U.S. patent application number 11/866540 for network device configuration was filed with the patent office on October 3, 2007 and published on 2008-01-31.
This patent application is currently assigned to YELLOWTUNA HOLDINGS LIMITED. Invention is credited to Christopher James Massam, Dennis Warren Monks.
Application Number: 20080028051 11/866540
Family ID: 32678115
Publication Date: 2008-01-31
United States Patent Application 20080028051
Kind Code: A1
Massam; Christopher James; et al.
January 31, 2008
NETWORK DEVICE CONFIGURATION
Abstract
A network device initially has no configuration data and is
permitted only to query a known network address. From this address
a server verifies the connection and authorizes another server to
download to the network device the necessary configuration to carry
out its purpose. This configuration may not be amended and is not
retained on power loss. Any updates are carried out by a complete
reload of configuration data.
Inventors: Massam; Christopher James; (Auckland, NZ); Monks; Dennis Warren; (Auckland, NZ)
Correspondence Address: BROOKS KUSHMAN P.C., 1000 TOWN CENTER, TWENTY-SECOND FLOOR, SOUTHFIELD, MI 48075, US
Assignee: YELLOWTUNA HOLDINGS LIMITED, UNIT 2, 36 WILLIAM PICKERING DRIVE ALBANY, AUCKLAND, NZ 1311
Family ID: 32678115
Appl. No.: 11/866540
Filed: October 3, 2007
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
10540328 | Jun 21, 2005 |
11866540 | Oct 3, 2007 |
Current U.S. Class: 709/221
Current CPC Class: H04L 67/34 20130101; H04L 12/2898 20130101; H04L 41/0806 20130101; H04L 41/0856 20130101; H04L 69/329 20130101; H04L 63/0218 20130101; H04L 29/06 20130101
Class at Publication: 709/221
International Class: G06F 15/177 20060101 G06F015/177
Foreign Application Data
Date | Code | Application Number
Dec 24, 2002 | NZ | 523378
Claims
1. A network device, comprising: operating software but no
configuration data allowing it to carry out its intended purpose,
the network device being remotely programmable with configuration
data as a whole but which network device or operating software has
no facility to allow any incremental change of configuration
data.
2. The network device as claimed in claim 1, wherein the device
configuration data is held in random access memory (RAM) and is
lost when no network device supply voltage is present.
3. The network device as claimed in claim 1, wherein the device
operating software contains a routine which on initialization
attempts to contact a remote verification authority to authorize
retrieval of configuration data from a configuration authority.
4. The network device as claimed in claim 3, wherein the device
software contains only the routine for contacting the remote
verification authority and receiving data from the remote
configuration authority.
5. The network device as claimed in claim 3, wherein the contact
with the remote verification authority is subject to
encryption.
6. The network device as claimed in claim 2, wherein the device
initially contains an input filter which will only receive
configuration data from a specified remote configuration authority
address.
7. The network device as claimed in claim 1, wherein the device is
a router which is integral with a modem.
8. The network device as claimed in claim 7, wherein the modem is
an asymmetric digital subscriber line (ADSL) modem.
9. A method of configuring a network device which loses its
configuration data on power loss, comprising: providing a network
device without user configuration data, providing within the
network device a routine which securely contacts a remote
verification authority; and downloading from a remote configuration
authority authorized by the remote verification authority the
entire configuration data.
10. The method as claimed in claim 9, wherein the network device is
a router.
11. The method as claimed in claim 10, wherein the router is part
of an ADSL modem.
12. The method as claimed in claim 9, wherein the network device is
capable of being configured only by remote download of the complete
configuration data.
13. The method as claimed in claim 9, wherein the network device
routine which contacts the remote verification authority carries out
any information transfer using secure encryption.
14. The method as claimed in claim 13, wherein the secure
encryption employs a public key encryption method.
15. The method as claimed in claim 14, wherein the private key for
the network device is provided by a device temporarily connected to
the network device.
16. The method as claimed in claim 15, wherein the temporarily
connected device is a USB memory device.
17. The method as claimed in claim 13, wherein the secure
encryption employs an encryption method utilizing both a private
key and a public key.
18. The method as claimed in claim 9, wherein the configuration
data is also lost from the network device on any intrusion attempt.
Description
CROSS REFERENCE TO RELATED APPLICATION
[0001] This application is a continuation of U.S. application Ser.
No. 10/540,328, filed on Jun. 21, 2005.
BACKGROUND OF THE INVENTION
[0002] 1. Field of the Invention
[0003] This invention relates to connecting to the internet via a
data connection, which connection is remotely configurable as to
access permissions. The connection may be via a modem or via a
direct network connection.
[0004] 2. Description of the Related Art
[0005] Connection of network devices to a network typically requires
the attendance of a person on site to carry out the initial
configuration of the device. For example, connection of a user's
business to the internet for access by internal parties may be by
ADSL (Asymmetric Digital Subscriber Line) or some other connection
protocol.
[0006] Such a connection is typically via an ADSL modem and may
include a router to route incoming data packets and a firewall to
stop attempts to intrude into the user's data.
[0007] Typically the configuration of the router and firewall is
done on site and will need to be changed on site to cater for
variations over time in the user's business. This puts a smaller
user to expense, as it requires specialized IT personnel to come on
site to carry out the configuration.
[0008] Connections for higher volume users also typically include
routers and firewalls connected via a plurality of modems for
internet access. Currently these are mainly configured on site by
the user's skilled personnel. It is known that, once the initial
configuration is carried out, the device may be connected to
remotely via the network and the final configuration carried
out.
[0009] Typically such a network device will include an operating
system of some sort which will be accessible by using an external
name and password. Once the correct name and password are entered
the remote user may modify the device settings, including settings
for any router and firewall. This presents a security problem, since
anyone with knowledge of the name and password can alter the modem
settings without authority.
[0010] It is therefore an object of the present invention to
provide a network device which does not require any on site
attendance for configuration of the network device but which is
secure or which will at least provide the public with a useful
choice.
[0011] It is known to provide remotely configured routers to avoid
attendance on site; for instance U.S. Pat. No. 6,012,088 shows one
such router. However, such routers may present a security problem:
if access is gained to them from one of the networks, the router
configuration can be changed, and may be changed in such a manner
as to compromise security.
[0012] It is therefore an object of the present invention to
provide an internet connection which does not require on site
attendance for configuration of router or firewall but which does
provide complete security of the configuration or which will at
least provide the public with a useful choice.
SUMMARY OF THE INVENTION
[0013] Accordingly, the invention may broadly be said to consist in
a network device having operating software but no configuration
data allowing it to carry out its intended purpose which network
device is remotely programmable with configuration data as a whole
but which network device or operating software has no facility to
allow any incremental change of configuration data.
[0014] Preferably the device configuration data is held in random
access memory (RAM) and is lost when no network device supply
voltage is present.
[0015] Preferably the device software contains a routine which on
initialization attempts to contact a remote verification authority
to authorize retrieval of configuration data from a configuration
authority.
[0016] Preferably the device software contains only the routine for
contacting the remote verification authority and receiving data
from the remote configuration authority.
[0017] Preferably the contact with the remote verification
authority is subject to encryption.
[0018] Preferably the device initially contains an input filter
which will only receive configuration data from a specified remote
configuration authority address.
[0019] Preferably the device is a router which is integral with a
modem.
[0020] Preferably the modem is an asymmetric digital subscriber
line (ADSL) modem.
[0021] Alternatively the invention may be said to lie in the method
of configuring a network device which loses its configuration data
on power loss comprising providing a network device without user
configuration data, providing within the network device a routine
which securely contacts a remote verification authority, and
downloading from a remote configuration authority authorized by the
remote verification authority the entire configuration data.
[0022] Preferably the network device is a router.
[0023] Preferably the router is part of an ADSL modem.
[0024] Preferably the network device is capable of being configured
only by remote download of the complete configuration data.
[0025] Preferably the network device routine which contacts the
remote verification authority carries out any information transfer
using secure encryption.
[0026] Preferably the secure encryption uses a public key
encryption method.
[0027] Preferably the private key for the network device is
provided by a device temporarily connected to the network
device.
[0028] Preferably the temporarily connected device is a USB memory
device.
[0029] Preferably the configuration data is also lost from the
network device on any intrusion attempt.
[0030] Alternatively the invention may be said to consist in a
method of providing communication between two network devices of
unknown network address, wherein each device is required to download
its configuration parameters from a server at a known network
address each time the device is initialized, the devices' allocated
network addresses are stored at the server, the server may be queried
for the allocated network addresses of the two network devices, and
communications can be initiated between the two network addresses
from this data.
[0031] Preferably the two network devices are routers.
[0032] Preferably the routers form part of ADSL modems.
[0033] The invention may also broadly be said to consist in the
parts, elements and features referred to or indicated in the
specification of the application, individually or collectively, and
any or all combinations of any two or more of the parts, elements
or features, and where specific integers are mentioned herein which
have known equivalents, such equivalents are incorporated herein as
if they were individually set forth.
BRIEF DESCRIPTION OF DRAWINGS
[0034] One preferred form of the invention will now be described
with reference to the accompanying drawings in which,
[0035] FIG. 1 shows a block diagram of one form of network
device.
[0036] FIG. 2 shows a flow diagram of the initial mediation
procedure which downloads to the network device.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
[0037] With reference to FIG. 1, the diagram shows a network device
consisting of an ADSL connection via a modem 101 to a firewall 102
and router 103 which distributes the data to devices such as PCs
104. The modem acts to convert packets from the firewall and router
into a form suitable for carrying information over the internet.
The firewall 102 acts to restrict what information packets may be
transferred into the user's system, and the router 103 acts to
distribute packets to an internal user in accordance with the
packet address.
[0038] In practice the modem, firewall and router may be combined
into a single item of equipment with the configuration data held in
a common internal location.
[0039] According to the current invention the modem, or firewall or
router, has configuration information which is internally held,
but this information is not capable of being changed by any routine
or subroutine held in the modem. The only way in which this
information can be altered is to download an updated configuration
from a remote authority. The only remote authorities which the modem
recognizes are those hard coded into the internal software, and the
only action the modem can take as regards configuration is to
contact the remote authority in a secure manner. This action can
occur either at power on or if an intrusion is detected, or it can
be triggered by a specific remote query.
[0040] Thus the modem may have instructions in read only memory
(ROM) which instruct it to call an address such as 203.17.209.32
upon initial power on, but to otherwise provide no routing of
incoming or outgoing data packets. Once the designated address is
called and a verification established for the network device from a
verification service, a secure connection between the modem and the
address is set up, preferably by the exchange of encrypted
passwords through a secure sockets layer (SSL), and the modem's
required configuration is downloaded from a configuration server.
This provides the routing configuration required and leaves the
modem in a secure state.
[0041] The configuration may include any connection data and
passwords for connecting the modem to an internet service provider
(ISP), and the modem may automatically carry out the connection
once configured.
[0042] Where the connection between the modem and the server is
such that it does not support full public key encryption the
authentication for the modem may be provided by a removable key,
for instance a USB key.
[0043] Should an attempt be made to configure or reconfigure the
modem without using the correct encryption from the correct address
the modem initialization software is intended to be re-triggered,
resulting in a complete download of the required configuration.
[0044] FIG. 2 shows how the equipment, on powering on at 201,
searches for an internet connection and, on detecting one, sends
a particular data stream to the remote verification authority at
202, 203, which detects the identity of the calling equipment and
from this can look up the customer's identity, the equipment's
current state, and its desired state as required by the customer.
The remote authority then connects to a configuration server and
initiates the procedure to securely update the equipment at 204
with the desired configuration changes and with the software
required to carry out the desired functions. The remote
configuration authority can then continue to receive operation
reports from the equipment at scheduled intervals.
[0045] In accordance with the present invention the modem, firewall
and router are normally provided as a single equipment item which
may also include a hub or switch. This item is installed on the
user's premises, provided with a connection to the internet and
powered up. On detecting the internet connection the equipment
identifies itself to the remote verification authority, the only
action it is capable of taking.
[0046] The remote authority will detect the identification of the
calling equipment and validate this against a database of equipment
whose setups are stored. If the equipment ID is found the remote
authority may then, in secure mode, connect the calling equipment
to a configuration service and download to the equipment such
configuration details and software as will allow it to perform the
desired router/firewall functions.
[0047] Preferably the equipment configuration template is held by
the remote authority, who may either make changes in it or allow
the user to make changes in it via secure internet access. Such
changes may be downloaded to the equipment in the same manner as
the initial configuration data, though in most instances the remote
authority will send a code to the equipment which forces it to
reload the configuration.
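The following Python is an added illustration of the bootstrap and reload flow of paragraphs [0039] to [0047]; it is not code from the application or its applicant. The three parties are simulated in one process and exchange dicts in place of network messages. Everything beyond the text is an assumption: a per-device shared secret with HMAC-SHA256 stands in for the public-key/SSL channel the application prefers, a nonce issued by the verification authority binds one configuration download to one power-on, the configuration server address and the device database are placeholders constructed for the example, and the device class deliberately offers no method for changing a single setting.

```python
import hashlib
import hmac
import json
import secrets

AUTHORITY_ADDR = "203.17.209.32"   # address hard coded in ROM, taken from [0040]
CONFIG_ADDR = "203.17.209.33"      # assumed address of the configuration server

# Constructed database held by the authorities: device ID -> per-device secret
# and the complete configuration template of [0046]/[0047]. Assumption.
DEVICE_DB = {
    "dev-0001": {
        "secret": b"constructed-secret-for-dev-0001",
        "config": {
            "isp": {"user": "cust01", "password": "constructed"},
            "firewall": [{"proto": "tcp", "port": 443, "action": "allow"}],
            "routes": [{"dst": "192.0.2.0/24", "via": "lan"}],
        },
    },
}


def _tag(secret: bytes, *parts: bytes) -> str:
    """HMAC-SHA256 over labelled parts; a stand-in (assumption) for the
    application's public-key protection of the authority exchange."""
    return hmac.new(secret, b"|".join(parts), hashlib.sha256).hexdigest()


class VerificationAuthority:
    """Identifies the calling equipment and authorizes a configuration download."""

    def __init__(self, db):
        self.db = db

    def challenge(self) -> str:
        return secrets.token_hex(16)          # nonce bound to this power-on (assumption)

    def verify(self, device_id: str, nonce: str, proof: str):
        rec = self.db.get(device_id)
        if rec is None or not hmac.compare_digest(
                _tag(rec["secret"], b"id", nonce.encode()), proof):
            return None                       # unknown ID or bad proof: no ticket
        return {"device_id": device_id, "nonce": nonce}


class ConfigurationAuthority:
    """Serves the entire configuration for a ticket issued by verification."""

    def __init__(self, db):
        self.db = db

    def build(self, ticket: dict) -> dict:
        rec = self.db[ticket["device_id"]]
        body = json.dumps(rec["config"], sort_keys=True).encode()
        return {"src": CONFIG_ADDR, "nonce": ticket["nonce"], "config": body,
                "mac": _tag(rec["secret"], b"cfg", ticket["nonce"].encode(), body)}


class NetworkDevice:
    """Holds configuration in RAM only and accepts it only as a whole."""

    def __init__(self, device_id: str, secret: bytes):
        self.device_id = device_id
        self._secret = secret      # in the application this may arrive on a USB key (claims 15-16)
        self.config = None         # RAM only; power_on() always starts from None
        self.allowed_src = set()   # input filter of claim 6: addresses config may come from
        self.reloads = 0           # full reloads forced by bad input ([0043])
        self._nonce = None

    def power_on(self, va: VerificationAuthority, ca: ConfigurationAuthority) -> bool:
        self.config = None
        self.allowed_src = {AUTHORITY_ADDR}
        self._nonce = va.challenge()
        ticket = va.verify(self.device_id, self._nonce,
                           _tag(self._secret, b"id", self._nonce.encode()))
        if ticket is None:
            return False               # not verified: stays idle and routes nothing
        self.allowed_src = {CONFIG_ADDR}   # widened only after verification
        return self.receive(ca.build(ticket), va, ca)

    def receive(self, msg: dict, va, ca) -> bool:
        """The only configuration input path: a whole, authenticated blob from
        the expected source. Anything else wipes RAM and forces a full reload."""
        body = msg.get("config", b"")
        if not isinstance(body, bytes):
            body = b""
        genuine = (msg.get("src") in self.allowed_src
                   and msg.get("nonce") == self._nonce
                   and hmac.compare_digest(
                       _tag(self._secret, b"cfg", str(self._nonce).encode(), body).encode(),
                       str(msg.get("mac", "")).encode()))
        if not genuine:
            self.reloads += 1
            return self.power_on(va, ca)
        self.config = json.loads(body)
        self.allowed_src = set()       # configured: accept no further input at all
        return True

    def is_routing(self) -> bool:
        return self.config is not None


if __name__ == "__main__":
    va, ca = VerificationAuthority(DEVICE_DB), ConfigurationAuthority(DEVICE_DB)
    dev = NetworkDevice("dev-0001", DEVICE_DB["dev-0001"]["secret"])
    print("booted:", dev.power_on(va, ca), "routing:", dev.is_routing())
    dev.receive({"src": "198.51.100.7", "nonce": dev._nonce,
                 "config": b'{"firewall": []}', "mac": "00"}, va, ca)
    print("reloads after forged partial update:", dev.reloads,
          "firewall intact:", dev.config["firewall"][0]["port"] == 443)
```

Two points a practitioner would check before building on this scheme. First, the device trusts whatever answers at the hard coded address, so the authority must be authenticated by a credential fixed in ROM (for instance a pinned certificate in the SSL exchange of [0040]) rather than by its IP address alone; otherwise an on-path party could play the authority. Second, because any message that fails the filter forces a complete reload, a party able to reach the configuration input can keep the device reloading, so the reload trigger needs rate limiting if availability matters.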
[0048] The firewall and router may maintain the normal statistics
of packets passed, addresses sent to or received from, intrusion
attempts etc. and may, either on prompting or on schedule, send
these details to the configuration authority for storage and
possible analysis.
[0049] The firewall or router may be set up to pass information
through desired ports and may be set to configure these ports on
call. Thus if a client requires a VPN connection between two
locations which do not have a specific allocated IP address (as for
instance a small office served by an ADSL line without a fixed address),
the client requests the VPN connection from the remote authority,
which will have stored the network address of any modem of the
inventive type. The remote authority then notifies the network
devices of the required connection and the devices then create the
VPN connection. Thus a VPN connection can be established between
two modems which did not initially know each other's addresses.
[0050] While the invention is described in relation to an ADSL
modem the invention is equally as applicable to the configuration
of a PC, a router of any type, a mobile phone or PDA or other
similar equipment.
INDUSTRIAL APPLICABILITY
[0051] The invention is applicable to the guaranteeing of the
configuration of a network device, to prevent the compromising of
data passing through that device, or the extraction of data in an
unintended manner by that device.
[0052] Thus it can be seen that at least the preferred form of the
invention provides an item of equipment which can be remotely
configured for network device set up purposes.
* * * * *