Mechanism for embedding network based control systems in a local network interface device
Abstract
A secure, trusted network management function embedded within a network interface device is provided. The network interface device connects a host computer to a network and contains a host bus interface, a network interface, and control logic. The network interface device incorporates a secure language processor, non-volatile memory, and a carrier sense circuit. The secure language processor executes a secure language program, and the non-volatile memory stores identification keys for remote devices and objects of value for network applications. If an application program is to be executed or accessed by the host computer, the secure language processor verifies that the object of value allows such execution or access. If a remote network device attempts to control the functionality of the network interface device, the secure language processor verifies that the remote network device has the authority to issue such a command.
15 Claims
1. An apparatus to provide a proxy for network services of a secure station connected to a network to a host station, said apparatus comprising:
a bus interface circuit coupled between said host station and said network;
a security circuit coupled to said bus interface circuit, said security circuit including a processor;
a memory coupled to said processor, said memory to contain parameter information utilized by said network services, said security circuit to allow said parameter information from said network to be stored in said memory, said security circuit to allow authorized access to said parameter information by said host station without network communication between the host station and the secure station; and
a carrier sense circuit coupled to said bus interface circuit detecting a disconnection of said host station from said network.

2. The apparatus of claim 1 wherein:
said network service comprises a verification routine executable by said processor; and
said security circuit to transmit a first set of commands to said host station if said verification routine returns a first value when executed by said processor, said first set of commands to enable said first station to execute an application program executable by said first station, said verification routine to utilize said parameter information contained in said memory.
3. The apparatus of claim 2 wherein said parameter information includes a counter to store a counter value and said verification routine comprises an authentication routine to verify the identity of a user of said host station, said verification routine further comprising a decrement routine to decrement the value of said counter value.

4. The apparatus of claim 3 wherein said authentication routine further includes a plurality of identification parameters, each of said identification parameters to verify the identity of one of a plurality of users of host first station.

5. The apparatus of claim 2 wherein said security circuit to transmit said first set of commands to said first station if said verification routine returns said first value, and said security circuit to transmit a second set of commands to said first station if said verification routine returns a second value.

6. The apparatus of claim 2 wherein said security circuit to transmit said first set of commands to said first station if said verification routine returns said first value and said first station is disconnected from said network.

7. The network interface device according to claim 1 wherein said secure security circuit to provide said secure network management services even when said network is disconnected from said host computer.
8. An apparatus to provide access to network interface functions of a secure station connected to a network to a host station, said apparatus comprising:
a bus interface circuit coupled between said host station and said network;
a processor disposed within a secure circuit and coupled to said host station; and
a memory coupled to said processor, said memory to contain parameter information utilized by said network interface functions, said processor to allow said parameter information from said network to be stored in said memory, said processor to allow authorized access to said parameter information by said host station without network communication between the secure station and the host station.
Dependent claims 9 and 10 are not reproduced here.
11. A method of providing secure network management functions within a network interface device, said network interface comprising a memory, a processor, and a bus interface circuit, said bus interface circuit coupling said first network station to a network, said network coupled to a second network station, said method comprising the steps of:
storing a first parameter in said memory;
storing a security routine in said memory, said security routine comprising instructions and one or more data objects, said security routine containing a second parameter;
causing said processor to execute said security routine;
transmitting a first set of commands to said first network station if said security routine returns a first value; and
transmitting a second set of commands to said first network station if said security routine returns a second value, said processor allowing said data objects from said network to be stored in said memory, said processor denying access to said data objects by said first network station.

12. The method of claim 11 wherein:
said first parameter comprises a data string corresponding to the identity of a user of said first network station, and one of said one or more data objects comprises a counter;
wherein the step of causing said processor to execute said security routine further comprises the steps of:
verifying the identity of said user by comparing a character string input by said user to said first parameter, checking a value associated with said counter, decrementing said counter if said value exceeds a threshold value, and issuing an authorization command allowing the transmission of said first set of commands if said counter exceeds said threshold value and said character string matches said first parameter.
13. The method of claim 12 wherein said first set of commands to cause said network interface device to modify usage of said network.

14. The method of claim 11 wherein said first set of commands causes said first network station to execute an application program executable by said first network station.

15. The method of claim 11 wherein said first parameter comprises a data string corresponding to the address of an authorized network station, and wherein the step of causing said processor to execute said security routine further comprises the steps of:
verifying the authority of a network station requesting access by comparing said first parameter with a character string transmitted by said network station requesting access; and
issuing an authorization command allowing the transmission of said first set of commands if said character string matches said first parameter.
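The security routine of claims 11, 12 and 15, together with the two verification paths described in the abstract (an "object of value" gating application execution, and a remote station having to prove authority before it can change the device's parameters), as an added example that is not part of the patent and not the device's firmware: a small Python model of the device-side check. The names SecureNic, SecureMemory and the command-set strings, the sample secret and station address, and the check-before-decrement ordering (which claim 12 leaves open) are all assumptions of this example.

```python
"""Reconstruction of the security routine in claims 11, 12 and 15 (added
example; not the patent's own firmware).  SecureNic, SecureMemory and the
command-set strings below are assumptions, not names from the patent."""
import hmac
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    """The two return values of the claimed security routine (claim 11)."""
    AUTHORIZED = 1   # "first value": transmit the first set of commands
    DENIED = 2       # "second value": transmit the second set of commands


# Constructed sample command sets.  Per claims 13 and 14 the first set lets
# the host run the application or changes its network usage; the second set
# is whatever the device sends on denial.
FIRST_COMMANDS = ("ENABLE_APP", "ALLOW_NETWORK_USAGE")
SECOND_COMMANDS = ("DENY_APP",)


@dataclass
class SecureMemory:
    """Parameter information held inside the interface device.

    The host never reads this directly: claim 11 has the processor deny the
    host access to the data objects, so the host only ever sees a command set.
    """
    user_secret: str          # claim 12 "first parameter": identity string
    authorized_station: str   # claim 15 "first parameter": permitted address
    counter: int              # claim 12 data object: remaining uses
    threshold: int = 0        # counter must exceed this to authorize


def _match(expected: str, supplied: str) -> bool:
    """Constant-time compare.  A plain == on a device the host can drive
    thousands of times leaks how many leading characters matched."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


class SecureNic:
    def __init__(self, mem: SecureMemory) -> None:
        self._mem = mem   # kept private to model the hardware boundary

    def authorize_user(self, user_input: str) -> tuple:
        """Claim 12: verify identity, then spend one unit of the counter.

        The claim does not fix the order of the decrement and the check; this
        reconstruction checks first and decrements only on success, so a wrong
        string or an exhausted counter never consumes a use and the counter
        cannot fall below the threshold.  Only local memory is consulted, which
        is the "proxy without network communication" of claim 1.
        """
        mem = self._mem
        if _match(mem.user_secret, user_input) and mem.counter > mem.threshold:
            mem.counter -= 1
            return Verdict.AUTHORIZED, FIRST_COMMANDS
        return Verdict.DENIED, SECOND_COMMANDS

    def authorize_station(self, requester_address: str) -> tuple:
        """Claim 15: a station may issue commands only if the string it sends
        matches the stored authorized address."""
        if _match(self._mem.authorized_station, requester_address):
            return Verdict.AUTHORIZED, FIRST_COMMANDS
        return Verdict.DENIED, SECOND_COMMANDS

    def update_from_network(self, sender_address: str, new_counter: int) -> Verdict:
        """Provisioning path from the abstract: a remote station that wants to
        change the device's parameters (here, replenish the counter) gets
        through only after the claim 15 check.  An address alone is spoofable
        on a LAN; a real device would bind this to the abstract's stored
        identification keys, which this example does not model."""
        verdict, _ = self.authorize_station(sender_address)
        if verdict is Verdict.AUTHORIZED:
            self._mem.counter = new_counter
        return verdict

    def remaining_uses(self) -> int:
        """Uses left before the counter stops exceeding the threshold."""
        return self._mem.counter - self._mem.threshold


if __name__ == "__main__":
    # Constructed sample memory contents (assumed values, not from the patent).
    nic = SecureNic(SecureMemory(user_secret="hunter2",
                                 authorized_station="00:1b:21:aa:bb:cc",
                                 counter=2))
    print(nic.authorize_user("wrong"))      # DENIED, counter untouched
    print(nic.authorize_user("hunter2"))    # AUTHORIZED, counter -> 1
    print(nic.authorize_user("hunter2"))    # AUTHORIZED, counter -> 0
    print(nic.authorize_user("hunter2"))    # DENIED: object of value spent
    print(nic.update_from_network("00:1b:21:00:00:00", 5))  # DENIED
    print(nic.update_from_network("00:1b:21:aa:bb:cc", 5))  # AUTHORIZED
    print(nic.remaining_uses())             # 5
```

Two points a practitioner should take from the model. The counter is the "object of value": it only protects anything if it lives in memory the host cannot reach, which is exactly what claim 11's denial of host access to the data objects provides, and it must be decremented on the device, never on a value the host reports back. Second, claim 15's address comparison is an authorization check, not authentication; the abstract's identification keys for remote devices are what stop a station on the same segment from simply presenting the authorized address.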
Specification