Abstract: According to one or more embodiments of the disclosure, an asset inventory service executed by one or more devices receives telemetry data collected passively by a sensor application regarding a node in a network. The asset inventory service requests, after receiving the telemetry data, that the sensor application perform active discovery of nodes in the network. The asset inventory service receives active discovery data collected by the sensor application via active discovery of nodes in the network. The asset inventory service generates, based on the telemetry data and the active discovery data, an identity profile for the node.

Abstract: According to one or more embodiments of the disclosure, an asset inventory service executed by one or more devices receives telemetry data collected passively by a sensor application regarding a node in a network. The asset inventory service requests, after receiving the telemetry data, that the sensor application perform active discovery of nodes in the network. The asset inventory service receives active discovery data collected by the sensor application via active discovery of nodes in the network. The asset inventory service generates, based on the telemetry data and the active discovery data, an identity profile for the node.

Abstract: According to one or more embodiments of the disclosure, a networking device receives a policy for an endpoint in a network. The policy specifies one or more component tags and one or more activity tags that were assigned to the endpoint based on deep packet inspection of traffic associated with the endpoint. The networking device identifies a set of tags for a particular traffic flow in the network associated with the endpoint. The set of tags comprises one or more component tags or activity tags associated with the particular traffic flow. The networking device makes a determination that the particular traffic flow violates the policy based on the set of tags comprising a tag that is not in the policy. The networking device initiates, based on the determination that the particular traffic flow violates the policy, a corrective measure with respect to the particular traffic flow.

Abstract: According to one or more embodiments of the disclosure, a service obtains one or more component tags and one or more activity tags that were assigned to an endpoint device in a network based on deep packet inspection of traffic associated with the endpoint device. The service determines an intent of the endpoint device, using the one or more component tags and the one or more activity tags that were assigned to the endpoint device. The service translates the intent of the endpoint device into a network segmentation policy. The service configures a network overlay in the network that implements the network segmentation policy.

Abstract: According to one or more embodiments of the disclosure, a device in a network identifies a packet sent via the network towards an endpoint as being a control packet for the endpoint. The device extracts one or more control parameter values from the control packet. The device compares the one or more control parameter values to a policy associated with the endpoint. The device initiates a corrective measure, based on a determination that the one or more control parameter values violate the policy associated with the endpoint.

Abstract: A technique for key sharing among multiple key servers connected to one another over a communication network is provided herein. Each key sever of the multiple key servers stores respective cryptographic keys, and provides the keys to a local device group connected with the key server, to enable the device group to encrypt messages with the keys. Each key server acts as a proxy for the other key servers in order to receive other keys from the other key servers over the network, and provide the other keys to the device group for use to decrypt messages received from other local device groups respectively connected with the other key servers that were encrypted with the other keys and to check message integrity. The multiple key servers may share keys with each other directly, or alternatively, indirectly through a central key server, as needed to support secure communications between their respective device groups.

Abstract: A technique for key sharing among multiple key servers connected to one another over a communication network is provided herein. Each key sever of the multiple key servers stores respective cryptographic keys, and provides the keys to a local device group connected with the key server, to enable the device group to encrypt messages with the keys. Each key server acts as a proxy for the other key servers in order to receive other keys from the other key servers over the network, and provide the other keys to the device group for use to decrypt messages received from other local device groups respectively connected with the other key servers that were encrypted with the other keys and to check message integrity. The multiple key servers may share keys with each other directly, or alternatively, indirectly through a central key server, as needed to support secure communications between their respective device groups.