
WO2006009470A1 - Network device configuration - Google Patents


Info

Publication number: WO2006009470A1
Authority: WO (WIPO, PCT)
Application number: PCT/NZ2004/000162
Other languages: French (fr)
Inventors: Dennis Warren Monks, Christopher James Massam
Original assignee: Yellowtuna Holdings Ltd
Priority date: 2004-07-23
Filing date: 2004-07-23
Publication date: 2006-01-26
Prior art keywords: network device, authority, configuration, configuration data, remote


Classifications (CPC; all under H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE)

    • H04W 28/18 Negotiating wireless communication parameters (under H04W 28/00 Network traffic management; network resource management, and H04W 28/16 Central resource management; negotiation of resources or communication parameters, e.g. negotiating bandwidth or QoS [Quality of Service])
    • H04L 41/0803 Configuration setting (under H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, and H04L 41/08 Configuration management of networks or network elements)
    • H04L 41/0806 Configuration setting for initial configuration or provisioning, e.g. plug-and-play
    • H04L 41/082 Configuration setting characterised by the conditions triggering a change of settings, the condition being updates or upgrades of network functionality (under H04L 41/0813)
    • H04L 41/0843 Configuration by using pre-existing information based on generic templates (under H04L 41/084 Configuration by using pre-existing information, e.g. using templates or copying from other elements)
    • H04L 63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources (under H04L 63/00)
    • H04L 67/125 Protocols specially adapted for proprietary or special-purpose networking environments (e.g. medical networks, sensor networks, networks in vehicles or remote metering networks) involving control of end-device applications over a network (under H04L 67/00 Network arrangements or protocols for supporting network services or applications, H04L 67/01 Protocols, and H04L 67/12)
    • H04W 12/088 Access security using filters or firewalls (under H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity, and H04W 12/08 Access security)
    • H04W 4/12 Messaging; mailboxes; announcements (under H04W 4/00 Services specially adapted for wireless communication networks; facilities therefor)

Abstract

A network device initially has no configuration data and is permitted only to request it, by an SMS message sent from an embedded messaging device to a configuration authority. From the return message to the network device the necessary configuration is extracted for it to carry out its purpose. Any updates are preferably carried out by a complete reload of the configuration data.

Description

Title
Network Device Configuration
Technical Field
This invention relates to connecting to the internet via a data connection which connection is remotely configurable as to access permissions. The connection may be via a modem or via a direct network connection.
Background Art
Connection of network devices to a network typically requires the attendance of a person on site to carry out the initial configuration of the device. For example, connection of a user's business to the internet for access by internal parties may be by ADSL (Asymmetric Digital Subscriber Line) or some other connection protocol. Such a connection is typically via an ADSL modem and may include a router to route incoming data packets and a firewall to stop attempts to intrude into the user's data. Typically the configuration of the router and firewall is done on site and will need to be changed on site to cater for variations over time in the user's business. This involves the user in expense, as it requires specialised IT personnel to carry out the configuration by actually accessing the machine.
Connections for higher volume users also typically include routers and firewalls connected via a plurality of modems for internet access, or a combination of router/firewall/modem. Currently these are mainly configured on site by the user's skilled personnel. It is known that, once the initial configuration is carried out, the device may be remotely connected to via the network and final configuration carried out. Typically such a network device will include an operating system of some sort which will be accessible by using an external name and password. Once the correct name and password are entered the remote user may modify the device settings, including settings for any router and firewall. This presents security problems, since it is possible for anyone with knowledge of the name and password to alter the modem settings without authority.
It is therefore an object of the present invention to provide a network device which does not require any on site attendance for configuration of the network device but which is secure or which will at least provide the public with a useful choice.
Prior Art
It is known to provide remotely configured routers to avoid attendance on site; for instance US patent US 6,012,088 shows one such router. However, such routers may present a security problem in that if access is gained to them from one of the networks the router configuration can be changed, and may be changed in such a manner as to compromise security.
It is therefore an object of the present invention to provide an internet connection which does not require on site attendance for configuration of router or firewall but which does provide complete security of the configuration or which will at least provide the public with a useful choice.
Disclosure of Invention
Accordingly, the invention may broadly be said to consist in a network device having operating software but no configuration data allowing it to carry out its intended purpose which network device is remotely programmable with configuration data, wherein the network device contains an embedded wireless messaging device and transfer of the configuration data is made via the wireless messaging device in the network device.
Preferably the device configuration data is held in random access memory (RAM) and is lost when no network device supply voltage is present. Preferably the device software contains a routine which on initialisation attempts to contact a remote verification authority to authorise retrieval of configuration data from a configuration authority.
Preferably the embedded wireless messaging device is a cellular telephone. Preferably the routine provides an SMS message via the embedded telephone to a telephone address at the remote verification authority.
Preferably the configuration data is received by the network device as an encrypted SMS message on the embedded cellular telephone from the configuration authority. Preferably the configuration data is received by a data connection to the embedded cellular telephone.
Preferably a supplementary hardware key, which may be physically located in or adjacent to the network device, may be provided.
Preferably the device software contains only the routine for contacting the remote verification authority and receiving data from the remote configuration authority.
Preferably the contact with the remote verification authority is subject to encryption. Preferably the device is a router which is integral with a modem.
Preferably the modem is an asymmetric digital subscriber line (ADSL) modem or Ethernet connection device. In another embodiment the invention consists in a method of configuring a network device comprising providing a network device without user configuration data, providing within the network device a routine which securely contacts a remote verification authority, and downloading from a remote configuration authority authorised by the remote verification authority the entire configuration data wherein the verification authority is contacted by a wireless messaging device embedded in the network device, and the entire configuration data is downloaded via the wireless messaging device.
Preferably the contact and download are by SMS message. Preferably the contact is by SMS and the download by encrypted data transfer. Preferably the network device is a router.
Preferably the router is part of an ADSL modem.
Preferably the network device is capable of being configured only by remote download of the complete configuration data. Preferably the configuration data is lost from the network device on any intrusion attempt.
The invention may also broadly be said to consist in the parts, elements and features referred to or indicated in the specification of the application, individually or collectively, and any or all combinations of any two or more of the parts, elements or features, and where specific integers are mentioned herein which have known equivalents, such equivalents are incorporated herein as if they were individually set forth.
Brief Description of Drawings
One preferred form of the invention will now be described with reference to the accompanying drawings, in which:
FIGURE 1 shows a block diagram of one form of network device.
FIGURE 2 shows a flow diagram of the initial mediation procedure which downloads to the network device.
FIGURE 3 shows a flow diagram of the steps required when an encryption key or the configuration data must be separately supplied to the network device.
Detailed Description
With reference to Figure 1, the diagram shows a network device consisting of an ADSL connection via a modem 101 to a firewall 102 and router 103 which distributes the data to devices such as PCs 104. The modem acts to convert packets from the firewall/router into a form suitable for carrying information over the internet. The firewall 102 acts to restrict what information packets may be transferred into the user's system and the router 103 acts to distribute packets to an internal user in accordance with the packet address. In practice the modem, firewall and router may be combined into a single item of equipment with the configuration data held in a common internal location.
According to the current invention the modem, or firewall or router, has configuration information which is internally held, but this information is not capable of being changed by any routine or subroutine held in the modem. The only way in which this information can be altered is to download an updated configuration from a remote authority. The only remote authorities which the modem recognises are those hard-coded into the internal software, and the only action the modem can take as regards configuration is to contact the remote authority in a secure manner. This action can occur either at power on or if an intrusion is detected, or it can be triggered by a specific remote query.
Thus the modem may have instructions in read only memory (ROM) which instruct it to call an address such as 203.17.209.32 upon initial power on, but to otherwise provide no routing of incoming or outgoing data packets. Once the designated address is called and a verification established for the network device from a verification service, a secure connection between the modem and the address is set up, preferably by the exchange of encrypted passwords through a secure sockets layer (SSL), and the modem's required configuration is downloaded from a configuration server. This provides the routing configuration required and leaves the modem in a secure state.
The configuration may include any connection data and passwords for connecting the modem to an internet service provider (ISP), and the modem may automatically carry out the connection once configured.
Where the connection between the modem and the server is such that it does not support full public key encryption the authentication for the modem may be provided by a removable key, for instance a USB key, which is provided separately from the equipment.
Other alternatives for transferring the required key or the configuration data include an embedded wireless messaging device, typically a cellular telephone, of a type having encryption and security, which may be called by the configuring authority in reply to an initial, programmed and potentially insecure SMS query. Configuration for the device to connect to the Internet can be given in the form of an encrypted SMS message. The encryption is preferably particular to the one wireless messaging device and may be of the public key/private key type, but any encryption form with a predicted high security level may be used. The decryption algorithm may be incorporated within the embedded messaging device or it may be held within the network device.
Alternatively, when the modem is first powered on the embedded cell phone may send an SMS message with a predetermined identification. The confirmation of identification is received by the configuring authority, which then passes to the cellphone via an encrypted SMS message the data required for it to connect correctly to the internet configuration server. This may include the IP addresses, the setup of any VPN connections, and any other data required. The configuration is transplanted into the modem, which is then capable of connecting via the internet. If the cellphone is data capable the transfer may be made directly rather than via SMS. Still other standard methods of relatively securely providing a key to a remote site may be used, for instance a smart card which destroys the key once read, or a two dimensional barcode with a reader which can provide an encrypted key.
Should an attempt be made to configure or reconfigure the modem without using the correct encryption from the correct address the modem initialisation software is intended to be re-triggered, resulting in a complete download of the required configuration.
Figure 2 shows how the equipment, on powering on at 201, searches for an internet connection at, and on detecting one sends a particular data stream to the remote verification authority at 202, 203, which detects the identity of the calling equipment and from this can look up the customer's identity, the equipment's current state, and its desired state as required by the customer. The remote authority then connects to a configuration server and initiates the procedure to securely update the equipment at 204 with the desired configuration changes and with the software required to carry out the desired functions. The remote configuration authority can then continue to receive operation reports from the equipment at scheduled intervals.
Where the encryption key must be passed to the network device other than via a secure network connection, the preferred method requires the use of a cellphone embedded in the network device. As shown in Figure 3, the device initially queries the configuring authority over the network at 301, providing its identification. Typically a phone call in response must occur within 60 seconds, or the system resets. In response to this query the authority forwards an SMS message to the cellphone number at 302, and at 304 the SMS message is decrypted either using a stored key or using a key which is some combination of the calling and the called numbers. The decrypted message is then used at 305 as the key to set up a secure connection to the configuration authority. As an alternative, the embedded cellphone may create an SMS message to the configuring authority on power on and may then be sent the configuration SMS message. As yet a further alternative, a secure data connection may enable the direct download of the setup data through the cellphone, or the SMS message may contain the complete encrypted setup.
The embedded cell phone may also be used to aid in trouble shooting the connection of the modem to the internet, in that in a diagnostic mode it may be dialled by a data connection directly from the configuration authority and used as a connection point to the modem and surrounding network.
While the description refers to the use of an embedded cell phone any other wireless device capable of transferring data in a secure manner may be used.
Other methods of providing a secure key to the network device require that the key is transferred in a manner not readily subject to interception. Such methods may include a smart card carrying a key which will be downloaded when correctly queried, or a Bluetooth wireless device carrying data including a key, which may be brought into proximity with the network device.
In accordance with the present invention the modem, firewall and router are normally provided as a single equipment item which may also include a hub or switch. This item is installed on the user's premises, provided with a connection to the internet and powered up. On detecting the internet connection the equipment identifies itself to the remote verification authority, the only action it is capable of taking. The remote authority will detect the identification of the calling equipment and validate this against a database of equipment whose setups are stored. If the equipment ID is found the remote authority may then, in secure mode, connect the calling equipment to a configuration service and download to the equipment such configuration details and software as will allow it to perform the desired router/firewall functions.
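The bootstrap exchange described above (power-on query, identity lookup in the authority's database, complete configuration returned as an encrypted message, the 60-second reply window, and the wipe-and-reload on intrusion), as an added simulation that is not part of the patent or of any product: the HMAC-based cipher, the device ids, the key and the configuration values are constructed for the simulation, since the patent leaves the cipher open.

```python
import hashlib
import hmac
import json
import secrets

REPLY_TIMEOUT_S = 60  # from the description: a reply must arrive within 60 seconds or the device resets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for the per-device cipher the patent leaves open."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (simulation-only construction)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; tampering or a wrong key raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("SMS authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class Authority:
    """Verification authority and configuration authority, merged into one party here."""

    def __init__(self):
        self.db = {}  # device_id -> (per-device key, desired configuration)

    def register(self, device_id, key, config):
        self.db[device_id] = (key, config)

    def handle_query(self, device_id):
        """Validate the caller against the database; reply with the entire sealed configuration."""
        if device_id not in self.db:
            return None  # unknown equipment: nothing is sent
        key, config = self.db[device_id]
        return seal(key, json.dumps(config).encode())

class NetworkDevice:
    """ROM holds only the identity, the authority and the bootstrap routine; config lives in RAM."""

    def __init__(self, device_id, key, authority):
        self.rom = {"id": device_id, "key": key, "authority": authority}
        self.ram_config = None  # empty at power-on, lost at power-off

    def power_on(self):
        """The only action an unconfigured device can take: identify itself to the authority."""
        self.ram_config = None
        return self.rom["authority"].handle_query(self.rom["id"])

    def receive_sms(self, blob, elapsed_s):
        """Load a configuration SMS only if it arrived in time and authenticates under the ROM key."""
        if blob is None or elapsed_s > REPLY_TIMEOUT_S:
            return False  # system resets and will query again
        try:
            self.ram_config = json.loads(unseal(self.rom["key"], blob))
        except ValueError:
            return False  # wrong key or tampered message: stay unconfigured
        return True

    def route(self, packet):
        """No routing of any packet until the configuration has been loaded."""
        if self.ram_config is None:
            return None
        return self.ram_config["routes"].get(packet["dst_net"])

    def intrusion_detected(self):
        """Wipe the configuration and re-trigger the bootstrap, i.e. force a complete reload."""
        self.ram_config = None
        return self.power_on()

def demo():
    """Constructed scenario: a registered device, a tampered reply, a late reply, an unknown device."""
    auth = Authority()
    key = secrets.token_bytes(32)
    auth.register("NZ-0001", key, {"isp_user": "example", "routes": {"10.0.0.0/24": "lan0"}})
    dev = NetworkDevice("NZ-0001", key, auth)
    r = {"before": dev.route({"dst_net": "10.0.0.0/24"})}       # None: not yet configured
    r["ok"] = dev.receive_sms(dev.power_on(), elapsed_s=5)      # True
    r["after"] = dev.route({"dst_net": "10.0.0.0/24"})          # "lan0"
    blob = dev.intrusion_detected()                             # config wiped, fresh query sent
    r["wiped"] = dev.ram_config is None                         # True
    tampered = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    r["tampered"] = dev.receive_sms(tampered, elapsed_s=5)      # False: tag check fails
    r["late"] = dev.receive_sms(dev.power_on(), elapsed_s=61)   # False: past the 60 s window
    r["unknown"] = NetworkDevice("NZ-9999", key, auth).power_on()  # None: not in the database
    return r
```

Every path that fails (late reply, bad tag, unknown identity) leaves the device with no configuration and therefore routing nothing, which is the security property the description relies on.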
Preferably the equipment configuration template is held by the remote authority, who may either make changes in it or allow the user to make changes in it via secure internet access. Such changes may be downloaded to the equipment in the same manner as the initial configuration data, though in most instances the remote authority will send a code to the equipment which forces it to reload the configuration or the equipment will check with the remote authority on a regular basis for any configuration changes.
The firewall and router may maintain the normal statistics of packets passed, addresses sent to or received from, intrusion attempts etc. and may, either on prompting or on schedule, send these details to the configuration authority for storage and possible analysis.
The firewall or router may be set up to pass information through desired ports and may be set to configure these ports on call. While the invention is described in relation to an ADSL modem the invention is equally as applicable to the configuration of a PC, a router of any type, a mobile phone or PDA or other similar equipment.
Industrial Applicability
The invention is applicable to the guaranteeing of the configuration of a network device, to prevent the compromising of data passing through that device, or the extraction of data in an unintended manner by that device.
Thus it can be seen that at least the preferred form of the invention provides an item of equipment which can be remotely configured for network device set up purposes.

Claims

1. A network device having operating software but no configuration data allowing it to carry out its intended purpose which network device is remotely programmable with configuration data, wherein the network device contains an embedded wireless messaging device and transfer of the configuration data is made via the wireless messaging device in the network device.
2. A network device as claimed in claim 1 wherein the device configuration data is held in random access memory (RAM) and is lost when no network device supply voltage is present.
3. A network device as claimed in claim 1 wherein the device software contains a routine which on initialisation attempts to contact a remote verification authority to authorise retrieval of configuration data from a configuration authority.
4. A network device as claimed in claim 3 wherein the embedded wireless messaging device is a cellular telephone.
5. A network device as claimed in claim 4 wherein the routine provides an SMS message via the embedded telephone to a telephone address at the remote verification authority.
6. A network device as claimed in claim 4 wherein the configuration data is received by the network device as an encrypted SMS message on the embedded cellular telephone from the configuration authority.
7. A network device as claimed in claim 4 wherein the configuration data is received by a data connection to the embedded cellular telephone.
8. A network device as claimed in claim 4 wherein the device software contains only the routine for contacting the remote verification authority and receiving data from the remote configuration authority.
9. A network device as claimed in claim 3 wherein the contact with the remote verification authority is subject to encryption.
10. A network device as claimed in claim 1 wherein the device is a router which is integral with a modem.
11. A router as claimed in claim 10 wherein the modem is an asymmetric digital subscriber line (ADSL) modem or Ethernet connection device.
12. A method of configuring a network device comprising providing a network device without user configuration data, providing within the network device a routine which securely contacts a remote verification authority, and downloading from a remote configuration authority authorised by the remote verification authority the entire configuration data wherein the verification authority is contacted by a cellular telephone embedded in the network device, and the entire configuration data is downloaded via the cellular telephone.
13. A method as claimed in claim 12 wherein the contact and download are by SMS message.
14. A method as claimed in claim 12 wherein the contact is by SMS and the download by encrypted data transfer.
15. A method as claimed in claim 12 wherein the network device is a router.
16. A method as claimed in claim 15 wherein the router is part of an ADSL modem.
17. A method as claimed in claim 12 wherein the network device is capable of being configured only by remote download of the complete configuration data.
18. A method as claimed in claim 12 wherein once configured the network device may transmit traffic or other information to the remote authority on a scheduled basis.
19. A method as claimed in claim 12 wherein the configuration data is lost from the network device on any intrusion attempt.

Priority Applications (1)

Application number: PCT/NZ2004/000162 (WO2006009470A1, en); priority date 2004-07-23; filing date 2004-07-23; title: Network device configuration

Publications (1)

WO2006009470A1 (en), published 2006-01-26

Family

ID=35785491; family application PCT/NZ2004/000162 (WO2006009470A1, en), priority and filing date 2004-07-23, Network device configuration

Country Status (1)

WO (1): WO2006009470A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
WO2008056341A3 (en) * | 2006-10-18 | 2009-01-15 | Nortel Networks Ltd | Method of configuring a node, related node and configuration server
CN112039688A (en) * | 2014-04-24 | 2020-12-04 | 柏思科技有限公司 | Method and system for configuring a system
CN112039688B (en) * | 2014-04-24 | 2023-04-21 | 柏思科技有限公司 | Method and system for configuring a system
JP7557558B2 (en) | 2023-01-11 | 2024-09-27 | ソフトバンク株式会社 | Configuration system, management server and its configuration instruction program, router and its configuration execution program

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US5297192A (en) * | 1990-09-28 | 1994-03-22 | At&T Bell Laboratories | Method and apparatus for remotely programming a mobile data telephone set
WO2002056621A1 (en) * | 2001-01-12 | 2002-07-18 | Ubinetics Limited | Downloading software for a remote data source to a communications device including segmentation, reassembly and selective retransmission
US20030177385A1 (en) * | 2002-03-15 | 2003-09-18 | Price James H. | Reverse authentication key exchange

Legal Events

Code | Title | Description
AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW
AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG
121 | EP | The EPO has been informed by WIPO that EP was designated in this application
NENP | Non-entry into the national phase | Ref country code: DE
122 | EP | PCT application non-entry in European phase