Network management using secure mesh command and control framework
Abstract
Embodiments relate to systems and methods for network management using a secure mesh command and control framework. A network management server can communicate with a set of supervisory hosts, which in turn communicate with an underlying set of targets. The set of targets can have associated digital certificates which can be authenticated by common certificate authorities. A controlled target can authenticate one or more other targets requesting access to the controlled target via the trusted common certificate authority. One authenticated target can therefore mesh on a trusted basis with another target to perform installation, monitoring, testing, or other activities directly on the target of interest, without channeling commands through an intervening supervisory host.
17 Claims
1. A method comprising:
receiving, by a processor of a first target client machine of a set of target client machines operatively coupled to a first host machine, first command data from the first host machine, wherein the first host machine receives the first command data from a network server operatively coupled to a plurality of host machines comprising the first host machine;
executing, by the processor of the first target client machine, the first command data;
receiving, by the processor of the first client machine, a request from a second target client machine of the set of target client machines, the request for the first client machine to execute second command data received from the second target client machine, wherein the request comprises a security credential;
authenticating, by the processor of the first target client machine, the second target client machine by determining that the security credential associated with the second target client machine is signed by a common certificate authority associated with the first host machine;
establishing, in view of the authenticating, a secure channel between the first target client machine and the second target client machine operatively coupled to the first target client machine;
determining, by the processor of the first target client machine, that the second target client machine is listed on an access control list of the first target client machine as authorized to initiate execution of the second command data on the first target client machine; and
executing, by the processor of the first target client machine, the second command data in response to determining that the second target client machine is authorized to initiate execution of the second command data on the first target client machine.
Dependent claims: 2, 3, 4, 5, 6
7. A system comprising:
a first target client machine of a set of target client machines supported by a first host machine, the first target client machine comprising:
a memory to store an access control list; and
a processor operatively coupled to the memory, the processor to:
receive, by the processor, first command data from the first host machine, wherein the host machine receives the first command data from a network server operatively coupled to a plurality of host machines comprising the first host machine;
execute the first command data;
receive a request from a second target client machine of the set of target client machines, the request for the first target client machine to execute second command data received from the second target client machine, wherein the request comprises a security credential;
authenticate, by the processor of the first target client machine, the second target client machine by determining that the security credential associated with the second target client machine is signed by a common certificate authority associated with the first host machine;
establish a secure channel between the first target client machine and the second target client machine operatively coupled to the first target client machine;
determine that the second target client machine is listed on the access control list as authorized to initiate execution of the second command data on the first target client machine; and
execute the second command data in response to determining that the second target client machine is authorized to initiate execution of the second command data on the first target client machine.
Dependent claims: 8, 9, 10, 11, 12
13. A non-transitory computer readable medium comprising instructions that, when executed by a processor, cause the processor to:
receive, by the processor of a first target client machine of a set of target client machines supported by a first host machine, first command data from the first host machine, wherein the first host machine receives the first command data from a network server operatively coupled to a plurality of host machines comprising the first host machine;
execute, by the processor of the first target client machine, the first command data;
receive, by the processor of the first client machine, a request from a second target client machine of the set of target client machines, the request for the first client machine to execute second command data received from the second target client machine, wherein the request comprises a security credential;
authenticate, by the processor of the first target client machine, the second target client machine by determining that the security credential associated with the second target client machine is signed by a common certificate authority associated with the first host machine;
establish a secure channel between the first target client machine and the second target client machine operatively coupled to the first target client machine;
determine, by the processor of the first target client machine, that the second target client machine is listed on an access control list of the first target client machine as authorized to initiate execution of the second command data on the first target client machine; and
execute, by the processor of the first target client machine, the second command data in response to determining that the second target client machine is authorized to initiate execution of the second command data on the first target client machine.
Dependent claims: 14, 15, 16, 17
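The two-step gate the claims describe, as an added Go example that is not part of the patent or of any product it covers: a controlled target first checks that a peer's credential chains to the common certificate authority (authentication) and only then checks that the peer is on its own access control list (authorization) before it would execute the peer's command. The throwaway PKI and every name in it (mesh-ca, rogue-ca, target-b, target-c, target-d) are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newCert issues a certificate for cn signed by parent: a constructed throwaway PKI standing in
// for the claims' common certificate authority (key-usage extensions omitted for brevity).
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// authorize applies the claims' two gates in order: chain to the common CA, then the target's own ACL.
func authorize(roots *x509.CertPool, acl map[string]bool, peer *x509.Certificate) error {
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("credential not signed by common CA: %w", err)
	}
	if !acl[peer.Subject.CommonName] { // authenticated is not yet authorized
		return fmt.Errorf("peer %q authenticated but not on access control list", peer.Subject.CommonName)
	}
	return nil
}
// Scenario returns the first target's decision for a listed peer, a peer under an unrelated CA,
// and a peer the common CA vouches for but the ACL omits (all names constructed for this example).
func Scenario() (listed, foreignCA, unlisted error) {
	commonCA, commonKey := newCert("mesh-ca", true, nil, nil)
	rogueCA, rogueKey := newCert("rogue-ca", true, nil, nil)
	peerB, _ := newCert("target-b", false, commonCA, commonKey)
	peerC, _ := newCert("target-c", false, rogueCA, rogueKey)
	peerD, _ := newCert("target-d", false, commonCA, commonKey)
	roots := x509.NewCertPool() // the first target trusts only the common CA
	roots.AddCert(commonCA)
	acl := map[string]bool{"target-b": true}
	return authorize(roots, acl, peerB), authorize(roots, acl, peerC), authorize(roots, acl, peerD)
}
func main() { l, f, u := Scenario(); fmt.Println("listed:", l, "| foreign CA:", f, "| unlisted:", u) }
```

The third case is the one worth noticing: a certificate from the common CA proves who the peer is, but the claims still require the ACL lookup before any command runs.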