US 11,888,900 B2
Cryptographic security audit using network service zone locking
Matthew Scott Robertson, Santa Clara, CA (US); David McGrew, Poolesville, MD (US); Timothy David Keanini, Austin, TX (US); Sunil Amin, Atlanta, GA (US); and Ellie Marie Daw, Raleigh, NC (US)
Assigned to CISCO TECHNOLOGY, INC., San Jose, CA (US)
Filed by Cisco Technology, Inc., San Jose, CA (US)
Filed on Apr. 24, 2020, as Appl. No. 16/857,607.
Application 16/857,607 is a continuation of application No. 15/854,879, filed on Dec. 27, 2017, granted, now 10,673,901.
Prior Publication US 2020/0252435 A1, Aug. 6, 2020
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01); H04L 9/08 (2006.01); H04L 9/32 (2006.01); H04L 9/06 (2006.01)
CPC H04L 63/20 (2013.01) [H04L 9/088 (2013.01); H04L 9/0825 (2013.01); H04L 9/0844 (2013.01); H04L 9/3268 (2013.01); H04L 63/105 (2013.01); H04L 9/0643 (2013.01)] 20 Claims
1. A method comprising:
receiving, at a service, captured traffic flow data regarding an encrypted traffic flow sent via a network between a first device assigned to a first network zone and a second device assigned to a second network zone;
identifying, by the service and from the captured traffic flow data, one or more cryptographic parameters of the encrypted traffic flow;
determining, by the service, whether the one or more cryptographic parameters of the encrypted traffic flow satisfy an inter-zone policy associated with the first and second network zones, wherein the inter-zone policy defines which cryptographic parameters of the encrypted traffic flow are allowed between the first and second network zones and is determined based on input received via a user interface; and
causing, by the service, performance of a mitigation action in the network when the one or more cryptographic parameters of the encrypted traffic flow do not satisfy the inter-zone policy associated with the first and second network zones.
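The four steps of claim 1 form one procedure: map the two endpoints to zones, extract the flow's cryptographic parameters, compare them with the policy for that zone pair, and pick a mitigation action when they fail. The following Python is an added illustration of that procedure and is not code from the patent or from Cisco; the zone assignments, the policy table (minimum TLS version, allowed cipher suites, forward-secrecy requirement, certificate key size, action on violation), the flow records and the IP addresses are all constructed for the example, and the policy keyed by unordered zone pair with a default for unlisted pairs is a design choice made here, not something the claim specifies.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical rank order used for "minimum protocol version" comparisons.
TLS_VERSION_RANK = {"TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
FORWARD_SECRET_KEX = {"ECDHE", "DHE"}


@dataclass(frozen=True)
class FlowRecord:
    """Captured metadata for one encrypted flow (constructed; e.g. from the TLS handshake)."""
    src_ip: str
    dst_ip: str
    tls_version: str
    cipher_suite: str
    key_exchange: str     # e.g. "ECDHE" or "RSA"
    cert_key_bits: int    # key size of the server certificate


@dataclass(frozen=True)
class InterZonePolicy:
    """Cryptographic parameters allowed between two zones, plus the action on violation."""
    min_tls_version: str
    allowed_cipher_suites: FrozenSet[str]
    require_forward_secrecy: bool
    min_cert_key_bits: int
    on_violation: str     # mitigation action name: "alert" or "block"


# Hypothetical device-to-zone assignments (the claim's first and second network zones).
ZONE_OF: Dict[str, str] = {"10.1.0.5": "corp-users", "10.2.0.9": "dmz-web", "10.3.0.3": "pci-db"}

# Hypothetical policy table keyed by the unordered zone pair (the claim's inter-zone policy).
POLICIES: Dict[FrozenSet[str], InterZonePolicy] = {
    frozenset({"corp-users", "dmz-web"}): InterZonePolicy(
        min_tls_version="TLSv1.2",
        allowed_cipher_suites=frozenset({"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                                         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}),
        require_forward_secrecy=True,
        min_cert_key_bits=2048,
        on_violation="alert",
    ),
    frozenset({"dmz-web", "pci-db"}): InterZonePolicy(
        min_tls_version="TLSv1.3",
        allowed_cipher_suites=frozenset({"TLS_AES_256_GCM_SHA384"}),
        require_forward_secrecy=True,
        min_cert_key_bits=3072,
        on_violation="block",
    ),
}

# Fallback for zone pairs with no explicit entry, including devices in no known zone.
DEFAULT_POLICY = InterZonePolicy(
    min_tls_version="TLSv1.2",
    allowed_cipher_suites=frozenset({"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"}),
    require_forward_secrecy=True,
    min_cert_key_bits=2048,
    on_violation="alert",
)


def identify_parameters(flow: FlowRecord) -> Dict[str, object]:
    """Step 2: pull the cryptographic parameters out of the captured flow data."""
    return {"tls_version": flow.tls_version, "cipher_suite": flow.cipher_suite,
            "key_exchange": flow.key_exchange, "cert_key_bits": flow.cert_key_bits}


def find_violations(params: Dict[str, object], policy: InterZonePolicy) -> List[str]:
    """Step 3: compare every parameter against the inter-zone policy; return each failure."""
    violations: List[str] = []
    observed_rank = TLS_VERSION_RANK.get(str(params["tls_version"]), 0)  # unknown version ranks lowest
    if observed_rank < TLS_VERSION_RANK[policy.min_tls_version]:
        violations.append(f"tls_version {params['tls_version']} below {policy.min_tls_version}")
    if params["cipher_suite"] not in policy.allowed_cipher_suites:
        violations.append(f"cipher_suite {params['cipher_suite']} not allowed")
    if policy.require_forward_secrecy and params["key_exchange"] not in FORWARD_SECRET_KEX:
        violations.append(f"key_exchange {params['key_exchange']} lacks forward secrecy")
    if int(params["cert_key_bits"]) < policy.min_cert_key_bits:
        violations.append(f"cert_key_bits {params['cert_key_bits']} below {policy.min_cert_key_bits}")
    return violations


def evaluate_flow(flow: FlowRecord,
                  zone_of: Dict[str, str] = ZONE_OF,
                  policies: Dict[FrozenSet[str], InterZonePolicy] = POLICIES) -> Tuple[str, List[str]]:
    """Steps 1-4 end to end: returns (mitigation_action, violations); "allow" when compliant."""
    zone_pair = frozenset({zone_of.get(flow.src_ip, "unassigned"),
                           zone_of.get(flow.dst_ip, "unassigned")})
    policy = policies.get(zone_pair, DEFAULT_POLICY)       # step 1: policy for this zone pair
    violations = find_violations(identify_parameters(flow), policy)
    action = policy.on_violation if violations else "allow"  # step 4: choose the mitigation
    return action, violations


if __name__ == "__main__":
    legacy = FlowRecord("10.1.0.5", "10.2.0.9", "TLSv1.0", "TLS_RSA_WITH_RC4_128_SHA", "RSA", 1024)
    print(evaluate_flow(legacy))
```

Keying the policy on the unordered pair means a flow is judged the same way whichever zone initiated it; an unlisted pair or an endpoint outside every zone falls through to the default policy rather than being silently allowed, which is the safer failure mode for an audit service. Returning the full list of violations, not just the first, gives the operator the whole picture when deciding whether to tighten the policy or fix the endpoint.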