Networking as a service: delivering network services using remote appliances controlled via a hosted, multi-tenant management system

US 8,347,355 B2
Filed: 01/21/2009
Issued: 01/01/2013
Est. Priority Date: 01/17/2008
Status: Active Grant

First Claim

Patent Images

1. A hosted multi-tenant centralized network management system (NMS) for delivering network services, said centralized NMS being adapted to authenticate customer premises equipment (CPE), wherein said CPE is deployed without a pre-shared key (PSK) or certificate, said CPE being coupled to an end user computer, said centralized NMS comprising:

a login server, a memory device and a network management server;

wherein said login server is adapted to generate a temporary PSK, store said temporary PSK associated with an identity of said CPE in a database in said memory device, and send a prompt for a device password to said end user computer, the generation of a temporary PSK being in response to receipt of an automatic authentication request over an internet connection from said end user computer, said automatic authentication request including said identity of said CPE;

wherein said login server is further adapted to validate said device password received from said end user computer and send said temporary PSK to said CPE;

wherein said network management server is adapted to validate said temporary PSK received from said CPE, and send an encrypted version of said device password to said CPE, said validation including identifying said CPE identity in said database, said encrypted version of said device password being an authentication token for subsequent communications between said CPE and said centralized NMS.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Networking as a Service (NaaS) delivers network services using remote appliances controlled by a hosted, multi-tenant management system. The system may include a heartbeating process for communication between a web-based server and appliances, in which the appliances periodically contact the management system on the server. The heartbeating process allows the appliances to maintain a completely up-to-date configuration. Furthermore, heartbeating allows for comprehensive monitoring of appliances and for software distribution. The system may also include means for authenticating appliances, without the need for pre-installed PSKs or certificates.

61 Citations

View as Search Results

21 Claims

1. A hosted multi-tenant centralized network management system (NMS) for delivering network services, said centralized NMS being adapted to authenticate customer premises equipment (CPE), wherein said CPE is deployed without a pre-shared key (PSK) or certificate, said CPE being coupled to an end user computer, said centralized NMS comprising:
- a login server, a memory device and a network management server;
  
  wherein said login server is adapted to generate a temporary PSK, store said temporary PSK associated with an identity of said CPE in a database in said memory device, and send a prompt for a device password to said end user computer, the generation of a temporary PSK being in response to receipt of an automatic authentication request over an internet connection from said end user computer, said automatic authentication request including said identity of said CPE;
  
  wherein said login server is further adapted to validate said device password received from said end user computer and send said temporary PSK to said CPE;
  
  wherein said network management server is adapted to validate said temporary PSK received from said CPE, and send an encrypted version of said device password to said CPE, said validation including identifying said CPE identity in said database, said encrypted version of said device password being an authentication token for subsequent communications between said CPE and said centralized NMS.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system as in claim 1, wherein said CPE has stored in memory a redirect command to a secure link to said centralized NMS, wherein said CPE is adapted to, capture an end user HTML session and send a response to said end user computer, said response having a redirect to said secure link to said login server of said centralized NMS for said automatic authentication request from said end user computer and wherein the URL of said redirect includes information about said CPE, said information including said identity of said CPE.
  - 3. The system as in claim 1, wherein said CPE has stored in memory a redirect command to a secure link to said centralized NMS, and wherein said CPE is adapted to, after receiving said temporary PSK from said login server, store said temporary PSK in memory at said CPE.
  - 4. The system as in claim 1, wherein said sending by said login server to said CPE of said temporary PSK includes sending by said login server a confirm page to said end user computer, said confirm page including an executable program with the URL of said CPE and said temporary PSK, wherein said executable program causes said end user computer to automatically send said temporary PSK to said CPE.
  - 5. The system as in claim 4, wherein said executable program causes said end user computer to issue an insecure HTTP POST of said temporary PSK to said CPE.
  - 6. The system as in claim 1, wherein said identity of said CPE includes a MAC address or a serial number.
  - 7. The system as in claim 1, wherein said device password is a PSK.
  - 8. The system as in claim 1, wherein said encrypted version of said device password is a cryptographic hash of said device password.
  - 9. The system as in claim 8, wherein said cryptographic hash includes an MD5 hash.
  - 10. The system as in claim 1, wherein said CPE is locked down in a walled garden with access only to a data network service (DNS) and said centralized NMS.
  - 11. The system as in claim 1, wherein said temporary PSK is a random or pseudorandom number.

12. A method of authenticating a customer premises equipment (CPE), wherein said CPE is deployed without a pre-shared key (PSK) or certificate, said CPE being coupled to an end user computer, said method comprising:
- generating a temporary PSK by a login server of a centralized network management system (NMS) in response to receiving over an internet connection an automatic authentication request from said end user computer, said request including a device identity of said CPE;
  
  storing said temporary PSK associated with said identity of said CPE in a database of said centralized NMS;
  
  sending from said login server to said end user computer a prompt for a device password;
  
  validating said device password by said login server in response to said password being transmitted from said end user computer to said login server;
  
  sending said temporary PSK to said CPE by said login server;
  
  receiving said temporary PSK from said CPE by a network management server of said centralized NMS;
  
  validating said temporary PSK by said network management server, wherein saidvalidation includes identifying said CPE identity in said database; and
  
  sending by said network management server an encrypted version of said device password to said CPE;
  
  wherein said CPE uses said encrypted version of said device password as an authentication token for subsequent communications with said centralized NMS.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The method as in claim 12, wherein said CPE has stored in memory a redirect command to a secure link to said centralized NMS.
  - 14. The method as in claim 13, further comprising:
    - capturing an end user HTML session by said CPE; and
      
      sending by said CPE a response to said end user computer, said response having a redirect to said secure link to said login server of said centralized NMS for said automatic authentication request from said end user computer, wherein the URL of said redirect includes information about said CPE, said information including said identity of said CPE.
  - 15. The method as in claim 13, further comprising, after said sending by said login server to said CPE of said temporary PSK, storing in memory said temporary PSK at said CPE.
  - 16. The method as in claim 12, wherein said validating said device password includes comparing said device password with device passwords stored in said database of said centralized NMS.
  - 17. The method as in claim 12, wherein said sending by said login server to said CPE of said temporary PSK includes:
    - sending by said login server a confirm page to said end user computer, said confirm page including an executable program with the URL of said CPE and said temporary PSK;
      
      wherein said executable program causes said end user computer to automatically send said temporary PSK to said CPE.
  - 18. The method as in claim 17, wherein said executable program causes said end user computer to issue an insecure HTTP POST of said temporary PSK to said CPE.
  - 19. The method as in claim 12, wherein said identity of said CPE includes a MAC address or a serial number.
  - 20. The method as in claim 12, wherein said device password is a PSK.

21. A method comprising:
- receiving an automatic authentication request from a network device on a network at a network management system (NMS) for authenticating the network device on the network, wherein the request includes an identifier of the network device;
  
  generating at a login server of the NMS a temporary pre-shared key (PSK) in response to receiving the authentication request;
  
  storing by the login server of the NMS the temporary PSK in association with the identifier of the network device in a datastore of the NMS;
  
  sending from the login server of the NMS a prompt for a device password to an end user computer;
  
  receiving at the login server of the NMS a device password from the end user computer in response to the prompt for a device password;
  
  validating by the login server of the NMS the device password;
  
  sending from the login server of the NMS the temporary PSK to the network device;
  
  receiving at a network management server of the NMS a key from the network device;
  
  validating the key by the network management server of the NMS, wherein said validation includes determining the key matches the temporary PSK in the datastore of the NMS and identifying the identifier of the network device in the datastore of the centralized NMS;
  
  sending from the network management server of the NMS an encrypted version of the device password to the network device;
  
  wherein the NMS uses said the encrypted version of the device password as an authentication token for subsequent communications with the network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Aerohive Networks Incorporated (Extreme Networks, Inc.)
Inventors
Mower, Carl Steven, Palmer, Matthew Alan, Mayhew, Steven Couch
Primary Examiner(s)
ABYANEH, ALI S

Application Number

US12/357,390
Publication Number

US 20090187970A1
Time in Patent Office

1,441 Days
Field of Search

726/3, 726/6, 726/4, 726/9, 726/5, 713/155, 713/168, 713/176, 713/153, 709/220, 709/222, 709/227
US Class Current

726/3
CPC Class Codes

H04L 43/10   Active monitoring, e.g. hea...

H04L 67/025   for remote control or remot...

H04L 67/125   involving control of end-de...

Networking as a service: delivering network services using remote appliances controlled via a hosted, multi-tenant management system

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Networking as a service: delivering network services using remote appliances controlled via a hosted, multi-tenant management system

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links