Integrated multi-level network appliance, platform and system, and remote management method and system therefor
First Claim
1. An integrated multi-level network appliance comprising:
two or more isolated level-specific hardware-integrated processing engines each operable to implement a corresponding network-related resource associated with a respective network level in accordance with a designated multi-level network architecture; and
a trusted single-chip switch including a plurality of hardware ports associated therewith and configured to define in hardware multiple hardware-isolated data communication paths embedded therein;
wherein each of said isolated level-specific hardware-integrated processing engines interfaces with said switch via a designated level-specific input hardware port thereof in hardware so to route level-specific processing engine traffic therethrough along selected ones of said embedded hardware-isolated data communication paths to operatively interconnect said processing engines across network architecture levels through internal integrated hardware-isolated network connections;
wherein said level specific processing engine traffic is securely routed via each said designated level-specific hardware input port of said switch independent of level specific processing engine traffic data; and
wherein each of said isolated level-specific hardware-integrated processing engines is physically segregated such that a designated level-specific hardware-integrated processing engine interfacing with a single level-specific switch hardware input port is inaccessible in hardware upon corresponding level-specific processing engine traffic being received via a distinct level-specific switch hardware input port.
Abstract
Described herein are various embodiments of an integrated multi-level network appliance and system, and a remote management system and method therefor. In one embodiment, the appliance can comprise: two or more hardware-integrated processing engines each operable to implement a corresponding network-related resource associated with a respective network level in accordance with a designated multi-level network architecture; an integrated processor operable to execute the processing engines; one or more integrated data storage resources accessible to the processing engines to implement each corresponding network-related resource; and a trusted single-chip switch having a plurality of hardware ports associated therewith and configured to define in hardware multiple data communication paths embedded therein.
20 Claims
1. An integrated multi-level network appliance comprising:
two or more isolated level-specific hardware-integrated processing engines each operable to implement a corresponding network-related resource associated with a respective network level in accordance with a designated multi-level network architecture; and a trusted single-chip switch including a plurality of hardware ports associated therewith and configured to define in hardware multiple hardware-isolated data communication paths embedded therein; wherein each of said isolated level-specific hardware-integrated processing engines interfaces with said switch via a designated level-specific input hardware port thereof in hardware so to route level-specific processing engine traffic therethrough along selected ones of said embedded hardware-isolated data communication paths to operatively interconnect said processing engines across network architecture levels through internal integrated hardware-isolated network connections; wherein said level specific processing engine traffic is securely routed via each said designated level-specific hardware input port of said switch independent of level specific processing engine traffic data; and wherein each of said isolated level-specific hardware-integrated processing engines is physically segregated such that a designated level-specific hardware-integrated processing engine interfacing with a single level-specific switch hardware input port is inaccessible in hardware upon corresponding level-specific processing engine traffic being received via a distinct level-specific switch hardware input port.
2. The integrated appliance of claim 1, wherein said switch further comprises one or more channel data processing resources embedded therein to integrally operate on said processing engine traffic along at least one of said communication paths.
3. The integrated appliance of claim 2, wherein said one or more channel data processing resources comprise an embedded hardware security module (HSM) hardwired to interface with at least two of said hardware ports, each one of which operable to electronically receive given input hardware port-specific cryptographic data thereon to initiate execution of an internal cryptographic process as a function thereof;
wherein said HSM comprises: two or more segregated hardware port-specific storage spaces, each physically isolated in hardware from any other of said segregated hardware port-specific storage spaces, operatively linked to a corresponding hardware port via a corresponding hardware link, and storing respective secured hardware port-specific cryptographic data thereon exclusively retrievable upon said given input hardware port-specific cryptographic data corresponding thereto and being received via said corresponding one of said hardware ports such that said respective secured hardware port-specific cryptographic data is inaccessible in hardware upon said given input hardware port-specific data being received via a distinct hardware port; and a cryptographic engine operable to execute said cryptographic process based on said secured port-specific cryptographic data retrieved from said segregated hardware port-specific storage spaces as a function of said given input port-specific cryptographic data.
4. The integrated appliance of claim 3, wherein said given segregated hardware port-specific storage space is exclusively accessible in hardware, independent of said given input hardware port-specific cryptographic data, via said corresponding hardware link.
5. The integrated appliance of claim 3, wherein said HSM is operable as a multi-level HSM wherein said at least two hardware ports are respectively associated with one said respective network level.
6. The integrated appliance of claim 5, wherein each said respective network level corresponds to a distinct network security zone.
7. The integrated appliance of claim 3, wherein said one or more channel data processing resources comprise an inline channel encryption resource executed distinctly from said cryptographic engine.
8. The integrated appliance of claim 7, wherein said cryptographic engine is operable to execute a control plane cryptographic process, whereas said inline channel encryption resource is operable to execute a communication plane cryptographic process subsequent to successful execution of said control plane cryptographic process.
9. The integrated appliance of claim 8, wherein said control plane cryptographic process comprises a new session initiation process invoking a private key stored in said segregated port-specific storage space, whereas said communication plane cryptographic process comprises an in-session cryptographic process invoking a distinct session key.
10. The integrated appliance of claim 2, wherein said one or more channel data processing resources comprise an embedded hardware security module (HSM) hardwired to interface with at least two of said hardware ports, each one of which operable to electronically receive given input hardware port-specific cryptographic data thereon to initiate execution of an internal cryptographic process as a function thereof;
wherein said HSM comprises: two or more segregated hardware port-specific storage spaces each operatively linked to a corresponding hardware port via a corresponding hardware link, and storing respective secured hardware port-specific cryptographic data thereon exclusively retrievable upon said given input hardware port-specific cryptographic data being received via said corresponding hardware port, wherein a given segregated hardware port-specific storage space is exclusively accessible in hardware, independent of said given input hardware port-specific cryptographic data, via said corresponding hardware link; and a cryptographic engine operable to execute said cryptographic process based on said secured port-specific cryptographic data retrieved from said segregated hardware port-specific storage space as a function of said given input port-specific cryptographic data.
11. The integrated appliance of claim 10, wherein said HSM is operable as a multi-level HSM wherein said at least two hardware ports are respectively associated with one said respective network level.
12. The integrated appliance of claim 11, wherein each said respective network level corresponds to a distinct network security zone.
13. The integrated appliance of claim 1, wherein said switch is implemented in a field-programmable gate array (FPGA).
14. The integrated appliance of claim 1, wherein said switch is reconfigurable to reconfigure one or more of said embedded data communication paths.
15. The integrated appliance of claim 14, wherein said switch is remotely reconfigurable.
16. The integrated appliance of claim 1, further comprising a common external administration interface to provide authorised external access to distinct appliance resources in accordance with a designated multi-tier authorisation protocol, wherein selective access to designated ones of said appliance resources is provided via said administration interface as a function of distinctly defined administrator access authentication profiles.
17. The integrated appliance of claim 16, wherein said designated multi-tier authorisation protocol defines distinct administrative access permissions for said switch and at least one of said processing engines.
18. An integrated multi-level network appliance comprising:
two or more isolated level-specific hardware-integrated processing engines each operable to implement a corresponding network-related resource associated with a respective network level in accordance with a designated multi-level network architecture; a trusted single-chip switch including a plurality of hardware ports associated therewith and configured to define in hardware multiple hardware-isolated data communication paths embedded therein; and an embedded hardware security module (HSM) hardwired to interface with at least one of said hardware ports to electronically receive input hardware port-specific cryptographic data thereon to initiate execution of an internal cryptographic process as a function thereof via an embedded cryptographic engine thereof; wherein each of said isolated level-specific hardware-integrated processing engines interfaces with said switch via a designated level-specific hardware port thereof in hardware so to route level-specific processing engine traffic therethrough along selected ones of said embedded hardware-isolated data communication paths to operatively interconnect said processing engines across network architecture levels through internal integrated hardware-isolated network connections.
19. The integrated multi-level network appliance of claim 18, wherein said switch comprises one or more channel data processing resources embedded therein to integrally operate on said processing engine traffic along at least one of said communication paths, and wherein said one or more channel data processing resources comprise said HSM.
20. An integrated multi-level network appliance comprising:
two or more isolated level-specific hardware-integrated processing engines each operable to implement a corresponding network-related resource associated with a respective network level in accordance with a designated multi-level network architecture; a trusted single-chip switch including a plurality of hardware ports associated therewith and configured to define in hardware multiple hardware-isolated data communication paths embedded therein; wherein each of said isolated level-specific hardware-integrated processing engines interfaces with said switch via a designated level-specific input hardware port thereof in hardware so to route level-specific processing engine traffic therethrough along selected ones of said embedded hardware-isolated data communication paths to operatively interconnect said processing engines across network architecture levels through internal integrated hardware-isolated network connections, and a common external administration interface to provide authorised external access to distinct appliance resources in accordance with a designated multi-tier authorisation protocol, wherein selective access to designated ones of said appliance resources is provided via said administration interface as a function of distinctly defined administrator access authentication profiles.