US20060235973A1 - Network services infrastructure systems and methods - Google Patents


Info

Publication number
US20060235973A1
Authority
US
United States
Prior art keywords
network
services
client
service
network service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US11/105,732
Other languages
English (en)
Inventor
Brian McBride
Bashar Bou-Diab
Laura Serghi
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alcatel Lucent SAS
Original Assignee
Alcatel SA
Application filed by Alcatel SA
Priority to US11/105,732 (US20060235973A1)
Assigned to ALCATEL: assignment of assignors interest (see document for details). Assignors: MCBRIDE, BRIAN; BOU-DIAB, BASHAR SAID; SERGHI, LAURA MIHAELA
Priority to KR1020077026468A (KR20080008357A)
Priority to PCT/IB2006/001334 (WO2006109187A2)
Priority to EP12183660.5A (EP2547069B1)
Priority to JP2008505991A (JP2008537829A)
Priority to EP06744743A (EP1875715A2)
Priority to CN2006100723398A (CN1855817B)
Priority to CN201110230950.XA (CN102291459B)
Publication of US20060235973A1
Assigned to ALCATEL LUCENT: change of name (see document for details). Assignors: ALCATEL
Assigned to CREDIT SUISSE AG: security agreement. Assignors: ALCATEL LUCENT
Priority to US14/318,963 (US9516026B2)
Assigned to ALCATEL LUCENT: release by secured party (see document for details). Assignors: CREDIT SUISSE AG

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28: Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/50: Network services
    • H04L67/53: Network services using third party service providers
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • This invention relates generally to network services and, in particular, to infrastructures for providing network services.
  • Services for which information is distributed through a communication network are generally referred to as network services.
  • So-called “web services” are an example of network services, and represent the next generation of web-based technology being used for automatically exchanging information between different applications over the public Internet network.
  • Web services are the framework for building web-based distributed applications over the Internet. They provide efficient and effective automated machine to machine communication between multiple global enterprises. This automation is bringing technology based process and business efficiencies from technology companies to world leading non-technology companies such as retail companies. Whereas purchase orders might cost $120 to process using conventional processing techniques, with suppliers taking days to process restocking orders that sit in warehouses, new web services-based systems can do the same for half a cent, and orders are distributed to warehouses across the globe in seconds.
  • Web services are similar to application services, in the sense that they are network-accessible functions that can be accessed using standard Internet protocols such as HyperText Transfer Protocol (HTTP), Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), etc., over standard interfaces.
  • Web services applications are built with pieces of code and data that may come from anywhere in the public Internet. For example, in automated supply chain management, store front purchases are cleared by monetary agents, restocking orders are sent directly to the factories, and billing information is collected by head offices, each with their own software systems.
  • Web services can be viewed as a sophisticated machine to machine Remote Procedure Call (RPC) technology for interconnecting multiple heterogeneous untrusted systems.
  • Web services take the best of many new technologies by utilizing XML technology for data conversion/transparency and Internet standards such as HyperText Transfer Protocol (HTTP) for communication.
  • Web services have already proven themselves successful in the enterprise private network space, gaining rapid acceptance as the standard way for applications to communicate. Most current web services, however, are hosted by application servers which are located behind firewalls in corporate enterprise networks.
  • Embodiments of the present invention provide a new network service enabling a specific communication network service provider to offer network services, illustratively web services, as network-resident services.
  • this new network service is provided in a so-called extranet service architecture.
  • the extranet architecture envisions a “network of services” offered to a closed group of members while being administered by a network service provider.
  • the extranet service model is preferably an application layer solution, an overlay network built on top of a network provider's infrastructure.
  • an apparatus for providing network services in a services network includes a policy enforcement module which is configured to enforce rules for client access to the services network in accordance with an authentication policy of the services network and to allow an authenticated client to access the services network to make a network service provided by the client available to another client of the services network, to use a network service provided by another client of the services network, or to both make a network service provided by the client available to another client of the private services network and use a network service provided by another client of the services network.
  • the policy enforcement module may be further configured to allow the authenticated client to make the network service available to any other client in the services network and to use a network service provided by another client according to respective service policies associated with the network services.
  • The apparatus may also include a security module for enforcing secure end-to-end communication between the authenticated client and the services network, within the services network, and between the services network and a destination client of the services network.
  • the security module applies authentication and authorization actions based on the rules to communication traffic, and passes or drops the communication traffic responsive to the authentication and authorization actions. Additional security rules may also be applied to communication traffic.
  • the apparatus may also include a Simple Object Access Protocol (SOAP) proxy module operatively coupled to the policy enforcement module and configured to classify traffic associated with the authenticated client as control traffic or data traffic, to transmit control traffic comprising information associated with the network service provided by the authenticated client for publication in a services registry, and to modify SOAP information in data traffic for further processing.
  • a Universal Description, Discovery, and Integration (UDDI) proxy module may also be operatively coupled to the SOAP proxy module.
  • the SOAP proxy module is further configured to identify received UDDI control traffic, and to forward the received UDDI control traffic to the UDDI proxy module for further processing.
  • the received UDDI control traffic may include requests for network services lookups.
  • the UDDI proxy module handles local or remote resolution of the requests and responds to a client which initiated each request.
  • a service handling module may also be operatively coupled to the SOAP proxy module and configured to exchange data traffic with the SOAP proxy module.
  • the policy enforcement module may allow the authenticated client to publish information associated with the network service to a services registry, and to access the services registry to use a network service provided by another client.
  • the information associated with the network service may include access information specifying access rules for the network service for use by other members of the services network. Access to information associated with a network service provided by another client of the services network from the services registry is controlled by the policy enforcement module in accordance with access rules specified by that other client.
  • A forwarding/routing module, which is provided in some embodiments, routes communication traffic in the services network and supports at least one of: a layer 1 forwarding method, a layer 2 forwarding method, Internet Protocol (IP) routing, and Extensible Markup Language (XML) routing.
  • the apparatus may be implemented, for example, in a client gateway of a communication system which provides a services network.
  • a network controller of the system is operatively coupled to the client gateway for managing the policies enforced by the client gateway and a registry of available network services.
  • An apparatus for managing policies associated with network services available in a services network includes a client gateway interface to be operatively coupled to a client gateway through which a client of the services network accesses the services network, and a policy manager.
  • the policy manager is operatively coupled to the client gateway interface and configured to distribute network service policies specifying access controls for respective network services to the client gateway through the client gateway interface to cause the client gateway to control access to the network services by the client of the services network in accordance with the network service policies.
  • the policy manager may also manage at least one of: authentication of clients with the services network, and format transformations to be applied to data traffic by the client gateway.
  • The network service policies include policies stored in a network service policies registry.
  • the policy manager is further configured to maintain the network service policies registry, and to integrate into the network service policies registry an existing network service policy received from a client of the services network by which a network service is provided.
  • the apparatus may also include any or all of: a security manager operatively coupled to the client gateway interface and configured to manage security of client communications through the services network, a registries manager operatively coupled to the client gateway interface and configured to manage at least one of: a registry of network services available in the services network, service timeout information, extensible Markup Language (XML) schemas, service contracts, Quality of Service (QoS) parameters, subscription information, addressing information, billing information, Service Level Agreement (SLA) monitoring information, transactional network service activity monitoring information, activity logs, performance auditing information, and exception alerts, and a system manager operatively coupled to the client gateway interface and configured to receive and manage audit records captured by the client gateway.
  • the policy management apparatus may be implemented, for instance in a network controller of a communication system which provides a services network in which private network services provided by network service providers are made accessible to network service consumers through client gateways.
  • An apparatus for managing network services available in a services network includes a client gateway interface to be operatively coupled to a client gateway through which a client of the services network accesses the services network, and a registry manager operatively coupled to the client gateway interface and configured to receive from the client gateway requests regarding information in a services registry and provide requested information responsive thereto, to receive from the client gateway information associated with a network service to be made available in the services network and publish the received information in the services registry, and to receive from the client gateway subscriptions for modifications of the information in the services registry associated with the network and send notifications of the modifications responsive to the subscriptions.
  • a communication system includes a network controller comprising the apparatus, a memory operatively coupled to the network controller for storing the services registry, and a client gateway operatively coupled to at least one client of the services network and to the memory, the client gateway being configured to control access to the network services published in the services registry by the at least one client.
  • a method of providing network services in a services network includes authenticating and authorizing a client of the private services network and, where the client has been authorized, making a network service provided by the client available in the services network or allowing the client to access the services network to use a specific network service or group of network services provided by another client of the services network for which the client has been authorized.
  • the operation of making a network service available may include initiating a connection with the services network for services publication.
  • the operation of allowing the client to access the services network may include allowing the client to use a targeted network service by initiating a connection with the targeted network service and sending requests to and receiving replies from the targeted service.
  • the operation of allowing may also include allowing the client to consult a registry of network services to access information for the specific network service or group of network services or to subscribe to changes at the registry level for the specific network service or group of network services.
  • Network service availability may be controlled in accordance with a service policy of the network service.
  • allowing may include determining network services having associated service policies which permit use by the client.
  • FIG. 1 is a block diagram of a communication system incorporating an embodiment of the invention
  • FIG. 2 is a block diagram of an example client gateway
  • FIG. 3 is a block diagram of an example network controller
  • FIG. 4 is a flow diagram of a method according to an embodiment of the invention.
  • FIG. 1 is a block diagram of a communication system incorporating an embodiment of the invention.
  • the communication system 10 includes enterprise systems 12 , 22 , a mobile end user system 13 , client gateways 16 , 26 , a services network 20 , data traffic switching and routing components generally designated 18 , and a network controller 28 .
  • Although many enterprise systems 12, 22 and/or end user systems, such as the mobile end user system 13, can be connected to a client gateway 16, 26, and many client gateways 16, 26 may reside at the border of the services network 20, only representative examples of each of these components have been shown in FIG. 1 to avoid congestion. Implementations in which only a single enterprise system 12, 22 and a single client gateway 16, 26 are provided, when the services network 20 is first deployed, for example, are also contemplated. It should therefore be appreciated that the system of FIG. 1, as well as the contents of the other drawings, are intended solely for illustrative purposes, and that the present invention is in no way limited to the particular example embodiments explicitly shown in the drawings and described herein.
  • the enterprise systems 12 , 22 represent networks which may provide, use, or both provide and use, web services applications, offered and managed throughout the services network 20 .
  • an enterprise system includes such components as a firewall to provide external access control and filter external traffic entering the enterprise, traffic switching and routing equipment, one or more servers for supporting network services, and user terminals, illustratively personal computers.
  • a corporate private network is one example of an enterprise system 12 .
  • The mobile end user system 13 is illustrative of a client system which is not part of a specific enterprise system. End user systems may be mobile, as shown, or fixed. The mobile end user system 13 may be connected to the client gateway 16 through a web services mobile gateway, for example. A mobile end user system 13, as well as fixed end user systems, may instead be physically connected to a client gateway 16.
  • a portable computer system is mobile in the sense that it may connect to a client gateway through different locations and physical connections in an access network.
  • Embodiments of the present invention relate primarily to offering and using such enterprise network services outside an enterprise environment, as opposed to how these services are actually supported in the enterprise systems 12 , 22 or used in end user systems such as the mobile end user system 13 , and accordingly the enterprise systems 12 , 22 , the mobile client system 13 , and their operation are described only briefly herein to the extent necessary to appreciate aspects of the invention.
  • A virtual extranet service portal, which may be implemented as a software application for instance, in the enterprise systems 12, 22 and the mobile end user system 13, allows end network service providers and consumers to interact with the services network 20.
  • a service portal allows users to log into the services network and authenticate themselves with the services network by means of federated identity or another authentication scheme, and may also enable other additional capabilities such as displaying various services lists, descriptions, etc., without substantially affecting how an end user provides and/or consumes network services.
  • connections 14 , 15 , 24 may be direct connections as shown in FIG. 1 , or indirect connections which traverse intermediate components and possibly other communication networks generally referred to herein as access networks.
  • the present invention is not restricted to network connections, or any other particular type of connection, between the enterprise systems 12 , 22 , the mobile end user system 13 , and the client gateways 16 , 26 .
  • the connections 14 , 15 , 24 may thus include any of direct, indirect, wired, and wireless connections.
  • Access to the services network 20 is provided for the enterprise systems 12 , 22 and the mobile end user system 13 by the client gateways 16 , 26 .
  • the client gateways 16 , 26 are edge devices into the services network provider infrastructure, and represent gateways into the virtual extranet service provided by the services network 20 .
  • Each client gateway 16 , 26 is in essence a secure network service proxy appliance for implementing a web service gateway function, supporting proxies for network services and XML “standards”, for example, as well as new features.
  • the client gateways 16 , 26 are high-performance devices implemented at least in part using hardware, and are configured for operation as disclosed herein with embedded software for deployment by a services network provider. An illustrative example of a client gateway 16 , 26 is described in detail below with reference to FIG. 2 .
  • Network services are provided by one or both of the enterprise systems 12 , 22 .
  • the services network 20 is provided by another service provider.
  • A network service provider for the enterprise system thus offers network services, and a provider of the services network 20 provides, to a network service provider, another service which implements a network of services within which a network service provider may make its network service(s) available for use by network service consumers which are outside its own private system.
  • a provider of a network service is referred to herein primarily as a network service provider, whereas a provider of the services network 20 is referred to primarily as a services network provider.
  • a network service provider provides one or more network services, and a services network provider allows these network services to be managed internally and offered externally, illustratively in a virtual extranet service model.
  • the services network provider will also own or operate the underlying communication network on which the services network is built, although this need not necessarily be the case in all embodiments of the invention.
  • the network controller 28 provides control plane functionality of a service manager, and may be implemented as a network scale device, illustratively as a dedicated card for edge routers or a dedicated XML appliance, to be deployed by an operator of a communication network. It is used for managing the virtual extranet service, for hosting the central repository for all web services published within the virtual extranet, policies, service level agreements (SLAs), other network monitoring data, and to secure, manage, provision and store policies for end-to-end network services applications.
  • The network controller 28, like the client gateways 16, 26, is described in further detail below, by way of illustrative example with reference to FIG. 3.
  • Data traffic traverses the services network 20 through the client gateways 16 , 26 and data switching and/or routing equipment which is designated generally at 18 . Whereas control/management traffic is handled by the network controller 28 , data traffic is processed by the client gateways 16 , 26 and from there, by the switching/routing components 18 .
  • the services network 20 may be implemented as a virtual extranet architecture.
  • the virtual extranet represents an application overlay network built over a basic network provider infrastructure, as a sort of private-managed services network which uses, for example, Internet technology and underlying Layer 1, 2, 3, and 4 technologies to securely share part of an enterprise's information or operations with multiple enterprises, including suppliers, vendors, partners, customers, or other businesses for instance.
  • An overlay network in this case represents a virtual network fabric which may be implemented using layer 1 or 2 forwarding, IP routing and/or application level routing, illustrated by XML router devices.
  • a virtual extranet network may provide connectivity and mechanisms for synchronous communications, e.g. REQUEST/RESPONSE, and also asynchronous communication.
  • the application-level overlay in the virtual network of a services network 20 , 23 may be implemented using application level routers, such as XML routers.
  • Application level routers communicate with each other and client gateways at the application layer, but using underlying normal networking facilities.
  • Overlay networks typically use reliable point-to-point byte streams, such as Transmission Control Protocol (TCP), to implement reliable multicast.
  • Building the services network 20 as an overlay allows the services network 20 to be modified and deployed relatively easily in comparison with conventional private network service sharing techniques.
  • An overlay services network is also an effective way to build a robust mesh that can effectively route XML packets.
  • embodiments of the invention may be implemented using lower-layer techniques instead of as an overlay network.
  • An overlay network architecture is one example of a possible implementation of the services network 20 .
  • the services network 20 enables network services provided by either one of the enterprise systems 12 , 22 to be made accessible to users in the other enterprise system, and to other members of the services network 20 , such as the mobile end user system 13 .
  • the service implemented by the services network 20 is supported by two distinct types of network elements, the client gateways 16 , 26 and the network controller 28 , which respectively support communication protocols and management functions.
  • the framework of the services network 20 may be divided into three areas, including communication protocols, service description, and service discovery.
  • the service network 20 uses existing standards and specifications which have been developed for each of these areas.
  • SOAP is one standard protocol which may be used to transport web services messages between a web client and a web server application.
  • SOAP also provides for transfer of additional information relating to routing and security mechanisms being used.
  • Web Services Description Language is an XML-based language that provides a description of web services messages, and represents an example of a standardized approach to network service description.
  • web services standards which are referred to herein and may be used in implementing embodiments of the invention include standards relating to reliable messaging (WS-Reliability), policy (WS-Policy), and federated identity (WS-Federation).
  • the client gateways 16 , 26 are service delivery points for clients of the virtual extranet service provided by the services network 20 .
  • the client gateways 16 , 26 also provide secure access to the private extranet service, protecting both the provider of the service and the client, the enterprise systems 12 , 22 and the mobile end user system 13 in FIG. 1 .
  • Communications between the client gateways 16 , 26 through the services network 20 are preferably secure.
  • Standards-based security techniques such as WS-Security, XML-Encryption, and XML-Signature may be used to provide secure communications while leveraging existent enterprise ingress and egress certificates which would normally already have been established for the enterprise systems 12 , 22 and possibly the mobile end user system 13 .
  • These standards-based techniques as well as other techniques which will be apparent to those skilled in the art, ensure that authorized service consumers in the enterprise systems 12 , 22 and the mobile end user system 13 can participate in the virtual extranet services network 20 .
  • the client gateways 16 , 26 also classify and split incoming communication traffic data into control traffic to be forwarded to the network controller 28 and data traffic to be forwarded towards a destination through the components 18 .
  • a potential consumer of a network service can only make use of a network service which is known to exist. It is thus desirable for a network service provider to communicate the existence of a network service to potential consumers. This may be accomplished by publishing network services to registries, for instance.
  • the client gateways 16 , 26 allow the enterprise systems 12 , 22 to publish their respective internal network web services to the services network 20 .
  • the client gateways 16 , 26 also allow the enterprise systems 12 , 22 and the mobile end user system 13 to consume external network services provided by other members of the services network 20 .
  • the extent to which the services provided by an enterprise system 12 , 22 are made available to other members of the services network 20 may be controlled by the client gateway 12 , 22 and the network controller 28 .
  • Network service providers may thus publish internal network services to the services network 20 for use by other members of the services network 20 .
  • the services network 20 and each enterprise system 12 , 22 are expected to be secure private networks, and communications on the connections 14 , 15 , 24 are also secure. This may be accomplished using secure tunnelling techniques, examples of which will be readily apparent to those skilled in the art. Secure communications at both access and network sides of the client gateways 16 , 26 provide a level of assurance that private network services available to members of the services network 20 are provided only by members of the services network 20 and can only be consumed by members of the services network 20 .
  • the client gateways 16 , 26 may also capture comprehensive audit records which may be used locally and/or by the network controller 28 to maintain regulatory and policy compliance, for example. Audit records may also or instead be used by other components or systems, such as a billing system with microbilling capabilities for according service charges to consumers.
  • the network controller 28 provides the central control plane functions for the services network 20 , and thus implements the functionality of a network services manager with a main responsibility of maintaining a network services global repository.
  • the network controller 28 may be implemented as a high-performance hardware-based device with standard-based software for deployment by a services network provider. It is used for managing the virtual extranet service of the services network 20 , to secure, manage, provision, and enforce policies for end-to-end network services applications and also to display and manage the list of available network services.
  • the network controller 28 is the services network management entity, while the client gateways 16 , 26 enforce policies and security rules on the actual data. Data traffic traverses a provider's core network, as represented at 18 in FIG. 1 , through the client gateways 16 , 26 , and the network controller 28 processes control and management traffic.
  • the network controller 28 preferably implements at least a subset of core functions, including network web services storage and management of information such as location, ownership, access level groups, services lists, and other basic characteristics of network services, central policy repository and rights management, security specifications, SLA requirements such as hard Quality of Service (QoS) requirements suitable for end business to end business transactions for instance, and additional repositories for things such as client profiles, transaction auditing services, logs, etc.
  • the network controller 28 in conjunction with the client gateways 16 , 26 , may take the burden off the enterprise systems 12 , 22 by replacing each enterprise's private management methods and tools with standard-based proxy modules offering the same functions at the edge of the services network 20 .
  • the network controller 28 may also allow some security functions to be delegated to the extranet service, by freeing the local enterprise applications from providing certain security aspects like identity provider service, XML digital signature validation service, XML schema integrity, etc.
  • the network controller 28 also manages the procedure to securely provide the list of internal network services within the services network 20 to all or selected members of the services network 20 .
  • FIG. 2 is a block diagram of an example client gateway.
  • the client gateway 30 includes a services network interface 32 , an access network interface 34 , a policy enforcement module 36 operatively coupled to the interfaces 32 , 34 and to a memory 37 , a security module 38 operatively coupled to the policy enforcement module 36 and to the memory 37 , a SOAP proxy module 42 operatively coupled to the interfaces 32 , 34 , to the policy enforcement module 36 , to the security module 38 , and to the memory 37 , a data collector module 40 operatively coupled to the SOAP proxy module 42 and to the memory 37 , a UDDI proxy module 41 which is operatively coupled to the policy enforcement module 36 , to the security module 38 , to the SOAP proxy module 42 , and to the access network interface 34 , a service handling module 43 operatively coupled to the policy enforcement module 36 , to the security module 38 , and to the SOAP proxy module 42 , and a forwarding/routing module 44 ,
  • the access network interface 34 represents a remote access point through which the client gateway 30 connects to an enterprise system or other form of network service provider or consumer. Although labelled as an access network interface in FIG. 2 , network service providers and consumers need not necessarily communicate with client gateways through network connections. It should therefore be understood that the interface 34 provides an interface to a member of a services network through an access connection, which may or may not strictly be a network connection.
  • an access network interface 34 will be dependent upon the type of connection over which the client gateway 30 communicates with its client.
  • an access network interface 34 would include physical components which exchange communication signals with a communication medium, and hardware- and/or software-implemented components which generate and process the communication signals. Various implementations of such an interface will be apparent to those skilled in the art.
  • the access network interface 34 performs security tunnel termination for clients attempting to connect into services network 20 ( FIG. 1 ).
  • Virtual Local Area Network (VLAN) tunnelling, Point-to-Point Protocol (PPP), Multi-Protocol Label Switching (MPLS), and IP Security (IPSec) are all examples of protocols which may be used by the access network interface 34 to communicate with a client.
  • Other protocols and communication schemes will be apparent to those skilled in the art.
  • the memory 37 may include one or more memory devices, such as solid state memory devices, for storing information. Other types of memory device, including memory devices for use in conjunction with movable and/or removable storage media, and multiple memory devices of different types, may also be provided as the memory 37 .
  • the type of memory device or devices implemented as the memory 37 in the client gateway 30 is a matter of design, and will be dependent upon the particular type of equipment in which the client gateway 30 is implemented.
  • a circuit card for communication equipment, for example, would normally incorporate volatile and non-volatile solid state memory devices as the memory 37 .
  • the information stored in the memory 37 may be used by the functional components of the client gateway 30 in performing their respective functions. Any or all of the functional components 36 , 38 , 40 , 41 , 42 , 43 , 44 may access information stored in the memory 37 . Similarly, although no connection between the memory 37 and the interfaces 32 , 34 has been shown in FIG. 2 to avoid congestion, these interfaces or internal components thereof may also interact with the memory 37 .
  • Some or all of the functional components 36 , 38 , 40 , 41 , 42 , 43 , 44 , as well as internal functions or components of the interfaces 32 , 34 , may be implemented as software, which might also be stored in the memory 37 .
  • Functional components which implement services network functions of the client gateway 30 have been shown in somewhat more detail than access-side functions in FIG. 2 , as embodiments of the invention relate primarily to functions which are performed on the services network side of the access network interface 34 .
  • the access network interface 34 provides security functions for access connections
  • a security module 38 which provides network-side security functions has been shown separately from the services network interface 32 in FIG. 2 .
  • Other network-side functional components have similarly been shown separately in FIG. 2 for illustrative purposes.
  • the network-side functions of a client gateway may be implemented using further or fewer components than explicitly shown in FIG. 2 , possibly with different interconnections.
  • functions of the policy enforcement module 36 could be incorporated into each component which applies policies.
  • Security policies could be both managed and applied by the security module 38 for instance.
  • functions may be implemented in respective software modules or combined into fewer software modules for execution by a single hardware component, namely a processor such as a microprocessor, an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), or a microcontroller.
  • Software might instead be executed by multiple hardware components, a microprocessor and a DSP or a network processor plus several ASICs and FPGAs for instance.
  • Combined implementations in which some functions are implemented in software and others are implemented in hardware, which tends to operate faster than software, are also contemplated.
  • functions may be divided or integrated in a different manner than shown in FIG. 2 , and any of the functional modules described herein may be implemented in software, hardware, or some combination thereof.
  • the policy enforcement module 36 implements services network policy enforcement for network services as configured by services network clients in their client profiles and advertised in their services' descriptions to the network controller 28 .
  • policy assertions that specify traditional requirements and capabilities that will ultimately manifest on the wire, such as an authentication scheme required for a specific customer and/or transport protocol selection for instance, are implemented in the client gateway. Therefore, these policy assertions are downloaded from a network controller into client gateways and enforced by the policy enforcement module 36 .
  • Authentication and authorization of network service providers and consumers, administration and verification of transactions involving network services, and ensuring privacy and integrity of communication traffic associated with network services are examples of functions which may be involved in enforcing policies by the policy enforcement module 36 in conjunction with other components.
  • the policy enforcement module 36 may interact with the security module 38 , for example, for authentication such as by verifying a message digital signature.
  • enforcement of security policies may involve both the policy enforcement module 36 , which manages the policies, and the security module 38 , which actually applies the policies by authenticating clients and possibly passing or dropping communication traffic, for example.
  • the policy enforcement module 36 need not itself actually apply the policies it manages for enforcement. Interaction between the policy enforcement module 36 and other components to apply policies to services network clients and transactions will become apparent as the present description proceeds.
  • client authentication with the virtual extranet service is provided, rather than with each specific network web service as happens with current enterprise-centric network services.
  • a network service consumer in a network service provider system with which the access network interface 34 communicates are clients of the client gateway 30 , and gain access to network services across a services network through a single sign-on with the client gateway 30 .
  • the client gateway 30 thus removes the per-service authentication burden from its clients.
  • Information to be used in client authentication is an example of one type of information which may be stored in the memory 37 , preferably in a secure memory device or area.
  • the policy enforcement module 36 may cooperate with the security module 38 to generate a security assertion in accordance with what the end network service expects in terms of security assertions.
  • the new security assertion is attached to service messages to assert the identity of the client and the integrity of the message.
  • the policy enforcement module 36 may cooperate with the security module 38 to map a specific digital certificate, illustratively an X.509 certificate into a different security assertion, such as a Security Assertion Markup Language (SAML) assertion.
  • the policy enforcement module 36 offers hardware implementation of federated identity, access control, and enforcement of policies that have been set up in advance using the network controller 28 ( FIG. 1 ).
  • Federated identity allows users to create and authenticate a user identity and then share the identity between domains and service providers without centrally storing personal information.
  • SLAs tailored for web services operations, may also be in place for either or both of access-side and network-side communication links through which the client gateway 30 communicates with its clients and a services network.
  • the policy enforcement module 36 may also monitor communication traffic levels to enforce SLA-related parameters, which may be stored in the memory 37 .
  • the virtual extranet services network is XML-standard based, and accordingly the policy enforcement module 36 , in conjunction with the service handling module 43 described below, may also enforce XML message header and message payload transformations for ingress data traffic received from clients of the client gateway 30 through the access network interface 34 . Transformations may also be made from other message formats into XML-standard based network service messages. Inverse transformations, as well as transformations between non-XML formats used in access networks and services networks are also contemplated.
  • the security module 38 implements security standards to guarantee the security of communications over the services network.
  • the security module 38 uses web services standards-based tools such as WS-Security, XML-Encryption/Decryption, and XML-Signature to provide secure datapaths between services network members. These tools allow the client gateway 30 to leverage existent security protocols to ensure that authorized service consumers can participate in an end-to-end private business network.
  • the security module 38 thus represents, in some embodiments, a central certificate and key management service for an enhanced over the core extranet service.
  • the security module 38 provides security functions to all other modules of the client gateway 30 , and specifically to the policy enforcement module 36 , the UDDI proxy module 41 , the SOAP proxy module 42 , the service handling module 43 , and both network interfaces 32 , 34 . These functions may include any or all of verification of signatures, encryption, decryption, signing, and exchanging of symmetric or asymmetric keys using protocols that are well known in the field of telecommunications security.
  • the SOAP proxy module 42 performs SOAP header handling for incoming and outgoing messages between clients and the services network.
  • the SOAP proxy module 42 is a host that has two service addresses in two network interfaces: the access network interface 34 and the services network interface 32 . As far as clients in the access network are concerned, all services advertised to the client by the services network appear to be offered from the SOAP proxy module 42 .
  • the SOAP proxy module 42 which receives SOAP messages, performs such functions and modifications as header handling, and relays the messages to the appropriate processing facility, the UDDI proxy module 41 or the services handling module 43 . Also, messages from the UDDI proxy module 41 and the service handling module 43 are sent to the SOAP proxy module 42 . Messages received from the UDDI proxy module 41 or the service handling module may be processed by the SOAP proxy module 42 to append Uniform Resource Identifier (URI) addressing information for instance.
  • the SOAP proxy module 42 also interacts with the policy enforcement module 36 and the security module 38 to implement the network service policy on the outgoing message, and then sends the message on the appropriate interface. Policy enforcement, security, access control, auditing, and other functions associated with other modules of the client gateway 30 may thus be triggered by the SOAP proxy module 42 for each message.
  • a service offered by one enterprise EB to another enterprise EA is proxied by the client gateway associated with EA to appear as if offered from a URI of the SOAP proxy module SPA of the client gateway.
  • a service request from enterprise EA for a service offered by enterprise EB is sent to the SOAP proxy module SPA, which applies a set of functions and passes the message to the services handling module 43 .
  • the services handling module 43 passes the message to the SOAP proxy module SPA, which appends the SOAP source and destination URIs SPA and SPB respectively, where SPB is the SOAP proxy module associated with the client gateway of enterprise EB.
  • the request is then sent from SPA to SPB.
  • SOAP proxy module SPB further manipulates the SOAP source and address URIs of the message to SPB and EB before forwarding the request to enterprise EB. In the reverse direction, similar modifications are applied to the response.
  • the SOAP URI is manipulated in such a way to store both the service URI and the SOAP proxy of the gateway associated with that service.
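The request path EA → SPA → SPB → EB described above, sketched as an added example that is not part of the patent text. The `?svc=` query encoding used to store both the proxy and the service URI in one address, the host names, and the class and function names are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass(frozen=True)
class SoapMessage:
    source: str
    destination: str
    body: str


def proxied_uri(proxy_base, service_uri):
    """Store the proxy and the service URI in one address (assumed encoding)."""
    return f"{proxy_base}?{urlencode({'svc': service_uri})}"


def split_proxied_uri(uri):
    """Return (proxy_base, service_uri); reject anything not in the assumed form."""
    parts = urlsplit(uri)
    svc = parse_qs(parts.query).get("svc", [])
    if len(svc) != 1:
        raise ValueError(f"not a proxied service URI: {uri!r}")
    return f"{parts.scheme}://{parts.netloc}{parts.path}", svc[0]


class SoapProxy:
    """Hypothetical stand-in for the SOAP proxy module of one client gateway."""

    def __init__(self, base, local_services=()):
        self.base = base
        # Services offered by the enterprise behind this gateway.
        self.local_services = set(local_services)
        # Remote service URI -> SOAP proxy of the gateway that fronts it.
        self.routes = {}

    def advertise(self, service_uri, provider_proxy_base):
        """Make a remote service appear to be offered from this proxy."""
        self.routes[service_uri] = provider_proxy_base
        return proxied_uri(self.base, service_uri)

    def outbound(self, msg):
        """Client -> services network: source becomes this proxy (SPA),
        destination becomes the provider-side proxy (SPB)."""
        base, service_uri = split_proxied_uri(msg.destination)
        if base != self.base or service_uri not in self.routes:
            raise PermissionError("service was not advertised by this gateway")
        return replace(msg, source=self.base,
                       destination=proxied_uri(self.routes[service_uri], service_uri))

    def inbound(self, msg):
        """Services network -> provider: source becomes this proxy (SPB),
        destination becomes the real service URI (EB)."""
        base, service_uri = split_proxied_uri(msg.destination)
        if base != self.base or service_uri not in self.local_services:
            raise PermissionError("no such local service behind this gateway")
        return replace(msg, source=self.base, destination=service_uri)


def relay_request():
    """Walk one constructed request through both gateways and return each hop."""
    eb_service = "https://eb.internal/orders"            # constructed sample
    spa = SoapProxy("https://spa.example/soap")
    spb = SoapProxy("https://spb.example/soap", local_services=[eb_service])
    advertised = spa.advertise(eb_service, spb.base)
    request = SoapMessage("https://ea.internal/app", advertised, "<GetOrder/>")
    on_wire = spa.outbound(request)
    delivered = spb.inbound(on_wire)
    return [request, on_wire, delivered]


if __name__ == "__main__":
    for hop in relay_request():
        print(hop.source, "->", hop.destination)
```

In this sketch the provider only ever sees its own gateway as the message source, and a client cannot address a service its gateway never advertised to it.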
  • the SOAP proxy module 42 classifies and splits incoming traffic into UDDI control traffic to be forwarded to the UDDI proxy module 41 and data traffic, illustratively XML traffic, to be forwarded to the services handling module.
  • Traffic classification may involve deep packet inspection, for example.
  • a traffic classifier of the SOAP proxy module 42 may be operatively coupled to either the services network interface 32 or to another interface which supports communications with a network controller, to provide for exchange of control and/or management traffic with a network controller. It should also be appreciated that the SOAP proxy module 42 may receive control and/or management traffic from a network controller.
  • the UDDI proxy module 41 acts as an access point into a UDDI central repository hosted by the services extranet network, for all UDDI Publish requests received from clients trying to publish new web services or subscribe to published changes of existent web services, and as a proxy module, for all UDDI inquiry requests received from clients initiating ‘find service’ operations.
  • Client access to network services is controlled, as disclosed herein, in accordance with network service policies. These policies may be enforced by the policy enforcement module 36 itself or in conjunction with the UDDI proxy module 41 to restrict the network services for which information is returned to a client system responsive to a find service or analogous operation.
  • the UDDI proxy module 41 expects ingress UDDI-based messages. All other messages that are not UDDI-framed may be discarded by the UDDI proxy module 41 .
  • the UDDI proxy module 41 may cache UDDI entries locally at the client gateway level. This allows the UDDI proxy module 41 to perform local entry lookup and resolution when new UDDI inquiry requests are received. If a UDDI entry is locally found, then a UDDI response message is generated and sent back towards the client requesting the service.
  • UDDI inquiry message is sent to the network controller, for a global look-up into the UDDI global repository.
  • UDDI response is sent back to the same client gateway from where the request came.
  • the client gateway 30 may learn and store the UDDI information for further UDDI lookups.
  • the UDDI proxy module 41 may handle local and remote resolution of service requests.
  • the service handling module 43 receives service messages from the SOAP proxy module 42 , handles the service messages, and sends service messages to the SOAP proxy module 42 .
  • One primary function of the service handling module 43 is to process data traffic associated with a network service and being exchanged between the network service provider and consumer.
  • service messages coming from the access network through the SOAP proxy module 42 are sent to the service handling module 43 , which parses and modifies the messages to adapt them to the services network addressing and formatting rules. Formatting rules may be specified in a services network transform policy managed by the policy enforcement module 36 , for example.
  • the service handling module 43 then sends a corresponding service message to the client gateway associated with the network service provider through the SOAP proxy module and across the services network.
  • the forwarding/routing module 44 preferably performs forwarding/routing decisions (Layer1 or Layer2 forwarding, IP and/or XML routing), towards destinations within the services network. Although this module 44 may have the ability to handle IP traffic, complete with DNS lookups when necessary, as well as networking at the XML level, other embodiments may provide only one, different, or possibly additional routing mechanisms.
  • the basic functionality of the module 44 is to provide content-based routing for the service handling module 43 .
  • the service handling module 43 may use the forwarding/routing module 44 to identify SOAP endpoints for a published message.
  • An example embodiment of the SOAP proxy module 42 , the service handling module 43 , and the forwarding/routing module 44 provides necessary mechanisms for publish-subscribe style networking.
  • An application routing layer of the forwarding/routing module 44 is optional and is best suited to support notification and event distribution type services.
  • the application routing layer stores client subscriptions in a subscription database, and upon reception of an XML multicast document that matches a set of entries in the subscription database, uses these entries to identify the next SOAP endpoints that require the document and forwards the document to those endpoints through the SOAP proxy module 42 .
  • the subscription for documents and publication of documents follow the standardized mechanisms outlined in the WS-Notification and WS-Eventing recommendations.
  • the services network interface 32 provides at least a physical interface to a services network.
  • the type and structure of the services network interface 32 , and other operations which may be performed on communication traffic which is exchanged with a services network, will be services network-dependent. Many examples of such network interfaces will be apparent to those skilled in the art.
  • the data collector module 40 gathers real-time management and billing information, which may be processed locally and/or forwarded to a network controller or other component for further storage and processing.
  • the data collector module 40 can pull real-time information for various management and billing operations. Data may be collected for activities like transaction auditing, performance auditing, event monitoring, transactional end-to-end business activity monitoring (transaction completion/failure), activity logs, SLA monitoring, warnings and errors thresholds, alerts, etc.
  • the data collector 40 may collect information at any of various stages in a datapath, such as after the security module 38 to count packets discarded per security policy, at the policy enforcement level to compile statistics on discard policies, etc.
  • a client gateway such as shown in FIG. 2 may be configured to allow a network service provider to offer its services into a services network as local services, to allow a network service consumer to use network services which are available in the services network, or both.
  • a client enterprise of the client gateway 30 may include both network service providers, in the form of enterprise application servers, and end user network service consumers.
  • control traffic received from the client illustratively through a secure tunnel terminated at the access network interface 34 , is processed as described above, and forwarded to the network controller in the services network.
  • the level of availability of a network service in the services network may be determined on the basis of an explicit access control rule specified by the network service provider, or the network controller.
  • a network service provider might request that a network service remain private, for use only by consumers within its own private enterprise system. Although not accessible to other members of a services network, restricting access to a private network service in a services network would allow a network service provider to take advantage of other functions of a services network, including policy enforcement and registry hosting for instance.
  • Semi-private network services are also envisioned, in which a network service provider specifies particular services network members or groups to which a network service is to be made available. An unrestricted network service is accessible to all members of a services network.
  • Predetermined network service access controls may instead be configured at a network controller and applied to network services according to a type or class of a network service or a provider of the network service. All network services of a particular type or from a particular network service provider class might have the same predetermined access controls which are established when the network service provider first registers with the services network, for example. Another possible predetermined access control regime would make network services of a group of network service providers which have an existing business relationship available within only that group.
  • any access controls associated with a network service are stored as a service-context or policy by the network controller. These policies are downloaded to each client gateway by the policy enforcement module 36 and applied to the data traffic as described above.
  • offered network services are made available within the services network in accordance with any access controls for each network service. This may be accomplished in several ways. As described above, control traffic is forwarded to and processed by a network controller in the services network. In this case, the network controller may publish information for the network service in a global registry which is accessible to client gateways in the services network. Each client gateway then controls access to registered network services by its clients in accordance with policies associated with the network services.
  • Access controls need not necessarily be implemented at all within a services network.
  • all network services offered within a services network are automatically available to all members of the services network.
  • a network service provider can preferably also modify policies of a network service, to change access controls for instance, in a substantially similar manner by exchanging control traffic with a network controller.
  • the client can also or instead access network services available in a services network through the client gateway 30 .
  • the particular network services which a client is able to access are controlled in accordance with policies managed by the policy enforcement module 36 .
  • a global registry of the services network might include registry entries for network services which are not available to every client, as specified in network service policies stored by a network controller and downloaded to the policy enforcement module 36 . Only those network services to which a client of the client gateway 30 is allowed access are made available to the client.
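A policy-filtered "find service" with local caching and a global fallback, combining the UDDI proxy behaviour and the private, semi-private and unrestricted access levels described above. This is an added example, not the patent's implementation: the class names, the per-member group table and the choice to cache the unfiltered entry and evaluate policy on every request are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceEntry:
    name: str
    provider: str                      # services network member offering it
    access: str                        # "private" | "semi-private" | "unrestricted"
    allowed: frozenset = frozenset()   # members or groups, for semi-private


def is_visible(entry, client, groups):
    """Apply the provider's access control rule to one requesting client."""
    if entry.access == "unrestricted":
        return True
    if client == entry.provider:
        return True                    # a provider always sees its own services
    if entry.access == "semi-private":
        return client in entry.allowed or bool(groups & entry.allowed)
    return False                       # private, or an unknown level: deny


class GlobalRepository:
    """Stand-in for the global registry maintained by the network controller."""

    def __init__(self, entries):
        self.entries = {e.name: e for e in entries}
        self.lookups = 0

    def inquire(self, name):
        self.lookups += 1
        return self.entries.get(name)


class UddiProxy:
    """Stand-in for the UDDI proxy module of one client gateway."""

    def __init__(self, repository, memberships):
        self.repository = repository
        self.memberships = memberships   # client -> set of group names
        self.cache = {}

    def find_service(self, client, name):
        entry = self.cache.get(name)
        if entry is None:
            entry = self.repository.inquire(name)    # global look-up
            if entry is None:
                return None
            # Cache the entry together with its policy, not the decision:
            # the next client asking for it may have different rights.
            self.cache[name] = entry
        groups = self.memberships.get(client, set())
        # A denied service and a nonexistent one look the same to the client.
        return entry if is_visible(entry, client, groups) else None


def demo():
    """Constructed sample registry and clients; returns the observed results."""
    repo = GlobalRepository([
        ServiceEntry("payroll", "EB", "private"),
        ServiceEntry("quotes", "EB", "semi-private", frozenset({"partners"})),
        ServiceEntry("weather", "EB", "unrestricted"),
    ])
    proxy = UddiProxy(repo, {"EA": {"partners"}, "EC": set(), "EB": set()})
    results = {
        (client, name): proxy.find_service(client, name) is not None
        for client in ("EA", "EC", "EB")
        for name in ("payroll", "quotes", "weather", "missing")
    }
    return results, repo.lookups


if __name__ == "__main__":
    results, lookups = demo()
    for key, visible in sorted(results.items()):
        print(key, visible)
    print("global look-ups:", lookups)
```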
  • Data traffic which is subsequently exchanged between a client of the client gateway 30 and a remote network service provider through the services network is processed substantially as described above. Traffic destined for the remote network service provider from the client is processed based on security policies by the security module 38 , modified in the SOAP proxy module 42 and handled differently based on the XML message type in the service handling module 43 , and finally the data traffic is routed to the remote network service provider, or actually to the client gateway to which the remote network service provider is connected, by the routing module 44 through the services network interface 32 .
  • Substantially similar processing is applied to data traffic associated with a network service provided by a client of the client gateway 30 .
  • Data traffic received from a remote network service customer through the services network interface 32 is processed, modified, and classified and handled as data traffic by the security module 38 , the SOAP proxy module 42 , and the service handling module 43 .
  • Received data traffic is then forwarded to the client by the access network interface 34 .
  • FIG. 3 is a block diagram of an example network controller.
  • the network controller 50 includes a management system interface 52 , a gateway interface 54 , and a memory 56 which are operatively coupled to managers 60 , 64 , 66 , 69 .
  • the components of the network controller 50 may be provided in either a centralized architecture or a distributed and preferably centrally manageable architecture.
  • the management system interface 52 provides an interface to a management system, such as a Network Management System (NMS) for instance, which implements a central framework for configuration and management of a services network platform.
  • the structure and operation of the management system interface 52 will be dependent upon the type of connection over which the network controller 50 communicates with its management system.
  • a network controller communicates with a management system through a managed communication network. Separate NMS management and control channels are also common. Examples of both types of management system interface, including interfaces using XML and interfaces which provide access to Management Information Bases (MIBs) for instance, will be apparent to those skilled in the art.
  • The gateway interface 54 represents an interface through which the network controller 50 communicates with client gateways. Although shown as a single component in FIG. 3, the gateway interface 54 may include respective interfaces, and possibly different types of interface, for communication with multiple client gateways. As described above with reference to FIG. 2, control traffic may be exchanged between a client gateway and a network controller through the services network, using a services network interface, or some other type of interface.
  • The gateway interface 54 of FIG. 3 thus represents an interface which is compatible with an interface, either the services network interface 32 (FIG. 2) or another interface, provided at client gateways.
  • The management system interface 52 and the gateway interface 54 would generally include physical components which exchange communication signals with a communication medium, and hardware- and/or software-implemented components which generate and process the communication signals.
  • The memory 56 includes one or more memory devices for storing information.
  • The information stored in the memory 56 may include information such as customer profiles and policies, security information, and access lists and access level groups per user per network service for use by components of the network controller 50, as well as registry information for access and use by other equipment in a services network. It should be appreciated, however, that the memory 56 may include both local and remote memory devices. Whereas network controller software is preferably stored locally, registries might be distributed and stored in a remote memory device which is accessible to both the network controller 50 and client gateways to which network service consumers are connected.
  • The managers 60, 64, 66, 69, and internal functions or components of the interfaces 52, 54 may be implemented as software. Software implementing these managers and functions might also be stored in the memory 56.
  • The policy manager 60 provides comprehensive policy provisioning, definition and security policy management capabilities. Policy management is centralized by the policy manager 60, although the pieces of policy content and data may be stored in a distributed manner throughout the services network. Policy components, such as the policy manager 60 and a registry in the memory 56 in which policy information is stored for instance, may be distributed. Also, policy information is downloaded into the policy enforcement modules in client gateways. By utilizing a centralized approach to policy management for network services, a single set of policies can be managed by delegated administrators, in the services network provider's infrastructure. The policy manager 60 may be configured to automatically download or push policy information to client gateways, to transmit policy information responsive to requests from client gateways, or support both push and pull policy information transfer mechanisms.
  • The policy manager 60 manages network service policies using a network service policies registry.
  • The network services policies registry is a collection of network service policies which establish access controls for all network services offered within a services network.
  • Each individual network service policy may specify privacy parameters, such as the authentication information which must be presented in a message, whether a message has to be signed and/or encrypted, which parts of a message are to be signed and/or encrypted, and how messages or parts thereof are to be signed and/or encrypted.
  • These functions may be provided by implementing existent web services standards, like WS-Security, WS-Policy, WS-PolicyAttachment, WS-PolicyAssertions and WS-SecurityPolicy.
  • Consumer profiles and policies are preferably created at registration time.
  • A network service provider publishes its network services within a services network by transmitting control traffic to a network controller through a client gateway.
  • Policies received either from client gateways through the gateway interface 54 or from a management system through the management system interface 52 are centrally managed by the policy manager 60 within the virtual extranet service, but may be physically distributed within the virtual extranet provided by the services network.
  • The policy manager 60 may allow enterprise service policies to be integrated into the services network's global policy registry. All management data at the extranet level may thereby be integrated with other data from enterprise management systems in order to create a globally-managed virtual extranet service.
  • The policy manager 60 also manages user authorizations and security profiles within the services network rather than with specific network service applications as is the typical scenario within an enterprise.
  • A network service consumer in the enterprise space connects to the services network through a client gateway and performs a single sign-on with the services network.
  • The centralization of access control information into one registry entity hosted by the network controller avoids the problem of sharing identity information and access control policies between enterprise systems. Instead, this data is stored within the virtual extranet.
  • The policy manager 60 may also accommodate legacy authorization systems, illustratively by offering the data necessary for translating existing proprietary session cookies into SAML assertions and real-world identities that can then be mapped to other identity repositories.
  • The policy manager 60 may specify message header and message payload transformations to be applied to data traffic by client gateways.
  • Transformations are made between XML-based web service messages and other formats of messages in accordance with information, illustratively XML schemas, stored in a registry.
  • The security manager 64 manages the security of services network client communications through a services network.
  • The security manager 64 uses established network services and XML standards to guarantee secure communications. For example, a secure datapath created over the services network core may use WS-Security and XML-Encryption, as described above.
  • Although client gateways actually establish secure connections through a services network, the security manager 64 provides a central certificate and key management service for the services network.
  • Security information is downloaded to client gateways for use in establishing secure communications with other client gateways through the services network.
  • The security manager 64 may be configured to automatically download or push security information to client gateways, to transmit security information responsive to requests from client gateways at runtime when client gateways require security information for network services transactions, or support both push and pull transfer mechanisms.
  • The registries manager 66 manages and sanitizes network service registries, illustratively industry standard registries such as UDDI, with advanced meta-data capabilities for network service location and management.
  • The services network provider can store registry entries for available network services based on classification categories and branding they define, for example.
  • Network services are organized in a registry according to permitted levels of access, which may include private, public, semi-private group, and/or others. As described above, some network services may be published privately to specific partners, while other network services are published publicly to the whole services network.
  • A network services registry managed by the registries manager 66 is a collection of network services from all network service providers connected directly or indirectly to a services network. For a new network service provider or consumer which does not have any registries capability at the time when it joins the services network, the registries manager 66 offers a full collection of network services, descriptions, locations, ownerships, and public APIs that allow a network service to be advertised and consumed.
  • An enterprise may instead have its own registries at the time when it joins the services network, in which case the registries manager may allow the internal enterprise network services to be published into the services network's global network service registry.
  • Meta-data registries may also be available for storing network services information for purposes other than basic network service location and management. These may include registries for use by other network controller components to manage service aspects such as timeouts, XML schemas to be applied, service contracts, QoS parameters, and subscription and addressing information. Additional registries may store collections of data obtained as a result of storing billing information, SLA monitoring information, transactional end-to-end business activity monitoring information, activity logs and performance auditing information, and exception alerts, for instance.
  • User credentials, general policies and security policies may be stored in the registries as well.
  • Clients of a services network have real-time console-access and management tools for real-time monitoring and querying of all registry information, in accordance with their service policy.
  • The system manager 69 receives audit records captured by client gateways to provide centralized control, monitoring, and auditing of transactions, events, warnings, and alerts, for instance, and may also manage delivery of comprehensive contracts and SLAs. Transaction priorities are preferably implemented based on their criticality. Other possible functions of the system manager 69 include reporting on transaction completions/failures and management of SLA contracts.
  • FIG. 4 is a flow diagram of a method according to an embodiment of the invention.
  • The method 70 begins at 72 with an operation of authenticating a client of a services network, in this case a network service provider.
  • Once a network service provider has been authenticated, a private network service provided by the network service provider can be published in the services network at 74.
  • A network service consumer authenticated at the same client gateway or at a different client gateway at 76 may be allowed to access the services network at 78 to use the network service.
  • The method 70 as shown in FIG. 4 is intended solely for illustrative purposes, and represents the situation of different clients offering and using a network service. More generally, an authenticated client of a services network may be allowed to make a private network service available to another client of the services network or use a network service provided by another client of the services network. The same client might thus be authenticated only once and subsequently allowed to perform multiple network service-related functions. Once a network service is made available by a client, the client may also change the privacy of the network service, such as to allow the network service to be used by another client of the services network.
  • A services network may include components other than those shown in FIG. 1, such as public network gateways and services network gateways disclosed in the related applications referenced above.
  • A services network may also include multiple network controllers. Different gateways may be connected to different network controllers. It may be desirable to configure one network controller as a designated network controller for some operations of the services network, such as maintaining a central services registry and communicating with services network gateways.
  • A designated network controller might be the same as an ordinary network controller, but configured as a network controller through a command line interface (CLI) of an operator terminal through a management system interface 52 (FIG. 3), for example.
  • The network controllers preferably communicate among themselves for exchanging control information about the services contained in each of their registries and about these services' local storage.
  • A network controller may store into its registries information which has been provided to it by gateways and possibly other network controllers.
  • The example client gateway and network controller components shown in FIGS. 2 and 3 are similarly not restrictive. Embodiments of the invention may include fewer or additional components.
  • A management system which communicates with a network controller may also communicate with client gateways for instance, even though no management system interface was shown in the example client gateway 30 of FIG. 2 to avoid congestion.
  • Network service providers and consumers have been described primarily herein as enterprise clients, but need not necessarily be associated with an enterprise. Embodiments of the invention may be implemented in conjunction with non-enterprise network service providers and consumers, such as the mobile end user system 13.
  • The present invention is also in no way restricted to any particular division of functions between a client gateway and a network controller. Functions may be distributed or integrated in a different manner than explicitly described herein. Registries, for example, could be stored by each client gateway instead of centrally.
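A client gateway's enforcement of a network service policy of the kind described above for the policy manager 60 (whether a token must be presented and which message parts must be signed and encrypted) can be sketched as a structural check on a WS-Security SOAP message. This is an added example, not the patent's implementation: the `ServicePolicy` shape, the function names and the sample envelopes are assumptions, and the check covers message structure only, not signature verification or decryption.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
ENC_DATA = "{%s}EncryptedData" % NS["xenc"]


@dataclass(frozen=True)
class ServicePolicy:          # hypothetical shape of one policy registry entry
    require_token: bool       # must authentication information be presented?
    signed_parts: tuple       # local names of SOAP parts that must be signed
    encrypted_parts: tuple    # local names of SOAP parts that must be encrypted


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def check_message(xml_text, policy):
    """Return a list of policy violations; an empty list means conformant."""
    try:
        env = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["message is not well-formed XML"]
    violations = []
    header = env.find("soap:Header", NS)
    security = header.find("wsse:Security", NS) if header is not None else None
    # Parts the policy can name: header blocks and the Envelope's children.
    parts = {local(el.tag): el
             for el in list(header if header is not None else []) + list(env)}

    # An Id that occurs twice makes "#id" references ambiguous: reject.
    ids = [el.get(WSU_ID) for el in env.iter() if el.get(WSU_ID)]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        violations.append("duplicate wsu:Id '%s'" % dup)

    refs, has_token = set(), False
    if security is not None:
        for ref in security.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
            refs.add(ref.get("URI", "").lstrip("#"))
        has_token = any(security.find("wsse:" + kind, NS) is not None
                        for kind in ("UsernameToken", "BinarySecurityToken"))
    if policy.require_token and not has_token:
        violations.append("no security token presented")

    for name in policy.signed_parts:
        el = parts.get(name)
        if el is None or el.get(WSU_ID) not in refs:
            violations.append("%s is not covered by a signature reference" % name)

    for name in policy.encrypted_parts:
        el = parts.get(name)
        children = list(el) if el is not None else []
        if not children or any(c.tag != ENC_DATA for c in children):
            violations.append("%s is not fully encrypted" % name)
    return violations


def sample(ref, body, token=True, extra_header=""):
    """Build a constructed, skeletal SOAP envelope (not a real capture)."""
    xmlns = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    tok = "<wsse:BinarySecurityToken>constructed</wsse:BinarySecurityToken>" if token else ""
    return (
        "<soap:Envelope %s><soap:Header>%s<wsse:Security>%s"
        "<ds:Signature><ds:SignedInfo><ds:Reference URI='#%s'/></ds:SignedInfo></ds:Signature>"
        "</wsse:Security></soap:Header>"
        "<soap:Body wsu:Id='body-1'>%s</soap:Body></soap:Envelope>"
        % (xmlns, extra_header, tok, ref, body)
    )


POLICY = ServicePolicy(require_token=True, signed_parts=("Body",), encrypted_parts=("Body",))
GOOD = sample("body-1", "<xenc:EncryptedData/>")
BAD = sample("other", "<order>42</order>", token=False)
```

A message that passes this check still has to have its signature cryptographically verified and its payload decrypted with the key material that the security manager 64 distributes.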
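The flow of FIG. 4 (authenticate at 72, publish privately at 74, authenticate a consumer at 76, allow use at 78) and the registry access levels described above (private, semi-private group, public) can be modelled as follows. This is an added illustration, not code from the patent: the class and method names, the password-based authentication and the sample clients are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    PRIVATE = "private"            # only partners named by the owner
    SEMI_PRIVATE = "semi-private"  # members of one named group
    PUBLIC = "public"              # every authenticated client


@dataclass
class ServiceEntry:
    name: str
    owner: str
    access: Access
    partners: set = field(default_factory=set)  # client ids, for PRIVATE
    group: str = ""                              # group name, for SEMI_PRIVATE


class ServicesNetwork:
    def __init__(self):
        self._creds = {}     # client id -> (salt, derived key)
        self._groups = {}    # client id -> set of group names
        self._sessions = {}  # session token -> client id
        self._registry = {}  # service name -> ServiceEntry

    def enroll(self, client, password, groups=()):
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._creds[client] = (salt, key)
        self._groups[client] = set(groups)

    def authenticate(self, client, password):
        """Steps 72 and 76: return a session token, or None on failure."""
        salt, key = self._creds.get(client, (b"\0" * 16, b""))
        guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(guess, key):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = client
        return token

    def _client(self, token):
        client = self._sessions.get(token)
        if client is None:
            raise PermissionError("not authenticated")
        return client

    def publish(self, token, name, access=Access.PRIVATE, partners=(), group=""):
        """Step 74: only an authenticated client may publish; private by default."""
        owner = self._client(token)
        current = self._registry.get(name)
        if current is not None and current.owner != owner:
            raise PermissionError("service name belongs to another client")
        self._registry[name] = ServiceEntry(name, owner, access, set(partners), group)

    def _may_use(self, client, entry):
        if client == entry.owner or entry.access is Access.PUBLIC:
            return True
        if entry.access is Access.PRIVATE:
            return client in entry.partners
        return entry.group in self._groups.get(client, set())  # SEMI_PRIVATE

    def discover(self, token):
        """Registry view filtered by access level: unlisted means invisible."""
        client = self._client(token)
        return sorted(e.name for e in self._registry.values() if self._may_use(client, e))

    def use(self, token, name):
        """Step 78: same error for 'absent' and 'not permitted' entries."""
        client = self._client(token)
        entry = self._registry.get(name)
        if entry is None or not self._may_use(client, entry):
            raise PermissionError("no such service")
        return "%s -> %s/%s" % (client, entry.owner, name)

    def set_access(self, token, name, access, partners=(), group=""):
        """Only the publishing client may change a service's privacy."""
        entry = self._registry.get(name)
        if entry is None or entry.owner != self._client(token):
            raise PermissionError("only the owner may change privacy")
        entry.access, entry.partners, entry.group = access, set(partners), group


def demo():
    net = ServicesNetwork()
    for client, password in (("supplier", "s-pw"), ("retailer", "r-pw"), ("outsider", "o-pw")):
        net.enroll(client, password)  # constructed clients and secrets
    supplier = net.authenticate("supplier", "s-pw")
    retailer = net.authenticate("retailer", "r-pw")
    outsider = net.authenticate("outsider", "o-pw")
    net.publish(supplier, "inventory", Access.PRIVATE, partners={"retailer"})
    before = (net.discover(retailer), net.discover(outsider))
    net.set_access(supplier, "inventory", Access.PUBLIC)
    return before, net.discover(outsider)
```

`demo()` returns the registry view of the named partner and of an unrelated client while the service is private, then the unrelated client's view after the owner makes the service public.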

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
US11/105,732 2005-04-14 2005-04-14 Network services infrastructure systems and methods Abandoned US20060235973A1 (en)

Priority Applications (9)

Application Number Priority Date Filing Date Title
US11/105,732 US20060235973A1 (en) 2005-04-14 2005-04-14 Network services infrastructure systems and methods
KR1020077026468A KR20080008357A (ko) 2005-04-14 2006-04-12 네트웍 서비스 인프라스트럭처 시스템 및 방법
PCT/IB2006/001334 WO2006109187A2 (fr) 2005-04-14 2006-04-12 Systemes d'infrastructures de services de reseau et methodes associees
EP12183660.5A EP2547069B1 (fr) 2005-04-14 2006-04-12 Systèmes d'infrastructures de services de réseau et procédés
JP2008505991A JP2008537829A (ja) 2005-04-14 2006-04-12 ネットワークサービスインフラシステムおよび方法
EP06744743A EP1875715A2 (fr) 2005-04-14 2006-04-12 Systemes d'infrastructures de services de reseau et methodes associees
CN201110230950.XA CN102291459B (zh) 2005-04-14 2006-04-14 网络服务基础设施系统和方法
CN2006100723398A CN1855817B (zh) 2005-04-14 2006-04-14 网络服务基础设施系统和方法
US14/318,963 US9516026B2 (en) 2005-04-14 2014-06-30 Network services infrastructure systems and methods

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11/105,732 US20060235973A1 (en) 2005-04-14 2005-04-14 Network services infrastructure systems and methods

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/318,963 Continuation US9516026B2 (en) 2005-04-14 2014-06-30 Network services infrastructure systems and methods

Publications (1)

Publication Number Publication Date
US20060235973A1 true US20060235973A1 (en) 2006-10-19

Family

ID=36699149

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/105,732 Abandoned US20060235973A1 (en) 2005-04-14 2005-04-14 Network services infrastructure systems and methods
US14/318,963 Active 2025-10-11 US9516026B2 (en) 2005-04-14 2014-06-30 Network services infrastructure systems and methods

Family Applications After (1)

Application Number Title Priority Date Filing Date
US14/318,963 Active 2025-10-11 US9516026B2 (en) 2005-04-14 2014-06-30 Network services infrastructure systems and methods

Country Status (6)

Country Link
US (2) US20060235973A1 (fr)
EP (2) EP2547069B1 (fr)
JP (1) JP2008537829A (fr)
KR (1) KR20080008357A (fr)
CN (2) CN102291459B (fr)
WO (1) WO2006109187A2 (fr)

Citations (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6081900A (en) * 1999-03-16 2000-06-27 Novell, Inc. Secure intranet access
US20020143819A1 (en) * 2000-05-31 2002-10-03 Cheng Han Web service syndication system
US20030099237A1 (en) * 2001-11-16 2003-05-29 Arindam Mitra Wide-area content-based routing architecture
US20030214955A1 (en) * 2002-05-14 2003-11-20 Samsung Electronics Co., Ltd. Apparatus and method for offering connections between network devices located in different home networks
US20040078424A1 (en) * 2002-10-16 2004-04-22 Nokia Corporation Web services via instant messaging
US20040107196A1 (en) * 2002-12-02 2004-06-03 Ye Chen Web service agent
US20040128622A1 (en) * 2002-12-26 2004-07-01 Mountain Highland Mary Method and server for communicating information between publishers and subscribers of web services
US20040242329A1 (en) * 2003-03-05 2004-12-02 Blackburn Christopher W. Discovery service in a service-oriented gaming network environment
US20040268121A1 (en) * 2003-06-30 2004-12-30 Art Shelest Reducing network configuration complexity with transparent virtual private networks
US20050005116A1 (en) * 2002-09-18 2005-01-06 Commerce One Operations, Inc. Dynamic interoperability contract for web services
US20050086197A1 (en) * 2003-09-30 2005-04-21 Toufic Boubez System and method securing web services
US20050228984A1 (en) * 2004-04-07 2005-10-13 Microsoft Corporation Web service gateway filtering
US20050273668A1 (en) * 2004-05-20 2005-12-08 Richard Manning Dynamic and distributed managed edge computing (MEC) framework
US20060047832A1 (en) * 2004-05-21 2006-03-02 Christopher Betts Method and apparatus for processing web service messages
US20060080352A1 (en) * 2004-09-28 2006-04-13 Layer 7 Technologies Inc. System and method for bridging identities in a service oriented architecture
US20060080419A1 (en) * 2004-05-21 2006-04-13 Bea Systems, Inc. Reliable updating for a service oriented architecture
US20060161616A1 (en) * 2005-01-14 2006-07-20 I Anson Colin Provision of services over a common delivery platform such as a mobile telephony network
US7127700B2 (en) * 2002-03-14 2006-10-24 Openwave Systems Inc. Method and apparatus for developing web services using standard logical interfaces to support multiple markup languages
US20070124423A1 (en) * 2002-12-17 2007-05-31 Berkland Philip T Apparatus and Method for Flexible Web Service Deployment
US7457870B1 (en) * 2004-02-27 2008-11-25 Packeteer, Inc. Methods, apparatuses and systems facilitating classification of web services network traffic
US7698398B1 (en) * 2003-08-18 2010-04-13 Sun Microsystems, Inc. System and method for generating Web Service architectures using a Web Services structured methodology

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7339895B2 (en) * 2001-08-21 2008-03-04 Hitachi, Ltd. Gateway device and control method for communication with IP and IPV6 protocols
CN1423461A (zh) * 2001-11-23 2003-06-11 中望商业机器有限公司 宽带接入网关
AU2003234202A1 (en) * 2002-04-23 2003-11-10 Edgile, Inc. System for managing and delivering digital services through computer networks
US7463637B2 (en) 2005-04-14 2008-12-09 Alcatel Lucent Public and private network service management systems and methods
US7483438B2 (en) 2005-04-14 2009-01-27 Alcatel Lucent Systems and methods for managing network services between private networks


Cited By (124)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9614772B1 (en) 2003-10-20 2017-04-04 F5 Networks, Inc. System and method for directing network traffic in tunneling applications
US7987253B2 (en) * 2004-12-21 2011-07-26 International Business Machines Corporation Determining an applicable policy for an incoming message
US20080301248A1 (en) * 2004-12-21 2008-12-04 Pfitzmann Birgit M Determining an applicable policy for an incoming message
US20060235986A1 (en) * 2005-04-15 2006-10-19 Samsung Electronics Co., Ltd. Web service processing apparatus and method
US8079059B1 (en) * 2005-05-31 2011-12-13 Imera Systems, Inc. Method and system for providing terminal view access of a client device in a secure network
US8418233B1 (en) * 2005-07-29 2013-04-09 F5 Networks, Inc. Rule based extensible authentication
US9210177B1 (en) * 2005-07-29 2015-12-08 F5 Networks, Inc. Rule based extensible authentication
US9225479B1 (en) 2005-08-12 2015-12-29 F5 Networks, Inc. Protocol-configurable transaction processing
US8533308B1 (en) 2005-08-12 2013-09-10 F5 Networks, Inc. Network traffic management through protocol-configurable transaction processing
US20070061431A1 (en) * 2005-09-12 2007-03-15 Sap Ag. Systems and methods for providing a local client proxy
US7801996B2 (en) * 2005-09-12 2010-09-21 Sap Ag Systems and methods for providing a local client proxy
US8917714B2 (en) * 2005-09-13 2014-12-23 International Business Machines Corporation Cooperative routing between traffic control device and multi-server application
US20080263223A1 (en) * 2005-09-13 2008-10-23 International Business Machines Corporation Cooperative routing between traffic control device and multi-server application
US20070061445A1 (en) * 2005-09-13 2007-03-15 Deganaro Louis R Cooperative routing between traffic control device and multi-server application
WO2007065262A1 (fr) * 2005-12-08 2007-06-14 Sxip Identity Corporation Networked identity framework
US20070143860A1 (en) * 2005-12-08 2007-06-21 Sxip Identity Corporation Networked identity framework
US8635679B2 (en) 2005-12-08 2014-01-21 Webler Solutions, Llc Networked identity framework
US8601127B2 (en) * 2006-01-31 2013-12-03 Panasonic Corporation Method for selective service updates for communication networks
US20090210532A1 (en) * 2006-01-31 2009-08-20 Matsushita Electric Industrial Co., Ltd. Method for selective service updates for communication networks
US8611222B1 (en) 2006-02-01 2013-12-17 F5 Networks, Inc. Selectively enabling packet concatenation based on a transaction boundary
US8565088B1 (en) 2006-02-01 2013-10-22 F5 Networks, Inc. Selectively enabling packet concatenation based on a transaction boundary
US8559313B1 (en) 2006-02-01 2013-10-15 F5 Networks, Inc. Selectively enabling packet concatenation based on a transaction boundary
US8160579B1 (en) * 2006-03-06 2012-04-17 Cisco Technology, Inc. Performing deep packet inspection for a communication session
US8719895B1 (en) 2006-03-06 2014-05-06 Cisco Technology, Inc. Determining a policy output for a communication session
US8438613B2 (en) 2006-03-06 2013-05-07 Cisco Technology, Inc. Establishing facets of a policy for a communication session
US8868757B1 (en) * 2006-05-24 2014-10-21 Avaya Inc. Two-way web service router gateway
US20080019376A1 (en) * 2006-07-21 2008-01-24 Sbc Knowledge Ventures, L.P. Inline network element which shares addresses of neighboring network elements
US8347403B2 (en) * 2006-12-19 2013-01-01 Canon Kabushiki Kaisha Single point authentication for web service policy definition
US20080148345A1 (en) * 2006-12-19 2008-06-19 Canon Kabushiki Kaisha Single point authentication for web service policy definition
US8549096B2 (en) * 2007-02-02 2013-10-01 The Mathworks, Inc. Scalable architecture
US20120271953A1 (en) * 2007-02-02 2012-10-25 The Mathworks, Inc. Scalable architecture
US8918511B2 (en) 2007-02-02 2014-12-23 The Mathworks, Inc. Scalable architecture
US9106606B1 (en) 2007-02-05 2015-08-11 F5 Networks, Inc. Method, intermediate device and computer program code for maintaining persistency
US9967331B1 (en) 2007-02-05 2018-05-08 F5 Networks, Inc. Method, intermediate device and computer program code for maintaining persistency
US7844704B2 (en) * 2007-03-16 2010-11-30 Ricoh Company, Ltd. Event notification device and event notification method
US20080228915A1 (en) * 2007-03-16 2008-09-18 Ricoh Company, Ltd Event notification device and event notification method
US10313254B1 (en) 2007-03-30 2019-06-04 Extreme Networks, Inc. Network management interface for a network element with network-wide information
US20080256258A1 (en) * 2007-04-16 2008-10-16 Chatterjee Pallab K Business-to-Business Internet Infrastructure
US10210532B2 (en) * 2007-04-16 2019-02-19 Jda Software Group, Inc. Business-to-business internet infrastructure
US7962089B1 (en) * 2007-07-02 2011-06-14 Rockwell Collins, Inc. Method and system of supporting policy based operations for narrowband tactical radios
US20150161273A1 (en) * 2007-08-28 2015-06-11 International Business Machines Corporation System and method of sensing and responding to service discoveries
US11468132B2 (en) 2007-08-28 2022-10-11 Kyndryl, Inc. System and method of sensing and responding to service discoveries
US11068555B2 (en) 2007-08-28 2021-07-20 International Business Machines Corporation System and method of sensing and responding to service discoveries
US10042941B2 (en) * 2007-08-28 2018-08-07 International Business Machines Corporation System and method of sensing and responding to service discoveries
US10599736B2 (en) 2007-08-28 2020-03-24 International Business Machines Corporation System and method of sensing and responding to service discoveries
US20090150563A1 (en) * 2007-12-07 2009-06-11 Virtensys Limited Control path I/O virtualisation
US9021125B2 (en) * 2007-12-07 2015-04-28 Micron Technology, Inc. Control path I/O virtualisation
US8838803B2 (en) * 2007-12-20 2014-09-16 At&T Intellectual Property I, L.P. Methods and apparatus for management of user presence in communication activities
US20090165089A1 (en) * 2007-12-20 2009-06-25 Richard Bennett Methods and Apparatus for Management of User Presence in Communication Activities
EP2235912A4 (fr) * 2008-01-24 2016-05-04 Ericsson Telefon Ab L M Method and device for controlling global web services
US9832069B1 (en) 2008-05-30 2017-11-28 F5 Networks, Inc. Persistence based on server response in an IP multimedia subsystem (IMS)
US11971948B1 (en) 2008-05-30 2024-04-30 On24, Inc. System and method for communication between Rich Internet Applications
US9130846B1 (en) 2008-08-27 2015-09-08 F5 Networks, Inc. Exposed control components for customizable load balancing and persistence
US20100205014A1 (en) * 2009-02-06 2010-08-12 Cary Sholer Method and system for providing response services
US9531716B1 (en) * 2009-08-07 2016-12-27 Cisco Technology, Inc. Service enabled network
US20120173727A1 (en) * 2009-09-25 2012-07-05 Zte Corporation Internet Access Control Apparatus, Method and Gateway Thereof
US10749948B2 (en) 2010-04-07 2020-08-18 On24, Inc. Communication console with component aggregation
US12081618B2 (en) 2010-04-07 2024-09-03 On24, Inc. Communication console with component aggregation
US11438410B2 (en) 2010-04-07 2022-09-06 On24, Inc. Communication console with component aggregation
US9185531B2 (en) 2010-08-25 2015-11-10 Htc Corporation Method of handling service group ownership transfer in a communication system and related communication device
US9286126B2 (en) * 2010-09-03 2016-03-15 Ricoh Company, Ltd. Information processing apparatus, information processing system, and computer-readable storage medium
US20120060212A1 (en) * 2010-09-03 2012-03-08 Ricoh Company, Ltd. Information processing apparatus, information processing system, and computer-readable storage medium
US9596122B2 (en) 2010-12-03 2017-03-14 International Business Machines Corporation Identity provider discovery service using a publish-subscribe model
US9596123B2 (en) 2010-12-03 2017-03-14 International Business Machines Corporation Identity provider discovery service using a publish-subscribe model
US9544300B2 (en) * 2011-08-30 2017-01-10 Siemens Aktiengesellschaft Method and system for providing device-specific operator data for an automation device in an automation installation
US20140173688A1 (en) * 2011-08-30 2014-06-19 Kai Fischer Method and System for Providing Device-Specific Operator Data for an Automation Device in an Automation Installation
EP2760250A1 (fr) * 2011-09-23 2014-07-30 ZTE Corporation M2M platform cloud system and associated method for processing M2M services
EP2760250A4 (fr) * 2011-09-23 2014-11-26 Zte Corp M2M platform cloud system and associated method for processing M2M services
US10965615B2 (en) * 2012-03-30 2021-03-30 Nokia Solutions And Networks Oy Centralized IP address management for distributed gateways
US9917840B2 (en) 2012-10-16 2018-03-13 Guest Tek Interactive Entertainment Ltd. Off-site user access control
US20160028733A1 (en) * 2012-10-16 2016-01-28 Guest Tek Interactive Entertainment Ltd. Off-site user access control
US20140245395A1 (en) * 2012-10-16 2014-08-28 Guest Tek Interactive Entertainment Ltd. Off-site user access control
US9462000B2 (en) * 2012-10-16 2016-10-04 Guest Tek Interactive Entertainment Ltd. Off-site user access control
US9178861B2 (en) * 2012-10-16 2015-11-03 Guest Tek Interactive Entertainment Ltd. Off-site user access control
US9450936B2 (en) 2012-11-02 2016-09-20 Silverlake Mobility Ecosystem Sdn Bhd Method of processing requests for digital services
WO2014069978A1 (fr) * 2012-11-02 2014-05-08 Silverlake Mobility Ecosystem Sdn Bhd Method of processing requests for digital services
US20140169172A1 (en) * 2012-12-18 2014-06-19 At&T Intellectual Property I, L.P. Dynamic in-band service control mechanism in mobile network
US10291751B2 (en) 2012-12-18 2019-05-14 At&T Intellectual Property I, L.P. Dynamic in-band service control mechanism in mobile network
US9271188B2 (en) * 2012-12-18 2016-02-23 At&T Intellectual Property I, L.P. Dynamic in-band service control mechanism in mobile network
US9584636B2 (en) 2012-12-18 2017-02-28 At&T Intellectual Property I, L.P. Dynamic in-band service control mechanism in mobile network
US10939226B2 (en) * 2012-12-18 2021-03-02 At&T Intellectual Property I, L.P. Dynamic in-band service control mechanism in mobile network
US20190268448A1 (en) * 2012-12-18 2019-08-29 At&T Intellectual Property I, L.P. Dynamic in-band service control mechanism in mobile network
US11115438B2 (en) 2013-09-20 2021-09-07 Open Text Sa Ulc System and method for geofencing
US9979751B2 (en) 2013-09-20 2018-05-22 Open Text Sa Ulc Application gateway architecture with multi-level security policy and rule promulgations
US10268835B2 (en) 2013-09-20 2019-04-23 Open Text Sa Ulc Hosted application gateway architecture with multi-level security policy and rule promulgations
US10284600B2 (en) 2013-09-20 2019-05-07 Open Text Sa Ulc System and method for updating downloaded applications using managed container
US10824756B2 (en) 2013-09-20 2020-11-03 Open Text Sa Ulc Hosted application gateway architecture with multi-level security policy and rule promulgations
US10116697B2 (en) 2013-09-20 2018-10-30 Open Text Sa Ulc System and method for geofencing
US11102248B2 (en) 2013-09-20 2021-08-24 Open Text Sa Ulc System and method for remote wipe
US11108827B2 (en) 2013-09-20 2021-08-31 Open Text Sa Ulc Application gateway architecture with multi-level security policy and rule promulgations
US10171501B2 (en) * 2013-09-20 2019-01-01 Open Text Sa Ulc System and method for remote wipe
US11429781B1 (en) 2013-10-22 2022-08-30 On24, Inc. System and method of annotating presentation timeline with questions, comments and notes using simple user inputs in mobile devices
US10713076B2 (en) 2013-11-21 2020-07-14 Centurylink Intellectual Property Llc Physical to virtual network transport function abstraction
US20150271276A1 (en) * 2014-03-18 2015-09-24 Axis Ab Capability monitoring in a service oriented architecture
CN104935454A (zh) * 2014-03-18 2015-09-23 安讯士有限公司 Capability monitoring in a service oriented architecture
KR101762237B1 (ko) * 2014-03-18 2017-08-04 엑시스 에이비 Method for monitoring capability in a service oriented architecture
US9705995B2 (en) * 2014-03-18 2017-07-11 Axis Ab Capability monitoring in a service oriented architecture
US11212159B2 (en) 2014-04-03 2021-12-28 Centurylink Intellectual Property Llc Network functions virtualization interconnection gateway
US9948493B2 (en) 2014-04-03 2018-04-17 Centurylink Intellectual Property Llc Network functions virtualization interconnection gateway
US20150288767A1 (en) * 2014-04-03 2015-10-08 Centurylink Intellectual Property Llc Network Functions Virtualization Interconnection Hub
US9998320B2 (en) 2014-04-03 2018-06-12 Centurylink Intellectual Property Llc Customer environment network functions virtualization (NFV)
US10992734B2 (en) 2014-08-13 2021-04-27 Centurylink Intellectual Property Llc Remoting application servers
US10225327B2 (en) 2014-08-13 2019-03-05 Centurylink Intellectual Property Llc Remoting application servers
US10613892B2 (en) 2014-08-15 2020-04-07 Centurylink Intellectual Property Llc Multi-line/multi-state virtualized OAM transponder
US10929172B2 (en) 2014-08-15 2021-02-23 Centurylink Intellectual Property Llc Multi-line/multi-state virtualized OAM transponder
US10785325B1 (en) 2014-09-03 2020-09-22 On24, Inc. Audience binning system and method for webcasting and on-line presentations
US10630717B2 (en) * 2015-05-15 2020-04-21 Avaya, Inc. Mitigation of WebRTC attacks using a network edge system
US11714685B2 (en) * 2015-07-31 2023-08-01 The Conundrum Ip Llc Discovering and publishing API information
US12131195B2 (en) * 2015-07-31 2024-10-29 The Conundrum Ip Llc Discovering and publishing API information
US20180217871A1 (en) * 2015-07-31 2018-08-02 Hewlett Packard Enterprise Development LP. Discovering and publishing api information
US10673777B2 (en) 2015-09-28 2020-06-02 Centurylink Intellectual Property Llc Intent-based services orchestration
US9882833B2 (en) 2015-09-28 2018-01-30 Centurylink Intellectual Property Llc Intent-based services orchestration
US10250525B2 (en) 2015-09-28 2019-04-02 Centurylink Intellectual Property Llc Intent-based services orchestration
US10474437B2 (en) 2015-11-03 2019-11-12 Open Text Sa Ulc Streamlined fast and efficient application building and customization systems and methods
US11593075B2 (en) 2015-11-03 2023-02-28 Open Text Sa Ulc Streamlined fast and efficient application building and customization systems and methods
US11388037B2 (en) 2016-02-25 2022-07-12 Open Text Sa Ulc Systems and methods for providing managed services
US10826875B1 (en) * 2016-07-22 2020-11-03 Servicenow, Inc. System and method for securely communicating requests
US11411957B2 (en) * 2017-04-26 2022-08-09 Cisco Technology, Inc. Broker-coordinated selective sharing of data
US10693878B2 (en) * 2017-04-26 2020-06-23 Cisco Technology, Inc. Broker-coordinated selective sharing of data
US11683353B2 (en) 2017-09-08 2023-06-20 Convida Wireless, Llc Automated service enrollment in a machine-to-machine communications network
US12041097B2 (en) 2017-09-08 2024-07-16 Convida Wireless, Llc Automated service enrollment in a machine-to-machine communications network
US11281723B2 (en) 2017-10-05 2022-03-22 On24, Inc. Widget recommendation for an online event using co-occurrence matrix
US11188822B2 (en) 2017-10-05 2021-11-30 On24, Inc. Attendee engagement determining system and method
US11979327B1 (en) * 2023-05-08 2024-05-07 Dell Products, L.P. Managed network traffic prioritization

Also Published As

Publication number Publication date
KR20080008357A (ko) 2008-01-23
CN102291459A (zh) 2011-12-21
WO2006109187A3 (fr) 2007-03-08
EP2547069A1 (fr) 2013-01-16
WO2006109187A2 (fr) 2006-10-19
EP2547069B1 (fr) 2015-11-04
CN1855817A (zh) 2006-11-01
US9516026B2 (en) 2016-12-06
JP2008537829A (ja) 2008-09-25
CN102291459B (zh) 2015-02-11
EP1875715A2 (fr) 2008-01-09
US20140317683A1 (en) 2014-10-23
CN1855817B (zh) 2012-07-04

Similar Documents

Publication Publication Date Title
US9516026B2 (en) Network services infrastructure systems and methods
US7483438B2 (en) Systems and methods for managing network services between private networks
US7463637B2 (en) Public and private network service management systems and methods
US20080033845A1 (en) Publication Subscription Service Apparatus And Methods
EP2076999B1 (fr) Systems and methods for managing the use of network services
EP1820294B1 (fr) Performing security functions on a message payload in a network element
US9491201B2 (en) Highly scalable architecture for application network appliances
US8300529B2 (en) Service-centric communication network monitoring
US8239520B2 (en) Network service operational status monitoring
US8266327B2 (en) Identity brokering in a network element
US7290286B2 (en) Content provider secure and tracable portal
US20070028001A1 (en) Applying quality of service to application messages in network elements
US20070294253A1 (en) Secure domain information protection apparatus and methods
Tripunitara et al. Connectivity provisioning with security attributes

Legal Events

Date Code Title Description
AS Assignment

Owner name: ALCATEL, FRANCE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MCBRIDE, BRIAN;BOU-DIAB, BASHAR SAID;SERGHI, LAURA MIHAELA;REEL/FRAME:016478/0894;SIGNING DATES FROM 20050413 TO 20050414

AS Assignment

Owner name: ALCATEL LUCENT, FRANCE

Free format text: CHANGE OF NAME;ASSIGNOR:ALCATEL;REEL/FRAME:024057/0733

Effective date: 20061130

AS Assignment

Owner name: CREDIT SUISSE AG, NEW YORK

Free format text: SECURITY AGREEMENT;ASSIGNOR:LUCENT, ALCATEL;REEL/FRAME:029821/0001

Effective date: 20130130

Owner name: CREDIT SUISSE AG, NEW YORK

Free format text: SECURITY AGREEMENT;ASSIGNOR:ALCATEL LUCENT;REEL/FRAME:029821/0001

Effective date: 20130130

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE

AS Assignment

Owner name: ALCATEL LUCENT, FRANCE

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG;REEL/FRAME:033868/0555

Effective date: 20140819