional information fully describing the security services. Based on the in-band and out-of-band information (e.g., using the attestations to retrieve the additional information from the ledger), the data flow is either allowed or denied entrance to a particular workload. Applying the security services and generating the in-band and out-of-band information can be performed using data processing units (DPUs) and/or extended Berkeley packet filters (eBPFs).
-
Publication No.: US20250039133A1
Publication date: 2025-01-30
Application No.: US18623550
Application date: 2024-04-01
Applicant: Cisco Technology, Inc.
Inventor: Kyle Andrew Donald Mestery , Vincent Parla
IPC: H04L9/40
Abstract: A system and method are provided for adding in-band metadata to a data flow. The in-band metadata can be based on observations by an extended Berkeley packet filter (eBPF) of an application running in a datacenter, for example. A processor executes the application to generate data that is encoded in the payloads of packets in a data flow to be transmitted via a network to a destination. The eBPF is also executed on the processor and generates observations of the application (e.g., OSI layer 7 observations). Metadata is generated based on the observations and encoded into headers of the packets of the data flow. The metadata can then be used at the destination to determine the next processing steps for the data flow (e.g., whether the data flow is trusted and allowed into another workload).
-
Publication No.: US20240314219A1
Publication date: 2024-09-19
Application No.: US18670513
Application date: 2024-05-21
Applicant: Cisco Technology, Inc.
Inventor: Vincent Parla , Kyle Andrew Donald Mestery
IPC: H04L67/63 , H04L45/74 , H04L47/2475 , H04L67/1001
CPC classification number: H04L67/63 , H04L45/74 , H04L47/2475 , H04L67/1001
Abstract: Techniques for using computer networking protocol extensions to route control-plane traffic and data-plane traffic associated with a common application are described herein. For instance, a traffic flow associated with an application may be established such that control-plane traffic is sent to a control-plane node associated with the application and data-plane traffic is sent to a data-plane node associated with the application. When a client device sends an authentication request to connect to the application, the control-plane node may send an indication of a hostname to be used by the client device to send data-plane traffic to the data-node. As such, when a packet including the hostname corresponding with the data-plane node is received, the packet may be forwarded to the data-plane node.
-
Publication No.: US20220417158A1
Publication date: 2022-12-29
Application No.: US17357461
Application date: 2021-06-24
Applicant: Cisco Technology, Inc.
Inventor: Vincent Parla , Andrew Zawadowskiy , Oleg Bessonov , Hendrikus G. P. Bosch
IPC: H04L12/851
Abstract: A method of defining the priority of a number of data packets within a queue includes generating a policy. The policy defines a first multiplexed channel of a plurality of multiplexed channels, the first multiplexed channel having a first priority. The policy also defines a second multiplexed channel of the plurality of multiplexed channels, the second multiplexed channel having a second priority. The first priority is defined as being of a higher priority relative to the second priority. The method further includes receiving the number of data packets over the plurality of multiplexed channels associated with a session, based at least in part on the policy.
-
Publication No.: US20250039239A1
Publication date: 2025-01-30
Application No.: US18752049
Application date: 2024-06-24
Applicant: Cisco Technology, Inc.
Inventor: Vincent Parla , Eric Maximilian Roquemore , John Michael Lake , Andrew Zawadowskiy
IPC: H04L9/40
Abstract: A system and method are provided for placing security operations at selected enforcement points in a distributed security fabric. The enforcement points at which the security operations are placed can be endpoints, nodes, and/or network devices within the network. The security operations can be updated by monitoring data flows through the network to generate network data, and then determining, based on the generated network data, one or more changes to the security operations. Recommended changes can be obtained by applying the network data to a machine-learning model that indicates suspicious data packets (e.g., discriminates packets suspected of being malicious from normal traffic) and crafts new policies to deny the suspicious data packets. Performance of the network can also be improved by analyzing the security operations for redundancies and/or inefficiencies and modifying the security operations to mitigate them.
-
Publication No.: US20250039135A1
Publication date: 2025-01-30
Application No.: US18779939
Application date: 2024-07-22
Applicant: Cisco Technology, Inc.
IPC: H04L9/40
Abstract: A system and method are provided that use metadata encoded in a data flow to determine security actions to perform at a policy-enforcement point, based on the security-chain context for the data flow that is provided by the metadata (e.g., the security-chain context can include which security operations have been performed upstream on which data packets). The policy-enforcement point receives the data flow and the metadata, including attestations of the security operations that have previously (e.g., upstream) been applied to the data flow. Based on the attested security operations, the policy-enforcement point selects what security actions to apply next to the data flow, e.g., apply additional security operations, allow the data flow into a workload or trust zone, drop the workload, or perform dynamic load balancing.