Secure access systems and methods to network elements operating in a network

US 9,503,443 B2
Filed: 09/15/2014
Issued: 11/22/2016
Est. Priority Date: 09/15/2014
Status: Active Grant

First Claim

Patent Images

1. A network element, configured to operate in a network to provide various network functions therein, the network element comprising:

a main processor communicatively coupled to a main memory, wherein the main processor is configured to perform Operations, Administration, Maintenance, and Provisioning (OAM&

P) associated with the network element, wherein the main processor is accessible through a plurality of access techniques comprising an access port communicatively coupled to a Data Communication Network (DCN) and signaling through overhead of data signals received by the network element; and

a supervisory plane comprising a secure processor and a secure memory communicatively coupled thereto, wherein the supervisory plane is separate from and communicatively coupled to the main processor and the main memory, the supervisory plane is configured to allow secure, direct access to the main processor and the main memory, and wherein the secure processor is accessible via a secure DCN.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network element, configured to operate in a network to provide various network functions therein, includes a main processor communicatively coupled to a main memory, wherein the main processor is configured to perform Operations, Administration, Maintenance, and Provisioning (OAM&P) associated with the network element, wherein the main processor is accessible through one or more access techniques; and a supervisory plane comprising a secure processor and a secure memory communicatively coupled thereto, wherein the supervisory plane is separate from and communicatively coupled to the main processor and the main memory, the supervisory plane is configured to allow secure, direct access to the main processor and the main memory.

Citations

20 Claims

1. A network element, configured to operate in a network to provide various network functions therein, the network element comprising:
- a main processor communicatively coupled to a main memory, wherein the main processor is configured to perform Operations, Administration, Maintenance, and Provisioning (OAM&
  
  P) associated with the network element, wherein the main processor is accessible through a plurality of access techniques comprising an access port communicatively coupled to a Data Communication Network (DCN) and signaling through overhead of data signals received by the network element; and
  
  a supervisory plane comprising a secure processor and a secure memory communicatively coupled thereto, wherein the supervisory plane is separate from and communicatively coupled to the main processor and the main memory, the supervisory plane is configured to allow secure, direct access to the main processor and the main memory, and wherein the secure processor is accessible via a secure DCN.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The network element of claim 1, wherein the main processor is accessible via any of a local access craft port, the Data Communication Network (DCN), a control plane interface via the signaling, and a Software Defined Networking (SDN) controller interface.
  - 3. The network element of claim 1, wherein the main processor and the main memory are controllable through the supervisory plane, but the supervisory plane is not controllable through the main processor and the main memory.
  - 4. The network element of claim 1, wherein the supervisory plane is accessed through an out-of-band, remote, and secure network, and the supervisory plane is inaccessible through the plurality of access techniques.
  - 5. The network element of claim 1, wherein the supervisory plane utilizes a WRITE mode and a READ mode with the main processor and the main memory, the WRITE mode allowing modification from the supervisory plane to the main processor and the main memory, but no modifications are allowed from the main processor and the main memory to the supervisory plane.
  - 6. The network element of claim 5, wherein the READ mode includes providing performance management data from the main processor to the supervisory plane, wherein the performance management data is utilized to detect intrusions or malicious activity associated with the network element.
  - 7. The network element of claim 1, wherein the supervisory plane is configured to provide authentication for proper use, authenticated users, and operation of the network element.
  - 8. The network element of claim 1, wherein the supervisory plane is configured to selectively halt/lock the network element where the network element continues to function, but locks further commands or configurations through any of the plurality of access techniques.
  - 9. The network element of claim 1, wherein the supervisory plane is configured to selectively reset/restore the network element where the main memory is wiped and a main configuration therein deleted, and a selected configuration copy in the secure memory is loaded into the main memory and the network element is rebooted.
  - 10. The network element of claim 1, wherein the supervisory plane is configured to selectively zeroize the network element where the main memory is wiped and a main configuration therein deleted, and the network element is rebooted.
  - 11. The network element of claim 1, wherein the supervisory plane is configured to selectively disable the network element to prevent any further use of commands to the network element.
  - 12. The network element of claim 1, wherein the supervisory plane includes a secure boot functionality with an encrypted operate system in the secure memory, configured to selectively load into the main memory.
  - 13. The network element of claim 1, wherein the supervisory plane is configured to sense a plurality of factors associated with the network element including location, movement, and intrusion-related data, and to report the plurality of factors to a user.
  - 14. The network element of claim 1, wherein the supervisory plane is configured to provide secure access to one or more virtual machines performing Network Functions Virtualization (NFV) in the network element.
  - 15. The network element of claim 1, wherein the network element is configured to perform the various network switching and transport functions at Layers 0, 1, 2, and/or 3+.

16. A supervisory plane, in a network element, to provide secure access and control of the network element, the network element configured to operate in a network to provide various network functions therein, the supervisory plane comprising:
- a secure processor communicatively coupled to a secure memory, wherein the supervisory plane is separate from and communicatively coupled to a main processor and main memory, the supervisory plane is configured to allow secure, direct access to the main processor and the main memory, and wherein the secure processor is accessible via a secure Data Communication Network (DCN);
  
  wherein the main processor is configured to perform Operations, Administration, Maintenance, and Provisioning (OAM&
  
  P) associated with the network element, wherein the main processor is accessible through a plurality of access techniques comprising an access port communicatively coupled to a DCN and signaling through overhead of data signals received by the network element; and
  
  wherein the main processor and the main memory are controllable through the supervisory plane, but the supervisory plane is not controllable through the main processor and the main memory.
- View Dependent Claims (17)
- - 17. The supervisory plane of claim 16, wherein the supervisory plane is accessed through an out-of-band, remote, and secure network, and the supervisory plane is inaccessible through the main processor and the main memory and through the plurality of access techniques.

18. A method, in a network element operating in a network and providing various network functions therein, the network element configured with a supervisory plane to provide secure access and control of the network element, the method comprising:
- operating the network element in the network with a main processor and main memory configured to perform Operations, Administration, Maintenance, and Provisioning (OAM&
  
  P) associated with the network element, wherein the main processor is accessible through a plurality of access techniques comprising an access port communicatively coupled to a Data Communication Network (DCN) and signaling through overhead of data signals received by the network element;
  
  responsive to an event, allowing access to the network element through a supervisory plane with a secure processor communicatively coupled to a secure memory, wherein the supervisory plane is separate from and communicatively coupled to the main processor and the main memory, the supervisory plane is configured to allow secure, direct access to the main processor and the main memory, and wherein the secure processor is accessible via a secure DCN; and
  
  performing a secure function with the supervisory plane on the main processor and/or the main memory.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein the event is any of an intrusion into the network element, the network element is non-responsive or compromised, and a sensor provides a notification related to remote sensing.
  - 20. The method of claim 18, wherein the secure function is any of locking the main memory and the main processor, resetting the network element, zeroizing the network element, and disabling the network element.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ciena Corporation
Original Assignee
Ciena Corporation
Inventors
Krauss, David Jordan, Alexander, Stephen B., Blair, Loudon Thomas
Primary Examiner(s)
Gergiso, Techane

Application Number

US14/486,524
Publication Number

US 20160080342A1
Time in Patent Office

799 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 41/04   Network management architec...

H04L 41/28   Restricting access to netwo...

H04L 41/342   between virtual entities, e...

H04L 41/344   Out-of-band transfers

H04L 41/40   using virtualisation of net...

H04L 41/5096   wherein the managed service...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 67/01   Protocols

Secure access systems and methods to network elements operating in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure access systems and methods to network elements operating in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links