US20230095354A1 - Methods and systems of a software data diode-tcp proxy with udp across a wan - Google Patents
Methods and systems of a software data diode-tcp proxy with udp across a wan Download PDFInfo
- Publication number
- US20230095354A1 US20230095354A1 US17/807,669 US202217807669A US2023095354A1 US 20230095354 A1 US20230095354 A1 US 20230095354A1 US 202217807669 A US202217807669 A US 202217807669A US 2023095354 A1 US2023095354 A1 US 2023095354A1
- Authority
- US
- United States
- Prior art keywords
- wan
- point
- data diode
- protocol
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
- 238000000034 method Methods 0.000 title claims abstract description 86
- 238000004891 communication Methods 0.000 claims abstract description 15
- 230000008569 process Effects 0.000 description 53
- 238000007726 management method Methods 0.000 description 12
- 230000005012 migration Effects 0.000 description 8
- 238000013508 migration Methods 0.000 description 8
- 238000005516 engineering process Methods 0.000 description 4
- 238000004519 manufacturing process Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 239000004744 fabric Substances 0.000 description 3
- 238000013519 translation Methods 0.000 description 3
- 238000013075 data extraction Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 239000000463 material Substances 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 238000009428 plumbing Methods 0.000 description 2
- 238000000926 separation method Methods 0.000 description 2
- 101100217298 Mus musculus Aspm gene Proteins 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 239000011230 binding agent Substances 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 239000003795 chemical substances by application Substances 0.000 description 1
- 238000004883 computer application Methods 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 238000013480 data collection Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000009826 distribution Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005538 encapsulation Methods 0.000 description 1
- 230000003203 everyday effect Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 238000013439 planning Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000013349 risk mitigation Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000003860 storage Methods 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
- 238000012384 transportation and delivery Methods 0.000 description 1
- 230000005641 tunneling Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/029—Firewall traversal, e.g. tunnelling or, creating pinholes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/133—Protocols for remote procedure calls [RPC]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/563—Data redirection of data network streams
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/164—Adaptation or special uses of UDP protocol
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/168—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP] specially adapted for link layer protocols, e.g. asynchronous transfer mode [ATM], synchronous optical network [SONET] or point-to-point protocol [PPP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
Definitions
- This application relates generally to computer networking, and more specifically to a system, article of manufacture and method for implementing a software data diode-TCP proxy with UDP across a WAN.
- Machines are used in everyday manufacturing, building automation and industrial automation tasks. For security reasons, access to these machines may be restricted to local physical access (e.g. air-gapped). There is a need to reduce costs of machine operations. A model of choice is to do so remotely either via Internet or Private WAN Network. Security by isolation may be prohibitively expensive for this class of application.
- Traditional IT-Based remote connectivity technologies such as VPN and agent-based solutions have been designed for office and date center and site-to-site environments and does not operationally scale to be developed and managed in a distributed non—IT enabled environments.
- the control plane overhead on maintaining the Privacy and Authentication aspects of the security is so expensive that largely that is left unmanaged—leading to loss of date plane security to inadequate management
- data diodes are generally hardware devices used in the industrial environment to restrict and guarantee flow of information one way. Typically, this is used for data extraction from critical infrastructure devices while eliminating the risk of malware traversing in the opposite direction into those devices.
- Applications are often being hosted in the cloud and similar semantics is currently not available across the WAN/Internet when devices connect to the remote applications.
- a computerized method for implementing a software data diode-TCP proxy with a User Datagram Protocol (UDP) across a wide area network (WAN) comprising.
- the method includes the step of providing a WAN data diode using a uni-directional semantics protocol.
- the method includes the step of providing a set of data diode proxies in either end of a point-to-point WAN link.
- the method includes the step of providing a symmetric key encryption semantics to extend the WAN data diode securely across a specified WAN, wherein the symmetric key encryption semantics are implemented through the set of data diode proxies on either end of the point-to-point WAN link.
- the method includes the step of employing a uni-directional protocol in the WAN communication.
- the method includes the step of, with data diode proxies, terminating one or more data channels on either end of the point-to-point WAN link or transporting a requisite information across the WAN over the uni-directional protocol.
- FIG. 1 illustrates an example process for implementing a hybrid-cloud OT network, according to some embodiments.
- FIG. 2 illustrates an example process for implementing OT-Proxies, according to some example embodiments.
- FIG. 3 illustrates an example process for implementing a WAN data diode with the same uni-directional semantics, according to some embodiments.
- FIG. 4 illustrates an example process for implementing an automated centralized firewall for industrial IOT wan fabric, according to some embodiments.
- FIG. 5 illustrates an example process for implementing application migration across the wan, according to some embodiments.
- FIG. 6 illustrates an example process for zero touch plumbing of independent private networks for scalable hub and spoke IIoT deployments.
- the schematic flow chart diagrams included herein are generally set forth as logical flow chart diagrams. As such, the depicted order and labeled steps are indicative of one embodiment of the presented method. Other steps and methods may be conceived that are equivalent in function, logic, or effect to one or more steps, or portions thereof, of the illustrated method. Additionally, the format and symbols employed are provided to explain the logical steps of the method and are understood not to limit the scope of the method. Although various arrow types and line types may be employed in the flow chart diagrams, and they are understood not to limit the scope of the corresponding method. Indeed, some arrows or other connectors may be used to indicate only the logical flow of the method. For instance, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the depicted method. Additionally, the order in which a particular method occurs may or may not strictly adhere to the order of the corresponding steps shown.
- Data diode can be a network appliance or device that allows data to travel in only one direction.
- DNAT Destination network address translation
- Edge device is a device which provides an entry point into differently managed enterprise or service provider core networks, such as, inter alia: such as an enterprise IT network or Service Provider Core network. Examples include routers, routing switches, integrated access devices (IADs), multiplexers, and a variety of metropolitan area network (MAN) and wide area network (WAN) access devices. Edge devices also provide connections into carrier and service provider networks or connections between OT and Enterprise IT networks.
- enterprise or service provider core networks such as, inter alia: such as an enterprise IT network or Service Provider Core network. Examples include routers, routing switches, integrated access devices (IADs), multiplexers, and a variety of metropolitan area network (MAN) and wide area network (WAN) access devices. Edge devices also provide connections into carrier and service provider networks or connections between OT and Enterprise IT networks.
- IIoT Industrial Internet of Things
- IoT Internet of things
- IoT Internet of things
- Key management refers to management of cryptographic keys in a cryptosystem. This can include dealing with the generation, exchange, storage, use, crypto-shredding (e.g. destruction) and replacement of keys. It can include cryptographic protocol design, key servers, user procedures, and/or other relevant protocols.
- Operational Technology includes the hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices.
- Operational Technology (OT) Proxies are boundary devices which implement and enforces the necessary protocol translation and security semantics needed for interconnected OT network elements (devices and applications) to talk to each other, often through and over a different network—such as an Enterprise IT network or third-party carrier and service provider networks.
- Proxy authentication can serve as access-control. Proxy authentication can provide a mechanism that blocks requests for content until a valid access-permission credentials to the proxy is provided.
- Remote procedure call is when a computer program causes a procedure (e.g. subroutine) to execute in a different address space (e.g. on another computer on a shared network), which is coded as if it were a normal (e.g. local) procedure call, without the programmer explicitly coding the details for the remote interaction.
- a procedure e.g. subroutine
- a different address space e.g. on another computer on a shared network
- Stream is a sequence of data elements made available over time.
- Transmission Control Protocol is one of the main protocols of the Internet protocol suite. TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network.
- Tunneling protocol can be a communications protocol that allows for the movement of data from one network to another. It can involve allowing a private network communication to be sent across a public network.
- UDP User Datagram Protocol
- IP Internet Protocol
- FIG. 1 illustrates an example process 100 for implementing a hybrid-cloud OT network, according to some embodiments.
- process 100 provides a hybrid-cloud OT network that can scale to n-number segmented communication channels (e.g. hundreds of thousands of segmented communication channels, etc.).
- process 100 can provide dynamic communication channels for hybrid-cloud OT network. These communication channels are not necessarily always-on.
- process 100 can implement geographic distribution of the hybrid-cloud OT network. For example, the hybrid-cloud OT network can be distributed to the geographic locations of machines, applications and humans.
- process 100 can implement auditable access control for hybrid-cloud OT network. This can be done for security and compliance.
- the hybrid-cloud OT network minimal operational overhead.
- Process 100 can connect OT networks in one location to those in other locations (e.g. a factory floor, building, public cloud, private data center, etc.
- Machine Access Firewall Comprehensive Access Control for Mission Critical Industrial Machines by Humans and Applications
- OT-Proxies can be implemented. OT-Proxies provide a scalable solution and utilize a converged firewall. OT-Proxies can be used to connect people, applications and machines in a secure, controlled and auditable manner in a distributed, micro-network, multi-tenanted environment. OT-Proxies can be implemented in brownfield networks and/or device environments with no additional forklift upgrade of the already functional end devices and applications. In addition, OT-Proxies can increase operational efficiency of a system where the privacy and authentication aspects of security for the system are covered automatically.
- Example of OT technologies include, inter alia: converting one type of network (e.g. a serial network to ethernet) to another, converting Modbus based messages to time series based JSON messages, enforcing that only specific protocols are allowed and rest are blocked etc.
- network e.g. a serial network to ethernet
- Modbus based messages to time series based JSON messages
- FIG. 2 illustrates an example process 200 for implementing machine identify firewall, according to some example embodiments.
- process 200 can implement a bi-directional RPC-style channels within a uni-directional HTTPS tunnel. This model can be used for both locale and remote connectivity. Tunnel end points are at each application and with which to connect in a peer-to-peer format. Peer-to-peer communication channels lends itself well to both segmented and scalable implementation.
- process 200 can implement a proxy authentication and stream-binder on behalf of entities which cannot embed a native-tunnel endpoints.
- the proxy end points convert one authentication format to another and bridges one communication path to the next. This can be used for an implementation in brownfield environments (e.g. an asset base of millions of machines, legacy applications, etc.).
- process 200 can implement key management infrastructure for security key management. This can eliminate IT department's overhead associated with it.
- process 200 can implement a stream firewall.
- the stream firewall provides access control on a segmented per-stream basis (e.g. a human access stream, an application stream for each end device, etc.).
- data diodes are hardware devices used in an industrial environment to restrict and guarantee flow of information one way.
- data diodes can be used for data extraction from critical infrastructure devices while eliminating the risk of malware traversing in the opposite direction into those devices.
- Applications can be hosted in a cloud-computing platform and similar semantics may not be available across a WAN/Internet when devices connect to the remote applications.
- FIG. 3 illustrates an example process 300 for implementing a WAN data diode with the same uni-directional semantics, according to some embodiments.
- process 300 can implement a WAN data diode with uni-directional semantics.
- process 300 can provide symmetric key encryption semantics to extend the WAN data diode securely across a specified WAN.
- a semantic network can be a knowledge base that represents semantic relations between concepts in a network (e.g. in terms of a diode semantic, a secure proxy semantic, etc.).
- process 300 can implement this through data diode proxies in either end of the point to point WAN link.
- a point-to-point WAN link can provide basic network connectivity between two sites, for example.
- the proxies at both ends communicate with each other across the WAN via an encapsulating Uni-directional protocol.
- Bi-directional protocols such as TCP is inherently is bi-directional (e.g. with Acks flowing the other direction).
- the WAN communication employ a uni-directional protocol in step 308 .
- An example uni-directional protocol can include UDP.
- Process 300 can pack/unpack the data formats into the uni-directional protocol encapsulation.
- the data diode proxies terminate data channels on either end and/or transport requisite information across the WAN over this pre-agreed upon uni-directional protocol.
- This change in carrier can be used to eliminate direct communication between the two ends (e.g. a device end and application end) and thereby enforcing both a diode semantic and a secure proxy semantic (e.g. including additional encryption).
- FIG. 4 illustrates an example process 400 for implementing an automatic centralized firewall for industrial IOT WAN fabric, according to some embodiments.
- Process 400 can provide a centralized cloud-managed auto-learning micro-network firewalls for large scale WAN distributed machine and application networks.
- process 400 provides that the automatic centralized firewall strictly operates in a white-listed manner.
- process 400 automatically discovers various subnet end points and their network address ranges for each network.
- process 400 creates flow rules at both ends of the network. This can be from the machine network end and from the remote access networks.
- process 400 implements a bookended firewall.
- Process 400 can eliminate DDOS of the WAN fabric while providing appropriate access control to machines and applications.
- Process 400 can have a low rollout and low deployment costs.
- Process 400 can be implemented with COTS hardware.
- Process 400 can centralize control and distributes enforcement.
- Process 400 can provide both firewall and DDOS protection at the same time.
- FIG. 5 illustrates an example process 500 for implementing application migration across the wan, according to some embodiments.
- Process 500 provides a mechanism for secure application migration.
- Process 500 can leverage the same channels used to migrate data securely.
- Process 500 can automatically reuse cloud-based applications at an edge device and vice versa.
- Process 500 can implement application migration in an industrial context.
- process 500 can migrate Windows®-based applications from a factory floor to a central DC/Cloud platform.
- process 500 can migrate cloud-native microservices applications to edge device.
- Process 500 does not mandate changes/rewrite of the applications.
- Process 500 does not implement invasive changes to network planning or configuration.
- Process 500 can provide OT-Proxies integrated with edge compute system to facilitate migration of applications across the WAN.
- Process 500 can facilitate the management and operations of such applications is the separation of the infrastructure layer from the Application runtime.
- Process 500 provides a multi-tenant management such that the data scientist can own and manage the application without having to take on additional ownership and management overhead of the infrastructure in the factory floor (e.g. can be left to the network and security teams, etc.).
- FIG. 6 illustrates an example process 600 for zero touch plumbing of independent private networks for scalable hub and spoke IIoT deployments (e.g. discovery and mutual Static Network Address Translation (SHA1)/GNAT).
- process 600 can discover a subnet addressing across two networks.
- process 600 can automatically configure representational address to plumb machines to central applications.
- Process 600 provides a scalable deployment model for IPv4 based large scale building networks.
- Process 600 can represent remote networks differently.
- Process 600 can prevent/reduce cost of forklift upgrade to IPv6 for scale.
- Late binding labels for rapid deployment at scale can be implemented. This can be done by decoupling actual resources from configuration schemas to allow for late bind deployments.
- Per machine independent keys for data plane and management plane can be implemented.
- Edge strategy can be implemented to solve this problem in locations where physical device security is solved as opposed to per device keys.
- Machine management can be decoupled from data acquisition. There can be complete separation of the operation plane and data plane.
- OT-Proxies for IIoT can be provided as a secure model for onboarding air-gapped brownfield assets to the Internet/WAN.
- the various operations, processes, and methods disclosed herein can be embodied in a machine-readable medium and/or a machine accessible medium compatible with a data processing system (e.g., a computer system), and can be performed in any order (e.g., including using means for achieving the various operations). Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.
- the machine-readable medium can be a non-transitory form of machine-readable medium.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
Disclosed herein are various systems, apparatuses, software, and methods relating to data diode-TCP proxy with a User Datagram Protocol (UDP) across a wide area network (WAN) providing a WAN data diode using a uni-directional semantics protocol, providing a set of data diode proxies in either end of a point-to-point WAN link, providing a symmetric key encryption semantics to extend the WAN data diode securely across a WAN that is specified, wherein the symmetric key encryption semantics are implemented through the set of data diode proxies on either end of the point-to-point WAN link, employing a unidirectional protocol in communication transmitted using the WAN and, with data diode proxies, terminating one or more data channels on either end of the point-to-point WAN link or transporting a requisite information across the WAN over the uni-directional protocol.
Description
- This application is a continuation of U.S. application Ser. No. 16/876,115, titled METHODS AND SYSTEMS OF A SOFTWARE DATA DIODE-TCP PROXY WITH UDP ACROSS A WAN, and filed 18 May 2020, which is a continuation of U.S. Application No. 1685525, titled METHODS AND SYSTEMS OF A MACHINE ACCESS FIREWALL filed on 22 Apr. 2020. U.S. Application No. 1685525 claims priority to U.S. Provisional Application No. 62/837,038, titled METHODS AND SYSTEMS OF A HYBRID-CLOUD OT NETWORK filed on 22 Apr. 2019. These applications are incorporated by reference in their entirety.
- This application relates generally to computer networking, and more specifically to a system, article of manufacture and method for implementing a software data diode-TCP proxy with UDP across a WAN.
- Machines are used in everyday manufacturing, building automation and industrial automation tasks. For security reasons, access to these machines may be restricted to local physical access (e.g. air-gapped). There is a need to reduce costs of machine operations. A model of choice is to do so remotely either via Internet or Private WAN Network. Security by isolation may be prohibitively expensive for this class of application. Traditional IT-Based remote connectivity technologies such as VPN and agent-based solutions have been designed for office and date center and site-to-site environments and does not operationally scale to be developed and managed in a distributed non—IT enabled environments. The control plane overhead on maintaining the Privacy and Authentication aspects of the security is so expensive that largely that is left unmanaged—leading to loss of date plane security to inadequate management
- Moreover; data diodes are generally hardware devices used in the industrial environment to restrict and guarantee flow of information one way. Typically, this is used for data extraction from critical infrastructure devices while eliminating the risk of malware traversing in the opposite direction into those devices. Applications are often being hosted in the cloud and similar semantics is currently not available across the WAN/Internet when devices connect to the remote applications.
- In one aspect, a computerized method for implementing a software data diode-TCP proxy with a User Datagram Protocol (UDP) across a wide area network (WAN) comprising. The method includes the step of providing a WAN data diode using a uni-directional semantics protocol. The method includes the step of providing a set of data diode proxies in either end of a point-to-point WAN link. The method includes the step of providing a symmetric key encryption semantics to extend the WAN data diode securely across a specified WAN, wherein the symmetric key encryption semantics are implemented through the set of data diode proxies on either end of the point-to-point WAN link. The method includes the step of employing a uni-directional protocol in the WAN communication. The method includes the step of, with data diode proxies, terminating one or more data channels on either end of the point-to-point WAN link or transporting a requisite information across the WAN over the uni-directional protocol.
-
FIG. 1 illustrates an example process for implementing a hybrid-cloud OT network, according to some embodiments. -
FIG. 2 illustrates an example process for implementing OT-Proxies, according to some example embodiments. -
FIG. 3 illustrates an example process for implementing a WAN data diode with the same uni-directional semantics, according to some embodiments. -
FIG. 4 illustrates an example process for implementing an automated centralized firewall for industrial IOT wan fabric, according to some embodiments. -
FIG. 5 illustrates an example process for implementing application migration across the wan, according to some embodiments. -
FIG. 6 illustrates an example process for zero touch plumbing of independent private networks for scalable hub and spoke IIoT deployments. - The Figures described above are a representative set and are not an exhaustive with respect to embodying the invention.
- Disclosed are a system, method, and article of manufacture of a software data diode-TCP proxy with UDP across a WAN. the following description is presented to enable a person of ordinary skill in the art to make and use the various embodiments. Descriptions of specific devices, techniques, and applications are provided only as examples. Various modifications to the examples described herein can be readily apparent to those of ordinary skill in the art, and the general principles defined herein may be applied to other examples and applications without departing from the spirit and scope of the various embodiments.
- Reference throughout this specification to “one embodiment,” “an embodiment,” ‘one example,’ or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment,” “in an embodiment,” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.
- Furthermore, the described features, structures, or characteristics of the invention may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided, such as examples of programming, software modules, user selections, network transactions, database queries, database structures, hardware modules, hardware circuits, hardware chips, etc., to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art can recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, materials, and so forth. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
- The schematic flow chart diagrams included herein are generally set forth as logical flow chart diagrams. As such, the depicted order and labeled steps are indicative of one embodiment of the presented method. Other steps and methods may be conceived that are equivalent in function, logic, or effect to one or more steps, or portions thereof, of the illustrated method. Additionally, the format and symbols employed are provided to explain the logical steps of the method and are understood not to limit the scope of the method. Although various arrow types and line types may be employed in the flow chart diagrams, and they are understood not to limit the scope of the corresponding method. Indeed, some arrows or other connectors may be used to indicate only the logical flow of the method. For instance, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the depicted method. Additionally, the order in which a particular method occurs may or may not strictly adhere to the order of the corresponding steps shown.
- Example definitions for some embodiments are now provided.
- Data diode can be a network appliance or device that allows data to travel in only one direction.
- Destination network address translation (DNAT) is a technique for transparently changing the destination IP address of an end route packet and performing the inverse function for any replies. Any router situated between two endpoints can perform this transformation of the packet.
- Edge device is a device which provides an entry point into differently managed enterprise or service provider core networks, such as, inter alia: such as an enterprise IT network or Service Provider Core network. Examples include routers, routing switches, integrated access devices (IADs), multiplexers, and a variety of metropolitan area network (MAN) and wide area network (WAN) access devices. Edge devices also provide connections into carrier and service provider networks or connections between OT and Enterprise IT networks.
- Industrial Internet of Things (IIoT) refers to interconnected sensors, instruments, and other devices networked together with computers' industrial applications, including, but not limited to, manufacturing and energy management. This connectivity enables data collection, exchange and analysis, potentially facilitating improvements in productivity and efficiency as well as other economic benefits.
- Internet of things (IoT) extends Internet connectivity into physical devices and various objects. Embedded with electronics, Internet connectivity, and other forms of hardware (e.g. sensors), these devices can communicate and interact with others over the Internet, and they can be remotely monitored and controlled.
- Key management refers to management of cryptographic keys in a cryptosystem. This can include dealing with the generation, exchange, storage, use, crypto-shredding (e.g. destruction) and replacement of keys. It can include cryptographic protocol design, key servers, user procedures, and/or other relevant protocols.
- Operational Technology (OT) includes the hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices.
- Operational Technology (OT) Proxies are boundary devices which implement and enforces the necessary protocol translation and security semantics needed for interconnected OT network elements (devices and applications) to talk to each other, often through and over a different network—such as an Enterprise IT network or third-party carrier and service provider networks.
- Proxy authentication can serve as access-control. Proxy authentication can provide a mechanism that blocks requests for content until a valid access-permission credentials to the proxy is provided.
- Remote procedure call (RPC) is when a computer program causes a procedure (e.g. subroutine) to execute in a different address space (e.g. on another computer on a shared network), which is coded as if it were a normal (e.g. local) procedure call, without the programmer explicitly coding the details for the remote interaction.
- Stream is a sequence of data elements made available over time.
- Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network.
- Tunneling protocol can be a communications protocol that allows for the movement of data from one network to another. It can involve allowing a private network communication to be sent across a public network.
- User Datagram Protocol (UDP) is one of the core members of the Internet protocol suite used by computer applications to send messages (e.g. datagrams) to other hosts on an Internet Protocol (IP) network. Prior communications are not required in order to set up communication channels or data paths.
-
FIG. 1 illustrates anexample process 100 for implementing a hybrid-cloud OT network, according to some embodiments. Instep 102,process 100 provides a hybrid-cloud OT network that can scale to n-number segmented communication channels (e.g. hundreds of thousands of segmented communication channels, etc.). Instep 104,process 100 can provide dynamic communication channels for hybrid-cloud OT network. These communication channels are not necessarily always-on. Instep 106,process 100 can implement geographic distribution of the hybrid-cloud OT network. For example, the hybrid-cloud OT network can be distributed to the geographic locations of machines, applications and humans. Instep 108,process 100 can implement auditable access control for hybrid-cloud OT network. This can be done for security and compliance. The hybrid-cloud OT network minimal operational overhead.Process 100 can connect OT networks in one location to those in other locations (e.g. a factory floor, building, public cloud, private data center, etc. - Machine Access Firewall: Comprehensive Access Control for Mission Critical Industrial Machines by Humans and Applications
- It is noted that OT-Proxies can be implemented. OT-Proxies provide a scalable solution and utilize a converged firewall. OT-Proxies can be used to connect people, applications and machines in a secure, controlled and auditable manner in a distributed, micro-network, multi-tenanted environment. OT-Proxies can be implemented in brownfield networks and/or device environments with no additional forklift upgrade of the already functional end devices and applications. In addition, OT-Proxies can increase operational efficiency of a system where the privacy and authentication aspects of security for the system are covered automatically.
- Example of OT technologies include, inter alia: converting one type of network (e.g. a serial network to ethernet) to another, converting Modbus based messages to time series based JSON messages, enforcing that only specific protocols are allowed and rest are blocked etc.
-
FIG. 2 illustrates anexample process 200 for implementing machine identify firewall, according to some example embodiments. Instep 202,process 200 can implement a bi-directional RPC-style channels within a uni-directional HTTPS tunnel. This model can be used for both locale and remote connectivity. Tunnel end points are at each application and with which to connect in a peer-to-peer format. Peer-to-peer communication channels lends itself well to both segmented and scalable implementation. - In
step 204,process 200 can implement a proxy authentication and stream-binder on behalf of entities which cannot embed a native-tunnel endpoints. The proxy end points convert one authentication format to another and bridges one communication path to the next. This can be used for an implementation in brownfield environments (e.g. an asset base of millions of machines, legacy applications, etc.). - In
step 206,process 200 can implement key management infrastructure for security key management. This can eliminate IT department's overhead associated with it. - In
step 208,process 200 can implement a stream firewall. The stream firewall provides access control on a segmented per-stream basis (e.g. a human access stream, an application stream for each end device, etc.). - Software Data Diode—TCP Proxy with UDP Across the WAN—Extending Conceptual Data Diodes Across the Internet
- It is noted that data diodes are hardware devices used in an industrial environment to restrict and guarantee flow of information one way. For example, data diodes can be used for data extraction from critical infrastructure devices while eliminating the risk of malware traversing in the opposite direction into those devices. Applications can be hosted in a cloud-computing platform and similar semantics may not be available across a WAN/Internet when devices connect to the remote applications.
-
FIG. 3 illustrates anexample process 300 for implementing a WAN data diode with the same uni-directional semantics, according to some embodiments. Instep 302,process 300 can implement a WAN data diode with uni-directional semantics. Instep 304,process 300 can provide symmetric key encryption semantics to extend the WAN data diode securely across a specified WAN. A semantic network can be a knowledge base that represents semantic relations between concepts in a network (e.g. in terms of a diode semantic, a secure proxy semantic, etc.). - In
step 306,process 300 can implement this through data diode proxies in either end of the point to point WAN link. A point-to-point WAN link can provide basic network connectivity between two sites, for example. The proxies at both ends communicate with each other across the WAN via an encapsulating Uni-directional protocol. Bi-directional protocols such as TCP is inherently is bi-directional (e.g. with Acks flowing the other direction). In order to eliminate any back channel, the WAN communication employ a uni-directional protocol instep 308. An example uni-directional protocol can include UDP.Process 300 can pack/unpack the data formats into the uni-directional protocol encapsulation. - In
step 310, the data diode proxies terminate data channels on either end and/or transport requisite information across the WAN over this pre-agreed upon uni-directional protocol. This change in carrier can be used to eliminate direct communication between the two ends (e.g. a device end and application end) and thereby enforcing both a diode semantic and a secure proxy semantic (e.g. including additional encryption). - Automatic Centralized Firewall for Industrial IOT WAN Fabric
-
FIG. 4 illustrates anexample process 400 for implementing an automatic centralized firewall for industrial IOT WAN fabric, according to some embodiments.Process 400 can provide a centralized cloud-managed auto-learning micro-network firewalls for large scale WAN distributed machine and application networks. Instep 402,process 400 provides that the automatic centralized firewall strictly operates in a white-listed manner. Instep 404,process 400 automatically discovers various subnet end points and their network address ranges for each network. Instep 406,process 400 creates flow rules at both ends of the network. This can be from the machine network end and from the remote access networks. Instep 408,process 400 implements a bookended firewall.Process 400 can eliminate DDOS of the WAN fabric while providing appropriate access control to machines and applications.Process 400 can have a low rollout and low deployment costs.Process 400 can be implemented with COTS hardware.Process 400 can centralize control and distributes enforcement.Process 400 can provide both firewall and DDOS protection at the same time. - Application Migration Across the WAN
-
FIG. 5 illustrates anexample process 500 for implementing application migration across the wan, according to some embodiments.Process 500 provides a mechanism for secure application migration.Process 500 can leverage the same channels used to migrate data securely.Process 500 can automatically reuse cloud-based applications at an edge device and vice versa.Process 500 can implement application migration in an industrial context. Instep 502,process 500 can migrate Windows®-based applications from a factory floor to a central DC/Cloud platform. Instep 504,process 500 can migrate cloud-native microservices applications to edge device.Process 500 does not mandate changes/rewrite of the applications.Process 500 does not implement invasive changes to network planning or configuration.Process 500 can provide OT-Proxies integrated with edge compute system to facilitate migration of applications across the WAN. - It is noted that application migration across the WAN (e.g. from factory to Cloud and vice versa) can be enforced without changes to management and ownership of the application.
Process 500 can facilitate the management and operations of such applications is the separation of the infrastructure layer from the Application runtime.Process 500 provides a multi-tenant management such that the data scientist can own and manage the application without having to take on additional ownership and management overhead of the infrastructure in the factory floor (e.g. can be left to the network and security teams, etc.). - Additional Methods and Systems
-
FIG. 6 illustrates anexample process 600 for zero touch plumbing of independent private networks for scalable hub and spoke IIoT deployments (e.g. discovery and mutual Static Network Address Translation (SHA1)/GNAT). Instep 602,process 600 can discover a subnet addressing across two networks. Instep 604,process 600 can automatically configure representational address to plumb machines to central applications.Process 600 provides a scalable deployment model for IPv4 based large scale building networks.Process 600 can represent remote networks differently.Process 600 can prevent/reduce cost of forklift upgrade to IPv6 for scale. - Late binding labels for rapid deployment at scale can be implemented. This can be done by decoupling actual resources from configuration schemas to allow for late bind deployments.
- Per machine independent keys for data plane and management plane can be implemented. Edge strategy can be implemented to solve this problem in locations where physical device security is solved as opposed to per device keys. Machine management can be decoupled from data acquisition. There can be complete separation of the operation plane and data plane.
- Risk mitigation and incremental migration of automation services to a cloud-platform can be provided. Single-click network sharing across disparate organizations/third parties and machine interfaces can be extended across untrusted networks. OT-Proxies for IIoT can be provided as a secure model for onboarding air-gapped brownfield assets to the Internet/WAN.
- Although the present embodiments have been described with reference to specific example embodiments, various modifications and changes can be made to these embodiments without departing from the broader spirit and scope of the various embodiments. For example, the various devices, modules, etc. described herein can be enabled and operated using hardware circuitry, firmware, software or any combination of hardware, firmware, and software (e.g., embodied in a machine-readable medium).
- In addition, it can be appreciated that the various operations, processes, and methods disclosed herein can be embodied in a machine-readable medium and/or a machine accessible medium compatible with a data processing system (e.g., a computer system), and can be performed in any order (e.g., including using means for achieving the various operations). Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense. In some embodiments, the machine-readable medium can be a non-transitory form of machine-readable medium.
Claims (2)
1. A computerized method for implementing a software data diode-TCP proxy with a User Datagram Protocol (UDP) across a wide area network (WAN) comprising:
providing a WAN data diode using a uni-directional semantics protocol;
providing a set of data diode proxies in either end of a point-to-point WAN link;
providing a symmetric key encryption semantics to extend the WAN data diode securely across a specified WAN, wherein the symmetric key encryption semantics are implemented through the set of data diode proxies on either end of the point-to-point WAN link;
employing a uni-directional protocol in the WAN communication; and
with data diode proxies, terminating one or more data channels on either end of the point-to-point WAN link or transporting a requisite information across the WAN over the uni-directional protocol.
2.-16. (canceled)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/807,669 US20230095354A1 (en) | 2019-04-22 | 2022-06-17 | Methods and systems of a software data diode-tcp proxy with udp across a wan |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201962837038P | 2019-04-22 | 2019-04-22 | |
US16/855,223 US20210044564A1 (en) | 2019-04-22 | 2020-04-22 | Methods and systems of a machine access firewall |
US16/876,115 US11394812B2 (en) | 2019-04-22 | 2020-05-18 | Methods and systems of a software data diode-TCP proxy with UDP across a WAN |
US17/807,669 US20230095354A1 (en) | 2019-04-22 | 2022-06-17 | Methods and systems of a software data diode-tcp proxy with udp across a wan |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/876,115 Continuation US11394812B2 (en) | 2019-04-22 | 2020-05-18 | Methods and systems of a software data diode-TCP proxy with UDP across a WAN |
Publications (1)
Publication Number | Publication Date |
---|---|
US20230095354A1 true US20230095354A1 (en) | 2023-03-30 |
Family
ID=74869939
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/876,115 Active US11394812B2 (en) | 2019-04-22 | 2020-05-18 | Methods and systems of a software data diode-TCP proxy with UDP across a WAN |
US17/807,669 Abandoned US20230095354A1 (en) | 2019-04-22 | 2022-06-17 | Methods and systems of a software data diode-tcp proxy with udp across a wan |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/876,115 Active US11394812B2 (en) | 2019-04-22 | 2020-05-18 | Methods and systems of a software data diode-TCP proxy with UDP across a WAN |
Country Status (1)
Country | Link |
---|---|
US (2) | US11394812B2 (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060195592A1 (en) * | 2005-02-28 | 2006-08-31 | Alcatel | HTTP use for bidirectional communication |
US20100290476A1 (en) * | 2009-05-18 | 2010-11-18 | Tresys Technology, Llc | One-Way Router |
US20150264056A1 (en) * | 2014-03-17 | 2015-09-17 | Saudi Arabian Oil Company | Systems, methods, and computer medium to securely transfer business transactional data between networks having different levels of network protection using barcode technology with data diode network security appliance |
US20170374027A1 (en) * | 2014-01-30 | 2017-12-28 | Sierra Nevada Corporation | Bi-directional data security for control systems |
US20190327086A1 (en) * | 2018-04-24 | 2019-10-24 | Bartosz Slowik | Reciprocal data mirror system and method of data security |
US20200033839A1 (en) * | 2017-03-31 | 2020-01-30 | Abb Schweiz Ag | Rule-based communicating of equipment data from an industrial system to an analysis system using uni-directional interfaces |
Family Cites Families (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020112181A1 (en) * | 2000-12-12 | 2002-08-15 | Smith Mark Elwin | Multilevel secure network access system |
US7486695B1 (en) | 2003-12-22 | 2009-02-03 | Sun Microsystems, Inc. | Method and apparatus for data communication tunneling channels |
US7603696B2 (en) | 2005-06-10 | 2009-10-13 | Intel Corporation | Hybrid distributed firewall apparatus, systems, and methods |
US20070022289A1 (en) | 2005-07-20 | 2007-01-25 | Mci, Inc. | Method and system for providing secure credential storage to support interdomain traversal |
US20100027563A1 (en) | 2008-07-31 | 2010-02-04 | Microsoft Corporation | Evolution codes (opportunistic erasure coding) platform |
US10177933B2 (en) | 2014-02-05 | 2019-01-08 | Apple Inc. | Controller networks for an accessory management system |
US9392053B2 (en) | 2014-02-21 | 2016-07-12 | Dell Products L.P. | Generic transcoding service with library attachment |
US11343226B2 (en) | 2016-02-26 | 2022-05-24 | Cable Television Laboratories, Inc. | Systems and methods for micro network segmentation |
US10243926B2 (en) | 2016-04-08 | 2019-03-26 | Cisco Technology, Inc. | Configuring firewalls for an industrial automation network |
ES2699202T3 (en) | 2016-09-06 | 2019-02-07 | Siemens Ag | Data processing system for data acquisition from a network of devices using remote platform gateways and method to operate a data processing system for data acquisition from a device network by remote platform gateways |
US10270745B2 (en) | 2016-10-24 | 2019-04-23 | Fisher-Rosemount Systems, Inc. | Securely transporting data across a data diode for secured process control communications |
US11258681B2 (en) | 2016-12-16 | 2022-02-22 | Nicira, Inc. | Application assessment and visibility for micro-segmentation of a network deployment |
US10038671B2 (en) | 2016-12-31 | 2018-07-31 | Fortinet, Inc. | Facilitating enforcement of security policies by and on behalf of a perimeter network security device by providing enhanced visibility into interior traffic flows |
US20190394170A1 (en) | 2017-02-27 | 2019-12-26 | Alireza Shameli-Sendi | Firewall rule set composition and decomposition |
US10785190B2 (en) | 2017-12-13 | 2020-09-22 | Adaptiv Networks Inc. | System, apparatus and method for providing a unified firewall manager |
WO2019123447A1 (en) | 2017-12-24 | 2019-06-27 | Arilou Information Security Technologies Ltd. | System and method for tunnel-based malware detection |
US20190260831A1 (en) | 2018-02-22 | 2019-08-22 | General Electric Company | Distributed integrated fabric |
US11057433B2 (en) | 2018-08-01 | 2021-07-06 | Jpmorgan Chase Bank, N.A. | System for and method of determining data connections between software applications |
US20210084012A1 (en) * | 2019-04-22 | 2021-03-18 | Ronald David Victor | Methods and systems of an automatic centralized firewall for industrial iot wan fabric |
-
2020
- 2020-05-18 US US16/876,115 patent/US11394812B2/en active Active
-
2022
- 2022-06-17 US US17/807,669 patent/US20230095354A1/en not_active Abandoned
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060195592A1 (en) * | 2005-02-28 | 2006-08-31 | Alcatel | HTTP use for bidirectional communication |
US20100290476A1 (en) * | 2009-05-18 | 2010-11-18 | Tresys Technology, Llc | One-Way Router |
US20170374027A1 (en) * | 2014-01-30 | 2017-12-28 | Sierra Nevada Corporation | Bi-directional data security for control systems |
US20150264056A1 (en) * | 2014-03-17 | 2015-09-17 | Saudi Arabian Oil Company | Systems, methods, and computer medium to securely transfer business transactional data between networks having different levels of network protection using barcode technology with data diode network security appliance |
US20200033839A1 (en) * | 2017-03-31 | 2020-01-30 | Abb Schweiz Ag | Rule-based communicating of equipment data from an industrial system to an analysis system using uni-directional interfaces |
US20190327086A1 (en) * | 2018-04-24 | 2019-10-24 | Bartosz Slowik | Reciprocal data mirror system and method of data security |
Also Published As
Publication number | Publication date |
---|---|
US11394812B2 (en) | 2022-07-19 |
US20210084124A1 (en) | 2021-03-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3522485B1 (en) | Application-aware firewall policy enforcement by data center controller | |
US10887220B2 (en) | Application identifier in service function chain metadata | |
EP3700132B1 (en) | Supporting compilation and extensibility on unified graph-based intent models | |
CN107409089B (en) | Method implemented in network engine and virtual network function controller | |
US10171590B2 (en) | Accessing enterprise communication systems from external networks | |
US20150049631A1 (en) | Topology aware provisioning in a software-defined networking environment | |
US20230254221A1 (en) | Model driven intent policy conflict detection and resolution through graph analysis | |
US11611474B2 (en) | Edge controller with network performance parameter support | |
JP5679343B2 (en) | Cloud system, gateway device, communication control method, and communication control program | |
US11178041B1 (en) | Service chaining with physical network functions and virtualized network functions | |
US11153228B1 (en) | Synchronizing device resources for element management systems | |
EP3952212B1 (en) | Using a programmable resource dependency mathematical model to perform root cause analysis | |
US20210084012A1 (en) | Methods and systems of an automatic centralized firewall for industrial iot wan fabric | |
EP3817293B1 (en) | Bulk discovery of devices behind a network address translation device | |
US20210044564A1 (en) | Methods and systems of a machine access firewall | |
US20240022537A1 (en) | Edge device for source identification using source identifier | |
US20230095354A1 (en) | Methods and systems of a software data diode-tcp proxy with udp across a wan | |
Nimkar et al. | Towards full network virtualization in horizontal IaaS federation: security issues | |
KR20170006950A (en) | Network flattening system based on sdn and method thereof | |
US11700181B2 (en) | Topology compiler for network management system | |
Lee et al. | Network Working Group I. Bryskin Internet-Draft Individual Intended status: Informational X. Liu Expires: September 10, 2020 Volta Networks | |
Rozanak et al. | I2NSF BOF S. Hares Internet-Draft Huawei Intended status: Standards Track H. Moskowitz Expires: December 7, 2015 HTT Consulting |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
AS | Assignment |
Owner name: CANTOR FITZGERALD SECURITIES, NEW YORK Free format text: SECURITY INTEREST;ASSIGNOR:VIEW, INC.;REEL/FRAME:065266/0810 Effective date: 20231016 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |