Patents by Inventor Rajeev Chaubey

Rajeev Chaubey has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200396164
    Abstract: A network device may receive network traffic associated with a session, wherein the session is associated with a network. The network device may determine, from the network traffic, an application path that is associated with the session, wherein the application path is associated with a communication protocol and an application protocol. The network device may determine, based on policy information that is associated with the application path, whether the network traffic associated with the session is capable of being communicated via the network using the communication protocol and the application protocol. The network device may perform, based on whether the network traffic is determined to be capable of being communicated, an action associated with enabling or preventing communication of the network traffic.
    Type: Application
    Filed: June 12, 2019
    Publication date: December 17, 2020
    Inventors: Sravanthi ARIMANDA, Rajeev CHAUBEY, Rakesh Kumar SHARMA
  • Publication number: 20200366717
    Abstract: A network device may receive network traffic for an application. The network device may determine a first classification for the network traffic according to a first classification technique. The first classification may identify the network traffic as relating to a particular application or an unknown application. The network device may determine a second classification for the network traffic according to a second classification technique. The second classification may identify the network traffic as relating to an unknown application of a particular type and identity. The network device may process, based on whether the first classification identifies the network traffic as relating to the particular application or the unknown application, the network traffic according to a first security policy associated with the particular application or a second security policy associated with the unknown application of the particular type and identity.
    Type: Application
    Filed: May 17, 2019
    Publication date: November 19, 2020
    Inventor: Rajeev CHAUBEY
  • Publication number: 20200169535
    Abstract: A network device may identify an application signature associated with a web application, and may determine, based on an application-based policy associated with the web application, an access method to be used to transmit traffic associated with the web application. The network device may generate a proxy auto configuration (PAC) file using the application signature associated with the web application, and the access method to be used to transmit the traffic associated with the web application. The network device may provide the PAC file to a client device to permit the client device to transmit the traffic associated with the web application based on the PAC file.
    Type: Application
    Filed: November 28, 2018
    Publication date: May 28, 2020
    Inventors: Rajeev Chaubey, Ashok Kumar
  • Publication number: 20200053063
    Abstract: A network device decrypts a record, received from a client device, that is associated with an encrypted session between the client device and an application platform. The network device incorporates decrypted record data, from the decrypted record, into a payload field of a transmission control protocol (TCP) packet to be transmitted to another device, identifies a record header in the record, and determines, based on the record header, a record type associated with the decrypted record. Based on the record type, the network device marks the one or more TCP packets as including urgent data by setting a TCP urgent control bit in a header of the one or more TCP packets, and sets a second field, in the header of the TCP packet, to a second value that identifies an end of the urgent data, which corresponds to an end of the decrypted record data in the payload field.
    Type: Application
    Filed: May 1, 2019
    Publication date: February 13, 2020
    Inventor: Rajeev CHAUBEY
  • Publication number: 20200028822
    Abstract: A device may receive encrypted traffic associated with a secure session. The device may determine, based on the encrypted traffic, information associated with an offload service to be applied to the encrypted traffic associated with the secure session. The information associated with the offload service may indicate whether the encrypted traffic is permitted to bypass inspection by one or more security services. The device may selectively permit the encrypted traffic, associated with the secure session, to bypass inspection by the one or more security services based on the information associated with the offload service.
    Type: Application
    Filed: September 30, 2019
    Publication date: January 23, 2020
    Inventors: Khandi Sudhakar Reddy, Rajeev Chaubey
  • Patent number: 10476892
    Abstract: A device may classify an application, associated with an endpoint, based on traffic associated with the endpoint. The device may determine a reputation score associated with the endpoint. The reputation score may be indicative of a level of trustworthiness of the endpoint. The device may selectively store a classification result, associated with classifying the application, in an application cache based on the reputation score associated with the endpoint. The classification result may be selectively used to process further traffic associated with the endpoint.
    Type: Grant
    Filed: December 29, 2016
    Date of Patent: November 12, 2019
    Assignee: Juniper Networks, Inc.
    Inventors: Khandi Sudhakar Reddy, Rajeev Chaubey, Srinivas Koripella
  • Patent number: 10469453
    Abstract: A device may receive encrypted traffic associated with a secure session. The device may determine, based on the encrypted traffic, information associated with an offload service to be applied to the encrypted traffic associated with the secure session. The information associated with the offload service may indicate whether the encrypted traffic is permitted to bypass inspection by one or more security services. The device may selectively permit the encrypted traffic, associated with the secure session, to bypass inspection by the one or more security services based on the information associated with the offload service.
    Type: Grant
    Filed: February 10, 2017
    Date of Patent: November 5, 2019
    Assignee: Juniper Networks, Inc.
    Inventors: Khandi Sudhakar Reddy, Rajeev Chaubey
  • Publication number: 20190222493
    Abstract: A network device may receive network traffic for an application. The network device may identify an application layer protocol being used for the network traffic. The network device may obtain contextual information, from the network traffic, to obtain an item of contextual information, and the item of contextual information may be selected based on the application layer protocol. The network device may determine that the item of contextual information matches a stored item of contextual information. The network device may determine that a threshold has been met with regard to the stored item of contextual information. The network device may generate an application signature for the application based on the item of contextual information. The network device may send the application signature to another device to permit the other device to identify the application based on the application signature.
    Type: Application
    Filed: March 28, 2019
    Publication date: July 18, 2019
    Inventors: Thyagarajan S. PASUPATHY, Venkata Rama Raju Manthena, Rajeev Chaubey
  • Patent number: 10291598
    Abstract: A network device decrypts a record, received from a client device, that is associated with an encrypted session between the client device and an application platform. The network device incorporates decrypted record data, from the decrypted record, into a payload field of a transmission control protocol (TCP) packet to be transmitted to another device, identifies a record header in the record, and determines, based on the record header, a record type associated with the decrypted record. Based on the record type, the network device marks the one or more TCP packets as including urgent data by setting a TCP urgent control bit in a header of the one or more TCP packets, and sets a second field, in the header of the TCP packet, to a second value that identifies an end of the urgent data, which corresponds to an end of the decrypted record data in the payload field.
    Type: Grant
    Filed: August 7, 2018
    Date of Patent: May 14, 2019
    Assignee: Juniper Networks, Inc.
    Inventor: Rajeev Chaubey
  • Patent number: 10291651
    Abstract: A device may receive a message associated with initiating a secure socket layer session or a transport layer security session (SSL/TLS session). The device may identify a decryption profile associated with managing encrypted traffic associated with the SSL/TLS session. The device may determine a server indicator included in the message. The device may determine whether the decryption profile includes information associated with the server indicator. The device may selectively manage the encrypted traffic associated with the SSL/TLS session using a first decryption technique or a second decryption technique based on determining whether the decryption profile includes information associated with the server indicator, where the first decryption technique may be different from the second decryption technique.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: May 14, 2019
    Assignee: Juniper Networks, Inc.
    Inventor: Rajeev Chaubey
  • Patent number: 10250466
    Abstract: A network device may receive network traffic for an application. The network device may identify an application layer protocol being used for the network traffic. The network device may obtain contextual information, from the network traffic, to obtain an item of contextual information, and the item of contextual information may be selected based on the application layer protocol. The network device may determine that the item of contextual information matches a stored item of contextual information. The network device may determine that a threshold has been met with regard to the stored item of contextual information. The network device may generate an application signature for the application based on the item of contextual information. The network device may send the application signature to another device to permit the other device to identify the application based on the application signature.
    Type: Grant
    Filed: March 29, 2016
    Date of Patent: April 2, 2019
    Assignee: Juniper Networks, Inc.
    Inventors: Thyagarajan S. Pasupathy, Venkata Rama Raju Manthena, Rajeev Chaubey
  • Patent number: 10193698
    Abstract: A device may receive a message, associated with establishing a secure session, including a first certificate chain associated with a server device. The device may generate a first certificate fingerprint associated with the first certificate chain and determine a policy identifier associated with a security policy on which the first certificate chain is to be validated. The device may identify a second certificate fingerprint associated with a second certificate chain that has been validated based on the security policy. The device may determine whether the first certificate fingerprint matches the second certificate fingerprint.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: January 29, 2019
    Assignee: Juniper Networks, Inc.
    Inventors: Premenjit Das, Rajeev Chaubey
  • Patent number: 10063451
    Abstract: In general, techniques are described for providing application metadata using an Internet Protocol Flow Information eXport (IPFIX) protocol in computer networks. In one example, a first network device including a processor and a memory may perform the techniques. The processor may be configured to determine types of the application metadata that the first network device has a capability to detect through analysis of network packets. The application metadata may comprise data representative of network protocols used by networking processes that exchange packets. The memory may be configured to store the application metadata. The processor may further be configured to execute the IPFIX protocol to advertise the types of the application metadata to a second network device configured to collect a subset of the application metadata.
    Type: Grant
    Filed: September 28, 2015
    Date of Patent: August 28, 2018
    Assignee: Juniper Networks, Inc.
    Inventors: Rajeev Chaubey, Premenjit Das
  • Publication number: 20180234388
    Abstract: A device may receive encrypted traffic associated with a secure session. The device may determine, based on the encrypted traffic, information associated with an offload service to be applied to the encrypted traffic associated with the secure session. The information associated with the offload service may indicate whether the encrypted traffic is permitted to bypass inspection by one or more security services. The device may selectively permit the encrypted traffic, associated with the secure session, to bypass inspection by the one or more security services based on the information associated with the offload service.
    Type: Application
    Filed: February 10, 2017
    Publication date: August 16, 2018
    Inventors: Khandi Sudhakar REDDY, Rajeev Chaubey
  • Publication number: 20180191743
    Abstract: A device may classify an application, associated with an endpoint, based on traffic associated with the endpoint. The device may determine a reputation score associated with the endpoint. The reputation score may be indicative of a level of trustworthiness of the endpoint. The device may selectively store a classification result, associated with classifying the application, in an application cache based on the reputation score associated with the endpoint. The classification result may be selectively used to process further traffic associated with the endpoint.
    Type: Application
    Filed: December 29, 2016
    Publication date: July 5, 2018
    Inventors: Khandi Sudhakar REDDY, Rajeev Chaubey, Srinivas Koripella
  • Publication number: 20180167207
    Abstract: A device may receive client cipher information, associated with initiating a secure session, identifying at least one key exchange cipher supported by a client device associated with the secure session. The device may determine, based on the client cipher information, that a Diffie-Hellman key exchange is to be used to establish the secure session. The device may determine whether a server device, associated with the secure session, supports use of the Diffie-Hellman key exchange. The device may manage establishment of the secure session using a first decryption technique based on determining that the server device does not support the use of the Diffie-Hellman key exchange, or manage establishment of the secure session using a second decryption technique based on determining that the server device supports the use of the Diffie-Hellman key exchange or being unable to determine whether the server device supports the use of the Diffie-Hellman key exchange.
    Type: Application
    Filed: February 12, 2018
    Publication date: June 14, 2018
    Inventors: Rajeev Chaubey, Venkata Rama Raju Manthena
  • Patent number: 9893883
    Abstract: A device may receive client cipher information, associated with initiating a secure session, identifying at least one key exchange cipher supported by a client device associated with the secure session. The device may determine, based on the client cipher information, that a Diffie-Hellman key exchange is to be used to establish the secure session. The device may determine whether a server device, associated with the secure session, supports use of the Diffie-Hellman key exchange. The device may manage establishment of the secure session using a first decryption technique based on determining that the server device does not support the use of the Diffie-Hellman key exchange, or manage establishment of the secure session using a second decryption technique based on determining that the server device supports the use of the Diffie-Hellman key exchange or being unable to determine whether the server device supports the use of the Diffie-Hellman key exchange.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: February 13, 2018
    Assignee: Juniper Networks, Inc.
    Inventors: Rajeev Chaubey, Venkata Rama Raju Manthena
  • Publication number: 20170288987
    Abstract: A network device may receive network traffic for an application. The network device may identify an application layer protocol being used for the network traffic. The network device may obtain contextual information, from the network traffic, to obtain an item of contextual information, and the item of contextual information may be selected based on the application layer protocol. The network device may determine that the item of contextual information matches a stored item of contextual information. The network device may determine that a threshold has been met with regard to the stored item of contextual information. The network device may generate an application signature for the application based on the item of contextual information. The network device may send the application signature to another device to permit the other device to identify the application based on the application signature.
    Type: Application
    Filed: March 29, 2016
    Publication date: October 5, 2017
    Inventors: Thyagarajan S. PASUPATHY, Venkata Rama Raju MANTHENA, Rajeev CHAUBEY
  • Publication number: 20170093681
    Abstract: In general, techniques are described for providing application metadata using an Internet Protocol Flow Information eXport (IPFIX) protocol in computer networks. In one example, a first network device including a processor and a memory may perform the techniques. The processor may be configured to determine types of the application metadata that the first network device has a capability to detect through analysis of network packets. The application metadata may comprise data representative of network protocols used by networking processes that exchange packets. The memory may be configured to store the application metadata. The processor may further be configured to execute the IPFIX protocol to advertise the types of the application metadata to a second network device configured to collect a subset of the application metadata.
    Type: Application
    Filed: September 28, 2015
    Publication date: March 30, 2017
    Inventors: Rajeev Chaubey, Premenjit Das