Apparatus, method and system for improving network security

US 7,577,996 B1
Filed: 02/06/2004
Issued: 08/18/2009
Est. Priority Date: 02/06/2004
Status: Active Grant

First Claim

Patent Images

1. A system for protecting sensitive information in a network comprising:

a network component for storing the sensitive information necessary for authorized network access;

a network device, attachable to the network, that lacks the sensitive information necessary for authorized network access and is inoperative, at least in part, until the sensitive information is stored therein;

wherein, when the network device is attached to the network, the sensitive information necessary for authorized network access is downloaded from the network component and stored in the network device so that the network device becomes operational;

wherein, when the network device is disconnected from the network, the sensitive information necessary for authorized network access is erased from the network device, thereby making the network device inoperative at least in part and removing the sensitive information necessary for authorized network access from the network device;

wherein the network component is located in a secure environment comprising security for both physical access and network communications;

wherein the sensitive information necessary for authorized network access is selected from the group consisting of configuration information, a software image, and a combination of the forgoing; and

wherein the sensitive information is bundled with self-extracting software as stored at the network component.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices, systems and related methods are disclosed for improving operational security of a network and/or network devices, such as wireless access points (APs). In the disclosed systems, a network device is not fully operational until it is attached to a network and downloads sensitive information. The information is stored in the network device so that when the device is disconnected from the network, the sensitive information is erased from the device, making the device inoperative and removing sensitive information, such as passwords, network security keys, or the like. Disabling the network device in this manner not only prevents the theft of sensitive network access information, by also discourages theft of the device itself because it cannot be used on another network without the configuration information. In addition to downloading configuration information, the network device can also download an executable image that is likewise not permanently resident on the device.

Citations

19 Claims

1. A system for protecting sensitive information in a network comprising:
- a network component for storing the sensitive information necessary for authorized network access;
  
  a network device, attachable to the network, that lacks the sensitive information necessary for authorized network access and is inoperative, at least in part, until the sensitive information is stored therein;
  
  wherein, when the network device is attached to the network, the sensitive information necessary for authorized network access is downloaded from the network component and stored in the network device so that the network device becomes operational;
  
  wherein, when the network device is disconnected from the network, the sensitive information necessary for authorized network access is erased from the network device, thereby making the network device inoperative at least in part and removing the sensitive information necessary for authorized network access from the network device;
  
  wherein the network component is located in a secure environment comprising security for both physical access and network communications;
  
  wherein the sensitive information necessary for authorized network access is selected from the group consisting of configuration information, a software image, and a combination of the forgoing; and
  
  wherein the sensitive information is bundled with self-extracting software as stored at the network component.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the configuration information is selected from the group consisting of a password, a user ID, a network security key, and any combination of the forgoing.
  - 3. The system of claim 1, wherein the network device includes a volatile memory for storing the sensitive information.
  - 4. The system of claim 1, wherein the network component is a LAN switch comprising a server utilizing Simple Network Management Protocol (SNMP).
  - 5. The system of claim 1, wherein the network device provides network access to a voice over IP phone, wherein the voice over IP phone stores configuration data and software images in volatile memory.
  - 6. The system of claim 1, wherein the network device is powered by a network cable using Power over Ethernet (PoE).

7. A method for protecting sensitive information in a network comprising:
- storing the sensitive information necessary for authorized network access at a network component;
  
  attaching a network device to the network, the network device lacking the sensitive information necessary for authorized network access and being inoperative, at least in part, until the sensitive information necessary for authorized network access is stored therein;
  
  downloading the sensitive information necessary for authorized network access from the network component to the network device;
  
  storing the sensitive information necessary for authorized network access in the network device so that the network device becomes operational on the network;
  
  when the network device is disconnected from the network, erasing the sensitive information necessary for authorized network access from the network device, thereby rendering the network device inoperative, at least in part;
  
  wherein the network component is located in a secure environment comprising security for both physical access and network communications;
  
  wherein the sensitive information necessary for authorized network access is selected from the group consisting of configuration information, a software image, and a combination of the forgoing; and
  
  wherein the sensitive information is bundled with self-extracting software as stored at the network component.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the configuration information is selected from the group consisting of a password, a user ID, a network security key, and any combination of the forgoing.
  - 9. The method of claim 7 wherein the network device includes a volatile memory for storing the sensitive information necessary for authorized network access.
  - 10. The method of claim 7, wherein the network component is a LAN switch comprising a server utilizing Simple Network Management Protocol (SNMP).
  - 11. The method of claim 7, wherein the network device provides network access to a voice over IP phone, wherein the voice over IP phone stores configuration data and software images in volatile memory.
  - 12. The method of claim 7, wherein the network device is powered by a network cable using Power over Ethernet (PoE).

13. A device that is non-operational on a network unless the device is storing configuration information necessary for authorized network access comprising:
- an interface for communicating with the network;
  
  a memory whose contents are erased upon loss of power to the device;
  
  means for downloading from a network component of the network and storing in the memory the configuration information necessary for authorized network access so that the configuration information necessary for authorized network access is not retained when the device is powered down, wherein the configuration information necessary for authorized network access, when stored in the memory, permits the device to operate on the network;
  
  wherein the device is a wireless access point (AP);
  
  wherein the network component is located in a secure environment comprising security for both physical access and network communications;
  
  wherein the means for downloading includes a bootstrap program for downloading from the network an executable image;
  
  wherein the executable image permits the device to download the configuration information necessary for authorized network access;
  
  wherein the configuration information necessary for authorized network access includes security information for allowing end user devices to access the network through the wireless AP; and
  
  wherein the device provides network access to a voice over IP phone that stores the security information and a software image in volatile memory.
- View Dependent Claims (14, 15)
- - 14. The device of claim 13, further comprising means for storing the executable image in the memory.
  - 15. The device of claim 13, wherein the configuration information necessary for authorized network access includes security information for allowing the device access to the network.

16. A network system, comprising:
- a switch for attaching a device to a network so that information can be communicated between the device and the network system, wherein the device is not fully operational when first connected to the switch; and
  
  means for downloading configuration information necessary for authorized network access from a network component of the network system to a volatile memory included in the device in response to a request from the device, so that the configuration information necessary for authorized network access is not retained in the device when the device is powered down, the device being operable on the network after the configuration information necessary for authorized network access is downloaded into the volatile memory;
  
  means for downloading an executable image from the network system to the device;
  
  wherein the request is generated by running the executable image on the device;
  
  wherein the device is a wireless access point (AP);
  
  wherein the network component is located in a secure environment comprising security for both physical access and network communications;
  
  wherein the configuration information necessary for authorized network access includes security information for allowing end user devices to access the network system through a wireless AP; and
  
  wherein the device provides network access to a voice over IP phone that stores the security information and a software image in volatile memory.
- View Dependent Claims (17, 18, 19)
- - 17. The network system of claim 16, wherein the device is powered by a network cable using Power over Ethernet (PoE).
  - 18. The network system of claim 16, wherein the configuration information necessary for authorized network access includes security information for allowing the device access to the network.
  - 19. The network system of claim 16, further comprising means for authenticating the device on the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Extreme Networks, Inc.
Inventors
Merchant, Shehzad T., Maitra, Amit K., Srinivasan, Balaji, Li, Jia-Ru, Lin, Victor C., Peters, Matthew R., Pitcher, Derek H., Jain, Vipin K., Rathi, Manish M.
Primary Examiner(s)
NGUYEN, MINH DIEU T

Application Number

US10/773,394
Time in Patent Office

2,020 Days
Field of Search

713/201, 713/187, 709223-225, 726/26, 455/410
US Class Current

726/26
CPC Class Codes

H04L 63/0853 using an additional device,...

Apparatus, method and system for improving network security

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus, method and system for improving network security

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links