WO2015147799A2 - Trusted controller-agent communication - Google Patents
- Publication number
- WO2015147799A2, PCT/US2014/031695
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- agent
- properties
- controller
- communication
- state
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- the properties of the agent system can include, but are not limited to: an IP address, a MAC address, an OS version, an agent version, among other properties of the agent system.
- the properties of the agent system can be sent from the agent and received by the controller.
- the controller can then verify that the OS version and the agent version are compatible with the controller.
- the controller can verify the agent via the IP address and/or the MAC address. For example, the controller can compare the IP address and/or the MAC address with acceptable IP addresses and/or acceptable MAC addresses to see if the address is active or inactive. If the address is active a determination can be made to reject the communication with the agent and if the address is inactive a determination can be made to accept the communication with the agent.
- a unique identifier e.g., token universal unique identifier, token ID, etc.
- Verifying the agent system properties ensures that the communication is with a correct agent system and prevents communication with an incorrect agent, thereby providing an additional layer of security via adding additional layer 4 security (e.g., Layer 4 protocol according to OSI).
- Figures 1 and 2 illustrate examples of system 100 and computing device 214 according to the present disclosure.
- Figure 1 illustrates a diagram of an example of a system 100 for trusted controller-agent communication according to the present disclosure.
- the system 100 can include a database 104, trusted controller-agent communication system 102, and/or a number of engines 106, 108, 110, 112.
- the trusted controller-agent communication system 102 can be in communication with the database 104 via a communication link, and can include the number of engines (e.g., request engine 106, verification engine 108, identification engine 110, and/or connection engine 112).
- the trusted controller-agent communication system 102 can include additional or fewer engines than are illustrated to perform the various functions described herein.
- the number of engines 106, 108, 110, 112 can include a combination of hardware and programming that is configured to perform a number of functions described herein (e.g., receive a communication request from an agent and to receive properties from the agent, compare the received properties with a table of properties associated with authorized agents, assign a unique identifier to the agent system if the properties of the agent are verified, establish communication between the agent and a controller, etc.).
- the programming can include program instructions (e.g., software, firmware, etc.) stored in a memory resource (e.g., computer readable medium, machine readable medium, etc.) as well as hard-wired program (e.g., logic).
- the request engine 106 can include hardware and/or a combination of hardware and programming to receive a communication request from an agent (e.g., agent system) and to receive properties from the agent.
- Requesting properties of the agent system can include requesting properties such as: an IP address assigned to the agent system, a MAC address assigned to the agent system, an operating system (OS) version of the agent system, an agent software version, and/or an existing agent identification.
- the request engine can request the properties of the agent system via a layer 4 OSI protocol.
- the verification engine 108 can include hardware and/or a combination of hardware and programming to compare the received properties with a table of properties associated with authorized agents. Verifying the properties of the agent system can include comparing the properties of the agent system to a table that includes authorized agent systems and corresponding properties of the authorized agent systems within a database (e.g., database 104).
- the database 104 can include a table of supported properties.
- the database 104 can include a table of operating systems (OS) that are supported by the controllers of a cloud computing network.
- the database 104 can include a table of agent software versions that are supported by the controllers of the cloud computing network.
- the identification engine 110 can include hardware and/or a
- the unique identifier can include a universal unique identifier (UUID) and/or a token ID.
- the unique identifier can be used to identify an agent system as an authorized agent system (e.g., correct agent for corresponding communication, etc.).
- connection engine 112 can include hardware and/or a combination of hardware and programming to establish communication between the agent system and a controller.
- the connection engine 112 can include hardware and/or a combination of hardware and programming to establish a secure communication connection (e.g., Hypertext Transfer Protocol Secure (HTTPS), etc.).
- the secure communication can be a secure layer 3 OSI protocol.
- Figure 2 illustrates a diagram of an example computing device 214 according to the present disclosure.
- the computing device 214 can utilize software, hardware, firmware, and/or logic to perform a number of functions described herein.
- the computing device 214 can be any combination of hardware and program instructions configured to share information.
- the hardware for example, can include a processing resource 216 and/or a memory resource 220 (e.g., computer-readable medium (CRM), machine readable medium (MRM), database, etc.).
- a processing resource 216 can include any number of processors capable of executing instructions stored by a memory resource 220. Processing resource 216 may be implemented in a single device or distributed across multiple devices.
- the program instructions can include instructions stored on the memory resource 220 and executable by the processing resource 216 to implement a desired function (e.g., receive a communication request from an agent and to receive properties from the agent, compare the received properties with a table of properties associated with authorized agents, assign a unique identifier to the agent system if the properties of the agent are verified, establish communication between the agent and a controller, etc.).
- the memory resource 220 can be in communication with a processing resource 216.
- a memory resource 220 can include any number of memory components capable of storing instructions that can be executed by processing resource 216.
- Such memory resource 220 can be a non-transitory CRM or MRM.
- Memory resource 220 may be integrated in a single device or distributed across multiple devices. Further, memory resource 220 may be fully or partially integrated in the same device as processing resource 216 or it may be separate but accessible to that device and processing resource 216.
- the computing device 214 may be implemented on a participant device, on a server device, on a collection of server devices, and/or a combination of the participant device and the server device.
- the memory resource 220 can be in communication with the processing resource 216 via a communication link (e.g., a path) 218.
- the communication link 218 can be local or remote to a machine (e.g., a computing device) associated with the processing resource 216.
- Examples of a local communication link 218 can include an electronic bus internal to a machine (e.g., a computing device) where the memory resource 220 is one of volatile, non-volatile, fixed, and/or removable storage medium in communication with the processing resource 216 via the electronic bus.
- a number of modules 222, 224, 226, 228 can include CRI that when executed by the processing resource 216 can perform a number of functions.
- the number of modules 222, 224, 226, 228 can be sub-modules of other modules.
- the verification module 224 and the identification module 226 can be sub-modules and/or contained within the same computing device.
- the number of modules 222, 224, 226, 228 can comprise individual modules at separate and distinct locations (e.g., CRM, etc.).
- Each of the number of modules 222, 224, 226, 228 can include instructions that when executed by the processing resource 216 can function as a corresponding engine as described herein.
- the request module 222 can include instructions that when executed by the processing resource 216 can function as the request engine 106.
- the connection module 228 can include instructions that when executed by the processing resource 216 can function as the connection engine 112.
- FIG 3 is a diagram of an example of a cloud computing network 300 according to the present disclosure.
- the cloud computing network 300 can include a number of controllers 332-1, 332-N (e.g., network controllers, etc.).
- the controllers 332-1, 332-N can be communicatively coupled via communication pathways 336-1, 336-2, 336-N to a number of agent systems 334-1, 334-2, 334-N (e.g., agents, systems, computing systems, programmable instructions stored in memory, etc.).
- An agent within each of the number of agent systems 334-1, 334-2, 334-N can include computer readable instructions (e.g., code, software instructions) that can be stored in memory and executed by a processing resource in a network attached device (e.g., controller, agent system, computing device, etc.). That is, an agent A can be stored in memory on agent system A 334-1. In some embodiments, the agent can be assigned an address (e.g., MAC address, IP address, etc.).
- Each agent system can include a number of properties such as: an IP address assigned to the agent system, a MAC address assigned to the agent system, an operating system (OS) version of the agent system, an agent software version, and/or an existing agent identification.
- the properties of each agent system can be configured by a user.
- the properties of multiple agent systems can be configured incorrectly.
- the agent system can be misconfigured and/or configured with a duplicate configuration to a different agent system.
- agent system 334-1 can be incorrectly configured with the same properties as agent system 334-2.
- controller 332-1 may not be able to distinguish between agent system 334-1 and agent system 334-2. That is, the controller 332-1 could receive a communication request from agent system 334-1 via pathway 336-1 and incorrectly establish a communication session and/or send data
- the controller 332-1 can establish a secure connection with the agent system 334-2 via a layer 3 OSI protocol, however the communication can still be compromised since it is being sent to the incorrect agent system.
- a controller 332-1, 332-N can verify the properties of an agent system 334-1, 334-2, 334-N before establishing
- Verifying the properties via a layer 4 OSI protocol of the agent system 334-1, 334-2, 334-N can prevent communication with an incorrect agent system 334-1, 334-2, 334-N. Verifying the properties of the agent system 334-1, 334-2, 334-N can add an additional layer of security to the communication between controllers 332-1, 332-N and agent systems 334-1, 334-2, 334-N.
- the communication can include security (e.g., secure connection) at the network layer (e.g., layer 3 OSI protocol) by utilizing a secure communication protocol (e.g., HTTPS, etc.), but additional security can be added to the transport layer (e.g., layer 4 OSI protocol) by verifying the properties of the agent system 334-1, 334-2, 334-N to ensure that the communication is being sent to the correct agent system 334-1, 334-2, 334-N.
- Figure 4 is a process 440 for trusted controller-agent communication according to the present disclosure.
- the process 440 can be utilized to verify the properties of an agent system (e.g., agent system 334-1, 334-2, 334-N as referenced in Figure 3) prior to establishing a communication session with the agent system.
- the process 440 can ensure that communication is sent to a correct agent system and not additionally or alternatively sent to an incorrect agent system that is misconfigured and/or has a duplicate configuration with the correct agent system.
- the process 440 can begin at box 442 where an agent (e.g., agent system) initiates communication with a controller.
- the agent can initiate
- the communication request can include a number of properties of the agent system.
- the number of properties can include: an IP address assigned to the agent system, a MAC address assigned to the agent system, an operating system (OS) version of the agent system, an agent software version, and/or an existing agent identification.
- the communication request does not include the number of properties of the agent system.
- a request from the controller can be sent to the agent.
- the agent can send the number of properties to the controller for verification.
- a determination can be made by a controller to determine whether the operating system (OS) version is supported by the controller.
- An operating system can include a collection of software modules that manage computer hardware. Examples of operating systems include, but are not limited to: Microsoft Windows®, iOS®, Linux®, among other operating systems for various devices.
- the determination at box 444 can compare the operating system of the agent system to a table of acceptable and/or compatible operating systems. If the operating system of the agent system is not supported by the controller, the controller can reject the agent system communication at box 458. If the operating system of the agent system is supported by the controller, the controller can determine if the agent version is supported at box 446.
- a determination can be made by a controller to determine whether the agent version of software stored in the agent system is supported by the controller.
- a version of the software stored in the agent system can include a specified version, wherein only agent systems with the specified version of the software are allowed to establish communication sessions with a controller. That is, each agent system that is authorized to communicate with a number of controllers can include the same and/or a particular software version. If a determination is made by the controller that the agent version of the software is not a version of the software that is supported by the controller and/or that the agent version of the software is not an authorized version of the agent software, the controller can reject the agent communication at box 458. If a determination is made that the agent version of the software is supported by the controller and/or that the agent version of the software is an authorized version of the agent software, the process can move to box 448.
- a determination can be made by the controller to determine if there is a current unique identifier and/or a current token ID associated with the agent system.
- an agent system can include an existing token ID that can be used to verify that the agent is authorized to receive
- the controller can verify the existing token ID to determine if the existing token ID is a valid token ID. If it is determined that the existing token ID is not a valid token ID, the controller can reject the agent communication at box 458. If, however, it is determined that the existing token ID is a valid token ID, the controller can establish communication with the agent at box 452.
- the agent system does not include an existing token ID or does not include a currently valid token ID. If the agent system does not include an existing token ID the process 440 can move to box 454. At box 454 a determination can be made by the controller to determine a state of the agent system.
- the state of the agent system can include whether or not the properties of the agent system currently exist within a table of authorized agent systems. For example, the properties of the agent system can be compared to a table of agent systems that are authorized to communicate with the controller, wherein the table includes corresponding properties for each agent system that is currently
- the agent system can be designated as being active or inactive.
- An active state can be designated when an agent system with the same properties is currently communicating with a controller within the cloud computing network. If an agent system is designated as active, a determination can be made that the agent system includes properties that are the same as a different agent system that is currently communicating with either the same and/or different controller within the cloud computing network. If a determination is made by the controller that the agent system is active and therefore has duplicate properties to a different agent system that has an established communication session, the controller can reject the agent communication.
- Communication with an incorrect agent system can be prevented by rejecting communication with agent systems that include the same properties and/or misconfigured properties as a different agent system (e.g., duplicate properties, misconfigured properties, etc.). It can be determined by the controller that the agent system with the duplicate properties is misconfigured and attempts at communicating with the agent system comprising the misconfigured properties can lead to
- a first agent system and a second agent system can be separate and distinct agent systems.
- the first agent system and the second agent system comprise the same system properties as described herein, due to a misconfiguration.
- the first agent system can be in a communication session with a first controller.
- the second agent system can be
- the communication session can be rejected at 458. It can be important to reject the communication session of the second agent system. For example, if the controller established the communication session, the controller may be unable to distinguish between the first agent system and the second agent system. Being unable to distinguish between agent systems can lead to communication packets (e.g., data packets, etc.) that are intended for the second agent system to be sent to the first agent system. In some cases, secure information that is meant for the second agent system can be sent to the first agent system causing secured information to be sent to an incorrect agent system.
- the token ID can be requested by the controller via a representational state transfer (REST) communication interface over a secure socket layer (SSL) and the properties relating to the agent system are requested via a transport layer communication (e.g., layer 4 open systems interconnection (OSI) protocol).
- a controller can determine if the properties of the agent are supported by the controller using a layer 4 open systems interconnection (OSI) protocol in a network. That is, a secure connection can be established utilizing a layer 3 OSI protocol (e.g., network layer, Layer 3 OSI protocol, etc.) and the properties of the agent can be verified utilizing a layer 4 OSI protocol (e.g., transport layer).
- the controller can analyze and verify that the properties of the agent system are not the same as properties of a different agent system that is currently communicating with a controller of the cloud
- various features of the properties can be transferred and/or received by the controller via a layer 3 OSI protocol, however, as described herein, one of skill in the art would appreciate that layer 3 OSI protocol may not allow for the verification of the agent system properties. That is, some properties of an agent system may be included in a header (e.g., supplemental data added to a beginning of a block of data and/or data packet, etc.), but the properties included in the header are not verified via a layer 4 OSI protocol. Thus, utilizing layer 3 OSI protocol to communicate some properties of the agent system is not sufficient to verify that the properties of the agent system are not the same as the properties of a different agent system that is currently in a communication session with a controller of the cloud computing network.
- a unique identifier (e.g., universal unique ID (UUID), token ID, etc.) can be generated and assigned to the agent system.
- token ID can be utilized by the agent system to perform a number of transactions during a communication session.
- the unique identifier can be generated and assigned to the agent system when it is determined that the agent is "trusted". As described further herein, it can be determined that the agent is "trusted" by comparing the properties of the agent system to properties of other agent systems currently communicating with controllers of the cloud computing network. If it is determined that the agent system is not active or inactive, it can be determined that the agent system is a trusted agent.
- the process 440 can be utilized to verify that communication between a controller and an agent system is performed correctly and/or securely. That is, by verifying the properties of the agent system via a layer 4 OSI protocol it can be determined that a particular agent system from a plurality of agent systems is the intended agent system for a particular communication session. Communication between a controller and an intended agent system can be verified by rejecting communication sessions from agent systems that have active states based on the properties of the agent system. That is, communication being sent to an intended agent system can be verified by verifying that there is only one agent system with a particular set of system properties in communication with controllers of a cloud computing network.
- FIG. 5 is a flow chart of an example of a method 560 for trusted controller-agent communication according to the present disclosure.
- Trusted controller-agent communication can include verifying that there is only a single agent system that comprises a particular set of system properties. The verification of system properties can ensure that a message is not sent or a communication session is not established with an agent system that has a duplicate set of system properties as the intended agent system.
- the method 560 can include determining if properties relating to an agent system are supported by a network controller. Determining if properties relating to an agent system are supported by the network controller can include determining if the operating system (OS) of the agent system is supported by the network controller.
- determining if properties relating to an agent system are supported by the network controller can include determining if an agent version of the software is supported by the network controller. In addition, or alternatively, a determination can be made for other system properties of the agent system to determine if the agent system is active or inactive. As described herein, the agent system can be determined to be active when an agent system that includes the same system properties is currently in communication with a network controller within the cloud computing network. In addition, the agent system can be determined to be inactive when there is not an agent system that includes the same system properties currently in communication with a network controller within the cloud computing network.
- the method 560 can include assigning a token ID to the agent system if the properties relating to the agent system are supported by the network controller and if a state of the agent system is determined to be inactive. Assigning a token ID can include assigning a universal unique identification (UUID) token ID or similar identification token that can be utilized by the agent system to ensure secure communication between the network controller and the agent system.
- the method 560 can include verifying that the agent system includes a token ID.
- the token ID can be verified by the controller before establishing communication with an agent system.
- the token ID can be compared to a table of acceptable token IDs.
- the method 560 can include establishing communication between the agent system and the network controller based on a verification of the assigned token ID.
- the controller can establish a
- the communication session can include a plurality of transactions.
- the plurality of transactions can include data packets that are transferred between the network controller and the agent system.
- the method 560 can provide additional security (e.g., layer 4 OSI security) to a network (e.g., cloud network) by verifying the system properties of the agent systems to verify that there are no misconfigured and/or duplicate agent systems that can establish a communication session with a controller.
- logic is an alternative or additional processing resource to perform a particular action and/or function, etc., described herein, which includes hardware, e.g., various forms of transistor logic, application specific integrated circuits (ASICs), etc., as opposed to computer executable instructions, e.g., software, firmware, etc., stored in memory and executable by a processor.
- a number of something can refer to one or more such things.
- a number of widgets can refer to one or more widgets.
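
The decision flow of process 440 described above (OS check at box 444, agent version check at box 446, token check at box 448, state check at box 454, rejection at box 458) can be sketched as controller-side code. This is an added example, not code from the patent: the class and method names, the choice of IP plus MAC address as the duplicate-detection key, and the sample agents are assumptions made for illustration.

```python
import uuid
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class AgentProperties:
    ip: str
    mac: str
    os_version: str
    agent_version: str
    token_id: Optional[str] = None  # "existing agent identification", if any

    def identity(self):
        # Assumption: IP + MAC are the properties compared for duplicates.
        return (self.ip, self.mac.lower())


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    token_id: Optional[str] = None


class Controller:
    """Hypothetical controller holding the tables the description refers to."""

    def __init__(self, supported_os, supported_agent_versions):
        self.supported_os = set(supported_os)
        self.supported_agent_versions = set(supported_agent_versions)
        self.tokens = {}     # table of acceptable token IDs -> agent identity
        self.active = set()  # identities currently in a communication session

    def admit(self, props: AgentProperties) -> Decision:
        # Box 444: is the agent's OS version supported?
        if props.os_version not in self.supported_os:
            return Decision(False, "os_unsupported")
        # Box 446: is the agent software version supported?
        if props.agent_version not in self.supported_agent_versions:
            return Decision(False, "agent_version_unsupported")
        # Box 448: an existing token is checked against the token table.
        if props.token_id is not None:
            if props.token_id not in self.tokens:
                return Decision(False, "token_invalid")
            self.active.add(props.identity())
            return Decision(True, "token_valid", props.token_id)
        # Box 454: "active" means the same properties are already in a session.
        if props.identity() in self.active:
            return Decision(False, "duplicate_active")
        # Inactive and supported: generate and assign a UUID token.
        token = str(uuid.uuid4())
        self.tokens[token] = props.identity()
        self.active.add(props.identity())
        return Decision(True, "token_assigned", token)

    def end_session(self, props: AgentProperties) -> None:
        self.active.discard(props.identity())


def demo():
    """Run constructed agents through the flow; returns the decision reasons."""
    ctl = Controller({"Linux 3.13"}, {"2.1"})
    agent_a = AgentProperties("192.0.2.10", "02:00:00:00:00:0a", "Linux 3.13", "2.1")
    # A second, misconfigured system carrying the same IP and MAC address.
    clone = AgentProperties("192.0.2.10", "02:00:00:00:00:0A", "Linux 3.13", "2.1")
    old_os = AgentProperties("192.0.2.11", "02:00:00:00:00:0b", "Linux 2.6", "2.1")

    first = ctl.admit(agent_a)
    reasons = [first.reason, ctl.admit(clone).reason, ctl.admit(old_os).reason]

    with_token = replace(agent_a, token_id=first.token_id)
    reasons.append(ctl.admit(with_token).reason)
    unknown = replace(agent_a, token_id=str(uuid.uuid4()))  # not in the table
    reasons.append(ctl.admit(unknown).reason)

    ctl.end_session(agent_a)
    reasons.append(ctl.admit(clone).reason)  # state is now inactive
    return reasons


if __name__ == "__main__":
    print(demo())
```

The last step shows a property of the scheme as described: the state check only catches a duplicate while the other system's session is active, so the misconfigured system is admitted once that session has ended.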
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
In one implementation, a system for trusted controller-agent communication includes a request engine to receive a communication request from an agent and to receive properties from the agent. In addition, the system includes a verification engine to compare the received properties with a table of properties associated with authorized agents. In addition, the system includes an identification engine to assign a unique identifier to the agent if the properties of the agent are verified. Furthermore, the system includes a connection engine to establish communication between the agent and a controller.
Description
TRUSTED CONTROLLER-AGENT COMMUNICATION
Background
[0001] Computing networks can include multiple computing devices such as servers, desktop PCs, laptops, and workstations, among other peripheral devices, (e.g., printers, facsimile devices, and scanners) networked together across a local area network (LAN) and/or wide area network (WAN). A LAN and/or WAN uses clients and servers that have network-enabled operating systems such as Windows, Mac, Linux, and Unix. Cloud computing can utilize a LAN and/or WAN to run programs and/or applications on a plurality of connected computing devices at the same time.
Brief Description of the Drawings
[0002] Figure 1 illustrates a diagram of an example of a system for trusted controller-agent communication according to the present disclosure.
[0003] Figure 2 illustrates a diagram of an example computing device according to the present disclosure.
[0004] Figure 3 is a diagram of an example of a cloud computing network according to the present disclosure.
[0005] Figure 4 is a process for trusted controller-agent communication according to the present disclosure.
[0006] Figure 5 is a flow chart of an example of a method for trusted controller-agent communication according to the present disclosure.
Detailed Description
[0007] A computing network (e.g., cloud computing network, etc.) can utilize a plurality of computing resources to perform a number of functions. In various cloud computing networks a number of controllers (e.g., network controllers, server, computing device, etc.) can be utilized to designate tasks and/or communicate with agents (e.g., systems, localized instructions, agent systems, etc.). The communication between the number of controllers and the number of agents can be performed via a secure communication link (e.g., HTTPS, SSL, secure layer 3 communication, etc.) to ensure that the communication is private (e.g., not accessible to other network devices, not accessible to other users, etc.) between the number of controllers and a corresponding agent.
[0008] In cloud computing networks a plurality of agents can be communicating with a single controller. When a single controller is communicating with a plurality of agents, it can be important to identify and verify that a correct agent is establishing the communication and that responses to the communication are sent to the correct agent. Verifying that the correct agent is establishing the communication and that the correct agent is receiving the communication can be crucial to the security of the communication. For example, an agent that is misconfigured or a duplicate agent can be sent information from the controller mistakenly if the properties of the agent system are not verified by the controller.
[0009] The properties of the agent system can include, but are not limited to: an IP address, a MAC address, an OS version, an agent version, among other properties of the agent system. The properties of the agent system can be sent from the agent and received by the controller. The controller can then verify that the OS version and the agent version are compatible with the controller. In addition, the controller can verify the agent via the IP address and/or the MAC address. For example, the controller can compare the IP address and/or the MAC address with acceptable IP addresses and/or acceptable MAC addresses to see if the address is active or inactive. If the address is active, a determination can be made to reject the communication with the agent, and if the address is inactive, a determination can be made to accept the communication with the agent.
[0010] When the agent system is verified a unique identifier (e.g., token universal unique identifier, token ID, etc.) can be sent and/or assigned to the agent to confirm that communication between the agent and the controller is established. Verifying the agent system properties ensures that the communication is with a correct agent system and prevents communication with an incorrect agent, thereby providing an additional layer of security via adding additional layer 4 security (e.g., Layer 4 protocol according to OSI).
[0011] Figures 1 and 2 illustrate examples of system 100 and computing device 214 according to the present disclosure. Figure 1 illustrates a diagram of an example of a system 100 for trusted controller-agent communication according to the present disclosure. The system 100 can include a database 104, trusted controller-agent communication system 102, and/or a number of engines 106, 108, 110, 112. The trusted controller-agent communication system 102 can be in communication with the database 104 via a communication link, and can include the number of engines (e.g., request engine 106, verification engine 108, identification engine 110, and/or connection engine 112). The trusted controller-agent communication system 102 can include additional or fewer engines than are illustrated to perform the various functions described herein.
[0012] The number of engines 106, 108, 110, 112 can include a combination of hardware and programming that is configured to perform a number of functions described herein (e.g., receive a communication request from an agent and to receive properties from the agent, compare the received properties with a table of properties associated with authorized agents, assign a unique identifier to the agent system if the properties of the agent are verified, establish communication between the agent and a controller, etc.). The programming can include program instructions (e.g., software, firmware, etc.) stored in a memory resource (e.g., computer readable medium, machine readable medium, etc.) as well as hard-wired program (e.g., logic).
[0013] The request engine 106 can include hardware and/or a combination of hardware and programming to receive a communication request from an agent (e.g., agent system) and to receive properties from the agent. Requesting properties of the agent system can include requesting properties such as: an IP address assigned to the agent system, a MAC address assigned to the agent system, an operating system (OS) version of the agent system, an agent software version, and/or an existing agent identification. As described further herein, the request engine can request the properties of the agent system via a layer 4 OSI protocol.
[0014] The verification engine 108 can include hardware and/or a combination of hardware and programming to compare the received properties with a table of properties associated with authorized agents. Verifying the properties of the agent system can include comparing the properties of the agent system to a table that includes authorized agent systems and corresponding properties of the authorized agent systems within a database (e.g., database 104). In some embodiments, the database 104 can include a table of supported properties. For example, the database 104 can include a table of operating systems (OS) that are supported by the controllers of a cloud computing network. In another example, the database 104 can include a table of agent software versions that are supported by the controllers of the cloud computing network.
[0015] The identification engine 110 can include hardware and/or a combination of hardware and programming to assign a unique identifier to the agent if the properties of the agent are verified. The unique identifier can include a universal unique identifier (UUID) and/or a token ID. The unique identifier can be used to identify an agent system as an authorized agent system (e.g., correct agent for corresponding communication, etc.).
[0016] The connection engine 112 can include hardware and/or a combination of hardware and programming to establish communication between the agent system and a controller. The connection engine 112 can include hardware and/or a combination of hardware and programming to establish a secure communication connection (e.g., Hypertext Transfer Protocol Secure (HTTPS), etc.). As described herein, the secure communication can be a secure layer 3 OSI protocol.
[0017] Figure 2 illustrates a diagram of an example computing device 214 according to the present disclosure. The computing device 214 can utilize software, hardware, firmware, and/or logic to perform a number of functions described herein.
[0018] The computing device 214 can be any combination of hardware and program instructions configured to share information. The hardware, for example, can include a processing resource 216 and/or a memory resource 220 (e.g., computer-readable medium (CRM), machine readable medium (MRM), database, etc.). A processing resource 216, as used herein, can include any number of processors capable of executing instructions stored by a memory resource 220. Processing resource 216 may be implemented in a single device or distributed across multiple devices. The program instructions (e.g., computer readable instructions (CRI)) can include instructions stored on the memory resource 220 and executable by the processing resource 216 to implement a desired function (e.g., receive a communication request from an agent and to receive properties from the agent, compare the received properties with a table of properties associated with authorized agents, assign a unique identifier to the agent system if the properties of the agent are verified, establish communication between the agent and a controller, etc.).
[0019] The memory resource 220 can be in communication with a processing resource 216. A memory resource 220, as used herein, can include any number of memory components capable of storing instructions that can be executed by processing resource 216. Such memory resource 220 can be a non-transitory CRM or MRM. Memory resource 220 may be integrated in a single device or distributed across multiple devices. Further, memory resource 220 may be fully or partially integrated in the same device as processing resource 216 or it may be separate but accessible to that device and processing resource 216. Thus, it is noted that the computing device 214 may be implemented on a participant device, on a server device, on a collection of server devices, and/or a combination of the participant device and the server device.
[0020] The memory resource 220 can be in communication with the processing resource 216 via a communication link (e.g., a path) 218. The communication link 218 can be local or remote to a machine (e.g., a computing device) associated with the processing resource 216. Examples of a local communication link 218 can include an electronic bus internal to a machine (e.g., a computing device) where the memory resource 220 is one of volatile, non-volatile, fixed, and/or removable storage medium in communication with the processing resource 216 via the electronic bus.
[0021] A number of modules 222, 224, 226, 228 can include CRI that when executed by the processing resource 216 can perform a number of functions. The number of modules 222, 224, 226, 228 can be sub-modules of other modules. For example, the verification module 224 and the identification module 226 can be sub-modules and/or contained within the same computing device. In another example, the number of modules 222, 224, 226, 228 can comprise individual modules at separate and distinct locations (e.g., CRM, etc.).
[0022] Each of the number of modules 222, 224, 226, 228 can include instructions that when executed by the processing resource 216 can function as a corresponding engine as described herein. For example, the request module 222 can include instructions that when executed by the processing resource 216 can function as the request engine 106. In another example, the connection module 228 can include instructions that when executed by the processing resource 216 can function as the connection engine 112.
[0023] Figure 3 is a diagram of an example of a cloud computing network 300 according to the present disclosure. The cloud computing network 300 can include a number of controllers 332-1, 332-N (e.g., network controllers, etc.). The controllers 332-1, 332-N can be communicatively coupled via communication pathways 336-1, 336-2, 336-N to a number of agent systems 334-1, 334-2, 334-N (e.g., agents, systems, computing systems, programmable instructions stored in memory, etc.). An agent within each of the number of agent systems 334-1, 334-2, 334-N can include computer readable instructions (e.g., code, software instructions) that can be stored in memory and executed by a processing resource in a network attached device (e.g., controller, agent system, computing device, etc.). That is, an agent A can be stored in memory on agent system A 334-1. In some embodiments, the agent can be assigned an address (e.g., MAC address, IP address, etc.).
[0024] Each agent system can include a number of properties such as: an IP address assigned to the agent system, a MAC address assigned to the agent system, an operating system (OS) version of the agent system, an agent software version, and/or an existing agent identification. The properties of each agent system can be configured by a user.
[0025] In some cases, the properties of multiple agent systems can be configured incorrectly. For example, the agent system can be misconfigured and/or configured with a duplicate configuration to a different agent system. For example, agent system 334-1 can be incorrectly configured with the same properties as agent system 334-2. In this example, controller 332-1 may not be able to distinguish between agent system 334-1 and agent system 334-2. That is, the controller 332-1 could receive a communication request from agent system 334-1 via pathway 336-1 and incorrectly establish a communication session and/or send data packets/information to the agent system 334-2 via pathway 336-2. In this example, the controller 332-1 can establish a secure connection with the agent system 334-2 via a layer 3 OSI protocol, however the communication can still be compromised since it is being sent to the incorrect agent system.
[0026] As described further herein, a controller 332-1, 332-N can verify the properties of an agent system 334-1, 334-2, 334-N before establishing communication with the agent system 334-1, 334-2, 334-N. Verifying the properties via a layer 4 OSI protocol of the agent system 334-1, 334-2, 334-N can prevent communication with an incorrect agent system 334-1, 334-2, 334-N. Verifying the properties of the agent system 334-1, 334-2, 334-N can add an additional layer of security to the communication between controllers 332-1, 332-N and agent systems 334-1, 334-2, 334-N. That is, the communication can include security (e.g., secure connection) at the network layer (e.g., layer 3 OSI protocol) by utilizing a secure communication protocol (e.g., HTTPS, etc.), but additional security can be added to the transport layer (e.g., layer 4 OSI protocol) by verifying the properties of the agent system 334-1, 334-2, 334-N to ensure that the communication is being sent to the correct agent system 334-1, 334-2, 334-N.
[0027] Figure 4 is a process 440 for trusted controller-agent communication according to the present disclosure. The process 440 can be utilized to verify the properties of an agent system (e.g., agent system 334-1, 334-2, 334-N as referenced in Figure 3) prior to establishing a communication session with the agent system. The process 440 can ensure that communication is sent to a correct agent system and not additionally or alternatively sent to an incorrect agent system that is misconfigured and/or has a duplicate configuration with the correct agent system.
[0028] The process 440 can begin at box 442 where an agent (e.g., agent system) initiates communication with a controller. The agent can initiate communication with the controller by sending a message to the controller that includes a communication request. In some embodiments the communication request can include a number of properties of the agent system. For example, the number of properties can include: an IP address assigned to the agent system, a MAC address assigned to the agent system, an operating system (OS) version of the agent system, an agent software version, and/or an existing agent identification.
[0029] In certain embodiments, the communication request does not include the number of properties of the agent system. When the number of properties of the agent system are not included in the communication request a request from the controller can be sent to the agent. Upon receiving the request, the agent can send the number of properties to the controller for verification.
[0030] At box 444, a determination can be made by a controller to determine whether the operating system (OS) version is supported by the controller. An operating system can include a collection of software modules that manage computer hardware. Examples of operating systems include, but are not limited to: Microsoft Windows®, iOS®, Linux®, among other operating systems for various devices. The determination at box 444 can compare the operating system of the agent system to a table of acceptable and/or compatible operating systems. If the operating system of the agent system is not supported by the controller, the controller can reject the agent system communication at box 458. If the operating system of the agent system is supported by the controller, the controller can determine if the agent version is supported at box 446.
[0031] At box 446, a determination can be made by a controller to determine whether the agent version of software stored in the agent system is supported by the controller. In some embodiments, a version of the software stored in the agent system can include a specified version, wherein only agents systems with the specified version of the software are allowed to establish communication sessions with a controller. That is, each agent system that is authorized to communicate with a number of controllers can include the same and/or a particular software version. If a determination is made by the controller that the agent version of the software is not a version of the software that is supported by the controller and/or that the agent version of the software is not an authorized version of the agent software, the controller can reject the agent communication at box 458. If a determination is made that the agent version of the software is supported by the controller and/or that the agent version of the software is an authorized version of the agent software, the process can move to box 448.
[0032] At box 448, a determination can be made by the controller to determine if there is a current unique identifier and/or a current token ID associated with the agent system. In some embodiments, an agent system can include an existing token ID that can be used to verify that the agent is authorized to receive communication from the controller at box 450. At box 450 the controller can verify the existing token ID to determine if the existing token ID is a valid token ID. If it is determined that the existing token ID is not a valid token ID, the controller can reject the agent communication 458. If, however, it is determined that the existing token ID is a valid token ID, the controller can establish communication with the agent at box 452.
[0033] In other embodiments, the agent system does not include an existing token ID or does not include a currently valid token ID. If the agent system does not include an existing token ID the process 440 can move to box 454. At box 454 a determination can be made by the controller to determine a state of the agent system. The state of the agent system can include whether or not the properties of the agent system currently exist within a table of authorized agent systems. For example, the properties of the agent system can be compared to a table of agent systems that are authorized to communicate with the controller, wherein the table includes corresponding properties for each agent system that is currently communicating with a controller.
[0034] In some embodiments, the agent system can be designated as being active or inactive. An active state can be designated when an agent system with the same properties is currently communicating with a controller within the cloud computing network. If an agent system is designated as active, a determination can be made that the agent system includes properties that are the same as a different agent system that is currently communicating with either the same and/or different controller within the cloud computing network. If a determination is made by the controller that the agent system is active and therefore has duplicate properties to a different agent system that has an established communication session, the controller can reject the agent communication.
[0035] Communication with an incorrect agent system can be prevented by rejecting communication with agent systems that include the same properties and/or misconfigured properties as a different agent system (e.g., duplicate properties, misconfigured properties, etc.). It can be determined by the controller that the agent system with the duplicate properties is misconfigured and attempts at communicating with the agent system comprising the misconfigured properties can lead to communication with an incorrect agent system.
[0036] In one example, a first agent system and a second agent system can be separate and distinct agent systems. In this example, the first agent system and the second agent system comprise the same system properties as described herein, due to a misconfiguration. The first agent system can be in a communication session with a first controller. In addition, the second agent system can be attempting to establish a communication session with either the first controller, or a second controller within the cloud computing network. At this time the state of the second agent system would be active since the first agent system is currently in a communication session with a controller of the cloud computing network. Since the state of the second controller is active, the communication session can be rejected at 458. It can be important to reject the communication session of the second agent system. For example, if the controller established the communication session, the controller may be unable to distinguish between the first agent system and the second agent system. Being unable to distinguish between agent systems can lead to communication packets (e.g., data packets, etc.) that are intended for the second agent system to be sent to the first agent system. In some cases, secure information that is meant for the second agent system can be sent to the first agent system causing secured information to be sent to an incorrect agent system.
[0037] In addition, or alternatively, a determination can be made at box 454 that the agent system is not active. That is, a determination can be made at box 454 that the properties of the agent system are not duplicate properties of a different agent system that is currently communicating with the controller or a controller within the cloud computing network. If it is determined that the agent system is not active and/or is inactive, then the process 440 can move to box 456.
[0038] In some embodiments, the token ID can be requested by the controller via a representational state transfer (REST) communication interface over a secure socket layer (SSL) and the properties relating to the agent system are requested via a transport layer communication (e.g., layer 4 open systems interconnection (OSI) protocol). In certain embodiments, a controller can determine if the properties of the agent are supported by the controller using a layer 4 open systems interconnection (OSI) protocol in a network. That is, a secure connection can be established utilizing a layer 3 OSI protocol (e.g., network layer, Layer 3 OSI protocol, etc.) and the properties of the agent can be verified utilizing a layer 4 OSI protocol (e.g., transport layer).
[0039] By utilizing layer 4 OSI protocol, the controller can analyze and verify that the properties of the agent system are not the same as properties of a different agent system that is currently communicating with a controller of the cloud computing network. In some embodiments, various features of the properties can be transferred and/or received by the controller via a layer 3 OSI protocol, however, as described herein, one of skill in the art would appreciate that layer 3 OSI protocol may not allow for the verification of the agent system properties. That is, some properties of an agent system may be included in a header (e.g., supplemental data added to a beginning of a block of data and/or data packet, etc.), but the properties included in the header are not verified via a layer 4 OSI protocol. Thus, utilizing layer 3 OSI protocol to communicate some properties of the agent system is not sufficient to verify that the properties of the agent system are not the same as the properties of a different agent system that is currently in a communication session with a controller of the cloud computing network.
[0040] At box 456 a unique identifier can be generated and assigned to the agent system. As described herein, a unique identifier (e.g., universal unique ID (UUID), token ID, etc.) can be generated and assigned to the agent system to establish the communication session at 452. That is, the unique identifier or token ID can be utilized by the agent system to perform a number of transactions during a communication session. The unique identifier can be generated and assigned to the agent system when it is determined that the agent is "trusted". As described further herein, it can be determined that the agent is "trusted" by comparing the properties of the agent system to properties of other agent system currently communicating with controllers of the cloud computing network. If it is determined that the agent system is not active or inactive, it can be determined that the agent system is a trusted agent.
[0041] As described herein, the process 440 can be utilized to verify that communication between a controller and an agent system is performed correctly and/or securely. That is, by verifying the properties of the agent system via a layer 4 OSI protocol it can be determined that a particular agent system from a plurality of agent systems is the intended agent system for a particular communication session. Communication between a controller and an intended agent system can be verified by rejecting communication sessions from agent systems that have active states based on the properties of the agent system. That is, communication being sent to an intended agent system can be verified by verifying that there is only one agent system with a particular set of system properties in communication with controllers of a cloud computing network.
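The decision flow of process 440 (boxes 444 to 458), written out in Python as an added example that is not part of the patent text. The class and function names, the version tables, the choice to key the active/inactive state on the (IP, MAC) pair, and the binding of each token ID to the properties it was issued for are assumptions made for illustration.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample tables; the description names no concrete versions.
SUPPORTED_OS = {"Linux 3.10", "Windows Server 2012"}
SUPPORTED_AGENT_VERSIONS = {"2.1.0"}

Identity = Tuple[str, str]  # (IP, MAC): assumed key for the duplicate check


@dataclass(frozen=True)
class AgentProperties:
    ip: str
    mac: str
    os_version: str
    agent_version: str
    token_id: Optional[str] = None  # "existing agent identification", if any

    def identity(self) -> Identity:
        # MAC addresses are compared case-insensitively.
        return (self.ip, self.mac.lower())


@dataclass(frozen=True)
class Decision:
    accepted: bool
    box: int  # box of Figure 4 where the flow ended: 452 or 458
    reason: str
    token_id: Optional[str] = None


class Controller:
    def __init__(self) -> None:
        self.tokens: Dict[str, Identity] = {}  # issued token ID -> identity
        self.active: Dict[Identity, str] = {}  # identity -> token of open session

    def handle_request(self, p: AgentProperties) -> Decision:
        # Box 444: is the OS version in the table of supported systems?
        if p.os_version not in SUPPORTED_OS:
            return Decision(False, 458, "OS version not supported")
        # Box 446: is the agent software version supported/authorized?
        if p.agent_version not in SUPPORTED_AGENT_VERSIONS:
            return Decision(False, 458, "agent version not supported")
        # Boxes 448/450: an existing token ID must be in the token table.
        if p.token_id is not None:
            issued_to = self.tokens.get(p.token_id)
            # Assumption: a token is valid only for the properties it was
            # issued for, so it cannot be replayed from another identity.
            if issued_to is None or issued_to != p.identity():
                return Decision(False, 458, "token ID not valid")
            self.active[issued_to] = p.token_id
            return Decision(True, 452, "existing token ID verified", p.token_id)
        # Box 454: "active" means the same properties already have a session.
        if p.identity() in self.active:
            return Decision(False, 458, "properties active on another agent")
        # Box 456: inactive, so generate and assign a UUID token ID.
        token_id = str(uuid.uuid4())
        self.tokens[token_id] = p.identity()
        self.active[p.identity()] = token_id
        return Decision(True, 452, "new token ID assigned", token_id)

    def close_session(self, token_id: str) -> None:
        # Ending the session returns the properties to the inactive state.
        identity = self.tokens.get(token_id)
        if identity is not None and self.active.get(identity) == token_id:
            del self.active[identity]


if __name__ == "__main__":
    controller = Controller()
    # Constructed agents: the second is a misconfigured duplicate of the first.
    first = AgentProperties("10.0.0.5", "aa:bb:cc:00:00:01", "Linux 3.10", "2.1.0")
    second = AgentProperties("10.0.0.5", "AA:BB:CC:00:00:01", "Linux 3.10", "2.1.0")
    for agent in (first, second):
        d = controller.handle_request(agent)
        print(agent.ip, agent.mac, "->", d.accepted, d.box, d.reason)
```

Only `close_session` returns a property set to the inactive state, so a controller that misses a disconnect keeps rejecting a correctly configured agent at box 454.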
[0042] Figure 5 is a flow chart of an example of a method 560 for trusted controller-agent communication according to the present disclosure. Trusted controller-agent communication can include verifying that there is only a single agent system that comprises a particular set of system properties. The verification of system properties can ensure that a message is not sent or a communication session is not established with an agent system that has a duplicate set of system properties as the intended agent system.
[0043] At box 562 the method 560 can include determining if properties relating to an agent system are supported by a network controller. Determining if properties relating to an agent system are supported by the network controller can include determining if the operating system (OS) of the agent system is supported by the network controller. In addition, determining if properties relating to an agent system are supported by the network controller can include determining if an agent version of the software is supported by the network controller. In addition, or alternatively, a determination can be made for other system properties of the agent system to determine if the agent system is active or inactive. As described herein, the agent system can be determined to be active when an agent system that includes the same system properties is currently in communication with a network controller within the cloud computing network. In addition, the agent system can be determined to be inactive when there is not an agent system that includes the same system properties currently in communication with a network controller within the cloud computing network.
[0044] At box 564 the method 560 can include assigning a token ID to the agent system if the properties relating to the agent system are supported by the network controller and if a state of the agent system is determined to be inactive. Assigning a token ID can include assigning a universal unique identification (UUID) token ID or similar identification token that can be utilized by the agent system to ensure secure communication between the network controller and the agent system.
[0045] At box 566 the method 560 can include verifying that the agent system includes a token ID. As described herein, the token ID can be verified by the controller before establishing communication with an agent system. The token ID can be compared to a table of acceptable token IDs.
[0046] At box 568 the method 560 can include establishing communication between the agent system and the network controller based on a verification of the assigned token ID. As described herein, the controller can establish a communication session with the agent system if the token ID is verified. The communication session can include a plurality of transactions. The plurality of transactions can include data packets that are transferred between the network controller and the agent system. The method 560 can provide additional security (e.g., layer 4 OSI security) to a network (e.g., cloud network) by verifying the system properties of the agent systems to verify that there are no misconfigured and/or duplicate agent systems that can establish a communication session with a controller.
[0047] As used herein, "logic" is an alternative or additional processing resource to perform a particular action and/or function, etc., described herein, which includes hardware, e.g., various forms of transistor logic, application specific integrated circuits (ASICs), etc., as opposed to computer executable instructions, e.g., software, firmware, etc., stored in memory and executable by a processor. Further, as used herein, "a" or "a number of" something can refer to one or more such things. For example, "a number of widgets" can refer to one or more widgets.
[0048] The above specification, examples and data provide a description of the method and applications, and use of the system and method of the present disclosure. Since many examples can be made without departing from the spirit and scope of the system and method of the present disclosure, this specification merely sets forth some of the many possible embodiment configurations and implementations.
Claims
1. A system for trusted controller-agent communication, comprising:
a request engine to receive a communication request from an agent and to receive properties from the agent;
a verification engine to compare the received properties with a table of properties associated with authorized agents;
an identification engine to assign a unique identifier to the agent if the properties of the agent are verified; and
a connection engine to establish communication between the agent and a controller.
2. The system of claim 1, wherein the received properties of the agent includes:
an IP address;
a MAC address;
an operating system (OS) version;
an agent software version; and
an existing agent identification.
3. The system of claim 2, including the verification engine to determine if the properties of the agent are supported by the controller using a layer 4 open systems interconnection (OSI) protocol in a network.
4. The system of claim 1, including the verification engine to determine a state of the properties of the agent, wherein the state includes one of an active state and an inactive state.
5. The system of claim 4, wherein the properties of the agent includes the state of a MAC address of the agent.
6. The system of claim 4, including the verification engine to reject the communication between the agent and the controller when the state is an active state, wherein the active state of the properties includes an existing utilization of the properties by a different agent.
7. The system of claim 4, including the identification engine to assign a unique identifier to the agent when the state is an inactive state, wherein the inactive state of the address includes no existing utilization of the properties by a different agent.
8. A non-transitory computer readable medium storing instructions executable by a processing resource to cause a controller to:
determine if properties of a first agent are supported by the controller;
determine if properties of the first agent include properties associated with a second agent that has an established communication session with the controller;
assign a token ID to the first agent if the properties of the first agent are supported by the controller and if the properties of the first agent are not the same properties associated with the second agent; and
establish communication between the first agent and the controller based on a verification of the token ID.
9. The medium of claim 8, comprising instructions executable by the processing resource to determine a state of an address associated with the first agent.
10. The medium of claim 9, wherein the instructions are executable to reject communication between the first agent and the controller when the state of the address associated with the first agent is determined to be active, wherein the active state of the address includes a determination that the first agent includes the same address associated with the second agent.
11. The medium of claim 8, wherein the instructions are executable to establish communication between the first agent and the controller only when the state of the address associated with the first agent is determined to be inactive, wherein the inactive state of the address includes a determination that the first agent includes a different address than the address associated with the second agent.
12. A method for trusted controller-agent communication, comprising:
determining if properties relating to an agent are supported by a network controller;
assigning a token ID to the agent if the properties relating to the agent are supported by the network controller and if a state of the agent is determined to be inactive;
verifying that the agent includes a token ID; and
establishing communication between the agent and the network controller based on a verification of the assigned token ID.
13. The method of claim 12, comprising requesting properties relating to the agent, wherein the properties relating to the agent includes:
an IP address;
a MAC address;
an OS version;
an agent version; and
an existing token ID.
14. The method of claim 13, wherein the token ID is requested via a representational state transfer (REST) communication interface over a secure socket layer (SSL) in a layer three communication and the properties relating to the agent are requested via a transport layer four communication.
15. The method of claim 12, comprising rejecting communication between the agent and the network controller when:
the properties relating to the agent are not supported by the network controller;
the state of the agent is determined to be active; or
the token ID is not verified.
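The admission flow of claims 12 and 15, sketched as an added Python example (not code from the patent or its applicant). The class, method and reason-string names, the random token format and the constant-time comparison are assumptions, and the "active" state is modelled as a MAC or IP address already held by a connected agent.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentProps:
    ip: str
    mac: str
    os_version: str
    agent_version: str


class Controller:
    """Hypothetical controller-side admission logic (names are assumptions)."""

    def __init__(self, supported_os, supported_agent_versions):
        self.supported_os = set(supported_os)
        self.supported_agent_versions = set(supported_agent_versions)
        self.pending = {}   # mac -> (props, token): token assigned, not yet connected
        self.sessions = {}  # mac -> props: agents with an established session

    def _supported(self, p):
        return (p.os_version in self.supported_os
                and p.agent_version in self.supported_agent_versions)

    def _active(self, p):
        # Active state: the MAC or IP is already in use by a connected agent.
        return (p.mac in self.sessions
                or any(s.ip == p.ip for s in self.sessions.values()))

    def request_token(self, p):
        if not self._supported(p):
            return None, "unsupported properties"
        if self._active(p):
            return None, "state active"
        token = secrets.token_urlsafe(32)  # unguessable token ID (assumption)
        self.pending[p.mac] = (p, token)
        return token, "token assigned"

    def connect(self, p, token):
        props, issued = self.pending.get(p.mac, (None, ""))
        # Constant-time compare; token must match the properties it was issued for.
        ok = hmac.compare_digest(issued.encode(), token.encode()) and props == p
        if not ok or self._active(p):
            return False, "token not verified" if not ok else "state active"
        del self.pending[p.mac]
        self.sessions[p.mac] = p
        return True, "connected"
```

Each of the three rejection conditions of claim 15 maps to one reason string, which makes the decision easy to log and audit on the controller side.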
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/US2014/031695 WO2015147799A2 (en) | 2014-03-25 | 2014-03-25 | Trusted controller-agent communication |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| WO2015147799A2 (en) | 2015-10-01 |
| WO2015147799A3 (en) | 2016-05-06 |
Family
ID=54196531
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/US2014/031695 Ceased WO2015147799A2 (en) | 2014-03-25 | 2014-03-25 | Trusted controller-agent communication |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2015147799A2 (en) |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7685206B1 (en) * | 2004-02-12 | 2010-03-23 | Microsoft Corporation | Authorization and access control service for distributed network resources |
| US20070255793A1 (en) * | 2006-04-26 | 2007-11-01 | Samsung Electronics Co., Ltd. | Method for providing service between heterogeneous networks |
| US8117317B2 (en) * | 2008-12-31 | 2012-02-14 | Sap Ag | Systems and methods for integrating local systems with cloud computing resources |
| US8290998B2 (en) * | 2009-05-20 | 2012-10-16 | Sap Ag | Systems and methods for generating cloud computing landscapes |
| US8412945B2 (en) * | 2011-08-09 | 2013-04-02 | CloudPassage, Inc. | Systems and methods for implementing security in a cloud computing environment |
-
2014
- 2014-03-25 WO PCT/US2014/031695 patent/WO2015147799A2/en not_active Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| WO2015147799A3 (en) | 2016-05-06 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | NENP | Non-entry into the national phase in: | Ref country code: DE |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14887269; Country of ref document: EP; Kind code of ref document: A2 |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 14887269; Country of ref document: EP; Kind code of ref document: A2 |