NETCONF/DMI-based secure network device discovery

US 8,621,211 B1
Filed: 10/24/2008
Issued: 12/31/2013
Est. Priority Date: 10/24/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining, by a processor, data associated with devices that are manageable by a management system,the data identifying;

one or more brands of the devices that are manageable by the management system, andone or more types of the devices that are manageable by the management system;

receiving, by the processor, discovery rule inputs that include a plurality of network addresses and simple network management protocol (SNMP) parameters;

filtering, by the processor and based on the SNMP parameters, the plurality of network addresses to remove a first network address of the plurality of network addresses,the first network address being associated with the one or more of;

a broadcast address,a multicast address,a loop back address, ora previously discovered device;

obtaining, by the processor and based on the discovery rule inputs, information for a network device associated with a second network address, of the plurality of network addresses, that differs from the first network address,the information identifying;

a particular brand associated with the network device, anda particular device type associated with the network device;

determining, by the processor, that the network device is manageable by the management system based on a comparison of the information to the data associated with devices that are manageable by the management system,determining that the network device is manageable by the management system including;

determining that the particular brand, associated with the network device, is included in the one or more brands of the devices that are manageable by the management system, anddetermining that the particular device type, associated with the network device, is included in the one or more types of the devices that are manageable by the management system; and

identifying, by the processor and to the management system, the network device based on determining that the network device is manageable by the management system,the management system obtaining device configuration information associated with the network device and managing the network device using the device configuration information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system receives discovery rule inputs that include addresses, verifies one or more device identifiers for one or more addresses, obtains device information from each verified device associated with the one or more verified device identifiers, determines whether each verified device is a discovered device based on the device information, and automatically adds each verified device as a discovered device to a management system without human intervention when it is determined that the verified device is discovered. The system further creates device configuration information, creates an identifier and password, provides device configuration information, the identifier, and the password, to each of the discovered devices based on the NETCONF or the Device Management Interface standards, waits for a connection from the discovered devices, imports device configuration information from the discovered devices when the connection has been established, and indicates that the discovered devices are managed devices.

18 Citations

View as Search Results

17 Claims

1. A method comprising:
- determining, by a processor, data associated with devices that are manageable by a management system,the data identifying;
  
  one or more brands of the devices that are manageable by the management system, andone or more types of the devices that are manageable by the management system;
  
  receiving, by the processor, discovery rule inputs that include a plurality of network addresses and simple network management protocol (SNMP) parameters;
  
  filtering, by the processor and based on the SNMP parameters, the plurality of network addresses to remove a first network address of the plurality of network addresses,the first network address being associated with the one or more of;
  
  a broadcast address,a multicast address,a loop back address, ora previously discovered device;
  
  obtaining, by the processor and based on the discovery rule inputs, information for a network device associated with a second network address, of the plurality of network addresses, that differs from the first network address,the information identifying;
  
  a particular brand associated with the network device, anda particular device type associated with the network device;
  
  determining, by the processor, that the network device is manageable by the management system based on a comparison of the information to the data associated with devices that are manageable by the management system,determining that the network device is manageable by the management system including;
  
  determining that the particular brand, associated with the network device, is included in the one or more brands of the devices that are manageable by the management system, anddetermining that the particular device type, associated with the network device, is included in the one or more types of the devices that are manageable by the management system; and
  
  identifying, by the processor and to the management system, the network device based on determining that the network device is manageable by the management system,the management system obtaining device configuration information associated with the network device and managing the network device using the device configuration information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, where filtering the plurality of network addresses further comprises:
    - verifying the plurality of network addresses,where verifying the plurality network addresses includes;
      
      pinging the plurality network addresses using the SNMP parameters;
      
      retrieving, based on pinging the plurality network addresses, device identifiers associated with the plurality network addresses; and
      
      verifying the network addresses based on a comparison of the device identifiers to one or more stored device identifiers included in a management information base (MIB) associated with the management system to produce verification results; and
      
      discarding one or more of the plurality of network addresses based on the verification results.
  - 3. The method of claim 1, where the discovery rule inputs further include secure shell (SSH) parameters, andwhere filtering the plurality of network addresses is further based on the SSH parameters.
  - 4. The method of claim 3, where filtering the plurality of network addresses further includes:
    - retrieving one or more public keys, associated with the plurality of network addresses, based on the SSH parameters;
      
      authenticating the plurality of network addresses based on the retrieved one or more public keys to produce authentication results; and
      
      discarding one or more of the plurality of network addresses based on the authentication results.
  - 5. The method of claim 3, where obtaining the information further includes:
    - logging onto the network device based on the SSH parameters; and
      
      obtaining, based on logging onto the device, the information using at least one of a network configuration (NETCONF) protocol or a device management interface (DMI) protocol.
  - 6. The method of claim 5, further comprising:
    - creating, based on the information, the device configuration information associated with the network device, an identifier, and a password; and
      
      providing the device configuration information, the identifier, and the password, to the network device using the at least one of the NETCONF protocol or the DMI protocol,the management system using the device configuration information, the identifier, and the password to manage the network device.
  - 7. The method of claim 6, where creating the device configuration information further includes:
    - detecting a connection associated with the network device; and
      
      determining the configuration information based on the connection.
  - 8. The method of claim 6, where providing the device configuration information, the identifier, and the password includes:
    - automatically logging on to the one of the devices using secure shell (SSH); and
      
      providing, when logged on to the network device, the device configuration information, the identifier, and the password to the network device.

9. A device comprising:
- a memory; and
  
  one or more processors to;
  
  store, in the memory, data associated with devices that are manageable by a management system,the data identifying;
  
  one or more brands of the devices that are manageable by the management system, andone or more types of the devices that are manageable by the management system;
  
  receive inputs that include addresses, public key parameters, and simple network management protocol (SNMP) parameters that include privacy and authentication parameters;
  
  filter the addresses to remove a first address, of the address,the first address being associated with the one or more of;
  
  a broadcast address,a multicast address,a loop back address, ora previously discovered device;
  
  verify, based on the SNMP parameters, a device identifier associated with a second address included in the filtered addresses,the one or more processors, when verifying the device identifier, being further to;
  
  perform public key verification of the second address based on the public key parameters;
  
  obtain information related to a network device associated with the second address;
  
  determine, based on the information, whether the network device is manageable by the management system,the network device being determined as manageable by the management system when;
  
  a particular brand, associated with the network device, is included in the one or more brands of the devices that are manageable by the management system, anda particular device type, associated with the network device, is included in the one or more types of the devices that are manageable by the management system; and
  
  forward, to the management system, the information,the management system using the information to manage the network device.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The device of claim 9, where the device includes one of a router, a bridge, a switch, a gateway, a security device, or a computer.
  - 11. The device of claim 9, where the public key parameters correspond to secure shell (SSH) parameters.
  - 12. The device of claim 9, where, when performing the public key verification for the second address, the one or more processors are further to:
    - receive a user input indicating whether a public key, for the second address, is accepted or rejected, andperform the public key verification for the second address based on the user input.
  - 13. The device of claim 9, where the one or more processors are further to:
    - automatically log on to the network device, andprovide, to the network device and when logged on to the network devices, an identifier and a password, andwhere the identifier and the password enables of the network device to connect with the device, andwhere the one or more processors automatically log on to the network device based on a secure shell (SSH) protocol.
  - 14. The device of claim 13, where the one or more processors are further to:
    - detect a connection between the device and the network device,receive, when the connection is detected, configuration information for the network device,store, in the memory, the configuration information for the network device, andprovide the configuration information to the management system,the management system further using the configuration information to manage the network device.

15. A computer-readable memory device to store instructions, the instructions comprising:
- one or more instructions, which when executed by a processor, cause the processor to store data identifying devices that are manageable by a management system,the data including;
  
  first data identifying one or more brands of the devices that are manageable by the management system, andsecond data identifying one or more types of the devices that are manageable by the management system;
  
  one or more instructions, which when executed by the processor, cause the processor to receive discovery rule inputs that include at least one of a range of addresses or subnet masks;
  
  one or more instructions, which when executed by the processor, cause the processor to filter the at least one of the range of addresses or the subnet masks to remove at least one of an address or a subnet mask when the at least one of the address or the subnet mask is associated with;
  
  a broadcast,a multicast,a loop back, ora previously discovered device;
  
  one or more instructions, which when executed by the processor, cause the processor to verify one or more device identifiers associated with the filtered at least one of the range of addresses or the subnet masks,the one or more instructions to verify the one or more device identifiers including;
  
  one or more instructions to verify the one or more device identifiers using simple network management protocol (SNMP);
  
  one or more instructions, which when executed by the processor, cause the processor to perform public key verification for one or more devices corresponding to the one or more verified device identifiers;
  
  one or more instructions, which when executed by the processor, cause the processor to obtain respective information from the one or more devices;
  
  one or more instructions, which when executed by the processor, cause the processor to determine, based on the respective information, whether the one or more devices are manageable by the management system,one or more instructions to determine whether the one or more devices are manageable by the management system including;
  
  the one or more instructions to determine that a device, of the one or more devices, is manageable by the management system whena particular brand, associated with the device, is included in the one or more brands of the devices that are manageable by the management system, anda particular device type, associated with the device, is included in the one or more types of the devices that are manageable by the management system; and
  
  one or more instructions, which when executed by the processor, cause the processor to provide, to the management system, the respective information when the one or more devices are manageable by the management system,the management system using the respective information to manage the one or more devices.
- View Dependent Claims (16, 17)
- - 16. The computer-readable memory device of claim 15, where the one or more instructions to obtain the respective information further comprise:
    - one or more instructions to obtain, based on the respective information, respective device configuration information from each of the one or more devices using at least one of a network configuration (NETCONF) protocol or a device management interface protocol; and
      
      one or more instructions to provide the respective device configuration information to the management system,the management system managing the one or more devices further based on the respective device configuration information.
  - 17. The computer-readable memory device of claim 15, further comprising:
    - one or more instructions to generate login information based on the respective information; and
      
      one or more instructions to authenticate, based on the login information, a login request from the one or more devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Kishore, Uday, Joyce, Roshan
Primary Examiner(s)
Shaw, Peter
Assistant Examiner(s)
HO, DAO Q

Application Number

US12/257,587
Time in Patent Office

1,894 Days
Field of Search

713/168, 713/171
US Class Current

713/168
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 12/1886   with traffic restrictions f...

H04L 41/0213   Standardised network manage...

H04L 41/0803   Configuration setting

H04L 41/0806   for initial configuration o...

H04L 41/0866   Checking the configuration

H04L 41/12   Discovery or management of ...

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

NETCONF/DMI-based secure network device discovery

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

NETCONF/DMI-based secure network device discovery

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others