Technologies for secure personalization of a security monitoring virtual network function

US2016373474A1 · US · A1

Patent metadata

Publication number: US-2016373474-A1
Application number: US-201514866565-A
Country: US
Kind code: A1
Filing date: Sep 25, 2015
Priority date: Jun 16, 2015
Publication date: Dec 22, 2016
Grant date: none listed (A1 is a pre-grant application publication)

Abstract

Official abstract text for this publication.

Technologies for secure personalization of a security monitoring virtual network function (VNF) in a network functions virtualization (NFV) architecture include various security monitoring components, including a NFV security services controller, a VNF manager, and a security monitoring VNF. The security monitoring VNF is configured to receive provisioning data from the NFV security services controller and perform a mutually authenticated key exchange procedure using at least a portion of the provisioning data to establish a secure communication path between the security monitoring VNF and a VNF manager. The security monitoring VNF is further configured to receive personalization data from the VNF manager via the secure communication path and perform a personalization operation to configure one or more functions of the security monitoring VNF based on the personalization data. Other embodiments are described and claimed.

Claims

Claim text as shown on this page (the listing is cut off in claim 19).

1. A security monitoring virtual network function (VNF) for performing security monitoring in a network functions virtualization (NFV) architecture, the security monitoring VNF comprising: one or more processors; and one or more memory devices having stored therein a plurality of instructions that, when executed by the one or more processors, cause the security monitoring VNF to: receive provisioning data from an NFV security services controller of the NFV architecture in network communication with the security monitoring VNF; perform a mutually authenticated key exchange procedure with a VNF manager of the NFV architecture using at least a portion of the provisioning data to establish a secure communication path between the security monitoring VNF and the VNF manager; receive personalization data from the VNF manager via the secure communication path, wherein the personalization data includes data usable to configure one or more security functions of the security monitoring VNF; and perform a personalization operation to configure the security monitoring VNF based on the personalization data.

2. The security monitoring VNF of claim 1, wherein the plurality of instructions further cause the security monitoring VNF to: receive policy information from the VNF manager via the secure communication path; and perform a policy update operation to update a security policy of the security monitoring VNF.

3. The security monitoring VNF of claim 2, wherein the policy information includes at least one of a tenant specific security processing policy, a security traffic policy, a security group policy, and a network services processing policy.

4. The security monitoring VNF of claim 1, wherein to receive the provisioning data comprises to receive the provisioning data using an out-of-band communication.

5. The security monitoring VNF of claim 1, wherein the provisioning data includes a unique identifier of the security monitoring VNF, a unique identifier of a platform on which the security monitoring VNF is being run, and a security credential.

6. The security monitoring VNF of claim 5, wherein to perform the mutually authenticated key exchange procedure comprises to perform the mutually authenticated key exchange procedure using the security credential.

7. The security monitoring VNF of claim 1, wherein the plurality of instructions further cause the security monitoring VNF to transmit security monitoring information to the VNF manager via the secure communication path, wherein the security monitoring information includes at least one of logs, alerts, and statistics of the security monitoring VNF.

8. The security monitoring VNF of claim 1, wherein the personalization data includes at least one of secure configuration data, an initial set of parameters of the security monitoring VNF, metadata of the NFV architecture, connection information about other VNFs, vendor-specific information, performance data, workload traffic engineering data, and quality of service (QoS) parameters and policies.

9. The security monitoring VNF of claim 1, wherein the plurality of instructions further cause the security monitoring VNF to transmit a personalization operation status and a policy update operation status to the VNF manager, wherein the personalization operation status and the policy update operation status are usable by the NFV security services controller to determine whether to activate a network-wide security policy for network traffic monitored by the security monitoring VNF.

10. One or more computer-readable storage media comprising a plurality of instructions stored thereon that in response to being executed cause a source endpoint node to: receive provisioning data from an NFV security services controller of the NFV architecture in network communication with the security monitoring VNF; perform a mutually authenticated key exchange procedure with a VNF manager of the NFV architecture using at least a portion of the provisioning data to establish a secure communication path between the security monitoring VNF and the VNF manager; receive personalization data from the VNF manager via the secure communication path, wherein the personalization data includes data usable to configure one or more security functions of the security monitoring VNF; and perform a personalization operation to configure the security monitoring VNF based on the personalization data.

11. The one or more computer-readable storage media of claim 10, further comprising a plurality of instructions that in response to being executed cause the security monitoring VNF to: receive policy information from the VNF manager via the secure communication path; and perform a policy update operation to update a security policy of the security monitoring VNF.

12. The one or more computer-readable storage media of claim 11, wherein the policy information includes at least one of a tenant specific security processing policy, a security traffic policy, a security group policy, and a network services processing policy.

13. The one or more computer-readable storage media of claim 10, wherein to receive the provisioning data comprises to receive the provisioning data using an out-of-band communication.

14. The one or more computer-readable storage media of claim 10, wherein the provisioning data includes a unique identifier of the security monitoring VNF, a unique identifier of a platform on which the security monitoring VNF is being run, and a security credential.

15. The one or more computer-readable storage media of claim 14, wherein to perform the mutually authenticated key exchange procedure comprises to perform the mutually authenticated key exchange procedure using the security credential.

16. The one or more computer-readable storage media of claim 10, further comprising a plurality of instructions that in response to being executed cause the security monitoring VNF to transmit security monitoring information to the VNF manager via the secure communication path, wherein the security monitoring information includes at least one of logs, alerts, and statistics of the security monitoring VNF.

17. The one or more computer-readable storage media of claim 10, wherein the personalization data includes at least one of secure configuration data, an initial set of parameters of the security monitoring VNF, metadata of the NFV architecture, connection information about other VNFs, vendor-specific information, performance data, workload traffic engineering data, and quality of service (QoS) parameters and policies.

18. The one or more computer-readable storage media of claim 10, further comprising a plurality of instructions that in response to being executed cause the security monitoring VNF to transmit a personalization operation status and a policy update operation status to the VNF manager, wherein the personalization operation status and the policy update operation status are usable by the NFV security services controller to determine whether to activate a network-wide security policy for network traffic monitored by the security monitoring VNF.

19. A method for secure personalization of a security monitoring virtual network function (VNF) in a network functions virtualization (NFV) architecture, the method comprising: receiving, by the security monitoring VNF, provisioning data from an NFV security services controller of the NFV architecture in network communication with the security monitoring VNF; performing, by the security monitoring VNF,
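The flow described in the abstract and in claims 1 through 9 (out-of-band provisioning data, a mutually authenticated key exchange using the provisioned credential, personalization and policy data over the resulting secure path, and status returned for the controller's decision) as an added Python simulation; this is not the patent's own implementation. It assumes a pre-shared-credential exchange with HMAC-SHA256 proofs bound to both nonces and the VNF and platform identifiers, HMAC-authenticated messages in place of a full encrypted channel, and constructed identifiers and personalization values.

```python
import hmac, hashlib, json, secrets

# Constructed provisioning data, as the NFV security services controller would
# deliver out of band (claims 4 and 5); names and values are illustrative.
PROVISIONING = {"vnf_id": "smvnf-example-01", "platform_id": "host-example-07",
                "credential": secrets.token_bytes(32)}

def mac(key: bytes, *parts) -> bytes:
    data = b"|".join(p.encode() if isinstance(p, str) else p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()

def key_exchange(prov_vnf: dict, prov_mgr: dict):
    """Credential-based mutually authenticated key exchange (claim 6): each side
    proves possession of the provisioned credential over a transcript binding both
    nonces and the VNF/platform identifiers. Returns (vnf_key, mgr_key) or None."""
    n_vnf, n_mgr = secrets.token_bytes(16), secrets.token_bytes(16)  # sent in the clear
    def transcript(p): return (p["vnf_id"], p["platform_id"], n_vnf, n_mgr)
    # Each party computes its proof with its own copy of the credential...
    proof_vnf = mac(prov_vnf["credential"], "vnf", *transcript(prov_vnf))
    proof_mgr = mac(prov_mgr["credential"], "mgr", *transcript(prov_mgr))
    # ...and checks the peer's proof against the value it expects.
    ok_at_mgr = hmac.compare_digest(proof_vnf, mac(prov_mgr["credential"], "vnf", *transcript(prov_mgr)))
    ok_at_vnf = hmac.compare_digest(proof_mgr, mac(prov_vnf["credential"], "mgr", *transcript(prov_vnf)))
    if not (ok_at_mgr and ok_at_vnf):
        return None
    return (mac(prov_vnf["credential"], "session", *transcript(prov_vnf)),
            mac(prov_mgr["credential"], "session", *transcript(prov_mgr)))

def seal(key: bytes, payload: dict) -> dict:
    """Authenticate one message on the secure path (HMAC only; real use needs AEAD/TLS)."""
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "tag": mac(key, body).hex()}

def unseal(key: bytes, env: dict) -> dict:
    if not hmac.compare_digest(mac(key, env["body"]).hex(), env["tag"]):
        raise ValueError("message failed authentication on the secure path")
    return json.loads(env["body"])

def run_personalization(prov_vnf: dict, prov_mgr: dict) -> dict:
    """Key exchange, then personalization data and policy, then status back (claims 1-3, 8, 9)."""
    keys = key_exchange(prov_vnf, prov_mgr)
    if keys is None:
        return {"personalization": "failed", "policy_update": "failed"}
    k_vnf, k_mgr = keys
    config = unseal(k_vnf, seal(k_mgr, {"tenant": "tenant-a", "qos": {"max_pps": 50000}}))
    policy = unseal(k_vnf, seal(k_mgr, {"security_group_policy": ["deny-east-west-telnet"]}))
    status = {"personalization": "ok" if "tenant" in config else "failed",
              "policy_update": "ok" if policy.get("security_group_policy") else "failed"}
    return unseal(k_mgr, seal(k_vnf, status))  # status the controller can act on (claim 9)
```

A manager holding a different credential fails the exchange before any personalization data is sent, which is the property the claimed mutual authentication is meant to give.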

Assignees

Intel Corp
Classifications

  • by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title

  • for key distribution, e.g. centrally by trusted party (cryptographic mechanisms or cryptographic arrangements for key distribution involving a central third party H04L9/0819) · CPC title

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • involving the movement of software or configuration parameters (network booting or remote initial program loading [RIPL] G06F9/4416) · CPC title

  • using different networks or channels, e.g. using out of band channels (cryptographic mechanisms or cryptographic arrangements for key distribution involving distinctive intermediate devices or communication paths H04L9/0827; cryptographic mechanisms or cryptographic arrangements for authentication using a plurality of channels H04L9/3215) · CPC title

Frequently asked questions


Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 22, 2016 (A1). Legal status and post-grant events are not shown on this page.