Sentinel appliance in an internet of things realm

US 10,205,712 B2
Filed: 09/25/2015
Issued: 02/12/2019
Est. Priority Date: 06/10/2015
Status: Active Grant

First Claim

Patent Images

1. A sentinel device configured to provide Internet of things (IoT) security, comprising:

a hardware platform;

a trusted execution environment (TEE) to execute on the hardware platform; and

a security engine to operate within the TEE and operable to;

communicatively couple to a trusted gateway device via a first interface and communicatively couple to a second device via a second interface;

receive a domain security policy for a domain of the second device;

determine that the second device lacks at least some security features to satisfy the domain security policy;

identify a key negotiation for an encrypted connection between the trusted gateway device and the second device;

request a service appliance key for the key negotiation;

receive the service appliance key; and

perform a service appliance function on traffic between the trusted gateway and the second device, comprising providing security functions to satisfy at least some of the security features lacking in the second device.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, there is disclosed a computing apparatus, comprising: a trusted execution environment (TEE); and a security engine operable to: identify a key negotiation for an encrypted connection between a first device and a second device; request a service appliance key for the key negotiation; receive the service appliance key; and perform a service appliance function on traffic between the first device and the second device. There is also disclosed a method of providing the security engine, and a computer-readable medium having stored thereon executable instructions for providing the security engine.

Citations

25 Claims

1. A sentinel device configured to provide Internet of things (IoT) security, comprising:
- a hardware platform;
  
  a trusted execution environment (TEE) to execute on the hardware platform; and
  
  a security engine to operate within the TEE and operable to;
  
  communicatively couple to a trusted gateway device via a first interface and communicatively couple to a second device via a second interface;
  
  receive a domain security policy for a domain of the second device;
  
  determine that the second device lacks at least some security features to satisfy the domain security policy;
  
  identify a key negotiation for an encrypted connection between the trusted gateway device and the second device;
  
  request a service appliance key for the key negotiation;
  
  receive the service appliance key; and
  
  perform a service appliance function on traffic between the trusted gateway and the second device, comprising providing security functions to satisfy at least some of the security features lacking in the second device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The sentinel device of claim 1, wherein the trusted gateway device is in a first realm and the second device is in a second realm.
  - 3. The sentinel device of claim 1, wherein the security engine is operable to route traffic from the trusted gateway device to the sentinel device.
  - 4. The sentinel device of claim 3, wherein the security engine is operable to perform routing at an application layer.
  - 5. The sentinel device of claim 3, wherein the security engine is operable to perform internet protocol routing.
  - 6. The sentinel device of claim 1, wherein the sentinel device further comprises a service appliance engine operable to perform a service appliance security monitoring function.
  - 7. The sentinel device of claim 6, wherein the service appliance security monitoring function is selected from the group consisting of network monitoring, data loss prevention, packet processing, security scanning, antivirus, firewall, deep packet inspection, reputation services, security information and event monitoring, network access control, and anomaly prevention.
  - 8. The sentinel device of claim 1, wherein the security engine is operable to establish a secure connection with the service appliance key.
  - 9. The sentinel device of claim 8, wherein the service appliance key is different from a key for the encrypted connection between the trusted gateway device and the second device.
  - 10. The sentinel device of claim 1, wherein the security engine is operable to receive a service appliance ticket comprising the service appliance key and a second key different from the service appliance key.
  - 11. The sentinel device of claim 1, wherein the encrypted connection between the trusted gateway device and the second device is encrypted within the TEE.

12. One or more tangible, non-transitory computer readable storage mediums having stored thereon executable instructions for providing a security engine to operate within a trusted execution environment (TEE), wherein the security engine is operable to:
- communicatively couple to a trusted gateway device via a first interface and communicatively couple to a second device via a second interface;
  
  receive a domain security policy for a domain of the second device;
  
  determine that the second device lacks at least some security features to satisfy the domain security policy;
  
  identify a key negotiation for an encrypted connection between the trusted gateway device and the second device;
  
  request a service appliance key for the key negotiation;
  
  receive the service appliance key; and
  
  perform a service appliance function on traffic between the trusted gateway device and the second device, comprising providing security functions to satisfy at least some of the security features lacking in the second device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The one or more tangible, non-transitory computer readable mediums of claim 12, wherein the trusted gateway device is in a first realm and the second device is in a second realm.
  - 14. The one or more tangible, non-transitory computer readable mediums of claim 12, wherein the security engine is operable to route traffic from the trusted gateway device to the second device.
  - 15. The one or more tangible, non-transitory computer readable mediums of claim 14, wherein the security engine is operable to perform routing at an application layer.
  - 16. The one or more tangible, non-transitory computer readable mediums of claim 14, wherein the security engine is operable to perform internet protocol routing.
  - 17. The one or more tangible, non-transitory computer readable mediums of claim 12, wherein the instructions further provide for a service appliance engine operable to perform a service appliance security monitoring function.
  - 18. The one or more tangible, non-transitory computer readable mediums of claim 17, wherein the service appliance security monitoring function is selected from the group consisting of network monitoring, data loss prevention, packet processing, security scanning, antivirus, firewall, deep packet inspection, reputation services, security information and event monitoring, network access control, and anomaly prevention.
  - 19. The one or more tangible, non-transitory computer readable mediums of claim 12, wherein the security engine is operable to establish a secure connection with the service appliance key.
  - 20. The one or more tangible, non-transitory computer readable mediums of claim 19, wherein the service appliance key is different from a key for the encrypted connection between the trusted gateway device and the second device.
  - 21. The one or more tangible, non-transitory computer readable mediums of claim 12, wherein the encrypted connection between the trusted gateway device and the second device is encrypted within the TEE.

22. A computer-implemented method of providing Internet of things (IoT) security, comprising:
- providing a trusted execution environment (TEE) to execute on a hardware platform;
  
  within the TEE;
  
  communicatively coupling to a trusted gateway device via a first interface and communicatively coupling to a second device via a second interface;
  
  receiving a domain security policy for a domain of the second device;
  
  determining that the second device lacks at least some security features to satisfy the domain security policy;
  
  identifying a key negotiation for an encrypted connection between the trusted gateway device and the second device;
  
  requesting a service appliance key for the key negotiation;
  
  receiving the service appliance key; and
  
  performing a service appliance function on traffic between the trusted gateway and the second device, comprising providing security functions to satisfy at least some of the security features lacking in the second device.
- View Dependent Claims (23, 24, 25)
- - 23. The method of claim 22, wherein the trusted gateway device is in a first realm and the second device is in a second realm.
  - 24. The method of claim 22, further comprising routing traffic from the trusted gateway device to a sentinel device.
  - 25. The method of claim 22, further comprising providing routing at an application layer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Smith, Ned M., Hunt, Simon, Sambandam, Venkata Ramanan
Primary Examiner(s)
Powers, William S

Application Number

US14/866,203
Publication Number

US 20170063815A1
Time in Patent Office

1,236 Days
Field of Search

726 4
US Class Current
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/10   for controlling access to d...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 9/0844   with user authentication or...

H04L 9/3234   involving additional secure...

H04L 9/3263   involving certificates, e.g...

Sentinel appliance in an internet of things realm

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Sentinel appliance in an internet of things realm

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links