
EP-4736396-A1 - SECURE, APPLICATION-AWARE ROUTING


Abstract

Techniques for extending application-aware routing (AAR) policies to enable intelligent routing decisions based on device security posture. The techniques may include receiving, from a client device, traffic that is to be sent over a network to an application and determining a security score associated with the traffic. The security score may be based on a security posture associated with the client device, a security level associated with a connectivity network used by the client device, and the like. The techniques may also include determining, based at least in part on the security score and based at least in part on an application-aware routing policy, a path for sending the traffic to the application.

Inventors

  • Sundararajan, Balaji
  • Radhakrishnan, Prab
  • Singh, Ram Dular
  • Raghavan, Vishnuprasad

Assignees

  • Cisco Technology, Inc.

Dates

Publication Date
2026-05-06
Application Date
2024-06-25

Claims (20)

  1. A method comprising: receiving an application-aware routing policy associated with a network; receiving, from a client device, traffic that is to be sent over the network to an application; determining a security score associated with the traffic; determining, based at least in part on the security score and based at least in part on the application-aware routing policy, a path for sending the traffic to the application; and causing the traffic to be sent to the application via the path.
  2. The method of claim 1, wherein the security score is based at least in part on a security posture of the client device.
  3. The method of claim 1 or 2, wherein the security score is based at least in part on a security level of a connectivity network of the client device.
  4. The method of any of claims 1 to 3, further comprising determining a traffic signature associated with the traffic, wherein determining the path for sending the traffic to the application is further based at least in part on the traffic signature associated with the traffic.
  5. The method of any of claims 1 to 4, wherein a value of the security score is based at least in part on at least one of: whether the client device is a trusted device or an untrusted device, or whether the client device is utilizing a private network or a public network.
  6. The method of any of claims 1 to 5, further comprising determining that a value of the security score meets or exceeds a threshold value, wherein the path is a direct path for sending the traffic to the application.
  7. The method of any of claims 1 to 6, further comprising determining that a value of the security score is less than a threshold value, wherein the path for sending the traffic to the application includes a cloud-delivered security service.
  8. The method of any of claims 1 to 7, wherein the security score associated with the traffic is at least partially determined using an identity provider service.
  9. A system comprising: one or more processors; and one or more non-transitory computer-readable media storing instructions that, when executed, cause the one or more processors to perform operations comprising: receiving an application-aware routing policy associated with a network; receiving, from a client device, traffic that is to be sent over the network to an application; determining a security score associated with the traffic; determining, based at least in part on the security score and based at least in part on the application-aware routing policy, a path for sending the traffic to the application; and causing the traffic to be sent to the application via the path.
  10. The system of claim 9, wherein the security score is based at least in part on a security posture of the client device.
  11. The system of claim 9 or 10, wherein the security score is based at least in part on a security level of a connectivity network of the client device.
  12. The system of any of claims 9 to 11, the operations further comprising determining a traffic signature associated with the traffic, wherein determining the path for sending the traffic to the application is further based at least in part on the traffic signature associated with the traffic.
  13. The system of any of claims 9 to 12, wherein a value of the security score is based at least in part on at least one of: whether the client device is a trusted device or an untrusted device, or whether the client device is utilizing a private network or a public network.
  14. The system of any of claims 9 to 13, the operations further comprising determining that a value of the security score meets or exceeds a threshold value, wherein the path is a direct path for sending the traffic to the application.
  15. The system of any of claims 9 to 14, the operations further comprising determining that a value of the security score is less than a threshold value, wherein the path for sending the traffic to the application includes a cloud-delivered security service.
  16. The system of any of claims 9 to 15, wherein the security score associated with the traffic is at least partially determined using an identity provider service.
  17. One or more non-transitory computer-readable media storing instructions that, when executed, cause one or more processors to perform operations comprising: receiving an application-aware routing policy associated with a network; receiving, from a client device, traffic that is to be sent over the network to an application; determining a security score associated with the traffic; determining, based at least in part on the security score and based at least in part on the application-aware routing policy, a path for sending the traffic to the application; and causing the traffic to be sent to the application via the path.
  18. The one or more non-transitory computer-readable media of claim 17, wherein the security score is based at least in part on a security posture of the client device.
  19. The one or more non-transitory computer-readable media of claim 17 or 18, wherein the security score is based at least in part on a security level of a connectivity network of the client device.
  20. The one or more non-transitory computer-readable media of any of claims 17 to 19, the operations further comprising determining a traffic signature associated with the traffic, wherein determining the path for sending the traffic to the application is further based at least in part on the traffic signature associated with the traffic.
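The decision logic the claims describe (score the flow, gate direct versus inspected paths on a threshold, then apply the SLA-based application-aware routing policy) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not Cisco's implementation and the patent gives no numeric values. The class and function names (WanPath, AppSla, FlowContext, select_path), the 40/40/20 weights, the threshold of 60, the rule that an "unknown" traffic signature forces inspection regardless of score, and the path and SLA data are all assumptions constructed for illustration. The one design point worth noting is the order of the two stages: the security gate picks the set of permitted paths first, and the SLA fallback is only allowed to choose within that set, so a poor-SLA inspected path is never "optimized" into a clean direct link, which is exactly the failure the Background paragraph describes.

```python
"""Security-gated application-aware routing (AAR) path selection.

Added illustration of the claimed method, not Cisco's code. Weights, threshold,
signature rule, path metrics and SLA figures are invented for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class WanPath:
    """A candidate WAN path with its currently measured SLA metrics."""
    name: str
    loss_pct: float
    latency_ms: float
    jitter_ms: float
    inspected: bool  # True when the path hairpins through a cloud-delivered security service


@dataclass(frozen=True)
class AppSla:
    """Per-application SLA limits taken from the application-aware routing policy."""
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float


@dataclass(frozen=True)
class FlowContext:
    """What is known about a flow at decision time (device trust and posture would
    normally come from an identity provider / posture agent; network type from the edge)."""
    app: str
    device_trusted: bool      # device identity is known and trusted (claim 5)
    posture_compliant: bool   # current posture check passed (claim 2)
    network_private: bool     # private network vs. public network (claims 3, 5)
    traffic_signature: str    # classifier output, e.g. "tls", "http", "unknown" (claim 4)


@dataclass(frozen=True)
class RoutingDecision:
    path: Optional[WanPath]   # None means no path satisfies the security gate (fail closed)
    score: int
    inspection_required: bool


# Hypothetical weights and threshold: the patent names the factors, not the numbers.
WEIGHTS = {"device_trusted": 40, "posture_compliant": 40, "network_private": 20}
DEFAULT_THRESHOLD = 60
INSPECT_ALWAYS = {"unknown"}  # assumed rule: unclassified traffic is always inspected


def security_score(flow: FlowContext) -> int:
    """Additive score over the posture/trust/network factors (claims 2, 3, 5)."""
    score = 0
    if flow.device_trusted:
        score += WEIGHTS["device_trusted"]
    if flow.posture_compliant:
        score += WEIGHTS["posture_compliant"]
    if flow.network_private:
        score += WEIGHTS["network_private"]
    return score


def meets_sla(path: WanPath, sla: AppSla) -> bool:
    return (path.loss_pct <= sla.max_loss_pct
            and path.latency_ms <= sla.max_latency_ms
            and path.jitter_ms <= sla.max_jitter_ms)


def select_path(flow: FlowContext, policy: Dict[str, AppSla], paths: Iterable[WanPath],
                threshold: int = DEFAULT_THRESHOLD) -> RoutingDecision:
    """Two-stage decision: security gate first, SLA-based AAR inside the gated set."""
    score = security_score(flow)
    # Claims 6/7: at or above threshold -> direct path; below -> via security service.
    must_inspect = score < threshold or flow.traffic_signature in INSPECT_ALWAYS
    allowed = [p for p in paths if p.inspected == must_inspect]
    if not allowed:
        # Fail closed rather than leaking a below-threshold flow onto a direct link.
        return RoutingDecision(None, score, must_inspect)
    sla = policy.get(flow.app)
    sla_ok = [p for p in allowed if sla is None or meets_sla(p, sla)]
    # SLA fallback never escapes the security-gated set.
    pool = sla_ok or allowed
    best = min(pool, key=lambda p: p.latency_ms)
    return RoutingDecision(best, score, must_inspect)


# Constructed sample data for a stand-alone run.
PATHS = [
    WanPath("mpls-direct", 0.1, 20.0, 2.0, inspected=False),
    WanPath("inet-direct", 0.5, 35.0, 5.0, inspected=False),
    WanPath("inet-via-sse", 0.5, 60.0, 8.0, inspected=True),
]
POLICY = {"voip": AppSla(1.0, 50.0, 10.0), "crm": AppSla(2.0, 150.0, 30.0)}

if __name__ == "__main__":
    for flow in (
        FlowContext("voip", True, True, True, "tls"),       # managed laptop on the office LAN
        FlowContext("voip", True, False, False, "tls"),     # same device, out of compliance, on public Wi-Fi
        FlowContext("crm", True, True, True, "unknown"),    # compliant, but unclassified traffic
    ):
        d = select_path(flow, POLICY, PATHS)
        print(flow.app, d.score, "inspect" if d.inspection_required else "direct",
              d.path.name if d.path else "NO PATH")
```

Running the block prints the three decisions: the compliant office flow goes direct over mpls-direct, the out-of-compliance flow is forced through inet-via-sse even though that path misses the voip latency SLA, and the unclassified flow is inspected despite a perfect score.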

Description

SECURE, APPLICATION-AWARE ROUTING

CROSS REFERENCE TO RELATED APPLICATIONS

[0001] This application claims priority to U.S. Patent Application No. 18/215,644, filed June 28, 2023, the entire contents of which are incorporated herein by reference.

TECHNICAL FIELD

[0002] The present disclosure relates generally to techniques for, among other things, extending application-aware routing (AAR) policies to enable intelligent routing decisions based on device security posture and/or the security level of the network used to connect.

BACKGROUND

[0003] Identity-based security policies assume that a user identity or device identity is enough to establish a policy decision. However, the same user or device can have a dynamic nature, as the user can log in to a system using different devices or even from different networks. As such, under a device-based security policy, the device can sometimes go out of compliance without consequence. In modern network architectures, such as a software-defined wide area network (SD-WAN), vendors generally define application data traffic steering policies based on application service level agreements (SLAs) and/or service level objectives. As such, a path taken by application data traffic through a network can be optimized by directing the application data traffic to wide area network (WAN) links that support the required levels of packet loss, latency, jitter, or other metrics defined in an application's SLA. Because these architectures rely on identity-based security policies, non-compliant application data traffic can be sent over links intended for security-compliant traffic.

BRIEF DESCRIPTION OF THE DRAWINGS

[0004] The detailed description is set forth below with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items. The systems depicted in the accompanying figures are not to scale and components within the figures may be depicted not to scale with each other.

[0005] FIG. 1 illustrates an example architecture in which various aspects of the techniques disclosed herein may be performed to extend application-aware routing (AAR) policies to enable intelligent routing decisions based on device security posture.

[0006] FIG. 2 illustrates another example architecture in which various aspects of the techniques disclosed herein may be performed.

[0007] FIG. 3 is a pictorial flow diagram illustrating an example method associated with the techniques described herein.

[0008] FIG. 4 is a flow diagram illustrating an example method associated with the techniques described herein.

[0009] FIG. 5 is a block diagram illustrating an example packet switching system that can be utilized to implement various aspects of the technologies disclosed herein.

[0010] FIG. 6 is a block diagram illustrating certain components of an example node that can be utilized to implement various aspects of the technologies disclosed herein.

[0011] FIG. 7 is a computer architecture diagram showing an illustrative computer hardware architecture for implementing a computing device that can be utilized to implement aspects of the various technologies presented herein.

DESCRIPTION OF EXAMPLE EMBODIMENTS

OVERVIEW

[0012] Aspects of the invention are set out in the independent claims and preferred features are set out in the dependent claims. Features of one aspect may be applied to each aspect alone or in combination with other features.

[0013] This application is directed to techniques for extending application-aware routing (AAR) policies to enable intelligent routing decisions based on device security posture and/or the security level of the network used to connect. By way of example, and not limitation, a method according to the techniques disclosed herein may include receiving, from a client device, traffic that is to be sent over a network to an application. In some examples, a security score associated with the traffic may be determined, as well as a path for sending the traffic to the application. In some examples, the path may be determined based at least in part on the security score and based at least in part on an application-aware routing policy. In some examples, the method may include causing the traffic to be sent to the application via the path.

[0014] Additionally, the techniques described herein may be performed as a method and/or by a system having non-transitory computer-readable media storing computer-executable instructions that, when executed by one or more processors, perform the techniques described above and herein.

EXAMPLE EMBODIMENTS

[0015] As noted above, a user or device can have a dynamic nature and, as a result, the user or device can sometimes go out of compliance with respect to an identity-based security policy. Due to the use of identity-based security policies in application