Carrier network security interface for fielded devices
First Claim
1. A network device, comprising:
- a processor; and
- a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations, comprising:
  - receiving service information that facilitates communication between a field device and a service device via a communication link at a second security level associated with a second security service, wherein the service device is not associated with a network operator identity associated with the network device;
  - receiving field device information associated with the field device for use in connection with operating the communication link using the network device;
  - determining identification information associated with the field device from the field device information;
  - selecting a first security service based on the identification information to facilitate communication with the field device via the communication link at a first security level associated with the first security service;
  - in response to selecting the first security service associated with permissive use of the network device for the communication link with the field device, receiving security information related to the field device accessing the second security service via the network device based on the service information without authentication of the field device via the service device;
  - adapting the communication link to convey data at the second security level after the communication link is determined to be successfully established at the first security level, wherein the adapting comprises encrypting the data to be unreadable by network devices associated with the network operator identity; and
  - conveying the data at the second security level between the field device and the service device, as endpoint devices of the communication link, via the network device for decryption at one of the endpoint devices.
1 Assignment
0 Petitions
Abstract
The disclosed subject matter provides carrier-side security services for fielded devices. In contrast to conventional authentication systems for fielded devices, wherein an end-to-end communications pathway is typically established for authentication of a fielded device by a back-end service provider, authentication and security services can be moved into the carrier network. A security service monitor component can be located in the carrier network and can authenticate field components without establishing a communications pathway to the back-end service provider. Further, the security service monitor component can provide security services for communications with an authenticated field component. In an aspect, this can allow for centralization of security elements from the periphery of back-end service providers into the carrier network. In a further aspect, the security service monitor component can host a security services platform for back-end service providers.
66 Citations
20 Claims
1. A network device, comprising:
- a processor; and
- a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations, comprising:
  - receiving service information that facilitates communication between a field device and a service device via a communication link at a second security level associated with a second security service, wherein the service device is not associated with a network operator identity associated with the network device;
  - receiving field device information associated with the field device for use in connection with operating the communication link using the network device;
  - determining identification information associated with the field device from the field device information;
  - selecting a first security service based on the identification information to facilitate communication with the field device via the communication link at a first security level associated with the first security service;
  - in response to selecting the first security service associated with permissive use of the network device for the communication link with the field device, receiving security information related to the field device accessing the second security service via the network device based on the service information without authentication of the field device via the service device;
  - adapting the communication link to convey data at the second security level after the communication link is determined to be successfully established at the first security level, wherein the adapting comprises encrypting the data to be unreadable by network devices associated with the network operator identity; and
  - conveying the data at the second security level between the field device and the service device, as endpoint devices of the communication link, via the network device for decryption at one of the endpoint devices.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.

15. A method, comprising:
- receiving, by a network device comprising a processor, service information associated with a service device, wherein the service device is not one of the network devices and wherein the service information is stored by the network device as stored service information to enable communication between a field device and the service device via a service authentication protocol;
- receiving, by the network device, an indication of the service authentication protocol associated with the service device, wherein the indication of the service authentication protocol is stored by the network device as stored service authentication protocol information;
- receiving, by the network device, first identification information from an unauthenticated field device;
- authenticating, by the network device, the unauthenticated field device to network devices of a network comprising the network device based on the first identification information;
- in response to authenticating the field device to the network devices of the network, authenticating, by the network device, the field device to the service device based on the stored service information and the stored service authentication protocol information without authenticating the field device via the service device; and
- carrying, by the network device, encrypted data via a communication link between the field device and the service device comprising the network device, wherein the encrypted data is encrypted in accordance with the service authentication protocol and is decryptable by the field device.
Dependent claims: 16, 17.

18. A non-transitory machine-readable storage medium, comprising executable instructions that, when executed by a processor, facilitate performance of operations, comprising:
- receiving an identifier associated with a field device accessing the network device, wherein the network device is one of a set of network devices of a network;
- authenticating, by the network device, the field device according to a first security profile related to accessing the network device based on the identifier;
- authenticating, by the network device in response to determining that the field device is authenticated to the network device in accordance with the first security profile, the field device according to a second security profile stored by the network device, without authentication of the field device via the service device, based on the identifier, wherein the second security profile is associated with a service device and the set of network devices does not comprise the service device;
- establishing a communication link based on the second security profile, wherein the communication link facilitates encryption of communication between the field device and the service device; and
- conveying data encrypted in accordance with the second security profile between the field device and the service device, as endpoint devices of the communication link, via the network device for decryption at one of the endpoint devices, wherein the data is unreadable by the set of network devices.
Dependent claims: 19, 20.
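The two-level link that the abstract and independent claims 1, 15 and 18 describe (a first level authenticated against the network operator's own credential, a second level granted from a service profile the carrier stores without any round trip to the service device, and data then encrypted so the carrier's own network devices cannot read it) as a constructed Python model. This is an added example, not code from the patent or its assignee. The device names, the fields of the stored service profile, the HMAC challenge-response used for the first level, and the SHA-256 counter-mode toy stream cipher standing in for a real AEAD are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy SHA-256 counter-mode keystream; stands in for a real AEAD (assumption).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the end-to-end key: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class ServiceProfile:  # service information the carrier stores; carries no end-to-end key
    service_id: str
    auth_protocol: str
    authorized_devices: frozenset


class CarrierNetworkDevice:
    def __init__(self):
        self.network_keys = {}       # device_id -> operator credential (the carrier holds this)
        self.service_profiles = {}   # service_id -> ServiceProfile
        self.network_authenticated = set()
        self.links = {}              # device_id -> service_id once the link is adapted
        self.relayed = []            # every blob forwarded, kept so it can be inspected

    def receive_service_information(self, profile: ServiceProfile) -> None:
        self.service_profiles[profile.service_id] = profile

    def authenticate_network(self, device_id: str, nonce: bytes, response: bytes) -> bool:
        """Level 1: HMAC challenge-response against the operator credential."""
        key = self.network_keys.get(device_id, b"")
        ok = bool(key) and hmac.compare_digest(
            hmac.new(key, nonce, hashlib.sha256).digest(), response)
        if ok:
            self.network_authenticated.add(device_id)
        return ok

    def authorize_service(self, device_id: str, service_id: str) -> bool:
        """Level 2: decided from the stored profile alone, no round trip to the service device."""
        profile = self.service_profiles.get(service_id)
        if (device_id not in self.network_authenticated or profile is None
                or device_id not in profile.authorized_devices):
            return False
        self.links[device_id] = service_id
        return True

    def relay(self, device_id: str, blob: bytes) -> bytes:
        if device_id not in self.links:
            raise PermissionError("no adapted link for this device")
        self.relayed.append(blob)
        return blob


@dataclass
class FieldDevice:
    device_id: str
    network_key: bytes   # provisioned with the carrier
    service_key: bytes   # provisioned with the service device only, never with the carrier

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.network_key, nonce, hashlib.sha256).digest()


def run_scenario() -> dict:
    # Constructed devices and keys; the carrier never receives e2e_key.
    e2e_key = secrets.token_bytes(32)
    meter = FieldDevice("meter-0001", secrets.token_bytes(32), e2e_key)
    carrier = CarrierNetworkDevice()
    carrier.network_keys[meter.device_id] = meter.network_key
    carrier.receive_service_information(
        ServiceProfile("metering-backend", "psk-hmac-sha256", frozenset({"meter-0001"})))
    nonce = secrets.token_bytes(16)
    level1 = carrier.authenticate_network(meter.device_id, nonce, meter.respond(nonce))
    level2 = carrier.authorize_service(meter.device_id, "metering-backend")
    message = b"reading=1234kWh"
    blob = carrier.relay(meter.device_id, seal(meter.service_key, message))
    recovered = unseal(e2e_key, blob)   # decryption at the service-device endpoint
    # A device the service never registered passes level 1 but is refused at level 2.
    rogue = FieldDevice("meter-9999", secrets.token_bytes(32), secrets.token_bytes(32))
    carrier.network_keys[rogue.device_id] = rogue.network_key
    n2 = secrets.token_bytes(16)
    rogue_l1 = carrier.authenticate_network(rogue.device_id, n2, rogue.respond(n2))
    rogue_l2 = carrier.authorize_service(rogue.device_id, "metering-backend")
    return {"level1": level1, "level2": level2, "recovered": recovered,
            "carrier_saw_plaintext": any(message in b for b in carrier.relayed),
            "rogue_level1": rogue_l1, "rogue_level2": rogue_l2}
```

The point of the model is the separation of key material: the carrier holds only the operator credential and the service profile, so it can decide both levels locally, yet every blob it relays is opaque to it. In a real deployment the toy keystream would be replaced by an authenticated cipher such as AES-GCM, and the profile's authorization list would be provisioned by the service provider rather than hard-coded.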