Patents by Inventor Fabio R. Maino
Fabio R. Maino has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 10298595
  Abstract: Methods and apparatus are provided for improving both node-based and message-based security in a fiber channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fiber channel network entities into a fiber channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fiber channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.
  Type: Grant
  Filed: December 15, 2014
  Date of Patent: May 21, 2019
  Assignee: Cisco Technology, Inc.
  Inventors: Fabio R. Maino, Marco Di Benedetto, Claudio Desanti
- Patent number: 10187321
  Abstract: High-level network policies that represent a virtual private network (VPN) as a high-level policy model are received. The VPN is to provide secure connectivity between connection sites of the VPN based on the high-level network policies. The high-level network policies are translated into low-level device configuration information represented in a network overlay and used for configuring a network underlay that provides the connection sites to the VPN. The network underlay is configured with the device configuration information so that the network underlay implements the VPN in accordance with the high-level policies. It is determined whether the network underlay is operating to direct traffic flows between the connection sites in compliance with the high-level network policies. If it is determined that the network underlay is not operating in compliance, the network underlay is reconfigured with new low-level device configuration information so that the network underlay operates in compliance.
  Type: Grant
  Filed: March 2, 2016
  Date of Patent: January 22, 2019
  Assignee: Cisco Technology, Inc.
  Inventors: Fabio R. Maino, Horia Miclea, John Evans, Brian Eliot Weis, Vina Ermagan
- Publication number: 20190020985
  Abstract: A method in one embodiment includes intercepting a message in an on-board unit (OBU) of a vehicular network environment between a source and a receiver in the vehicular network environment, verifying the message is sent from the source, verifying the message is not altered, evaluating a set of source flow control policies associated with the source, and blocking the message if the set of source flow control policies indicates the message is not permitted. In specific embodiments, the message is not permitted if a level of access assigned to the source in the set of source flow control policies does not match a level of access tagged on the message. In further embodiments, the method includes evaluating a set of receiver flow control policies associated with the receiver, and blocking the message if the set of receiver flow control policies indicates the message is not permitted.
  Type: Application
  Filed: September 11, 2018
  Publication date: January 17, 2019
  Inventors: Lillian Lei Dai, Sateesh K. Addepalli, Xiaoqing Zhu, Preethi Natarajan, Rong Pan, Fabio R. Maino, Flavio Bonomi, Alexander Loukissas, Vina Ermagan, Pere Monclus
- Patent number: 10117066
  Abstract: A method in one embodiment includes intercepting a message in an on-board unit (OBU) of a vehicular network environment between a source and a receiver in the vehicular network environment, verifying the message is sent from the source, verifying the message is not altered, evaluating a set of source flow control policies associated with the source, and blocking the message if the set of source flow control policies indicates the message is not permitted. In specific embodiments, the message is not permitted if a level of access assigned to the source in the set of source flow control policies does not match a level of access tagged on the message. In further embodiments, the method includes evaluating a set of receiver flow control policies associated with the receiver, and blocking the message if the set of receiver flow control policies indicates the message is not permitted.
  Type: Grant
  Filed: September 12, 2014
  Date of Patent: October 30, 2018
  Assignee: Cisco Technology, Inc.
  Inventors: Sateesh K. Addepalli, Lillian Lei Dai, Flavio Bonomi, Xiaoqing Zhu, Fabio R. Maino, Pere Monclus, Rong Pan, Preethi Natarajan, Vina Ermagan, Alexander Loukissas
- Patent number: 9888363
  Abstract: A method in one example embodiment includes identifying a power state and a battery level of a vehicle. The method also includes allocating power to critical applications (for example) in response to determining that the battery level is above a reserve threshold while the power state of the vehicle is engine-off. The method also includes allocating remaining power in excess of the reserve threshold to non-critical applications according to a power management policy. The power management policy may comprise at least one of a user power preference index and an application power preference index.
  Type: Grant
  Filed: February 11, 2015
  Date of Patent: February 6, 2018
  Assignee: Cisco Technology, Inc.
  Inventors: Sateesh K. Addepalli, Fabio R. Maino, Lillian Lei Dai, Raghuram S. Sudhaakar, Chin-Ju Chen, Erick D. Lee
- Publication number: 20170054758
  Abstract: High-level network policies that represent a virtual private network (VPN) as a high-level policy model are received. The VPN is to provide secure connectivity between connection sites of the VPN based on the high-level network policies. The high-level network policies are translated into low-level device configuration information represented in a network overlay and used for configuring a network underlay that provides the connection sites to the VPN. The network underlay is configured with the device configuration information so that the network underlay implements the VPN in accordance with the high-level policies. It is determined whether the network underlay is operating to direct traffic flows between the connection sites in compliance with the high-level network policies. If it is determined that the network underlay is not operating in compliance, the network underlay is reconfigured with new low-level device configuration information so that the network underlay operates in compliance.
  Type: Application
  Filed: March 2, 2016
  Publication date: February 23, 2017
  Inventors: Fabio R. Maino, Horia Miclea, John Evans, Brian Eliot Weis, Vina Ermagan
- Publication number: 20170026417
  Abstract: Aspects of the embodiments are directed to systems, methods, and computer program products to program, via a northbound interface, a mapping between an endpoint identifier (EID) and a routing locator (RLOC) directly into a mapping database at a mapping system; receive, from a first tunneling router associated with a first virtual network, a mapping request to a second virtual network, the first router compliant with a Locator/ID Separation Protocol, the mapping request comprising an EID tuple that includes a source identifier and a destination identifier; identify an RLOC based, at least in part, on the destination identifier of the EID tuple from the mapping database; and transmit the RLOC to the first tunneling router, implementing a high-level policy that has been dynamically resolved into a state of the mapping database.
  Type: Application
  Filed: July 22, 2016
  Publication date: January 26, 2017
  Applicant: CISCO TECHNOLOGY, INC.
  Inventors: Vina Ermagan, Fabio R. Maino, Florin T. Coras, Marius Horia Miclea, John William Evans, Paul Quinn, Darrel Jay Lewis, Brian E. Weis
- Patent number: 9178828
  Abstract: An example method for service insertion in a network environment is provided in one example and includes configuring a service node by tagging one or more interface ports of a virtual switch function to which the service node is connected with one or more policy identifiers. When data traffic associated with a policy identifier is received on a virtual overlay path, the virtual switch function may then terminate the virtual overlay path and direct raw data traffic to the interface port of the service node that is tagged to the policy identifier associated with the data traffic.
  Type: Grant
  Filed: April 26, 2013
  Date of Patent: November 3, 2015
  Assignee: CISCO TECHNOLOGY, INC.
  Inventors: Surendra M. Kumar, Dileep K. Devireddy, Nagaraj A. Bagepalli, Abhijit Patra, Vina Ermagan, Fabio R. Maino, Victor Manuel Moreno, Paul Quinn
- Publication number: 20150222708
  Abstract: A method in one example embodiment includes identifying a power state and a battery level of a vehicle. The method also includes allocating power to critical applications (for example) in response to determining that the battery level is above a reserve threshold while the power state of the vehicle is engine-off. The method also includes allocating remaining power in excess of the reserve threshold to non-critical applications according to a power management policy. The power management policy may comprise at least one of a user power preference index and an application power preference index.
  Type: Application
  Filed: February 11, 2015
  Publication date: August 6, 2015
  Applicant: CISCO TECHNOLOGY, INC.
  Inventors: Sateesh K. Addepalli, Fabio R. Maino, Lillian Lei Dai, Raghuram S. Sudhaakar, Chin-Ju Chen, Erick D. Lee
- Publication number: 20150101029
  Abstract: Methods and apparatus are provided for improving both node-based and message-based security in a fibre channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fibre channel network entities into a fibre channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fibre channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.
  Type: Application
  Filed: December 15, 2014
  Publication date: April 9, 2015
  Inventors: Fabio R. Maino, Marco Di Benedetto, Claudio Desanti
- Patent number: 8990582
  Abstract: Techniques for memory compartmentalization for trusted execution of a virtual machine (VM) on a multi-core processing architecture are described. Memory compartmentalization may be achieved by encrypting layer 3 (L3) cache lines using a key under the control of a given VM within the trust boundaries of the processing core on which that VM is executed. Further, embodiments described herein provide an efficient method for storing and processing encryption-related metadata associated with each encrypt/decrypt operation performed for the L3 cache lines.
  Type: Grant
  Filed: May 27, 2010
  Date of Patent: March 24, 2015
  Assignee: Cisco Technology, Inc.
  Inventors: Fabio R. Maino, Pere Monclus, David A. McGrew
- Patent number: 8949931
  Abstract: A method includes determining an application role in a distributed application in a network environment, generating a role profile for the application role from an interaction pattern, mapping the role profile to a virtual machine (VM), and detecting a security breach of the VM. Determining the application role includes obtaining network traces from the distributed application, and analyzing the network traces to extract the application role. In one embodiment, detection of the security breach includes generating an access control policy for the VM from the role profile, and determining an anomaly in traffic based thereon. In another embodiment, detection of the security breach includes inserting the role profile in a port profile of the VM, generating a small state machine from the role profile, running the small state machine on a port associated with the VM, and inspecting, by the small state machine, an application level traffic at the port.
  Type: Grant
  Filed: May 2, 2012
  Date of Patent: February 3, 2015
  Assignee: Cisco Technology, Inc.
  Inventors: Vina Ermagan, Suraj Nellikar, Sudarshana Kandachar Sridhara Rao, Fabio R. Maino, Massimiliano Menarini
- Publication number: 20150029987
  Abstract: A method in one embodiment includes intercepting a message in an on-board unit (OBU) of a vehicular network environment between a source and a receiver in the vehicular network environment, verifying the message is sent from the source, verifying the message is not altered, evaluating a set of source flow control policies associated with the source, and blocking the message if the set of source flow control policies indicates the message is not permitted. In specific embodiments, the message is not permitted if a level of access assigned to the source in the set of source flow control policies does not match a level of access tagged on the message. In further embodiments, the method includes evaluating a set of receiver flow control policies associated with the receiver, and blocking the message if the set of receiver flow control policies indicates the message is not permitted.
  Type: Application
  Filed: September 12, 2014
  Publication date: January 29, 2015
  Applicant: CISCO TECHNOLOGY, INC.
  Inventors: Sateesh K. Addepalli, Lillian Lei Dai, Flavio Bonomi, Xiaoqing Zhu, Fabio R. Maino, Pere Monclus, Rong Pan, Preethi Natarajan, Vina Ermagan, Alexander Loukissas
- Publication number: 20140380442
  Abstract: A method in one embodiment includes authenticating a first agent to an on board unit (OBU) of a vehicle if the first agent validates a first set of one or more authentication requirements and identifying a first identity profile corresponding to the first agent. The method also includes determining a role of the first agent in the vehicle and configuring the vehicle with the first identity profile, where the vehicle is configured based, at least in part, on the role of the first agent. In this embodiment, the first identity profile is one of a plurality of identity profiles provisioned on the OBU. In specific embodiments, each one of a plurality of agents corresponds to a respective one of the plurality of identity profiles, and includes one or more of a human agent, a machine device, a software agent, an authorized entity, and a mobile device.
  Type: Application
  Filed: September 12, 2014
  Publication date: December 25, 2014
  Applicant: CISCO TECHNOLOGY, INC.
  Inventors: Sateesh K. Addepalli, Fabio R. Maino, Flavio Bonomi, Lillian Lei Dai, Vina Ermagan, Alexander Loukissas, Erick D. Lee, Landon Curt Noll
- Patent number: 8914858
  Abstract: Methods and apparatus are provided for improving both node-based and message-based security in a fiber channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fiber channel network entities into a fiber channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fiber channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.
  Type: Grant
  Filed: May 13, 2011
  Date of Patent: December 16, 2014
  Assignee: Cisco Technology, Inc.
  Inventors: Fabio R. Maino, Marco Di Benedetto, Claudio Desanti
- Patent number: 8903593
  Abstract: A method in one example embodiment includes receiving a set of data in real time from a plurality of machine devices associated with at least one vehicle, providing a set of reference data corresponding to a machine device of the plurality of machine devices, comparing the set of data with the set of reference data, and detecting a deviation within the set of data from the set of reference data. The method further includes initiating an operation associated with the deviation. The set of reference data could be a trend of previous data received from the machine device or a common trend based on a previous set of data of the machine device. More specific embodiments include receiving a plurality of data containing the set of data from the plurality of machine devices and identifying a state of the machine device using the set of data.
  Type: Grant
  Filed: May 27, 2011
  Date of Patent: December 2, 2014
  Assignee: Cisco Technology, Inc.
  Inventors: Sateesh K. Addepalli, Lillian Lei Dai, Ashok K. Moghe, Flavio Bonomi, Rodolfo A. Milito, Vina Ermagan, Fabio R. Maino, Pere Monclus
- Publication number: 20140321459
  Abstract: An example method for service insertion in a network environment is provided in one example and includes configuring a service node by tagging one or more interface ports of a virtual switch function to which the service node is connected with one or more policy identifiers. When data traffic associated with a policy identifier is received on a virtual overlay path, the virtual switch function may then terminate the virtual overlay path and direct raw data traffic to the interface port of the service node that is tagged to the policy identifier associated with the data traffic.
  Type: Application
  Filed: April 26, 2013
  Publication date: October 30, 2014
  Applicant: CISCO TECHNOLOGY, INC.
  Inventors: Surendra M. Kumar, Dileep K. Devireddy, Nagaraj A. Bagepalli, Abhijit Patra, Vina Ermagan, Fabio R. Maino, Victor Manuel Moreno, Paul Quinn
- Patent number: 8863256
  Abstract: A method in one embodiment includes detecting an event for a transaction on an on-board unit (OBU) of a vehicle, where the event has a trigger associated with an agent. The method also includes determining whether the transaction is authorized, identifying network credentials in an identity profile that corresponds to the agent, providing network credentials to a transaction application corresponding to the transaction, and accessing a remote network using the network credentials. Certain embodiments include selecting the network credentials from a plurality of available network credentials corresponding to the agent. In more specific embodiments, the network credentials include one or more virtual subscriber identity modules (VSIMs) of a plurality of VSIMs provisioned on the OBU. In specific embodiments, the network credentials are mapped to a combination of two or more of the agent, the transaction application, and a predefined current location of the vehicle.
  Type: Grant
  Filed: January 26, 2011
  Date of Patent: October 14, 2014
  Assignee: Cisco Technology, Inc.
  Inventors: Sateesh K. Addepalli, Fabio R. Maino, Flavio Bonomi, Lillian Lei Dai, Vina Ermagan, Alexander Loukissas, Erick D. Lee, Landon Curt Noll
- Patent number: 8856504
  Abstract: Techniques are described for securely booting and executing a virtual machine (VM) image in an untrusted cloud infrastructure. A multi-core processor may be configured with additional hardware components—referred to as a trust anchor. The trust anchor may be provisioned with a private/public key pair, which allows the multi-core CPU to authenticate itself as being able to securely boot and execute a virtual machine (VM) image in an untrusted cloud infrastructure.
  Type: Grant
  Filed: June 7, 2010
  Date of Patent: October 7, 2014
  Assignee: Cisco Technology, Inc.
  Inventors: Fabio R. Maino, Pere Monclus, David A. McGrew, Robert T. Bell, Steven Joseph Rich
- Patent number: 8812871
  Abstract: The present disclosure presents a method and apparatus configured to provide for the trusted execution of virtual machines (VMs) on a virtualization server, e.g., for executing VMs on a virtualization server provided within an Infrastructure as a Service (IaaS) cloud environment. A physical multi-core CPU may be configured with a hardware trust anchor. The trust anchor itself may be configured to manage session keys used to encrypt/decrypt instructions and data when a VM (or hypervisor) is executed on one of the CPU cores. When a context switch occurs due to an exception, the trust anchor swaps the session key used to encrypt/decrypt the contents of memory and cache allocated to a VM (or hypervisor).
  Type: Grant
  Filed: May 27, 2010
  Date of Patent: August 19, 2014
  Assignee: Cisco Technology, Inc.
  Inventors: Pere Monclus, Fabio R. Maino