SECURITY ENFORCEMENT IN VIRTUALIZED SYSTEMS
    1.
    Invention application
    SECURITY ENFORCEMENT IN VIRTUALIZED SYSTEMS (in force)

    Publication number: US20150156219A1

    Publication date: 2015-06-04

    Application number: US14620901

    Filing date: 2015-02-12

    Abstract: A system includes a virtual machine (VM) server and a policy engine server. The VM server includes two or more guest operating systems and an agent. The agent is configured to collect information from the two or more guest operating systems. The policy engine server is configured to: receive the information from the agent; generate access control information for a first guest OS, of the two or more guest operating systems, based on the information; and configure an enforcer based on the access control information.


    PROVISIONING NETWORK ACCESS THROUGH A FIREWALL
    2.
    Invention application
    PROVISIONING NETWORK ACCESS THROUGH A FIREWALL (in force)

    Publication number: US20140351917A1

    Publication date: 2014-11-27

    Application number: US14454912

    Filing date: 2014-08-08

    CPC classification number: H04L63/02 H04L63/0227 H04L63/08 H04L63/10

    Abstract: A method may include determining one or more rules and communicating the one or more rules to a firewall, where the firewall receives a data unit and determines, based on the one or more rules, whether to forward the data unit to a destination address; receiving a redirection of a device from the firewall when the firewall determines not to forward the data unit to the destination address; receiving an indication that the firewall did not forward the data unit to the destination address; and determining a new rule to allow the firewall to forward the data unit to the destination address and communicating the new rule to the firewall; and redirecting the device to the destination address.


    PROVISIONING LAYER THREE ACCESS FOR AGENTLESS DEVICES
    3.
    Invention application
    PROVISIONING LAYER THREE ACCESS FOR AGENTLESS DEVICES (in force)

    Publication number: US20140123217A1

    Publication date: 2014-05-01

    Application number: US14148094

    Filing date: 2014-01-06

    CPC classification number: H04L63/08 H04L63/0263 H04L63/104 H04L63/20

    Abstract: A method may include obtaining a layer two identification of an endpoint that is seeking access to a network, the endpoint omitting an agent to communicate a layer three address of the endpoint to a policy node, applying one or more authentication rules based on the layer two identification of the endpoint, assigning the layer three address to the endpoint, learning, by the policy node, the layer three address of the endpoint, and provisioning layer three access for the endpoint to the network based on the learned layer three address.


    SINGLE SIGN-ON FOR NETWORK APPLICATIONS
    4.
    Invention application
    SINGLE SIGN-ON FOR NETWORK APPLICATIONS (in force)

    Publication number: US20140137225A1

    Publication date: 2014-05-15

    Application number: US14148051

    Filing date: 2014-01-06

    Abstract: A method may include authenticating a device to a first server, where the device includes an agent; receiving a request, in the first server from a second server, to verify the authenticity of the device, where the device is not authenticated to the second server; sending a browser plug-in to the device to communicate with the agent for verifying the authenticity of the device; receiving, in the first server, a message from the agent verifying the authenticity of the device; and sending a message from the first server to the second server to authenticate the device to the second server.

