US20200322215A1 - Network access system configuration - Google Patents


Info

Publication number
US20200322215A1
Authority
US
United States
Prior art keywords
network
electronic device
network entity
communication
network access
Prior art date
Legal status
Abandoned
Application number
US16/783,903
Inventor
Thomas E. Hemphill
Current Assignee
Pelion Technology Inc
Original Assignee
Arm Cloud Technology Inc
Priority date
Filing date
Publication date
Application filed by Arm Cloud Technology Inc
Priority to US16/783,903
Assigned to WIGWAG INC. (assignment of assignors interest; see document for details). Assignors: HEMPHILL, THOMAS E.
Publication of US20200322215A1
Assigned to ARM CLOUD TECHNOLOGY, INC. (assignment of assignors interest; see document for details). Assignors: WIGWAG INC.
Current legal status: Abandoned

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L 41/08 Configuration management of networks or network elements
                        • H04L 41/0803 Configuration setting
                            • H04L 41/0806 Configuration setting for initial configuration or provisioning, e.g. plug-and-play
                        • H04L 41/0876 Aspects of the degree of configuration automation
                            • H04L 41/0886 Fully automatic configuration
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                        • H04L 63/101 Access control lists [ACL]
                        • H04L 63/102 Entity profiles
                • H04L 67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L 67/01 Protocols
                        • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
                            • H04L 67/125 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
                    • H04W 4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/08 Access security
                    • H04W 12/60 Context-dependent security
                        • H04W 12/69 Identity-dependent
                            • H04W 12/71 Hardware identity
                • H04W 84/00 Network topologies
                    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
                        • H04W 84/10 Small scale networks; Flat hierarchical networks
                            • H04W 84/12 WLAN [Wireless Local Area Networks]
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F 21/44 Program or device authentication

Definitions

  • the present disclosure generally relates to network communication, and more specifically to dynamically configuring a network access system.
  • a network device such as, but not limited to, a router.
  • a router may be a device that forwards data packets to various devices within a communication system employing one or more communication standards.
  • network security may be managed, at least in part, by a network access system such as, but not limited to, a firewall.
  • a firewall may monitor and control the incoming and outgoing network traffic.
  • a firewall may prevent unauthorized access to or from a communication system.
  • firewalls may be static in operation and thus unable to provide a sufficient level of security to connected devices. Accordingly, it may be desirable to provide a device aware network access system that may be dynamically configurable.
  • a method includes detecting, at a network entity, an electronic device associated with a first class of devices; selecting a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the electronic device and a remote host device according to one or more communication services; activating the one or more communication services in response to selecting the device controller from the set of device controllers; and configuring a network access system at the network entity based on the one or more communication services.
  • a computer-readable storage medium comprising one or more programs for execution by one or more processors of an electronic device, the one or more programs including instructions which, when executed by the one or more processors, cause the electronic device to: detect an electronic device associated with a first class of devices; select a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the electronic device and a remote host device according to one or more communication services; activate the one or more communication services in response to selecting the device controller from the set of device controllers; and configure a network access system at the network entity based on the one or more communication services.
  • an electronic apparatus comprising: one or more processors; memory; and one or more programs stored in the memory, the one or more programs including instructions for: detecting an electronic device associated with a first class of devices; selecting a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the electronic device and a remote host device according to one or more communication services; activating the one or more communication services in response to selecting the device controller from the set of device controllers; and configuring a network access system at the network entity based on the one or more communication services.
  • an electronic apparatus comprising: a memory unit; and a processing unit connected to the memory unit, wherein the processing unit is configured to: detect an electronic device associated with a first class of devices; select a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the electronic device and a remote host device according to one or more communication services; activate the one or more communication services in response to selecting the device controller from the set of device controllers; and configure a network access system at the network entity based on the one or more communication services.
  • an electronic apparatus comprising: means for detecting an electronic device associated with a first class of devices; means for selecting a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the electronic device and a remote host device according to one or more communication services; means for activating the one or more communication services in response to selecting the device controller from the set of device controllers; and means for configuring a network access system at the network entity based on the one or more communication services.
  • FIG. 1 illustrates a schematic diagram of a communication system including a network entity and one or more electronic devices in accordance with some aspects of the present disclosure.
  • FIG. 2 illustrates a block diagram of a network entity in accordance with some aspects of the present disclosure.
  • FIG. 3 illustrates a network entity including one or more device controllers in accordance with some aspects of the present disclosure.
  • FIG. 4 illustrates an example of a device controller in accordance with some aspects of the present disclosure.
  • FIG. 5 illustrates a schematic diagram of a communication network in accordance with some aspects of the present disclosure.
  • FIGS. 6A and 6B are flow diagrams of a method of configuring a network access system in accordance with some aspects of the present disclosure.
  • FIG. 7 illustrates a functional block diagram of a network entity in accordance with some aspects of the present disclosure.
  • the present aspects generally relate to configuring a network access system. Specifically, the present aspects may automatically and/or dynamically configure a network access system such as, but not limited to, a firewall at a network entity according to or based on one or more detected automation devices.
  • the network access system may authorize access or block unauthorized access while permitting outward communication.
  • a second set of electronic devices classified as automation devices, operating according to a set of communication parameters (e.g., rules or standards) different from that of the first set of electronic devices, may be detected by the network entity. These automation devices in turn may transmit and receive data packets via the network entity.
  • Such an implementation may leave the network vulnerable, because the automation device may expose a number of different protocols or layers by which access to or from the network can be made and for which the network access system does not account. With the network access system unable to establish or configure rules accordingly, unauthorized access to the network may occur.
  • a network entity may transmit and receive Internet Protocol (IP) data packets between one or more networks in accordance with one or more communication standards or protocols.
  • a communications protocol may be a system of rules that allow two or more entities of a communications system to transmit information via any kind of variation of a physical quantity.
  • a network entity may not make determinations based on content of the data packet beyond the network or transport layer (e.g., layer 3 and 4 in the Open Systems Interconnection (OSI) network model).
  • a network entity may perform deep packet inspection to look at specific protocols for some signature representing a specific risk. For instance, a Simple Mail Transfer Protocol (SMTP) gateway may inspect or search for viruses in email traffic.
  • monitoring and determining whether to permit access to a network may be specific to only a small number of protocols. This is due in part to the development and maintenance of homogeneity in protocol structure and operation. Yet automation devices may operate outside of the typical protocol structure. That is, automation devices may erode protocol homogeneity in favour of a more heterogeneous structure of additional protocols. Accordingly, a network access system (e.g., firewall) of a network entity (e.g., router) may expand its access monitoring and/or determinations to the additional protocols or layers.
  • communication with automation devices may involve protocols or layers above data packets at Layer 3.
  • these communication standards may include, but are not limited to, ZigBee, Bluetooth, Z-Wave, 6LoWPAN, and/or Thread.
  • Some of the aforementioned communication protocols may operate according to or otherwise include an external computer or ‘hub’ to bridge them to the Internet along with a user application that works with that bridge. That is, their respective communication protocol does not operate solely according to or solely access the Internet Protocol. This may result in numerous hubs being established at a location (e.g., home or office) as automation devices are added. Furthermore, the security of each of these hubs may be separately controlled resulting in a disjointed automation device security policy lacking cohesion and uniformity.
  • automation devices may be designed and programmed with a set of constraints distinct from those of traditional “fatter” clients or devices on a network, such as smartphones, tablets and personal computers. Constraints such as comparatively smaller amounts of random access memory (RAM) and permanent storage, such as flash memory, limit the sophistication of the software on such a device.
  • automation devices may be upgraded less often than larger electronic devices. As such, automation devices may be prone to having security holes, and hence more stringent network access (e.g., firewalling) control may be desirable.
  • a network access system of some network entities may implement security according to Network Address Translation (NAT).
  • NAT may conceal vulnerable laptops and PCs in the home behind a single address which allows outbound communications, but not inbound requests.
  • automation devices (e.g., sensor devices and/or controllable devices) may desire access to and from the Internet, which NAT may prevent.
  • some network entities employing NAT may allow all or nearly all outbound data packets out of the network.
  • an automation device may send data to the unauthorized entity (e.g., server). That is, even in such a case where unauthorized access is obtained to the network, the automation device is nonetheless not prevented (e.g., via a firewall) from sending data to the unauthorized entity.
  • the present methods and apparatus may provide an efficient and effective solution, as compared to current solutions, to provide a network entity (e.g., router) having a network access system (e.g., firewall) that dynamically configures network access according to detected automated devices.
  • the present methods and apparatus may detect an electronic device associated with or belonging to a first class of devices (e.g., automation devices), and configure a network access system (e.g., firewall) at the network entity (e.g., router) based on the one or more communication services associated with a device controller.
  • Communication system 100 may include network entity 102 , which may be configured to transmit and receive data packets to various devices within communication system 100 employing one or more communication standards (e.g., WiFi).
  • communication system 100 may include one or more automation devices (e.g., first automation device 110 , second automation device 112 , and third automation device 114 ), as well as electronic device 116 .
  • an automation device may be a device embedded with electronics, software, sensors, and/or network connectivity, which may enable the device to collect and exchange data.
  • one or more automation devices 110 , 112 , and/or 114 and/or electronic device 116 may connect to network entity 102 via a compliant wireless link or connection to obtain general connectivity to Internet 108 or to other wide area networks.
  • communication system 100 includes first host device 104 and second host device 106 , each of which may be configured to store and communicate data with corresponding automation devices 110 , 112 , 114 , and/or electronic device 116 .
  • first host device 104 may include data specific to or otherwise associated with first automation device 110 .
  • first host device 104 and second host device 106 may be accessed via Internet 108 to provide device-specific data or information to automation devices 110 , 112 , 114 , and/or electronic device 116 .
  • first automation device 110 may communicate with corresponding first host device 104 (e.g., via network entity 102 and Internet 108 ) to transmit and receive data specific to the operation and usage of first automation device 110 .
  • a first hub or network may be established including first automation device 110 and first host device 104 .
  • communication with a corresponding host device may be performed according to one or more communication standards or protocols.
  • the first hub or network may communicate according to a first communication standard or protocol (e.g., Bluetooth).
  • second automation device 112 and/or third automation device 114 may communicate with corresponding second host device 106 (e.g., via network entity 102 and Internet 108 ) to transmit and receive data specific to the operation and usage of second automation device 112 and/or third automation device 114 .
  • a second hub or network may be established.
  • the second hub or network may communicate according to a second communication standard or protocol (e.g., ZigBee), which may be the same as or distinct from the first communication standard or protocol.
  • first host device 104 and second host device 106 may each be one or more servers.
  • Communication system 100 may also include network access system 120 , which may be configured to monitor and control incoming and outgoing network traffic based on one or more security parameters.
  • network access system 120 may be or otherwise include a firewall.
  • network access system 120 may prevent unauthorized access to or from a private network of or at network entity 102 .
  • network access system 120 may be embodied in, performed at or by, or include hardware, software, or both.
  • network access system 120 may be a network firewall, a network access point, and/or an industrial gateway or commercial base station.
  • an automation device may be a device associated with or otherwise referred to as an Internet-of-Things device.
  • an automation device may be or otherwise include, but is not limited to, a device (e.g., sensor and/or controller) used, for instance, in lighting systems, power control systems, Heating, Ventilation, and Air Conditioning (HVAC) systems, thermostats, security systems (e.g., cameras, motion detectors, and/or locks), garage doors, water systems (e.g., sprinklers, filtration, and/or pumps), a shading device, a wearable electronic sensor, a security device, an image capturing device, a recording device, an appliance, a voice command device, or an entertainment device.
  • network entity 102 may be an access point configured to permit one or more automation devices and/or electronic devices to connect to a network (e.g., WLAN) using one or more communication standards (e.g., WiFi).
  • the access point may connect, be part of, or otherwise include a router, which may be configured to forward or route data packets from one end or device (e.g., automation devices 110 , 112 , 114 and/or electronic device 116 ) to another end or device (e.g., first host device 104 and/or second host device 106 ). That is, in some aspects, the access point may be an integral component of the router.
  • the one or more communication standards may include, but are not limited to, 6lowPAN, ZIGBEE, DASH7, BLUETOOTH, IEEE 802.11 (WiFi), WiMAX, and/or a cellular standard (e.g., LTE).
  • electronic device 116 and/or automation devices 110 , 112 , and/or 114 may also be used as an access point.
  • the access point may serve as a hub or base station for the network, and a wireless device may serve as a user of the network (e.g., WLAN).
  • electronic device 116 may include, be implemented as, or known as an access terminal (“AT”), a subscriber station, a subscriber unit, a mobile station, a remote station, a remote terminal, a user terminal, a user agent, a user device, user equipment, or some other terminology.
  • an access terminal may comprise a cellular telephone, a cordless telephone, a Session Initiation Protocol (“SIP”) phone, a wireless local loop (“WLL”) station, a personal digital assistant (“PDA”), a handheld device having wireless connection capability, or some other suitable processing device connected to a wireless modem.
  • one or more aspects disclosed herein may be incorporated into a phone (e.g., a cellular phone or smartphone), a computer (e.g., a laptop), a portable communication device, a headset, a portable computing device (e.g., a personal data assistant), an entertainment device (e.g., a music or video device, or a satellite radio), a gaming device or system, a global positioning system device, or any other suitable device that is configured to communicate via a wireless medium.
  • communication system 100 may include or otherwise be part of a sensor network, home sensor network, wireless sensor network, environmental sensor network, traffic sensor network, and/or surveillance sensor network.
  • FIG. 2 illustrates a block diagram of a design of network entity 102 .
  • transmit (TX) data and control processor 210 may receive traffic data from a data source and/or control information from a controller/processor 202 .
  • Processor 202 may process (e.g., format, encode, decode, and/or symbol map) the traffic data and control information and provide modulation symbols.
  • Modulator (MOD) 206 may process the modulation symbols and provide output chips/data.
  • Transmitter (TMTR) 214 may process (e.g., convert to analog, amplify, filter, and upconvert) the output data and generate a downlink signal, which may be transmitted via one or more antennas 220 a or 220 b.
  • Processor 404 may include or be a component of a processing system implemented with one or more processors.
  • the one or more processors may be implemented with any combination of general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), field programmable gate array (FPGAs), programmable logic devices (PLDs), controllers, state machines, gated logic, discrete hardware components, dedicated hardware finite state machines, or any other suitable entities that can perform calculations or other manipulations of information.
  • one or more automation devices 110 , 112 , and/or 114 ( FIG. 1 ) and/or electronic device 116 ( FIG. 1 ), may transmit data to network entity 102 .
  • the uplink data or signals from the one or more automation devices 110 , 112 , and/or 114 ( FIG. 1 ) and/or electronic device 116 ( FIG. 1 ) may be received by one or more antennas 220 a or 220 b , conditioned by receiver 216 , demodulated by a demodulator 208 , and processed by RX data and control processor 212 to recover the data and control information sent by the one or more automation devices 110 , 112 , and/or 114 ( FIG. 1 ) and/or electronic device 116 ( FIG. 1 ).
  • the processing for uplink transmission may be similar to or different from the processing for downlink transmission.
  • Controllers/processors 202 may direct the operation at network entity 102 .
  • Memories 222 may store data and program codes for the network entity 102 .
  • Scheduler 230 may schedule the one or more automation devices 110 , 112 , and/or 114 ( FIG. 1 ) and/or electronic device 116 ( FIG. 1 ), for downlink and/or uplink transmission and may provide assignments of system resources.
  • Although a number of separate components are illustrated in FIG. 2 , those of skill in the art will recognize that one or more of the components may be combined or commonly implemented. Further, each of the components illustrated in FIG. 2 may be implemented using a plurality of separate elements.
  • memory 222 may be or otherwise take the form of one or more computer-readable storage mediums.
  • the computer-readable storage mediums may be tangible and non-transitory.
  • the memory may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic disk storage devices, flash memory devices, or other non-volatile solid-state memory devices.
  • a corresponding memory controller may control access to memory by other components of network entity 102 and/or one or more modules and/or components of network entity 102 .
  • Executable instructions for performing these functions are, optionally, included in a transitory computer-readable storage medium or other computer program product configured for execution by one or more processors.
  • memory 222 of network entity 102 and/or each one of the modules and/or components of network entity 102 may be a non-transitory computer-readable storage medium, for storing computer-executable instructions, which, when executed by one or more computer processors, for example, can cause the computer processors to perform the techniques described herein.
  • the computer executable instructions can also be stored and/or transported within any non-transitory computer readable storage medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions.
  • a “non-transitory computer-readable storage medium” may be any medium that can tangibly contain or store computer-executable instructions for use by or in connection with the instruction execution system, apparatus, or device.
  • the non-transitory computer-readable storage medium can include, but is not limited to, magnetic, optical, and/or semiconductor storages. Examples of such storage include magnetic disks, optical discs based on CD, DVD, or Blu-ray technologies, as well as persistent solid-state memory such as flash, solid-state drives, and the like.
  • FIG. 3 illustrates network entity 102 including one or more device controllers in accordance with some aspects of the present disclosure.
  • network entity 102 may communicate with one or more automation devices (e.g., first automation device 320 , second automation device 330 , and/or third automation device 340 ).
  • one or more of first automation device 320 , second automation device 330 , and/or third automation device 340 may be the same as or similar to automation devices 110 , 112 , and/or 114 ( FIG. 1 ).
  • network entity 102 may be configured to receive, generate, and/or store one or more device controllers (e.g., first device controller 302 , second device controller 308 , and/or third device controller 314 ) associated with respective automation devices.
  • the one or more device controllers 302 , 308 , and/or 314 of network entity 102 enable network entity 102 to dynamically configure network access system 120 (e.g., firewall) so as to prevent unauthorized access to the network on which the devices reside.
  • a device controller may be instantiated for an automation device on a network. Further, a device controller may permit controlling and/or listening to an automation device's capabilities.
  • the device controller can also contain security parameters, services, and/or rules for an automation device.
  • the one or more device controllers 302 , 308 , and/or 314 may configure network access system 120 to manage communication between one or more automation devices 320 , 330 , and/or 340 and respective host devices (e.g., first host device 104 and/or second host device 106 , FIG. 1 ) based on defined parameters and/or rules in order to securely connect and communicate with the respective host device (e.g., first host device 104 and/or second host device 106 , FIG. 1 ).
  • the defined parameters and/or rules may be one or more communication services, or more specifically, one or more facades.
  • one or more device controllers 302 , 308 , 314 may manage operation between network entity 102 and the one or more devices (e.g., first device 320 , second device 330 , and/or third device 340 ) according to one or more communication services.
  • the one or more communication services may each be a facade or pattern of usage that specifies one or more device capability characteristics or one or more network services (e.g., ports, services, and/or network addresses).
  • a device capability characteristic may include a representation of a defined device operation.
  • an automation device in the form of a programmable light switch device may include a dimmable characteristic permitting or at least indicating that the automation device is capable of dimming, a switchable characteristic permitting or at least indicating that the automation device is capable of switching ON and OFF, and/or a hasWattage characteristic that permits or at least indicates the wattage at which the automation device operates.
  • each device controller may include one or more facades that, upon execution or activation of a device controller, configures one or more network access characteristics (e.g., rules, parameters, definition, communication capability/operation) of network access system 120 (e.g., firewall).
  • configuring the one or more network access characteristics of network access system 120 upon execution or activation of a respective device controller includes network entity 102 adjusting a whitelist or blacklist to include or exclude, respectively, one or both of the remote server service or the local access service.
  • configuring the one or more network access characteristics includes restricting communication on one or more outbound ports at network entity 102 .
  • configuring the one or more network access characteristics of network access system 120 includes configuring or adjusting a first set of network access characteristics to a second set of network access characteristics based on the facades.
  • a first set of network access characteristics may be a first set of communication parameters (e.g., one or more ports, addresses, protocols) by which network access system 120 may permit one or more automation devices 320 , 330 , and/or 340 to operate or communicate thereto.
  • the first set of communication parameters which in some aspects, may be a port or address, may be adjusted to define or obtain a second set of network access characteristics based on the facades.
  • first device controller 302 which may include first facade 304 and optionally second facade 306 , may be associated with or otherwise correspond to first automation device 320 .
  • second device controller 308 which may include third facade 310 and optionally fourth facade 312 .
  • an optional third device controller 314 may include fifth facade 316 and optionally sixth facade 318 .
  • first facade 304 , second facade 306 , third facade 310 , fourth facade 312 , fifth facade 316 , and/or sixth facade 318 may each be or otherwise include one of a device capability characteristic or a network service.
  • FIG. 4 illustrates an example of first device controller 302 in accordance with some aspects of the present disclosure. It should be understood that although first device controller 302 is shown, the aspects described herein with respect to FIG. 4 are not limited to first device controller 302 .
  • First device controller 302 may include first facade 304 and second facade 306 each including one or more communication services, and more specifically, one or more network services.
  • first facade 304 and/or second facade 306 of device controller 302 includes or specifies one or both of a remote server service (e.g., cloud network service) of a respective automation device, and/or one or more local access service (e.g., firewall) parameters of a local application in the local access network.
  • first device controller 302 may also include one or more additional facades, each of which may be one of a device capability characteristic or a network service.
  • first facade 304 may include or otherwise indicate one or more remote server services that specifies one or more hosts and/or ports of or used in accessing one or more remote host devices (e.g., first host device 104 and/or second host device 106 , FIG. 1 )).
  • the one or more remote host devices may be a cloud based service at a remote server associated with an automation device for which first device controller 302 enables secure communication between the aforementioned server and automation device.
  • first facade 304 may include or otherwise indicate one or more remote access parameters or rules which, when implemented by network entity 102 , may configure one or more network access characteristics of network access system 120 ( FIGS. 1 and 3 ) to enable or otherwise permit secure connection to a specified remote host device (e.g., first host device 104 , FIG. 1 ) associated with the automation device, and in turn prevent unauthorized access to the network on which the automation device resides.
  • first facade 304 may include one or more destination addresses 402 (e.g., of one or both of remote host devices 104 or 106 , FIG. 1 ) and one or more destination ports 404 (e.g., TCP ports and/or TCP/UDP ports of one or both of remote host devices 104 or 106 , FIG. 1 ).
  • second facade 306 may include or otherwise specify one or more local access network communication characteristics of the network entity. That is, second facade 306 may indicate one or more local hosts, ports (e.g., destination port 406 at network entity 102 ), and/or protocols at network entity 102 ( FIG. 1 ) that may be used in accessing one or both of a native application at the network or one or more host devices (e.g., first host device 104 and/or second host device 106 , FIG. 1 ). For instance, second facade 306 may configure the one or more network access characteristics of network access system 120 ( FIGS. 1 and 3 ) in such a way so as to permit communication within the local access network according to the one or more local hosts, ports, and/or protocols.
  • first device controller 302 may include one or more additional facades.
  • first device controller 302 can optionally include third facade 408 , which may configure one or both of a remote access connection (e.g., with a remote host device) or a local access connection (e.g., at network entity 102 , FIGS. 1 and 3 ).
  • third facade can optionally be or otherwise include destination address 410 and/or destination port 412 .
  • first device controller 302 can optionally include fourth facade 414 , which may configure or enable a device-specific capability.
  • fourth facade may optionally be or otherwise include device capability characteristic 416 ,
  • the one or more facades of device controller may configure network access system 120 ( FIGS. 1 and 3 ) of network entity 102 ( FIGS. 1-3 ) to control communication between one or more automation devices associated with the device controller and a remote host device.
  • the one or more facades may configure one or more network access characteristics of network access system 120 ( FIGS. 1 and 3 ).
  • configuring network access system 120 includes adjusting (e.g., permitting, enabling, or restricting) outbound communication from the electronic device to the remote host device according to one or both of first facade 304 (e.g., remote server service) or second facade 306 (e.g., local access service).
  • the aforementioned aspects enable network entity 102 ( FIGS. 1-3 ) and its applications to provide much higher network security.
  • a user may determine which automation devices should have Internet connectivity, and which should not. Such connectivity can also be configured to only work at a certain time or under certain circumstances.
  • because network entity 102 ( FIGS. 1-3 ) can manage or control the automation device's access to specific remote host (cloud) services, network entity 102 ( FIGS. 1-3 ) (e.g., via a runtime) can lock down devices when appropriate, thereby preventing outside or outbound communication.
  • the aforementioned may be beneficial when a security hole or other critical problem is reported with the given automation device.
  • an automation device may be initially provisioned with a service or software operating on a port that is unpublished or not supported by the vendor.
  • Such ports may be weak points in security, allowing unauthorized access and use of the automation device.
  • network access system 120 ( FIGS. 1 and 3 ) may prevent unauthorized access on such unpublished ports.
  • because network entity 102 ( FIGS. 1-3 ) is aware of (e.g., stores) the local ports (e.g., via facades) an automation device application uses in communicating with a remote host device, network entity 102 , via network access system 120 ( FIGS. 1 and 3 ) (e.g., firewall), may limit which clients or remote host devices may communicate with the automation device.
  • Such ability to limit or control communication may also be user configurable, providing the ability for a user to indicate who or what entity can control or configure a given automation device.
  • FIG. 5 illustrates a schematic diagram of a communication system 500 in accordance with some aspects of the present disclosure.
  • Communication system 500 may include network entity 102 , which facilitates communication between one or more automation devices 110 , 112 , and/or 114 , one or more electronic devices 116 and/or 530 , and/or one or more host devices 104 and 106 using or in accordance with network access system 120 (e.g., firewall), and in some cases, via Internet 108 .
  • Network entity 102 may be configured to prevent unauthorized access to one or more automation devices within the network (e.g., device LAN 520 ).
  • network access system 120 of network entity 102 prevents a rogue client or device from temporarily accessing the network and controlling, configuring, and/or loading malware on one or more automation devices.
  • network access system 120 of network entity 102 prevents malware or rogue configurations from allowing an intruder to remotely control the automation device or to tunnel network data outside the network.
  • network access system 120 of network entity 102 controls outbound communication to unauthorized host devices or servers on the Internet 108 .
  • network entity 102 may detect one or more automation devices 110 , 112 , and/or 114 .
  • network entity 102 may detect second automation device 112 , which may, in a non-limiting instance, take the form of a lighting device.
  • one or more services run on network entity 102 , in network entity's 102 runtime environment, which, through one or more stages, can detect when a new automation device arrives on the network.
  • one or more device controllers 302 , 308 , and/or 314 ( FIGS. 3 and 4 ) associated with the automation device (e.g., second automation device 112 ) may be selected based on the detection results.
  • network entity 102 may select second device controller 308 ( FIG. 3 ) associated with second automation device 112 based on detecting the same device within the network.
  • the detection of second automation device 112 may be an initial detection or a subsequent or reentry detection following an exit from network (e.g., device LAN 520 ).
  • selection of a corresponding device controller may be done so according to predetermined, pre-ran, or pre-executed detection result and subsequent association in a database at network entity 102 .
  • upon selecting one or more device controllers (e.g., second device controller 308 ) associated with the automation device (e.g., second automation device 112 ), the one or more device controllers including one or more communication services (e.g., facades) may be executed. Additionally, a secondary detection procedure may be performed upon execution of the one or more device controllers. For example, the secondary detection procedure includes querying the electronic device (e.g., second automation device 112 ) for one or more device capabilities (e.g., dimmable and/or switchable), a firmware version, communication services, and/or one or more service requests.
  • network entity 102 may be configured to implement one or more communication services or facades.
  • a runtime environment at network entity 102 may detect which one or more communication services or facades are implemented.
  • the runtime environment may also determine the type of device the device controller is to communicate with.
  • network entity 102 may authorize network access via one or more applications running within the runtime environment.
  • network entity 102 may be configured to execute the one or more communication services of the selected device controller.
  • the execution can adjust the network access system 120 (e.g., firewall).
  • second device controller 308 ( FIG. 3 ) may execute at least two communication services for second automation device 112 (e.g., lighting device) in order for it to securely connect with a respective remote host device (e.g., second host device 106 ), thereby configuring network access system 120 .
  • network entity 102 may configure network access system 120 to adjust (e.g., permit) outbound communication from first automation device 110 to first host device 104 via communication channel or path 514 according to one or both of the remote server service or the local access service. Further, for example, network entity 102 may configure network access system 120 to adjust (e.g., permit) outbound communication from second automation device 112 to second host device 106 via communication channel or path 516 according to one or both of the remote server service or the local access service.
  • remote server service may request for or permit access for second automation device 112 to communicate with second host device 106 on certain or defined ports and/or destination addresses.
  • local access service may request or permit access for trusted clients or devices to communicate with second automation device 112 on certain ports of network entity 102 . As such, an unauthorized attempt by or via a rogue host device 550 over communication channel or path 518 may be prevented, since inbound and/or outbound communication is permitted only on the configured ports and/or destination addresses.
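  • As an added illustration (example code written for this page, not code from the patent or its assignee), the following models how a device controller's facades compile into a default-deny whitelist at network access system 120 and how the resulting rules decide individual flows, including the rogue host and unpublished-port cases above and the lock-down of a device after a vulnerability report. All addresses, ports and device names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network


class Direction(Enum):
    OUTBOUND = "outbound"   # automation device -> remote host device (cloud service)
    INBOUND = "inbound"     # local client -> automation device, through the network entity


@dataclass(frozen=True)
class RemoteServerService:
    """Facade: the remote host (address or CIDR) and port a device may reach."""
    destination: str
    proto: str
    port: int


@dataclass(frozen=True)
class LocalAccessService:
    """Facade: a local port at the network entity and the trusted clients allowed to use it."""
    trusted_clients: str    # address or CIDR of clients permitted to reach the device
    proto: str
    port: int


@dataclass(frozen=True)
class DeviceController:
    device_id: str
    remote_services: tuple[RemoteServerService, ...] = ()
    local_services: tuple[LocalAccessService, ...] = ()


@dataclass(frozen=True)
class Flow:
    device_id: str
    direction: Direction
    peer: str               # remote host (outbound) or client (inbound) address
    proto: str
    port: int


@dataclass(frozen=True)
class Rule:
    device_id: str
    direction: Direction
    peer_net: IPv4Network | IPv6Network
    proto: str
    port: int

    def matches(self, flow: Flow) -> bool:
        return (flow.device_id == self.device_id and flow.direction is self.direction
                and flow.proto == self.proto and flow.port == self.port
                and ip_address(flow.peer) in self.peer_net)


class NetworkAccessSystem:
    """Default-deny whitelist: only rules compiled from facades permit a flow."""

    def __init__(self) -> None:
        self.whitelist: set[Rule] = set()

    def activate(self, ctrl: DeviceController) -> set[Rule]:
        """Executing a device controller turns its facades into whitelist rules
        (the first set of network access characteristics becomes the second)."""
        added: set[Rule] = set()
        for svc in ctrl.remote_services:
            added.add(Rule(ctrl.device_id, Direction.OUTBOUND,
                           ip_network(svc.destination, strict=False), svc.proto, svc.port))
        for svc in ctrl.local_services:
            added.add(Rule(ctrl.device_id, Direction.INBOUND,
                           ip_network(svc.trusted_clients, strict=False), svc.proto, svc.port))
        self.whitelist |= added
        return added

    def lock_down(self, device_id: str) -> int:
        """Drop every rule for a device (e.g. after a security hole is reported); returns the count removed."""
        before = len(self.whitelist)
        self.whitelist = {r for r in self.whitelist if r.device_id != device_id}
        return before - len(self.whitelist)

    def permits(self, flow: Flow) -> bool:
        return any(r.matches(flow) for r in self.whitelist)


def scenario() -> dict[str, bool]:
    """Constructed walk-through: addresses, ports and names are made up for this example."""
    nas = NetworkAccessSystem()
    light = DeviceController(
        "automation-112",
        remote_services=(RemoteServerService("203.0.113.10", "tcp", 8883),),   # its cloud service
        local_services=(LocalAccessService("192.168.2.0/24", "tcp", 8080),),   # trusted local clients
    )
    nas.activate(light)
    out = {
        "cloud_allowed": nas.permits(Flow("automation-112", Direction.OUTBOUND, "203.0.113.10", "tcp", 8883)),
        "other_server_blocked": not nas.permits(Flow("automation-112", Direction.OUTBOUND, "198.51.100.7", "tcp", 443)),
        "trusted_client_allowed": nas.permits(Flow("automation-112", Direction.INBOUND, "192.168.2.20", "tcp", 8080)),
        "rogue_host_blocked": not nas.permits(Flow("automation-112", Direction.INBOUND, "198.51.100.50", "tcp", 8080)),
        "unpublished_port_blocked": not nas.permits(Flow("automation-112", Direction.INBOUND, "192.168.2.20", "tcp", 23)),
    }
    nas.lock_down("automation-112")   # e.g. a vulnerability was reported for the device
    out["locked_down"] = not nas.permits(Flow("automation-112", Direction.OUTBOUND, "203.0.113.10", "tcp", 8883))
    return out
```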
  • any one or more of the automation devices may be part of the network access system 120 configuration.
  • network entity 102 may segment or divide a network into two or more networks based on device capabilities or classifications, and allocate devices newly joined or detected accordingly. By segmenting the overall network, network entity 102 may shield certain devices (e.g., automation devices) from networks that may operate according to relatively less security (e.g., no use of device controllers).
  • communication network 500 may include first local access network (LAN) 520 and second local access network (LAN) 540 .
  • First LAN 520 may include first automation device 110 , second automation device 112 , and third automation device 114 .
  • Second LAN 540 may include first electronic device 116 and second electronic device 530 .
  • first LAN 520 may operate according to different security or network access parameters as compared to second LAN 540 .
  • network access system 120 of network entity 102 may be configured to monitor and control access to first LAN 520 differently (e.g., according to the aspects described herein) as compared to second LAN 540 .
  • first local access network 520 may operate or facilitate communication according to a first communication standard.
  • second local access network 540 may operate or facilitate communication according to a second communication standard.
  • the first communication standard may be the same as or different from the second communication standard.
  • first local access network 520 may include a low-powered wireless network such as, for example, a 6lowPAN network, a ZIGBEE network, a DASH7 network, and/or a BLUETOOTH network.
  • second local access network 540 may include a high-powered wireless network, such as an IEEE 802.11 network (Wi-Fi), a WiMAX network, and/or a cellular network (e.g., LTE).
  • first local access network 520 and second local access network 540 may include any suitable wired or wireless network.
  • FIGS. 6A and 6B are flow diagrams of method 600 for configuring a network access system in accordance with some aspects of the present disclosure.
  • method 600 may be performed at network entity 102 ( FIGS. 1-3 and 5 ) in accordance with one or more device controllers (e.g., FIGS. 3 and 4 ) and as part of a communication system 100 ( FIG. 1 ) and/or 500 ( FIG. 5 ).
  • Some operations in method 600 may be combined, the order of some operations may be changed, and some operations may be omitted.
  • method 600 may detect an electronic device associated with a first class of devices (e.g., automation or Internet-of-things devices).
  • detecting the electronic device associated with the first class of devices at block 602 may include detecting based on a discovery service protocol. Further, at block 602 , method 600 may detect two or more electronic devices associated with or part of the first class of devices. Additionally, in some aspects, the first class of devices is associated with a first local access network different from a second local access network providing access to a second class of devices.
  • method 600 may determine whether a set of device controllers includes a device controller associated with the electronic device. For instance, in response to detecting the electronic device associated with the first class of devices, network entity 102 ( FIGS. 1-3 and 5 ) may be configured to execute one or more components, subcomponents, and/or modules (e.g., of FIG. 2 ) to determine whether a set of device controllers (e.g., device controllers 302 , 308 , and/or 314 , FIG. 3 ) includes a device controller (e.g., first device controller 302 , FIGS. 3 and 4 ) associated with the electronic device (e.g., one or more of automation devices 110 , 112 , and/or 114 , FIGS. 1 and 5 ).
  • method 600 may optionally generate the device controller for the electronic device in accordance with a determination that the set of device controllers does not include the device controller associated with the electronic device.
  • network entity 102 may be configured to execute one or more components, subcomponents, and/or modules (e.g., of FIG. 2 ) to generate the device controller (e.g., first device controller 302 , FIGS. 3 and 4 ) for the electronic device.
  • method 600 may select a device controller from a set of device controllers.
  • method 600 may optionally execute the device controller associated with the electronic device.
  • method 600 may optionally detect one or more communication characteristics.
  • detecting the one or more communication characteristics includes querying the electronic device (e.g., one or more of automation devices 110 , 112 , and/or 114 , FIGS. 1 and 5 ) for one or more device capabilities, a firmware version, and/or one or more service requests.
  • method 600 may optionally determine whether to grant network access via the network entity.
  • the aforementioned determination may be made in response to detecting the electronic device (e.g., at block 602 ) or selecting the device controller (e.g., first device controller 302 , FIGS. 3 and 4 ).
  • the aforementioned determination may include determining, via an application module, whether to grant network access via the network entity 102 ( FIGS. 1-3 and 5 ).
  • determining whether to grant network access to the network entity 102 includes determining whether an identifier of the electronic device (e.g., one or more of automation devices 110 , 112 , and/or 114 , FIGS. 1 and 5 ) matches a stored identifier at and/or known by the network entity 102 ( FIGS. 1-3 and 5 ). Further, based on determining that the identifier of the electronic device (e.g., one or more of automation devices 110 , 112 , and/or 114 , FIGS. 1 and 5 ) does not match the stored identifier at the network entity 102 ( FIGS. 1-3 and 5 ), a device access indication may be sent to a user device (e.g., electronic device 116 , FIG. 1 and/or electronic device 530 , FIG. 5 ).
  • the network entity 102 may receive an access authorization indication from the user device.
  • the access authorization indication permits network access for the electronic device (e.g., one or more of automation devices 110 , 112 , and/or 114 , FIGS. 1 and 5 ) at the network entity 102 ( FIGS. 1-3 and 5 ).
  • the identifier of the electronic device may be one or more of a mobile number, a telephone number, an International Mobile Equipment Identity (IMEI), an International Mobile Subscriber Identity (IMSI), a serial number, an Integrated Circuit Card Identifier (ICCID), or a mobile equipment identifier (MEID).
  • method 600 may optionally deny network access to the network entity based on receiving an access denial indication from the user device. Otherwise, at block 618 , method 600 may optionally provision the electronic device in response to receiving the access authorization indication.
  • method 600 may activate the one or more communication services.
  • each of the one or more communication services implements a facade or pattern of usage (e.g., one or more facades 304 and 306 , FIGS. 3 and 4 ) that specifies one or more device capability characteristics (e.g., of one or more automation devices) or one or more network services (e.g., of one or more of automation devices 110 , 112 , and/or 114 , FIGS. 1 and 5 ).
  • the one or more communication services or, more specifically, the one or more network services include one or both of a remote server service (e.g., first facade 304 , FIGS. 3 and 4 ) or a local access service (e.g., second facade 306 , FIGS. 3 and 4 ).
  • method 600 may configure a network access system at the network entity based on the one or more communication services.
  • configuring the network access system 120 includes adjusting (e.g., permitting) outbound communication from the electronic device (e.g., one or more of automation devices 110 , 112 , and/or 114 , FIGS. 1 and 5 ) to the remote host device (e.g., first host device 104 and/or second host device 106 , FIGS. 1 and 5 ) according to one or both of the remote server service (e.g., first facade 304 , FIGS. 3 and 4 ) or the local access service (e.g., second facade 306 , FIGS. 3 and 4 ).
  • configuring the network access system 120 includes adjusting a whitelist or blacklist to include or exclude, respectively, one or both of the remote server service (e.g., first facade 304 , FIGS. 3 and 4 ) or the local access service (e.g., second facade 306 , FIGS. 3 and 4 ).
  • a whitelist permits one or both of inbound or outbound communication between the electronic device (e.g., one or more of automation devices 110 , 112 , and/or 114 , FIGS. 1 and 5 ) and one or more remote host devices (e.g., first host device 104 and/or second host device 106 , FIGS. 1 and 5 ), whereas a blacklist prevents one or both of inbound or outbound communication between the electronic device and the one or more remote host devices.
  • configuring the network access system 120 includes restricting communication to one or more destination addresses of a remote host device (e.g., first host device 104 and/or second host device 106 , FIGS. 1 and 5 ) and/or on one or more outbound ports at the network entity 102 ( FIGS. 1-3 and 5 ) in response to activating the one or more communication services (e.g., one or more facades 304 and 306 , FIGS. 3 and 4 ).
  • configuring the network access system 120 ( FIGS. 1-3 and 5 ) at the network entity 102 ( FIGS. 1-3 and 5 ) includes configuring one or more network access characteristics (e.g., one or more rules, parameters, and/or operational characteristics) of the network access system from a first set of network access characteristics to a second set of network access characteristics based on the one or more communication services (e.g., one or more facades 304 and 306 , FIGS. 3 and 4 ).
  • configuring the network access system 120 ( FIGS. 1-3 and 5 ) at the network entity 102 ( FIGS. 1-3 and 5 ) includes a kernel module configured to modify a kernel according to the one or more communication services (e.g., one or more facades 304 and 306 , FIGS. 3 and 4 ).
  • method 600 may assign the electronic device associated with the first class of devices to the first local access network.
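  • As an added example for the admission steps of method 600 above (example code written for this page, not code from the patent or its assignee), the following models the decision flow at the network entity: select or generate a device controller on detection, admit a device whose identifier matches a stored one, otherwise send a device access indication and wait for the user's authorization or denial, then provision, activate the controller's communication services and assign the device to its class's local access network. Identifiers, models, LAN labels and service names are constructed placeholders.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class DeviceClass(Enum):
    AUTOMATION = "automation"   # first class of devices, placed on the first LAN
    USER = "user"               # second class of devices, placed on the second LAN


class State(Enum):
    PENDING_USER_AUTH = "pending_user_auth"   # device access indication sent to the user device
    DENIED = "denied"                         # access denial indication received
    ACTIVE = "active"                         # provisioned, services activated, LAN assigned


@dataclass(frozen=True)
class Device:
    identifier: str             # identifier reported by the device (e.g. a serial number)
    device_class: DeviceClass
    model: str


@dataclass(frozen=True)
class DeviceController:
    model: str
    services: tuple[str, ...]   # communication services (facades) activated on admission


@dataclass
class Record:
    device: Device
    controller: DeviceController
    state: State
    lan: str | None = None
    active_services: tuple[str, ...] = ()


# Constructed labels standing in for first LAN 520 and second LAN 540.
LAN_FOR_CLASS = {DeviceClass.AUTOMATION: "lan-520", DeviceClass.USER: "lan-540"}


class NetworkEntity:
    """Admission logic: detect, select or generate a controller, check the identifier,
    ask the user if it is unknown, then provision, activate and assign a LAN."""

    def __init__(self, known_identifiers: set[str], controllers: dict[str, DeviceController]):
        self.known = set(known_identifiers)   # stored identifiers known by the network entity
        self.controllers = dict(controllers)  # model -> device controller (the "set of device controllers")
        self.records: dict[str, Record] = {}
        self.prompts_sent: list[str] = []     # device access indications sent to the user device

    def on_detect(self, dev: Device) -> State:
        rec = self.records.get(dev.identifier)
        if rec is not None:
            return rec.state   # re-entry of an already admitted or denied device: no new prompt
        ctrl = self.controllers.get(dev.model)
        if ctrl is None:       # no controller in the set: generate one for this device
            ctrl = DeviceController(dev.model, ("remote_server_service", "local_access_service"))
            self.controllers[dev.model] = ctrl
        rec = Record(dev, ctrl, State.PENDING_USER_AUTH)
        self.records[dev.identifier] = rec
        if dev.identifier in self.known:
            return self._admit(rec)
        self.prompts_sent.append(dev.identifier)   # identifier unknown: the user decides
        return rec.state

    def on_user_response(self, identifier: str, authorized: bool) -> State:
        rec = self.records[identifier]
        if rec.state is not State.PENDING_USER_AUTH:
            raise ValueError(f"no authorization pending for {identifier}")
        if not authorized:
            rec.state = State.DENIED
            return rec.state
        self.known.add(identifier)     # remember the identifier for later detections
        return self._admit(rec)

    def _admit(self, rec: Record) -> State:
        """Provision the device, activate its services and assign it to its class's LAN."""
        rec.active_services = rec.controller.services
        rec.lan = LAN_FOR_CLASS[rec.device.device_class]
        rec.state = State.ACTIVE
        return rec.state

    def has_network_access(self, identifier: str) -> bool:
        rec = self.records.get(identifier)
        return rec is not None and rec.state is State.ACTIVE


def scenario() -> dict:
    """Constructed walk-through; identifiers and models are made up for this example."""
    light_ctrl = DeviceController("light-switch", ("remote_server_service", "local_access_service"))
    entity = NetworkEntity({"SN-0001"}, {"light-switch": light_ctrl})
    known = Device("SN-0001", DeviceClass.AUTOMATION, "light-switch")
    new_sensor = Device("SN-0002", DeviceClass.AUTOMATION, "sensor")   # model with no controller yet
    phone = Device("SN-0003", DeviceClass.USER, "phone")
    out = {}
    out["known_on_detect"] = entity.on_detect(known)
    out["new_on_detect"] = entity.on_detect(new_sensor)
    out["sensor_controller_generated"] = "sensor" in entity.controllers
    out["new_after_authorize"] = entity.on_user_response("SN-0002", True)
    out["phone_on_detect"] = entity.on_detect(phone)
    out["phone_after_deny"] = entity.on_user_response("SN-0003", False)
    out["lans"] = {i: r.lan for i, r in entity.records.items()}
    out["known_reentry"] = entity.on_detect(known)
    out["prompts"] = list(entity.prompts_sent)
    out["access"] = {i: entity.has_network_access(i) for i in ("SN-0001", "SN-0002", "SN-0003")}
    return out
```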
  • FIG. 7 illustrates a functional block diagram of a network entity in accordance with some aspects of the present disclosure.
  • an electronic device 700 which may be the same as or similar to network entity 102 ( FIGS. 1-3 and 5 ) includes memory unit 702 , which may be configured to store data for retrieval, and processing unit 704 coupled to the memory unit 702 .
  • processing unit 704 includes detecting unit 708 , selecting unit 710 , activating unit 712 , configuring unit 714 , determining unit 716 , generating unit 718 , executing unit 720 , adjusting unit 722 , sending unit 724 , receiving unit 726 , provisioning unit 728 , assigning unit 730 , restricting unit 732 , and modifying unit 734 .
  • Processing unit 704 may be configured to detect (e.g., using or via detecting unit 708 ) an electronic device associated with a first class of devices; select (e.g., using or via selecting unit 710 ) a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the network entity and the electronic device according to one or more communication services; activate (e.g., using or via activating unit 712 ) the one or more communication services in response to selecting the device controller from the set of device controllers; and configure (e.g., using or via configuring unit 714 ) a network access system at the network entity based on the one or more communication services.
  • processing unit 704 may further be configured to determine (e.g., using or via determining unit 716 ) whether the set of device controllers includes the device controller associated with the electronic device; and generate (e.g., using or via generating unit 718 ) the device controller for the electronic device in accordance with a determination that the set of device controllers does not include the device controller associated with the electronic device, wherein to select the device controller, processing unit 704 may further be configured to select (e.g., using or via selecting unit 710 ) the device controller from the set of device controllers in accordance with a determination that the set of device controllers includes the device controller associated with the electronic device.
  • the processing unit 704 may further be configured to execute (e.g., using or via executing unit 720 ), at the network entity, the device controller associated with the electronic device.
  • processing unit 704 may further be configured to detect (e.g., using or via detecting unit 708 ) one or more communication characteristics in response to executing the device controller associated with the electronic device.
  • each of the one or more communication services implements a facade or pattern of usage that specifies one or more device capability characteristics or one or more network services.
  • the one or more communication services or the one or more network services include one or both of: a remote server service that specifies one or more remote hosts or ports of the remote host device; or a local access service that specifies one or more local access network communication characteristics of the network entity.
  • processing unit 704 may be further configured to adjust (e.g., using or via adjusting unit 722 ) outbound communication from the electronic device to the remote host device according to one or both of the remote server service or the local access service.
  • processing unit 704 may further be configured to adjust (e.g., using or via adjusting unit 722 ) a whitelist or blacklist to include or exclude one or both of the remote server service or the local access service.
  • processing unit 704 may further be configured to adjust (e.g., using or via adjusting unit 722 ) a blacklist to exclude one or both of the remote server service or the local access service.
  • processing unit 704 may further be configured to detect (e.g., using or via detecting unit 708 ) based on a discovery service protocol.
  • processing unit 704 may further be configured to determine (e.g., using or via determining unit 716 ) whether to grant network access via the network entity in response to detecting the electronic device.
  • processing unit 704 may further be configured to: determine (e.g., using or via determining unit 716 ) whether an identifier of the electronic device matches a stored identifier known by the network entity; send (e.g., using or via sending unit 724 ) a device access indication to a user device based on determining that the identifier of the electronic device does not match the stored identifier at the network entity; and receive (e.g., using or via receiving unit 726 ) an access authorization indication from the user device in response to sending the device access indication.
  • processing unit 704 may further be configured to provision (e.g., using or via provisioning unit 728 ) the electronic device in response to receiving the access authorization indication.
  • processing unit 704 may further be configured to assign (e.g., using or via assigning unit 730 ) the electronic device associated with the first class of devices to the first local access network.
  • processing unit 704 may further be configured to restrict (e.g., using or via restricting unit 732 ) communication on one or more outbound ports at the network entity in response to activating the one or more communication services.
  • processing unit 704 may further be configured to configure (e.g., using or via configuring unit 714 ) one or more network access characteristics of the network access system from a first set of network access characteristics to a second set of network access characteristics based on the one or more communication services.
  • processing unit 704 may further be configured to modify (e.g., using or via modifying unit 734 ) a kernel according to the one or more communication services.
  • the network entity is a router.
  • the electronic device is one of a lighting control device, a lighting device, a thermostat device, a shading device, a wearable electronic sensor, a security device, an image capturing device, a recording device, an appliance, voice command device, or an entertainment device.
  • the network access system is a network firewall.
  • the network access system is a network access point.
  • the network access system is an industrial gateway or commercial base station.
  • the term “determining” encompasses a wide variety of actions. For example, “determining” may include calculating, computing, processing, deriving, investigating, looking up (e.g., looking up in a table, a database or another data structure), and/or ascertaining. Also, “determining” may include receiving (e.g., receiving information), accessing (e.g., accessing data in a memory) and the like. Also, “determining” may include resolving, selecting, choosing, and/or establishing.

Abstract

Methods and apparatus for configuring a network access system include detecting, at a network entity, an electronic device associated with a first class of devices. The methods and apparatus further include selecting a device controller from a set of device controllers based at least in part on detecting the electronic device. In some aspects, the device controller is associated with the electronic device and manages communication between the electronic device and a remote host device according to one or more communication services. In addition, the methods and apparatus include activating the one or more communication services in response to selecting the device controller from the set of device controllers. Additionally, the methods and apparatus include configuring one or more network access characteristics of a network access system at the network entity based on the one or more communication services.

Description

    BACKGROUND
  • The present disclosure generally relates to network communication, and more specifically to dynamically configuring a network access system.
  • In some communication systems, communication between one or more electronic devices may be facilitated using a network device such as, but not limited to a router. For example, a router may be a device that forwards data packets to various devices within a communication system employing one or more communication standards. In such communication systems, network security may be managed, at least in part, by a network access system such as, but not limited to, a firewall. For example, a firewall may monitor and control the incoming and outgoing network traffic. As such, a firewall may prevent unauthorized access to or from a communication system. However, firewalls may be static in operation and thus unable to provide a sufficient level of security to connected devices. Accordingly, it may be desirable to provide a device aware network access system that may be dynamically configurable.
  • SUMMARY
  • The following presents a simplified summary of one or more aspects in order to provide a basic understanding of such aspects. This summary is not an extensive overview of all contemplated aspects, and is intended to neither identify key or critical elements of all aspects nor delineate the scope of any or all aspects. Its purpose is to present some concepts of one or more aspects in a simplified form as a prelude to the more detailed description that is presented below.
  • In some aspects, a method includes detecting, at a network entity, an electronic device associated with a first class of devices; selecting a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the electronic device and a remote host device according to one or more communication services; activating the one or more communication services in response to selecting the device controller from the set of device controllers; and configuring a network access system at the network entity based on the one or more communication services.
  • In some aspects, a computer-readable storage medium comprising one or more programs for execution by one or more processors of an electronic device, the one or more programs including instructions which, when executed by the one or more processors, cause the electronic device to: detect an electronic device associated with a first class of devices; select a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the electronic device and a remote host device according to one or more communication services; activate the one or more communication services in response to selecting the device controller from the set of device controllers; and configure a network access system at the network entity based on the one or more communication services.
  • In some aspects, an electronic apparatus comprising: one or more processors; memory; and one or more programs stored in the memory, the one or more programs including instructions for: detecting an electronic device associated with a first class of devices; selecting a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the electronic device and a remote host device according to one or more communication services; activating the one or more communication services in response to selecting the device controller from the set of device controllers; and configuring a network access system at the network entity based on the one or more communication services.
  • In some aspects, an electronic apparatus comprising: a memory unit; and a processing unit connected to the memory unit, wherein the processing unit is configured to: detect an electronic device associated with a first class of devices; select a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the electronic device and a remote host device according to one or more communication services; activate the one or more communication services in response to selecting the device controller from the set of device controllers; and configure a network access system at the network entity based on the one or more communication services.
  • In some aspects, an electronic apparatus comprising: means for detecting an electronic device associated with a first class of devices; means for selecting a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the electronic device and a remote host device according to one or more communication services; means for activating the one or more communication services in response to selecting the device controller from the set of device controllers; and means for configuring a network access system at the network entity based on the one or more communication services.
  • DESCRIPTION OF THE FIGURES
  • For a better understanding of the various described aspects, reference should be made to the description below, in conjunction with the following figures in which like reference numerals refer to corresponding parts throughout the figures.
  • FIG. 1 illustrates a schematic diagram of a communication system including a network entity and one or more electronic devices in accordance with some aspects of the present disclosure.
  • FIG. 2 illustrates a block diagram of a network entity in accordance with some aspects of the present disclosure.
  • FIG. 3 illustrates a network entity including one or more device controllers in accordance with some aspects of the present disclosure.
  • FIG. 4 illustrates an example of a device controller in accordance with some aspects of the present disclosure.
  • FIG. 5 illustrates a schematic diagram of a communication network in accordance with some aspects of the present disclosure.
  • FIGS. 6A and 6B are flow diagrams of a method of configuring a network access system in accordance with some aspects of the present disclosure.
  • FIG. 7 illustrates a functional block diagram of a network entity in accordance with some aspects of the present disclosure.
  • DETAILED DESCRIPTION
  • Various aspects of the systems, apparatuses, and methods are described more fully hereinafter with reference to the accompanying figures. This disclosure may, however, be embodied in many different forms and should not be construed as limited to any specific structure or function presented throughout this disclosure. Rather, these aspects are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art. Based on the teachings herein one skilled in the art should appreciate that the scope of the disclosure is intended to cover any aspect of the systems, apparatuses, and methods disclosed herein, whether implemented independently of, or combined with, any other aspect described herein. For example, an apparatus may be implemented or a method may be practiced using any number of the aspects set forth herein. In addition, the scope of the present aspects is intended to cover such an apparatus or method which is practiced using other structure, functionality, or structure and functionality in addition to or other than the various aspects set forth herein. It should be understood that any aspect disclosed herein may be embodied by one or more elements of a claim.
  • Although particular aspects are described herein, many variations and permutations of these aspects fall within the scope of the disclosure. Although some benefits and advantages of the aspects are mentioned, the scope of the disclosure is not intended to be limited to particular benefits, uses, or objectives. Rather, aspects of the disclosure are intended to be broadly applicable to different communication technologies, system configurations, networks, and transmission protocols, some of which are illustrated by way of example in the figures and in the following description of the aspects. The detailed description and figures are merely illustrative of the disclosure rather than limiting, the scope of the disclosure being defined by the appended claims and equivalents thereof.
  • The present aspects generally relate to configuring a network access system. Specifically, the present aspects may automatically and/or dynamically configure a network access system such as, but not limited to, a firewall at a network entity according to or based on one or more detected automation devices. For example, a network access system (e.g., firewall) of a network entity may be initially established or provisioned according to a first set of electronic devices. As such, the network access system (e.g., firewall) may authorize access or block unauthorized access while permitting outward communication. Further, a second set of electronic devices classified as automation devices, operating according to a set of communication parameters (e.g., rules or standards) different from the first set of electronic devices, may be detected by the network entity. These automation devices in turn may transmit and receive data packets via the network entity.
  • However, the network access system (e.g., firewall) permits or denies access to or from the automation devices based on the same communication parameters used for the first set of electronic devices. Such an implementation may leave the network vulnerable, as a number of different protocols or layers by which access to or from the network may be made via the automation device are unaccounted for. With the network access system unable to be established or configured accordingly, unauthorized access to the network may be made.
  • For example, a network entity (e.g., router) may transmit and receive Internet Protocol (IP) data packets between one or more networks in accordance with one or more communication standards or protocols. A communications protocol may be a system of rules that allow two or more entities of a communications system to transmit information via any kind of variation of a physical quantity. However, a network entity may not make determinations based on content of the data packet beyond the network or transport layer (e.g., layer 3 and 4 in the Open Systems Interconnection (OSI) network model). In some instances, a network entity may perform deep packet inspection to look at specific protocols for some signature representing a specific risk. For instance, a Simple Mail Transfer Protocol (SMTP) gateway may inspect or search for viruses in email traffic.
  • Nonetheless, monitoring and determining whether to permit access to a network may be specific to only a limited number of protocols. This is due in part to the development and maintenance of homogeneity in protocol structure and operation. Yet automation devices may operate outside of the typical protocol structure. That is, automation devices may trigger a fading of protocol homogeneity and, conversely, a shift to a more heterogeneous structure of additional protocols. Accordingly, a network access system (e.g., firewall) of a network entity (e.g., router) may expand its access monitoring and/or determinations to the additional protocols or layers.
  • In particular, communication with automation devices may involve protocols or layers above data packets at Layer 3. For example, some of these communication standards may include, but are not limited to, ZigBee, Bluetooth, Z-Wave, 6LoWPAN, and/or Thread. Some of the aforementioned communication protocols may operate according to or otherwise include an external computer or ‘hub’ to bridge them to the Internet along with a user application that works with that bridge. That is, their respective communication protocol does not operate solely according to or solely access the Internet Protocol. This may result in numerous hubs being established at a location (e.g., home or office) as automation devices are added. Furthermore, the security of each of these hubs may be separately controlled resulting in a disjointed automation device security policy lacking cohesion and uniformity.
  • Additionally, it may be desirable for a network access system (e.g., firewall) to monitor and control the incoming and outgoing network traffic based on the hardware and software characteristics of automation devices. For instance, automation devices may be designed and programmed with a set of constraints distinct from those of traditional “fatter” clients or devices on a network, such as smartphones, tablets and personal computers. Constraints such as comparatively smaller amounts of random access memory (RAM) and permanent storage, such as flash memory, limit the sophistication of the software on such a device. In turn, automation devices may be upgraded less often than larger electronic devices. As such, automation devices may be prone to having security holes, and hence more stringent network access (e.g., firewalling) control may be desirable.
  • Further, the existing network security patterns of a network access system do not work effectively with automation devices. As an example, a network access system of some network entities (e.g., router devices) may implement security according to Network Address Translation (NAT). NAT may conceal vulnerable laptops and PCs in the home behind a single address which allows outbound communications, but not inbound requests. However, in a network including one or more automation devices (e.g., sensor devices and/or controllable devices), these devices may desire access to and from the Internet, which NAT may prevent. Additionally, some network entities employing NAT may allow all or nearly all outbound data packets out of the network. As a result, in the event access to the network is obtained by an unauthorized entity, an automation device may send data to the unauthorized entity (e.g., server). That is, even in such a case where unauthorized access is obtained to the network, the automation device is nonetheless not prevented (e.g., via a firewall) from sending data to the unauthorized entity.
  • Accordingly, in some aspects, the present methods and apparatus may provide an efficient and effective solution, as compared to current solutions, to provide a network entity (e.g., router) having a network access system (e.g., firewall) that dynamically configures network access according to detected automated devices. Specifically, the present methods and apparatus may detect an electronic device associated with or belonging to a first class of devices (e.g., automation devices), and configure a network access system (e.g., firewall) at the network entity (e.g., router) based on the one or more communication services associated with a device controller.
  • Referring to FIG. 1, a schematic diagram of a communication system 100 is illustrated in accordance with some aspects of the present disclosure. Communication system 100 may include network entity 102, which may be configured to transmit and receive data packets to various devices within communication system 100 employing one or more communication standards (e.g., WiFi). In some aspects, communication system 100 may include one or more automation devices (e.g., first automation device 110, second automation device 112, and third automation device 114), as well as electronic device 116. In some aspects, an automation device may be a device embedded with electronics, software, sensors, and/or network connectivity, which may enable the device to collect and exchange data. As such, one or more automation devices 110, 112, and/or 114 and/or electronic device 116 may connect to network entity 102 via a compliant wireless link or connection to obtain general connectivity to Internet 108 or to other wide area networks.
  • Further, communication system 100 includes first host device 104 and second host device 106, each of which may be configured to store and communicate data with corresponding automation devices 110, 112, 114, and/or electronic device 116. For example, first host device 104 may include data specific to or otherwise associated with first automation device 110. In some aspects, first host device 104 and second host device 106 may be accessed via Internet 108 to provide device-specific data or information to automation devices 110, 112, 114, and/or electronic device 116.
  • In an example, first automation device 110 may communicate with corresponding first host device 104 (e.g., via network entity 102 and Internet 108) to transmit and receive data specific to the operation and usage of first automation device 110. As such, a first hub or network may be established including first automation device 110 and first host device 104. Additionally, communication with a corresponding host device may be done so according to one or more communication standards or protocols. For instance, the first hub or network may communicate according to a first communication standard or protocol (e.g., Bluetooth).
  • Similarly, second automation device 112 and/or third automation device 114 may communicate with corresponding second host device 106 (e.g., via network entity 102 and Internet 108) to transmit and receive data specific to the operation and usage of second automation device 112 and/or third automation device 114. As a result, a second hub or network may be established. Further, the second hub or network may communicate according to a second communication standard or protocol (e.g., ZigBee), which may be the same as or distinct from the first communication standard or protocol. In some aspects, first host device 104 and second host device 106 may each be one or more servers.
  • Communication system 100 may also include network access system 120, which may be configured to monitor and control incoming and outgoing network traffic based on one or more security parameters. In some aspects, network access system 120 may be or otherwise include a firewall. For example, network access system 120 may prevent unauthorized access to or from a private network of or at network entity 102. In some aspects, network access system 120 may be embodied within, performed at or by, or include one or both of hardware or software. In some aspects, network access system 120 may be a network firewall, a network access point, and/or an industrial gateway or commercial base station.
  • In some aspects, an automation device (e.g., automation devices 110, 112, and/or 114) may be a device associated with or otherwise referred to as an Internet-of-Things device. For example, an automation device may be or otherwise include, but not limited to, a device (e.g., sensor and/or controller) used, for instance, in lighting systems, power control systems, Heating, Ventilation, and Air Conditioning (HVAC) systems, thermostats, security systems (e.g., cameras, motion detectors, and/or locks), garage doors, water systems (e.g., sprinklers, filtration, and/or pumps), a shading device, a wearable electronic sensor, a security device, an image capturing device, a recording device, an appliance, voice command device, or an entertainment device.
  • In some aspects, network entity 102 may be an access point configured to permit one or more automation devices and/or electronic devices to connect to a network (e.g., WLAN) using one or more communication standards (e.g., WiFi). The access point may connect to, be part of, or otherwise include a router, which may be configured to forward or route data packets from one end or device (e.g., automation devices 110, 112, 114 and/or electronic device 116) to another end or device (e.g., first host device 104 and/or second host device 106). That is, in some aspects, the access point may be an integral component of the router. Further, for instance, the one or more communication standards may include, but are not limited to, 6lowPAN, ZIGBEE, DASH7, BLUETOOTH, IEEE 802.11 (WiFi), WiMAX, and/or a cellular standard (e.g., LTE). In some aspects, electronic device 116 and/or automation devices 110, 112, and/or 114 may also be used as an access point. Further, in some aspects, the access point may serve as a hub or base station for the network, and a wireless device may serve as a user of the network (e.g., WLAN).
  • In some aspects, electronic device 116 may include, be implemented as, or known as an access terminal (“AT”), a subscriber station, a subscriber unit, a mobile station, a remote station, a remote terminal, a user terminal, a user agent, a user device, user equipment, or some other terminology. In some implementations an access terminal may comprise a cellular telephone, a cordless telephone, a Session Initiation Protocol (“SIP”) phone, a wireless local loop (“WLL”) station, a personal digital assistant (“PDA”), a handheld device having wireless connection capability, or some other suitable processing device connected to a wireless modem. Accordingly, one or more aspects disclosed herein may be incorporated into a phone (e.g., a cellular phone or smartphone), a computer (e.g., a laptop), a portable communication device, a headset, a portable computing device (e.g., a personal data assistant), an entertainment device (e.g., a music or video device, or a satellite radio), a gaming device or system, a global positioning system device, or any other suitable device that is configured to communicate via a wireless medium.
  • In some aspects, communication system 100 may include or otherwise be part of a sensor network, home sensor network, wireless sensor network, environmental sensor network, traffic sensor network, and/or surveillance sensor network.
  • FIG. 2 illustrates a block diagram of a design of network entity 102. At network entity 102, transmit (TX) data and control processor 210 may receive traffic data from a data source and/or control information from a controller/processor 202. Processor 202 may process (e.g., format, encode, decode, and/or symbol map) the traffic data and control information and provide modulation symbols. Modulator (MOD) 206 may process the modulation symbols and provide output chips/data. Transmitter (TMTR) 214 may process (e.g., convert to analog, amplify, filter, and upconvert) the output data and generate a downlink signal, which may be transmitted via one or more antennas 220 a or 220 b.
  • Processor 404 may include or be a component of a processing system implemented with one or more processors. The one or more processors may be implemented with any combination of general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), field programmable gate arrays (FPGAs), programmable logic devices (PLDs), controllers, state machines, gated logic, discrete hardware components, dedicated hardware finite state machines, or any other suitable entities that can perform calculations or other manipulations of information.
  • On the uplink, one or more automation devices 110, 112, and/or 114 (FIG. 1) and/or electronic device 116 (FIG. 1), may transmit data to network entity 102. At network entity 102, the uplink data or signals from the one or more automation devices 110, 112, and/or 114 (FIG. 1) and/or electronic device 116 (FIG. 1), may be received by one or more antennas 220 a or 220 b, conditioned by receiver 216, demodulated by a demodulator 208, and processed by RX data and control processor 212 to recover the data and control information sent by the one or more automation devices 110, 112, and/or 114 (FIG. 1) and/or electronic device 116 (FIG. 1). In some aspects, the processing for uplink transmission may be similar to or different from the processing for downlink transmission.
  • Controllers/processors 202 may direct the operation at network entity 102. Memories 222 may store data and program codes for the network entity 102. Scheduler 230 may schedule the one or more automation devices 110, 112, and/or 114 (FIG. 1) and/or electronic device 116 (FIG. 1), for downlink and/or uplink transmission and may provide assignments of system resources.
  • Although a number of separate components are illustrated in FIG. 2, those of skill in the art will recognize that one or more of the components may be combined or commonly implemented. Further, each of the components illustrated in FIG. 2 may be implemented using a plurality of separate elements.
  • In some aspects, memory 222 may be or otherwise take the form of one or more computer-readable storage mediums. The computer-readable storage mediums may be tangible and non-transitory. The memory may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic disk storage devices, flash memory devices, or other non-volatile solid-state memory devices. A corresponding memory controller may control access to memory by other components of network entity 102 and/or one or more modules and/or components of network entity 102. Executable instructions for performing these functions are, optionally, included in a transitory computer-readable storage medium or other computer program product configured for execution by one or more processors.
  • Further, memory 222 of network entity 102 and/or each one of the modules and/or components of network entity 102 may be a non-transitory computer-readable storage medium, for storing computer-executable instructions, which, when executed by one or more computer processors, for example, can cause the computer processors to perform the techniques described herein. The computer executable instructions can also be stored and/or transported within any non-transitory computer readable storage medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. In some aspects, a “non-transitory computer-readable storage medium” may be any medium that can tangibly contain or store computer-executable instructions for use by or in connection with the instruction execution system, apparatus, or device. The non-transitory computer-readable storage medium can include, but is not limited to, magnetic, optical, and/or semiconductor storages. Examples of such storage include magnetic disks, optical discs based on CD, DVD, or Blu-ray technologies, as well as persistent solid-state memory such as flash, solid-state drives, and the like.
  • FIG. 3 illustrates network entity 102 including one or more device controllers in accordance with some aspects of the present disclosure. As shown in FIG. 3, network entity 102 may communicate with one or more automation devices (e.g., first automation device 320, second automation device 330, and/or third automation device 340). In some aspects, one or more of first automation device 320, second automation device 330, and/or third automation device 340 may be the same as or similar to automation devices 110, 112, and/or 114 (FIG. 1).
  • For instance, network entity 102 may be configured to receive, generate, and/or store one or more device controllers (e.g., first device controller 302, second device controller 308, and/or third device controller 314) associated with respective automation devices. Specifically, the one or more device controllers 302, 308, and/or 314 of network entity 102 enable network entity 102 to dynamically configure network access system 120 (e.g., firewall) so as to prevent unauthorized access to the network on which the devices reside. In particular, a device controller may be instantiated for an automation device on a network. Further, a device controller may permit controlling and/or listening to an automation device's capabilities. The device controller can also contain security parameters, services, and/or rules for an automation device.
  • For example, the one or more device controllers 302, 308, and/or 314 may configure network access system 120 to manage communication between one or more automation devices 320, 330, and/or 340 and respective host devices (e.g., first host device 104 and/or second host device 106, FIG. 1) based on defined parameters and/or rules in order to securely connect and communicate with the respective host device (e.g., first host device 104 and/or second host device 106, FIG. 1). In some aspects, the defined parameters and/or rules may be one or more communication services, or more specifically, one or more facades.
  • In particular, one or more device controllers 302, 308, 314 may manage operation between network entity 102 and the one or more devices (e.g., first device 320, second device 330, and/or third device 340) according to one or more communication services. Further, the one or more communication services may each be a facade or pattern of usage that specifies one or more of a device capability characteristics or one or more network services (e.g., ports, services, and/or network addresses).
  • For example, a device capability characteristic may include a representation of a defined device operation. In some non-limiting aspects, an automation device in the form of a programmable light switch device may include a dimmable characteristic permitting or at least indicating that the automation device is capable of dimming, a switchable characteristic permitting or at least indicating that the automation device is capable of switching ON and OFF, and/or a hasWattage characteristic that permits or at least indicates the wattage at which the automation device operates. Further aspects of the one or more network services are described herein with respect to FIG. 4. Thus, each device controller may include one or more facades that, upon execution or activation of the device controller, configure one or more network access characteristics (e.g., rules, parameters, definitions, communication capability/operation) of network access system 120 (e.g., firewall).
  • For example, in some aspects, configuring the one or more network access characteristics of network access system 120 upon execution or activation of a respective device controller (and in turn, one or more facades) includes network entity 102 adjusting a whitelist or blacklist to include or exclude, respectively, one or both of the remote server service or the local access service. In some aspects, configuring the one or more network access characteristics includes restricting communication on one or more outbound ports at network entity 102.
  • Further, in some aspects, configuring the one or more network access characteristics of network access system 120 includes adjusting a first set of network access characteristics to a second set of network access characteristics based on the facades. For example, the first set of network access characteristics may be a first set of communication parameters (e.g., one or more ports, addresses, protocols) by which network access system 120 permits one or more automation devices 320, 330, and/or 340 to operate or communicate. The first set of communication parameters, which in some aspects may be a port or address, may then be adjusted to define or obtain the second set of network access characteristics based on the facades.
  • In some aspects, first device controller 302, which may include first facade 304 and optionally second facade 306, may be associated with or otherwise correspond to first automation device 320. Further, second device controller 308 may include third facade 310 and optionally fourth facade 312. Additionally, an optional third device controller 314 may include fifth facade 316 and optionally sixth facade 318. In some aspects, first facade 304, second facade 306, third facade 310, fourth facade 312, fifth facade 316, and/or sixth facade 318 may each be or otherwise include one of a device capability characteristic or a network service.
  • FIG. 4 illustrates an example of first device controller 302 in accordance with some aspects of the present disclosure. It should be understood that although first device controller 302 is shown, the aspects described herein with respect to FIG. 4 are not limited to first device controller 302. First device controller 302 may include first facade 304 and second facade 306 each including one or more communication services, and more specifically, one or more network services. In particular, first facade 304 and/or second facade 306 of device controller 302 includes or specifies one or both of a remote server service (e.g., cloud network service) of a respective automation device, and/or one or more local access service (e.g., firewall) parameters of a local application in the local access network. However, first device controller 302 may also include one or more additional facades, each of which may be one of a device capability characteristic or a network service.
  • In some aspects, first facade 304 may include or otherwise indicate one or more remote server services that specify one or more hosts and/or ports of or used in accessing one or more remote host devices (e.g., first host device 104 and/or second host device 106, FIG. 1). For example, the one or more remote host devices may be a cloud-based service at a remote server associated with an automation device, for which first device controller 302 enables secure communication between the aforementioned server and automation device.
  • Specifically, first facade 304 may include or otherwise indicate one or more remote access parameters or rules which, when implemented by network entity 102, may configure one or more network access characteristics of network access system 120 (FIGS. 1 and 3) to enable or otherwise permit secure connection to a specified remote host device (e.g., first host device 104, FIG. 1) associated with the automation device, and in turn prevent unauthorized access to the network on which the automation device resides. In some aspects, first facade 304 may include one or more destination addresses 402 (e.g., of one or both of remote host devices 104 or 106, FIG. 1) and one or more destination ports 404 (e.g., TCP ports and/or TCP/UDP ports of one or both of remote host devices 104 or 106, FIG. 1).
  • In some aspects, second facade 306 may include or otherwise specify one or more local access network communication characteristics of the network entity. That is, second facade 306 may indicate one or more local hosts, ports (e.g., destination port 406 at network entity 102), and/or protocols at network entity 102 (FIG. 1) that may be used in accessing one or both of a native application at the network or one or more host devices (e.g., first host device 104 and/or second host device 106, FIG. 1). For instance, second facade 306 may configure the one or more network access characteristics of network access system 120 (FIGS. 1 and 3) so as to permit communication within the local access network according to the one or more local hosts, ports, and/or protocols.
  • Further, first device controller 302 may include one or more additional facades. For instance, first device controller 302 can optionally include third facade 408, which may configure one or both of a remote access connection (e.g., with a remote host device) or a local access connection (e.g., at network entity 102, FIGS. 1 and 3). In particular, third facade 408 can optionally be or otherwise include destination address 410 and/or destination port 412. Additionally, first device controller 302 can optionally include fourth facade 414, which may configure or enable a device-specific capability. Specifically, fourth facade 414 may optionally be or otherwise include device capability characteristic 416.
  • As such, the one or more facades of a device controller may configure network access system 120 (FIGS. 1 and 3) of network entity 102 (FIGS. 1-3) to control communication between one or more automation devices associated with the device controller and a remote host device. In particular, the one or more facades may configure one or more network access characteristics of network access system 120 (FIGS. 1 and 3). For example, configuring network access system 120 (FIGS. 1 and 3) includes adjusting (e.g., permitting, enabling, or restricting) outbound communication from the electronic device to the remote host device according to one or both of first facade 304 (e.g., remote server service) or second facade 306 (e.g., local access service). Similarly, configuring network access system 120 (FIGS. 1 and 3) includes adjusting (e.g., permitting, enabling, or restricting) inbound communication from the remote host device to the electronic device according to one or both of first facade 304 (e.g., remote server service) or second facade 306 (e.g., local access service).
  • As such, the ability to specify network specifications per individual automation device, via one or more device controllers, allows network entity 102 (FIGS. 1-3) and its applications to provide much higher network security. For example, with respect to user configurability, a user may determine which automation devices should have Internet connectivity and which should not. Such connectivity can also be configured to work only at a certain time or under certain circumstances. Further, with regard to lock-down capabilities, because network entity 102 (FIGS. 1-3) can manage or control an automation device's access to specific remote host (cloud) services, network entity 102 (FIGS. 1-3) (e.g., via a runtime) can lock down devices when appropriate, thereby preventing outside or outbound communication. This may be beneficial when a security hole or other critical problem is reported for the given automation device.
  • Additionally, access to unpublished services may be prevented. For instance, in some cases, an automation device may be initially provisioned with a service or software operating on a port that is unpublished or not supported by the vendor. Such ports may be weak points in security, allowing unauthorized access and use of the automation device. Accordingly, network access system 120 (FIGS. 1 and 3) may prevent unauthorized access on such unpublished ports.
  • Moreover, as network entity 102 (FIGS. 1-3) is aware of (e.g., stores) the local ports (e.g., via facades) an automation device application uses in communicating with a remote host device, network entity 102 (FIGS. 1-3), via network access system 120 (FIGS. 1 and 3) (e.g., firewall) may limit which clients or remote host devices may communicate with automation device. Such ability to limit or control communication may also be user configurable, providing the ability for a user to indicate who or what entity can control or configure a given automation device.
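The facade-to-firewall translation described above (remote server service for outbound cloud access, local access service for trusted LAN clients, lock-down, and the blocking of unpublished ports), as an added example that is not code from the patent or its assignee. The data model, the names RemoteServerService, LocalAccessService, DeviceController, Rule, configure_network_access and evaluate, and all addresses and ports are assumptions constructed for the example; the rule list is evaluated first-match-wins with an implicit deny, which is the "unpublished port" behaviour the text describes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_NET = "0.0.0.0/0"  # wildcard address used by lock-down rules


@dataclass(frozen=True)
class RemoteServerService:
    """First facade: remote host addresses and ports the device may reach (outbound)."""
    destination_addresses: Tuple[str, ...]          # CIDR strings
    destination_ports: Tuple[Tuple[str, int], ...]  # (protocol, port) pairs


@dataclass(frozen=True)
class LocalAccessService:
    """Second facade: local ports trusted LAN clients may use to reach the device (inbound)."""
    trusted_clients: Tuple[str, ...]                # CIDR strings
    local_ports: Tuple[Tuple[str, int], ...]


@dataclass
class DeviceController:
    device_id: str                 # identifier of the automation device (constructed MAC)
    device_addr: str               # address of the device on the device LAN
    remote: Optional[RemoteServerService] = None
    local: Optional[LocalAccessService] = None
    locked_down: bool = False      # lock-down capability: block all traffic for this device


@dataclass(frozen=True)
class Rule:
    direction: str   # "outbound" (device -> remote) or "inbound" (client -> device)
    src: str         # source CIDR
    dst: str         # destination CIDR
    proto: str       # "tcp", "udp" or "any"
    port: int        # 0 means any port
    action: str      # "permit" or "deny"


def configure_network_access(controllers: List[DeviceController]) -> List[Rule]:
    """Translate each controller's facades into an ordered rule list.

    Rules are evaluated first-match-wins and anything unmatched is denied, so a
    device with no facades, or a port no facade publishes, gets no connectivity.
    """
    rules: List[Rule] = []
    for c in controllers:
        host = f"{c.device_addr}/32"
        if c.locked_down:
            rules.append(Rule("outbound", host, ANY_NET, "any", 0, "deny"))
            rules.append(Rule("inbound", ANY_NET, host, "any", 0, "deny"))
            continue
        if c.remote is not None:
            for dst in c.remote.destination_addresses:
                for proto, port in c.remote.destination_ports:
                    rules.append(Rule("outbound", host, dst, proto, port, "permit"))
        if c.local is not None:
            for client in c.local.trusted_clients:
                for proto, port in c.local.local_ports:
                    rules.append(Rule("inbound", client, host, proto, port, "permit"))
    return rules


def _matches(r: Rule, direction: str, src: str, dst: str, proto: str, port: int) -> bool:
    return (r.direction == direction
            and ip_address(src) in ip_network(r.src)
            and ip_address(dst) in ip_network(r.dst)
            and r.proto in ("any", proto)
            and r.port in (0, port))


def evaluate(rules: List[Rule], direction: str, src: str, dst: str, proto: str, port: int) -> str:
    """Return "permit" or "deny" for one flow; flows matching no rule are denied."""
    for r in rules:
        if _matches(r, direction, src, dst, proto, port):
            return r.action
    return "deny"


# Constructed controller for a lighting device: cloud service at 203.0.113.10:443,
# local control from the client LAN 198.51.100.0/24 on port 8080.
LIGHTING_CONTROLLER = DeviceController(
    device_id="02:00:00:00:00:12",
    device_addr="192.0.2.20",
    remote=RemoteServerService(("203.0.113.10/32",), (("tcp", 443),)),
    local=LocalAccessService(("198.51.100.0/24",), (("tcp", 8080),)),
)


def demo() -> dict:
    """Run constructed flows through the rules, including rogue-host attempts."""
    rules = configure_network_access([LIGHTING_CONTROLLER])
    verdicts = {
        "device_to_cloud": evaluate(rules, "outbound", "192.0.2.20", "203.0.113.10", "tcp", 443),
        "device_to_rogue_host": evaluate(rules, "outbound", "192.0.2.20", "198.18.0.5", "tcp", 443),
        "trusted_client_to_device": evaluate(rules, "inbound", "198.51.100.7", "192.0.2.20", "tcp", 8080),
        "rogue_host_to_device": evaluate(rules, "inbound", "198.18.0.5", "192.0.2.20", "tcp", 8080),
        "client_to_unpublished_port": evaluate(rules, "inbound", "198.51.100.7", "192.0.2.20", "tcp", 23),
    }
    locked = DeviceController("02:00:00:00:00:12", "192.0.2.20",
                              LIGHTING_CONTROLLER.remote, LIGHTING_CONTROLLER.local, locked_down=True)
    verdicts["locked_down_device_to_cloud"] = evaluate(
        configure_network_access([locked]), "outbound", "192.0.2.20", "203.0.113.10", "tcp", 443)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The lock-down path emits explicit deny rules rather than simply omitting the permits so that the intent is visible in the rule list; a reviewer of the generated configuration can tell a deliberately isolated device from one whose controller was never populated.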
  • FIG. 5 illustrates a schematic diagram of a communication system 500 in accordance with some aspects of the present disclosure. Communication system 500 may include network entity 102, which facilitates communication between one or more automation devices 110, 112, and/or 114, one or more electronic devices 116 and/or 530, and/or one or more host devices 104 and 106 using or in accordance with network access system 120 (e.g., firewall), and in some cases, via Internet 108.
  • Network entity 102 may be configured to prevent unauthorized access to one or more automation devices within the network (e.g., device LAN 520). In particular, network access system 120 of network entity 102 prevents a rogue client or device that temporarily gains access to the network from controlling, configuring, and/or loading malware onto one or more automation devices. Further, network access system 120 of network entity 102 prevents malware or rogue configurations from letting an intruder control the automation device remotely or tunnel network data outside the network. Additionally, network access system 120 of network entity 102 controls outbound communication to unauthorized host devices or servers on the Internet 108.
  • Specifically, upon entering within range of a radio frequency field of network entity 102 (e.g., router), network entity 102 may detect one or more automation devices 110, 112, and/or 114. For example, network entity 102 may detect second automation device 112, which may, in a non-limiting instance, take the form of a lighting device. In some aspects, one or more services run on network entity 102, in network entity's 102 runtime environment, which, through one or more stages, can detect when a new automation device arrives on the network.
  • Further, one or more device controllers 302, 308, and/or 314 (FIGS. 3 and 4) associated with the automation device (e.g., second automation device 112) may be selected based on the detection results. For example, network entity 102 may select second device controller 308 (FIG. 3) associated with second automation device 112 based on detecting that device within the network. The detection of second automation device 112 may be an initial detection or a subsequent or reentry detection following an exit from the network (e.g., device LAN 520). In some aspects, selection of a corresponding device controller may be made according to a predetermined, pre-run, or pre-executed detection result and its subsequent association in a database at network entity 102.
  • Upon selecting one or more device controllers (e.g., second device controller 308) associated with the automation device (e.g., second automation device 112), the one or more device controllers including one or more communication services (e.g., facades) may be executed. Additionally, a secondary detection procedure may be performed upon execution of the one or more device controllers. For example, the secondary detection procedure includes querying the electronic device (e.g., second automation device 112) for one or more device capabilities (e.g., dimmable and/or switchable), a firmware version, communication services, and/or one or more service requests.
  • Further, network entity 102 (e.g., router) may be configured to implement one or more communication services or facades. In some aspects, a runtime environment at network entity 102 may detect which one or more communication services or facades are implemented. In addition, the runtime environment may also determine the type of device the device controller is to communicate with. Moreover, for instance, network entity 102 may authorize network access via one or more applications running within the runtime environment.
  • Following network authorization, network entity 102 may be configured to execute the one or more communication services of the selected device controller. In some aspects, when the device controller (e.g., second device controller 308) for the selected automation device implements a communication service or facade with network access and/or control capabilities, the execution can adjust network access system 120 (e.g., firewall). Specifically, once second device controller 308 (FIG. 3) is instantiated, it may execute at least two communication services for second automation device 112 (e.g., lighting device) in order for it to securely connect with a respective remote host device (e.g., second host device 106), and thereby configure network access system 120.
  • For instance, network entity 102 may configure network access system 120 to adjust (e.g., permit) outbound communication from first automation device 110 to first host device 104 via communication channel or path 514 according to one or both of the remote server service or the local access service. Further, for example, network entity 102 may configure network access system 120 to adjust (e.g., permit) outbound communication from second automation device 112 to second host device 106 via communication channel or path 516 according to one or both of the remote server service or the local access service.
  • In some aspects, the remote server service may request or permit access for second automation device 112 to communicate with second host device 106 on certain or defined ports and/or destination addresses. Additionally, in some aspects, the local access service may request or permit access for trusted clients or devices to communicate with second automation device 112 on certain ports of network entity 102. As such, an unauthorized attempt by or via a rogue host device 550 over communication channel or path 518 may be prevented, because inbound and/or outbound communication is permitted only on the configured ports and/or destination addresses.
  • Although the foregoing description has been made with reference to the second automation device 112, it should be understood that any one or more of the automation devices may be part of the network access system 120 configuration.
  • In addition, network entity 102 may segment or divide a network into two or more networks based on device capabilities or classifications, and allocate devices newly joined or detected accordingly. By segmenting the overall network, network entity 102 may shield certain devices (e.g., automation devices) from networks that may operate according to relatively less security (e.g., no use of device controllers).
  • For example, communication system 500 may include first local access network (LAN) 520 and second local access network (LAN) 540. First LAN 520 may include first automation device 110, second automation device 112, and third automation device 114. Second LAN 540 may include first electronic device 116 and second electronic device 530. As such, first LAN 520 may operate according to different security or network access parameters as compared to second LAN 540. Accordingly, network access system 120 of network entity 102 may be configured to monitor and control access to first LAN 520 differently (e.g., according to the aspects described herein) as compared to second LAN 540.
  • In some aspects, first local access network 520 may operate or facilitate communication according to a first communication standard. Similarly, second local access network 540 may operate or facilitate communication according to a second communication standard. In some aspects, the first communication standard may be the same as or different from the second communication standard.
  • Specifically, first local access network 520 may include a low-powered wireless network such as, for example, a 6LoWPAN network, a ZIGBEE network, a DASH7 network, and/or a BLUETOOTH network. Further, second local access network 540 may include a high-powered wireless network, such as an IEEE 802.11 network (Wi-Fi), a WiMAX network, and/or a cellular network (e.g., LTE). In some aspects, however, first local access network 520 and second local access network 540 may include any suitable wired or wireless network.
  • FIGS. 6A and 6B are flow diagrams of method 600 for configuring a network access system in accordance with some aspects of the present disclosure. In some aspects, method 600 may be performed at network entity 102 (FIGS. 1-3 and 5) in accordance with one or more device controllers (e.g., FIGS. 3 and 4) and as part of a communication system 100 (FIG. 1) and/or 500 (FIG. 5). Some operations in method 600 may be combined, the order of some operations may be changed, and some operations may be omitted.
  • At block 602, method 600 may detect an electronic device associated with a first class of devices. For example, network entity 102 (FIGS. 1-3 and 5) may be configured to execute one or more components, subcomponents, and/or modules (e.g., of FIG. 2) to detect an electronic device (e.g., one or more of automation devices 110, 112, and/or 114, FIGS. 1 and 5) associated with a first class of devices (e.g., automation or Internet-of-things devices).
  • In some aspects, detecting the electronic device associated with the first class of devices at block 602 may include detecting based on a discovery service protocol. Further, at block 602, method 600 may detect two or more electronic devices associated with or part of the first class of devices. Additionally, in some aspects, the first class of devices is associated with a first local access network different from a second local access network providing access to a second class of devices.
  • At block 604, method 600 may determine whether a set of device controllers includes a device controller associated with the electronic device. For instance, in response to detecting the electronic device associated with the first class of devices, network entity 102 (FIGS. 1-3 and 5) may be configured to execute one or more components, subcomponents, and/or modules (e.g., of FIG. 2) to determine whether a set of device controllers (e.g., device controllers 302, 308, and/or 314, FIG. 3) includes a device controller (e.g., first device controller 302, FIGS. 3 and 4) associated with the electronic device (e.g., one or more of automation devices 110, 112, and/or 114, FIGS. 1 and 5).
  • In some aspects, at block 606, method 600 may optionally generate the device controller for the electronic device in accordance with a determination that the set of device controllers does not include the device controller associated with the electronic device. For example, in accordance with a determination that the set of device controllers (e.g., device controllers 302, 308, and/or 314, FIG. 3) does not include the device controller associated with the electronic device (e.g., one or more of automation devices 110, 112, and/or 114), network entity 102 (FIGS. 1-3 and 5) may be configured to execute one or more components, subcomponents, and/or modules (e.g., of FIG. 2) to generate the device controller (e.g., first device controller 302, FIGS. 3 and 4) for the electronic device.
  • Otherwise, method 600, at block 608 may select a device controller from a set of device controllers. For instance, network entity 102 (FIGS. 1-3 and 5) may be configured to execute one or more components, subcomponents, and/or modules (e.g., of FIG. 2) to select a device controller from a set of device controllers (e.g., device controllers 302, 308, and/or 314, FIG. 3) in accordance with a determination that the set of device controllers includes the device controller (e.g., first device controller 302, FIGS. 3 and 4) associated with the electronic device (e.g., one or more of automation devices 110, 112, and/or 114, FIGS. 1 and 5) and/or based at least in part on detecting the electronic device.
  • In some aspects, the device controller (e.g., first device controller 302, FIGS. 3 and 4) is associated with the electronic device and manages communication between the electronic device (e.g., one or more of automation devices 110, 112, and/or 114, FIG. 1) and a remote host device (e.g., first host device 104 and/or second host device 106, FIGS. 1 and 5).
  • At block 610, method 600 may optionally execute the device controller associated with the electronic device. For example, network entity 102 (FIGS. 1-3 and 5) may be configured to execute one or more components, subcomponents, and/or modules (e.g., of FIG. 2) to execute the device controller (e.g., first device controller 302, FIGS. 3 and 4) associated with the electronic device (e.g., one or more of automation devices 110, 112, and/or 114, FIGS. 1 and 5).
  • At block 612, method 600 may optionally detect one or more communication characteristics. For example, network entity 102 (FIGS. 1-3 and 5) may be configured to execute one or more components, subcomponents, and/or modules (e.g., of FIG. 2) to detect one or more communication characteristics in response to executing the device controller (e.g., first device controller 302, FIGS. 3 and 4) associated with the electronic device. In some aspects, detecting the one or more communication characteristics includes querying the electronic device (e.g., one or more of automation devices 110, 112, and/or 114, FIGS. 1 and 5) for one or more device capabilities, a firmware version, and/or one or more service requests.
  • At block 614, method 600 may optionally determine whether to grant network access via the network entity. For instance, network entity 102 (FIGS. 1-3 and 5) may be configured to execute one or more components, subcomponents, and/or modules (e.g., of FIG. 2) to determine whether to grant network access via network entity 102 (FIGS. 1-3 and 5) to the electronic device (e.g., one or more of automation devices 110, 112, and/or 114, FIGS. 1 and 5). In some aspects, the aforementioned determination may be made in response to detecting the electronic device (e.g., at block 602) or selecting the device controller (e.g., first device controller 302, FIGS. 3 and 4) from the set of device controllers (e.g., at block 608). Further, for example, the aforementioned determination may include determining, via an application module, whether to grant network access via the network entity 102 (FIGS. 1-3 and 5).
  • In some aspects, determining whether to grant network access to the network entity 102 (FIGS. 1-3 and 5) includes determining whether an identifier of the electronic device (e.g., one or more of automation devices 110, 112, and/or 114, FIGS. 1 and 5) matches a stored identifier at and/or known by the network entity 102 (FIGS. 1-3 and 5). Further, based on determining that the identifier of the electronic device (e.g., one or more of automation devices 110, 112, and/or 114, FIGS. 1 and 5) does not match the stored identifier at the network entity 102 (FIGS. 1-3 and 5), a device access indication may be sent to a user device (e.g., electronic device 116, FIG. 1 and/or electronic device 530, FIG. 5).
  • Additionally, in response to sending the device access indication to the user device (e.g., electronic device 116, FIG. 1 and/or electronic device 530, FIG. 5), the network entity 102 (FIGS. 1-3 and 5) may receive an access authorization indication from the user device. In some aspects, the access authorization indication permits network access for the electronic device (e.g., one or more of automation devices 110, 112, and/or 114, FIGS. 1 and 5) at the network entity 102 (FIGS. 1-3 and 5). In some aspects, the identifier of the electronic device may be one or more of a mobile number, a telephone number, an International Mobile Equipment Identity (IMEI), an International Mobile Subscriber Identity (IMSI), a serial number, an Integrated Circuit Card Identifier (ICCID), or a mobile equipment identifier (MEID).
  • In some aspects, at block 616, method 600 may optionally deny network access to the network entity based on receiving an access denial indication from the user device. Otherwise, at block 618, method 600 may optionally provision the electronic device in response to receiving the access authorization indication. For example, network entity 102 (FIGS. 1-3 and 5) may be configured to execute one or more components, subcomponents, and/or modules (e.g., of FIG. 2) to provision the electronic device (e.g., one or more of automation devices 110, 112, and/or 114, FIGS. 1 and 5) in response to receiving the access authorization indication.
  • Further, at block 620, method 600 may activate the one or more communication services. For instance, network entity 102 (FIGS. 1-3 and 5) may be configured to execute one or more components, subcomponents, and/or modules (e.g., of FIG. 2) to activate the one or more communication services (e.g., one or more facades 304 and 306, FIGS. 3 and 4), for example, in response to selecting the device controller (e.g., first device controller 302, FIGS. 3 and 4) from the set of device controllers (e.g., device controllers 302, 308, and/or 314, FIG. 3).
  • In some aspects, each of the one or more communication services implements a facade or pattern of usage (e.g., one or more facades 304 and 306, FIGS. 3 and 4) that specifies one or more of a device capability characteristics (e.g., of one or more automation devices) or one or more network services (e.g., of one or more of automation devices 110, 112, and/or 114, FIGS. 1 and 5). For example, the one or more communication services, or more specifically, the one or more network services include one or both of a remote server service (e.g., first facade 304, FIGS. 3 and 4) that specifies one or more remote hosts or ports of the remote host device and/or a local access service (e.g., second facade 306, FIGS. 3 and 4) that specifies one or more local access network communication characteristics of the network entity 102 (FIGS. 1-3 and 5).
  • At block 622, method 600 may configure a network access system at the network entity based on the one or more communication services. For example, network entity 102 (FIGS. 1-3 and 5) may be configured to execute one or more components, subcomponents, and/or modules (e.g., of FIG. 2) to configure one or more network access characteristics (e.g., one or more rules, parameters, and/or operational characteristics) of a network access system 120 (FIGS. 1-3 and 5) at the network entity 102 (FIGS. 1-3 and 5) based on the one or more communication services (e.g., one or more facades 304 and 306, FIGS. 3 and 4).
  • In some aspects, configuring the network access system 120 (FIGS. 1-3 and 5) includes adjusting (e.g., permitting) outbound communication from the electronic device (e.g., one or more of automation devices 110, 112, and/or 114, FIGS. 1 and 5) to the remote host device (e.g., first host device 104 and/or second host device 106, FIGS. 1 and 5) according to one or both of the remote server service (e.g., first facade 304, FIGS. 3 and 4) or the local access service (e.g., second facade 306, FIGS. 3 and 4).
  • Further, in some aspects, configuring the network access system 120 (FIGS. 1-3 and 5) includes adjusting a whitelist or blacklist to include or exclude, respectively, one or both of the remote server service (e.g., first facade 304, FIGS. 3 and 4) or the local access service (e.g., second facade 306, FIGS. 3 and 4). For instance, a whitelist permits one or both of inbound or outbound communication between the electronic device (e.g., one or more of automation devices 110, 112, and/or 114, FIGS. 1 and 5) and one or more remote host devices (e.g., first host device 104 and/or second host device 106, FIGS. 1 and 5), whereas a blacklist prevents one or both of inbound or outbound communication between the electronic device and the one or more remote host devices.
  • Additionally, in some aspects, configuring the network access system 120 (FIGS. 1-3 and 5) includes restricting communication to one or more destination addresses of a remote host device (e.g., first host device 104 and/or second host device 106, FIGS. 1 and 5) and/or on one or more outbound ports at the network entity 102 (FIGS. 1-3 and 5) in response to activating the one or more communication services (e.g., one or more facades 304 and 306, FIGS. 3 and 4).
  • In some aspects, configuring the network access system 120 (FIGS. 1-3 and 5) at the network entity 102 (FIGS. 1-3 and 5) includes configuring one or more network access characteristics (e.g., one or more rules, parameters, and/or operational characteristics) of the network access system from a first set of network access characteristics to a second set of network access characteristics based on the one or more communication services (e.g., one or more facades 304 and 306, FIGS. 3 and 4).
  • In some aspects, configuring the network access system 120 (FIGS. 1-3 and 5) at the network entity 102 (FIGS. 1-3 and 5) includes a kernel module configured to modify a kernel according to the one or more communication services (e.g., one or more facades 304 and 306, FIGS. 3 and 4).
  • At block 624, method 600 may assign the electronic device associated with the first class of devices to the first local access network. For instance, network entity 102 (FIGS. 1-3 and 5) may be configured to execute one or more components, subcomponents, and/or modules (e.g., of FIG. 2) to assign the electronic device (e.g., one or more of automation devices 110, 112, and/or 114, FIGS. 1 and 5) associated with the first class of devices to the first local access network (e.g., device LAN 520, FIG. 5).
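Blocks 602 through 624 of method 600, as an added example that is not code from the patent or its assignee: a device is detected, its controller is looked up or generated, its identifier is checked against the stored identifiers with a simulated user-device authorization for unknown ones, its communication services are activated, and it is assigned to the LAN for its class. The names NetworkEntity, Discovery, Admission and DeviceController, the two LAN labels, and the serial-number identifiers are assumptions constructed for the example; translating the activated facades into firewall rules (block 622) is a separate step not repeated here.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

DEVICE_LAN = "device LAN 520"   # first local access network (first class: automation devices)
CLIENT_LAN = "client LAN 540"   # second local access network (second class: user devices)


@dataclass
class DeviceController:
    device_id: str
    services: List[str] = field(default_factory=list)  # facades to activate, e.g. "remote_server_service"


@dataclass(frozen=True)
class Discovery:
    """Constructed result of the discovery service protocol (block 602)."""
    identifier: str      # identifier reported by the device (a constructed serial number)
    device_class: str    # "automation" (first class) or "user" (second class)


@dataclass(frozen=True)
class Admission:
    identifier: str
    granted: bool
    controller_generated: bool
    activated_services: List[str]
    lan: Optional[str]


@dataclass
class NetworkEntity:
    known_identifiers: Set[str]                                   # stored identifiers (block 614)
    controllers: Dict[str, DeviceController] = field(default_factory=dict)
    user_authorizes: Callable[[str], bool] = lambda identifier: False  # simulated user-device reply
    lan_assignments: Dict[str, str] = field(default_factory=dict)

    def admit(self, d: Discovery) -> Admission:
        # Blocks 604-608: look the controller up, generating one if the set lacks it.
        generated = False
        controller = self.controllers.get(d.identifier)
        if controller is None:
            # A generated controller starts with no services, so the network access
            # system stays default-deny for the device until facades are added.
            controller = DeviceController(d.identifier)
            self.controllers[d.identifier] = controller
            generated = True
        # Block 614: compare the identifier with the stored ones; an unknown identifier
        # triggers a device access indication to the user device and waits for the reply.
        if d.identifier not in self.known_identifiers:
            if not self.user_authorizes(d.identifier):
                # Block 616: access denial indication received, nothing is activated.
                return Admission(d.identifier, False, generated, [], None)
            # Block 618: access authorization indication received; provision the device.
            self.known_identifiers.add(d.identifier)
        # Block 620: activate the controller's communication services (facades).
        services = list(controller.services)
        # Block 624: assign the device to the LAN that matches its class.
        lan = DEVICE_LAN if d.device_class == "automation" else CLIENT_LAN
        self.lan_assignments[d.identifier] = lan
        return Admission(d.identifier, True, generated, services, lan)


def demo() -> List[Admission]:
    """Admit a known device, an unknown device the user approves, and one the user rejects."""
    entity = NetworkEntity(
        known_identifiers={"SN-0001"},
        controllers={"SN-0001": DeviceController("SN-0001", ["remote_server_service", "local_access_service"])},
        user_authorizes=lambda identifier: identifier == "SN-0002",
    )
    return [
        entity.admit(Discovery("SN-0001", "automation")),
        entity.admit(Discovery("SN-0002", "automation")),
        entity.admit(Discovery("SN-0003", "automation")),
    ]


if __name__ == "__main__":
    for a in demo():
        print(a)
```

A denied device is left with a generated but empty controller and no LAN assignment, so a later re-detection (the reentry case described with FIG. 5) goes through the identifier check and user authorization again rather than inheriting any access.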
  • FIG. 7 illustrates a functional block diagram of a network entity in accordance with some aspects of the present disclosure. As shown in FIG. 7, an electronic device 700, which may be the same as or similar to network entity 102 (FIGS. 1-3 and 5), includes memory unit 702, which may be configured to store data for retrieval, and processing unit 704 coupled to the memory unit 702. In some aspects, processing unit 704 includes detecting unit 708, selecting unit 710, activating unit 712, configuring unit 714, determining unit 716, generating unit 718, executing unit 720, adjusting unit 722, sending unit 724, receiving unit 726, assigning unit 730, restricting unit 732, and modifying unit 734.
  • Processing unit 704 may be configured to detect (e.g., using or via detecting unit 708) an electronic device associated with a first class of devices; select (e.g., using or via selecting unit 710) a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the network entity and the electronic device according to one or more communication services; activate (e.g., using or via activating unit 712) the one or more communication services in response to selecting the device controller from the set of device controllers; and configure (e.g., using or via configuring unit 714) a network access system at the network entity based on the one or more communication services.
  • In some aspects, processing unit 704 may further be configured to determine (e.g., using or via determining unit 716) whether the set of device controllers includes the device controller associated with the electronic device; and generate (e.g., using or via generating unit 718) the device controller for the electronic device in accordance with a determination that the set of device controllers does not include the device controller associated with the electronic device, wherein to select the device controller, processing unit 704 may further be configured to select (e.g., using or via selecting unit 710) the device controller from the set of device controllers in accordance with a determination that the set of device controllers includes the device controller associated with the electronic device.
  • In some aspects, to select the device controller from the set of device controllers, the processing unit 704 may further be configured to execute (e.g., using or via executing unit 720), at the network entity, the device controller associated with the electronic device.
  • In some aspects, processing unit 704 may further be configured to detect (e.g., using or via detecting unit 708) one or more communication characteristics in response to executing the device controller associated with the electronic device.
  • In some aspects, each of the one or more communication services implements a facade or pattern of usage that specifies one or more device capability characteristics or one or more network services.
  • In some aspects, the one or more communication services or the one or more network services include one or both of: a remote server service that specifies one or more remote hosts or ports of the remote host device; or a local access service that specifies one or more local access network communication characteristics of the network entity.
  • In some aspects, to configure the network access system, processing unit 704 may be further configured to adjust (e.g., using or via adjusting unit 722) outbound communication from the electronic device to the remote host device according to one or both of the remote server service or the local access service.
  • In some aspects, to configure the network access system, processing unit 704 may further be configured to adjust (e.g., using or via adjusting unit 722) a whitelist or blacklist to include or exclude one or both of the remote server service or the local access service.
  • In some aspects, to configure the network access system, processing unit 704 may further be configured to adjust (e.g., using or via adjusting unit 722) a blacklist to exclude one or both of the remote server service or the local access service.
  • In some aspects, to detect the electronic device associated with the first class of devices, processing unit 704 may further be configured to detect (e.g., using or via detecting unit 708) based on a discovery service protocol.
  • In some aspects, processing unit 704 may further be configured to determine (e.g., using or via determining unit 716) whether to grant network access via the network entity in response to detecting the electronic device.
  • In some aspects, to determine whether to grant network access to the network entity, processing unit 704 may further be configured to: determine (e.g., using or via determining unit 716) whether an identifier of the electronic device matches a stored identifier known by the network entity; send (e.g., using or via sending unit 724) a device access indication to a user device based on determining that the identifier of the electronic device does not match the stored identifier at the network entity; and receive (e.g., using or via receiving unit 726) an access authorization indication from the user device in response to sending the device access indication.
  • In some aspects, processing unit 704 may further be configured to provision (e.g., using or via provisioning unit 728) the electronic device in response to receiving the access authorization indication.
  • In some aspects, the first class of devices is associated with a first local access network different from a second local access network providing access to a second class of devices, and processing unit 704 may further be configured to assign (e.g., using or via assigning unit 730) the electronic device associated with the first class of devices to the first local access network.
  • In some aspects, to configure the network access system, processing unit 704 may further be configured to restrict (e.g., using or via restricting unit 732) communication on one or more outbound ports at the network entity in response to activating the one or more communication services.
  • In some aspects, to configure the network access system at the network entity, processing unit 704 may further be configured to configure (e.g., using or via configuring unit 714) one or more network access characteristics of the network access system from a first set of network access characteristics to a second set of network access characteristics based on the one or more communication services.
  • In some aspects, to configure the network access system at the network entity, processing unit 704 may further be configured to modify (e.g., using or via modifying unit 734) a kernel according to the one or more communication services.
  • In some aspects, the network entity is a router. In some aspects, the electronic device is one of a lighting control device, a lighting device, a thermostat device, a shading device, a wearable electronic sensor, a security device, an image capturing device, a recording device, an appliance, a voice command device, or an entertainment device. In some aspects, the network access system is a network firewall. In some aspects, the network access system is a network access point. In some aspects, the network access system is an industrial gateway or commercial base station.
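The method 600 steps and the FIG. 7 workflow above (identifier check, device controller selection or generation, facade activation, LAN assignment and whitelist/blacklist configuration) as an added Python model; this is not the patent's own code, and the device classes, identifiers, addresses, LAN name and the nftables-style rule text are assumptions.

```python
"""Added example, not code from the patent: a model of the network entity
workflow above. Classes, identifiers, addresses and rule text are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class RemoteServerService:
    """First facade: remote hosts and ports the device is expected to reach."""
    hosts: tuple
    ports: tuple

@dataclass(frozen=True)
class LocalAccessService:
    """Second facade: LAN-side characteristics (assigned LAN, inbound ports)."""
    lan: str
    inbound_ports: tuple = ()

@dataclass(frozen=True)
class DeviceController:
    device_class: str
    services: tuple  # the communication services (facades) it activates

# Constructed data: identifiers the network entity already knows, and the set
# of device controllers keyed by device class (documentation-range addresses).
KNOWN_IDENTIFIERS = {"aa:bb:cc:00:00:01": "thermostat", "aa:bb:cc:00:00:02": "camera"}
CONTROLLERS = {
    "thermostat": DeviceController("thermostat", (
        RemoteServerService(("203.0.113.10",), (443,)),
        LocalAccessService("device-lan"))),
    "camera": DeviceController("camera", (
        RemoteServerService(("203.0.113.20", "203.0.113.21"), (443, 8883)),
        LocalAccessService("device-lan", inbound_ports=(554,)))),
}

def determine_access(identifier, stored=KNOWN_IDENTIFIERS):
    """Identifier check: a known identifier is granted and mapped to its class;
    an unknown one stays 'pending' until the user device returns an access
    authorization indication (that exchange is not modelled here)."""
    if identifier in stored:
        return "grant", stored[identifier]
    return "pending", None

def select_controller(device_class, controllers=CONTROLLERS):
    """Select the class's controller; if none exists, generate a default-deny
    one with no services, so the device receives no allow rules at all."""
    if device_class not in controllers:
        controllers[device_class] = DeviceController(device_class, ())
    return controllers[device_class]

def configure_network_access(device_ip, controller):
    """Turn the activated facades into a LAN assignment plus an allowlist of
    firewall rules, closed by catch-all drops (whitelist first, then blacklist)."""
    lan, rules = None, []
    for svc in controller.services:
        if isinstance(svc, RemoteServerService):  # outbound to listed hosts/ports only
            for host in svc.hosts:
                for port in svc.ports:
                    rules.append(f"ip saddr {device_ip} ip daddr {host} tcp dport {port} accept")
        elif isinstance(svc, LocalAccessService):  # LAN assignment and inbound ports
            lan = svc.lan
            for port in svc.inbound_ports:
                rules.append(f"iifname {svc.lan} ip daddr {device_ip} tcp dport {port} accept")
    rules += [f"ip saddr {device_ip} drop", f"ip daddr {device_ip} drop"]
    return lan, rules

def onboard(identifier, device_ip):
    """Run the whole method for one detected device."""
    decision, device_class = determine_access(identifier)
    if decision != "grant":
        return decision, None, []
    lan, rules = configure_network_access(device_ip, select_controller(device_class))
    return decision, lan, rules
```

A device whose class has no controller, or whose identifier is unknown, ends up with drop rules only (or no rules at all) until a controller is generated or the user authorizes it.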
  • As used herein, the term “determining” encompasses a wide variety of actions. For example, “determining” may include calculating, computing, processing, deriving, investigating, looking up (e.g., looking up in a table, a database or another data structure), and/or ascertaining. Also, “determining” may include receiving (e.g., receiving information), accessing (e.g., accessing data in a memory) and the like. Also, “determining” may include resolving, selecting, choosing, and/or establishing.
  • It should be understood that the claims are not limited to the precise configuration and components illustrated above. Various modifications, changes and variations may be made in the arrangement, operation and details of the methods and apparatus described above without departing from the scope of the claims. While the foregoing is directed to aspects of the present disclosure, other and further aspects of the disclosure may be devised without departing from the basic scope thereof, and the scope thereof is determined by the claims that follow.

Claims (23)

What is claimed is:
1. A method, comprising:
detecting, at a network entity, an electronic device associated with a first class of devices;
selecting a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the electronic device and a remote host device according to one or more communication services;
activating the one or more communication services in response to selecting the device controller from the set of device controllers; and
configuring a network access system at the network entity based on the one or more communication services.
2. The method of claim 1, wherein the one or more communication services include one or both of:
a remote server service that specifies one or more remote hosts or ports of the remote host device; or
a local access service that specifies one or more local access network communication characteristics of the network entity.
3. The method of claim 2, wherein configuring the network access system includes adjusting outbound communication from the electronic device to the remote host device according to one or both of the remote server service or the local access service.
4. The method of claim 2, wherein configuring the network access system includes adjusting a whitelist to include one or both of the remote server service or the local access service.
5. The method of claim 2, wherein configuring the network access system includes adjusting a blacklist to exclude one or both of the remote server service or the local access service.
6. The method of claim 1, further comprising:
determining whether the set of device controllers includes the device controller associated with the electronic device; and
generating the device controller for the electronic device in accordance with a determination that the set of device controllers does not include the device controller associated with the electronic device,
wherein selecting the device controller includes selecting the device controller from the set of device controllers in accordance with a determination that the set of device controllers includes the device controller associated with the electronic device.
7. The method of claim 1, wherein selecting the device controller from the set of device controllers includes executing, at the network entity, the device controller associated with the electronic device.
8. The method of claim 7, further comprising detecting one or more communication characteristics in response to executing the device controller associated with the electronic device.
9. The method of claim 1, wherein detecting the electronic device associated with the first class of devices includes detecting based on a discovery service protocol.
10. The method of claim 1, further comprising determining, via an application module, whether to grant network access via the network entity in response to detecting the electronic device.
11. The method of claim 10, wherein determining whether to grant network access to the network entity includes:
determining whether an identifier of the electronic device matches a stored identifier known by the network entity;
sending a device access indication to a user device based on determining that the identifier of the electronic device does not match the stored identifier at the network entity; and
receiving an access authorization indication from the user device in response to sending the device access indication.
12. The method of claim 11, further comprising provisioning the electronic device in response to receiving the access authorization indication.
13. The method of claim 1, wherein the first class of devices is associated with a first local access network different from a second local access network providing access to a second class of devices, the method further comprising assigning the electronic device associated with the first class of devices to the first local access network.
14. The method of claim 1, wherein configuring the network access system includes restricting communication on one or more outbound ports at the network entity in response to activating the one or more communication services.
15. The method of claim 1, wherein configuring the network access system at the network entity includes configuring one or more network access characteristics of the network access system from a first set of network access characteristics to a second set of network access characteristics based on the one or more communication services.
16. The method of claim 1, wherein configuring the network access system at the network entity includes a kernel module configured to modify a kernel according to the one or more communication services.
17. The method of claim 1, wherein the network entity is a router.
18. The method of claim 1, wherein the electronic device is one of a lighting control device, a thermostat device, a shading device, a wearable electronic sensor, a security device, an image capturing device, a recording device, an appliance, a voice command device, or an entertainment device.
19. The method of claim 1, wherein the network access system is a network firewall.
20. The method of claim 1, wherein the network access system is a network access point.
21. The method of claim 1, wherein the network access system is an industrial gateway or a commercial base station.
22. A computer-readable storage medium comprising one or more programs for execution by one or more processors of an electronic device, the one or more programs including instructions which, when executed by the one or more processors, cause the electronic device to:
detect an electronic device associated with a first class of devices;
select a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the electronic device and a remote host device according to one or more communication services;
activate the one or more communication services in response to selecting the device controller from the set of device controllers; and
configure a network access system at the network entity based on the one or more communication services.
23. An electronic apparatus comprising:
one or more processors;
memory; and
one or more programs stored in the memory, the one or more programs including instructions for:
detecting an electronic device associated with a first class of devices;
selecting a device controller from a set of device controllers based at least in part on detecting the electronic device, wherein the device controller is associated with the electronic device and manages communication between the electronic device and a remote host device according to one or more communication services;
activating the one or more communication services in response to selecting the device controller from the set of device controllers; and
configuring a network access system at the network entity based on the one or more communication services.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/783,903 US20200322215A1 (en) 2015-12-16 2020-02-06 Network access system configuration

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US14/970,802 US10581672B2 (en) 2015-12-16 2015-12-16 Network access system configuration
US16/783,903 US20200322215A1 (en) 2015-12-16 2020-02-06 Network access system configuration

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US14/970,802 Continuation US10581672B2 (en) 2015-12-16 2015-12-16 Network access system configuration

Publications (1)

Publication Number Publication Date
US20200322215A1 true US20200322215A1 (en) 2020-10-08

Family

ID=59065330

Family Applications (2)

Application Number Title Priority Date Filing Date
US14/970,802 Expired - Fee Related US10581672B2 (en) 2015-12-16 2015-12-16 Network access system configuration
US16/783,903 Abandoned US20200322215A1 (en) 2015-12-16 2020-02-06 Network access system configuration

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US14/970,802 Expired - Fee Related US10581672B2 (en) 2015-12-16 2015-12-16 Network access system configuration

Country Status (1)

Country Link
US (2) US10581672B2 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10778775B2 (en) * 2016-10-25 2020-09-15 Cisco Technology, Inc. Control of network connected devices
US10756965B2 (en) * 2018-05-31 2020-08-25 Verizon Patent And Licensing Inc. System and method for managing devices in a local network
CN116582362B (en) * 2023-07-11 2023-09-26 建信金融科技有限责任公司 Network access control method and device, electronic equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9825966B2 (en) * 2014-12-18 2017-11-21 Intel Corporation System platform for context-based configuration of communication channels

Also Published As

Publication number Publication date
US10581672B2 (en) 2020-03-03
US20170181056A1 (en) 2017-06-22

Legal Events

Code Title Description
AS Assignment: Owner name: WIGWAG INC., TEXAS. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEMPHILL, THOMAS E.;REEL/FRAME:051908/0679. Effective date: 20151214
STPP Information on status: patent application and granting procedure in general. Free format text: APPLICATION DISPATCHED FROM PREEXAM, NOT YET DOCKETED
AS Assignment: Owner name: ARM CLOUD TECHNOLOGY, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:WIGWAG INC.;REEL/FRAME:054462/0049. Effective date: 20201001
STPP Information on status: patent application and granting procedure in general. Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION
STPP Information on status: patent application and granting procedure in general. Free format text: NON FINAL ACTION MAILED
STPP Information on status: patent application and granting procedure in general. Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER
STPP Information on status: patent application and granting procedure in general. Free format text: FINAL REJECTION MAILED
STCV Information on status: appeal procedure. Free format text: NOTICE OF APPEAL FILED
STCV Information on status: appeal procedure. Free format text: APPEAL BRIEF (OR SUPPLEMENTAL BRIEF) ENTERED AND FORWARDED TO EXAMINER
STCV Information on status: appeal procedure. Free format text: EXAMINER'S ANSWER TO APPEAL BRIEF MAILED
STPP Information on status: patent application and granting procedure in general. Free format text: TC RETURN OF APPEAL
STCB Information on status: application discontinuation. Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION