Approach for securely deploying network devices

US 20060242695A1
Filed: 04/22/2005
Published: 10/26/2006
Est. Priority Date: 04/22/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for deploying a network device, the computer-implemented method comprising:

establishing a secure introduction connection between the network device and a registrar;

the registrar providing bootstrap configuration data to the network device over the secure introduction connection, wherein the bootstrap configuration data is used to establish a secure management connection between the network device and a secure management gateway; and

the secure management gateway providing user-specific configuration data and security policy data to the network device over the secure management connection;

wherein the user-specific configuration data and security policy data are used to establish a secure data connection between the network device and a secure data gateway.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to an approach for securely deploying and configuring network devices, a secure introduction connection is established between a network device being deployed and a registrar. The secure introduction connection may conform to a secure communications protocol, such as HTTPS. The registrar provides bootstrap configuration data to the network device over the secure introduction connection. The bootstrap configuration data is used to establish a secure management connection between the network device and a secure management gateway. The secure management connection may conform to a secure communications protocol, such as IPsec or HTTPS. The secure management gateway provides user-specific configuration data and security policy data to the network device over the secure management connection. The user-specific configuration data and policy data are used to establish a secure data connection, such as a Dynamic Multipoint Virtual Private Network (DMVPN) connection, between the network device and the secure data gateway.

Citations

36 Claims

1. A computer-implemented method for deploying a network device, the computer-implemented method comprising:
- establishing a secure introduction connection between the network device and a registrar;
  
  the registrar providing bootstrap configuration data to the network device over the secure introduction connection, wherein the bootstrap configuration data is used to establish a secure management connection between the network device and a secure management gateway; and
  
  the secure management gateway providing user-specific configuration data and security policy data to the network device over the secure management connection;
  
  wherein the user-specific configuration data and security policy data are used to establish a secure data connection between the network device and a secure data gateway.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method as recited in claim 1, wherein the secure introduction connection conforms to the HTTPS communications protocol.
  - 3. The computer-implemented method as recited in claim 1, wherein the secure management connection conforms to one of an IPsec communications protocol and the HTTPS communications protocol.
  - 4. The computer-implemented method as recited in claim 1, wherein the secure data connection is a dynamic multipoint VPN (DMVPN) connection.
  - 5. The computer-implemented method as recited in claim 1, wherein the secure management connection conforms to an IPsec communications protocol and the secure data connection is a dynamic multipoint VPN (DMVPN) connection.
  - 6. The computer-implemented method as recited in claim 1, further comprising the registrar receiving, from a Web browser executing on the network device, a simple certificate enrollment protocol (SCEP) request that conforms to the HTTPS communications protocol.
  - 7. The computer-implemented method as recited in claim 1, further comprising:
    - causing a networking services agent to be instantiated on the network device;
      
      the secure management gateway receiving, from the networking services agent instantiated on the network device, data that indicates that the secure management connection has been established; and
      
      the secure management gateway providing the data to a networking services engine for processing.
  - 8. The computer-implemented method as recited in claim 1, further comprising the secure management gateway providing updated user-specific configuration data and security policy data to the network device over the secure management connection, wherein the updated user-specific configuration data and security policy data enable the secure management connection to be updated.
  - 9. The computer-implemented method as recited in claim 1, wherein the network device is a router, the secure management gateway is a management router and the secure data gateway is a corporate router.

10. A computer-readable medium for deploying a network device, the computer-readable medium carrying instructions which, when executed by one or more processors, cause:
- establishing a secure introduction connection between the network device and a registrar;
  
  the registrar providing bootstrap configuration data to the network device over the secure introduction connection, wherein the bootstrap configuration data is used to establish a secure management connection between the network device and a secure management gateway; and
  
  the secure management gateway providing user-specific configuration data and security policy data to the network device over the secure management connection;
  
  wherein the user-specific configuration data and security policy data are used to establish a secure data connection between the network device and a secure data gateway.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer-readable medium as recited in claim 10, wherein the secure introduction connection conforms to the HTTPS communications protocol.
  - 12. The computer-readable medium as recited in claim 10, wherein the secure management connection conforms to one of an IPsec communications protocol and the HTTPS communications protocol.
  - 13. The computer-readable medium as recited in claim 10, wherein the secure data connection is a dynamic multipoint VPN (DMVPN) connection.
  - 14. The computer-readable medium as recited in claim 10, wherein the secure management connection conforms to an IPsec communications protocol and the secure data connection is a dynamic multipoint VPN (DMVPN) connection.
  - 15. The computer-readable medium as recited in claim 10, further comprising additional instructions which, when executed by the one or more processors, cause the registrar receiving, from a Web browser executing on the network device, a simple certificate enrollment protocol (SCEP) request that conforms to the HTTPS communications protocol.
  - 16. The computer-readable medium as recited in claim 10, further comprising additional instructions which, when executed by the one or more processors, cause:
    - causing a networking services agent to be instantiated on the network device;
      
      the secure management gateway receiving, from the networking services agent instantiated on the network device, data that indicates that the secure management connection has been established; and
      
      the secure management gateway providing the data to a networking services engine for processing.
  - 17. The computer-readable medium as recited in claim 10, further comprising additional instructions which, when executed by the one or more processors, cause the secure management gateway providing updated user-specific configuration data and security policy data to the network device over the secure management connection, wherein the updated user-specific configuration data and security policy data enable the secure management connection to be updated.
  - 18. The computer-readable medium as recited in claim 10, wherein the network device is a router, the secure management gateway is a management router and the secure data gateway is a corporate router.

19. An apparatus for deploying a network device, the apparatus comprising a memory storing instructions which, when executed by one or more processors, cause:
- establishing a secure introduction connection between the network device and a registrar;
  
  the registrar providing bootstrap configuration data to the network device over the secure introduction connection, wherein the bootstrap configuration data is used to establish a secure management connection between the network device and a secure management gateway; and
  
  the secure management gateway providing user-specific configuration data and security policy data to the network device over the secure management connection;
  
  wherein the user-specific configuration data and security policy data are used to establish a secure data connection between the network device and a secure data gateway.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The apparatus as recited in claim 19, wherein the secure introduction connection conforms to the HTTPS communications protocol.
  - 21. The apparatus as recited in claim 19, wherein the secure management connection conforms to one of an IPsec communications protocol and the HTTPS communications protocol.
  - 22. The apparatus as recited in claim 19, wherein the secure data connection is a dynamic multipoint VPN (DMVPN) connection.
  - 23. The apparatus as recited in claim 19, wherein the secure management connection conforms to an IPsec communications protocol and the secure data connection is a dynamic multipoint VPN (DMVPN) connection.
  - 24. The apparatus as recited in claim 19, wherein the memory further stores additional instructions which, when executed by the one or more processors, cause the registrar receiving, from a Web browser executing on the network device, a simple certificate enrollment protocol (SCEP) request that conforms to the HTTPS communications protocol.
  - 25. The apparatus as recited in claim 19, wherein the memory further stores additional instructions which, when executed by the one or more processors, cause:
    - causing a networking services agent to be instantiated on the network device;
      
      the secure management gateway receiving, from the networking services agent instantiated on the network device, data that indicates that the secure management connection has been established; and
      
      the secure management gateway providing the data to a networking services engine for processing.
  - 26. The apparatus as recited in claim 19, wherein the memory further stores additional instructions which, when executed by the one or more processors, cause the secure management gateway providing updated user-specific configuration data and security policy data to the network device over the secure management connection, wherein the updated user-specific configuration data and security policy data enable the secure management connection to be updated.
  - 27. The apparatus as recited in claim 19, wherein the network device is a router, the secure management gateway is a management router and the secure data gateway is a corporate router.

28. An apparatus for deploying a network device, the apparatus comprising:
- means for establishing a secure introduction connection between the network device and a registrar;
  
  means for the registrar providing bootstrap configuration data to the network device over the secure introduction connection, wherein the bootstrap configuration data is used to establish a secure management connection between the network device and a secure management gateway; and
  
  means for the secure management gateway providing user-specific configuration data and security policy data to the network device over the secure management connection;
  
  wherein the user-specific configuration data and security policy data are used to establish a secure data connection between the network device and a secure data gateway.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36)
- - 29. The apparatus as recited in claim 28, wherein the secure introduction connection conforms to the HTTPS communications protocol.
  - 30. The apparatus as recited in claim 28, wherein the secure management connection conforms to one of an IPsec communications protocol and the HTTPS communications protocol.
  - 31. The apparatus as recited in claim 28, wherein the secure data connection is a dynamic multipoint VPN (DMVPN) connection.
  - 32. The apparatus as recited in claim 28, wherein the secure management connection conforms to an IPsec communications protocol and the secure data connection is a dynamic multipoint VPN (DMVPN) connection.
  - 33. The apparatus as recited in claim 28, further comprising means for causing the registrar receiving, from a Web browser executing on the network device, a simple certificate enrollment protocol (SCEP) request that conforms to the HTTPS communications protocol.
  - 34. The apparatus as recited in claim 28, further comprising means for:
    - causing a networking services agent to be instantiated on the network device;
      
      the secure management gateway receiving, from the networking services agent instantiated on the network device, data that indicates that the secure management connection has been established; and
      
      the secure management gateway providing the data to a networking services engine for processing.
  - 35. The apparatus as recited in claim 28, further comprising means for causing the secure management gateway providing updated user-specific configuration data and security policy data to the network device over the secure management connection, wherein the updated user-specific configuration data and security policy data enable the secure management connection to be updated.
  - 36. The apparatus as recited in claim 28, wherein the network device is a router, the secure management gateway is a management router and the secure data gateway is a corporate router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Aggarwal, Gautam, Pritikin, Max, Leonardo, Pedro J., Nedeltchev, Plamen, Iacobacci, David

Granted Patent

US 7,748,035 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 41/0806   for initial configuration o...

H04L 41/082   the condition being updates...

H04L 63/0272   Virtual private networks

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

Approach for securely deploying network devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Approach for securely deploying network devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links