System And Methods For Transit Path Security Assured Network Slices
Abstract
Systems and methods of configuring, managing and ensuring security compliance of Virtual Network Slices that transit through physical networks, virtual networks (SDN), cloud networks, radio access networks, service provider networks, and enterprise networks are identified. The methods include user side security validation methods while attempting to use a network slice for a specific service, and security validation of physical or virtual networks and the associated transit network elements. The methods disclose enriching the Security Certificates with policy parameters and the associated procedures that transit elements are required to assure for security compliance. Additionally, methods for incorporating a mobile native security platform in Wireless Mobile Network (4G/5G) that supports generating X.509 Certificates enhanced with policy requirements, validating allowed/disallowed list of transit network vendor devices, virtual network appliances are identified.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method of constructing a transit network path map through a multi-provider, multi-domain network that includes each transit network element, its provenance and other device attributes, comprising:
interacting with a plurality of transit network operations management platforms to identify attributes of each virtual and/or physical device; and using these attributes to either:
construct a plurality of network paths to a plurality of destination endpoints to facilitate client orchestrated transit paths; or
construct one or more network paths based on required enterprise security and trust policies.
2 . The method of claim 1 , wherein the transit network path map includes geographical locations of devices, device types, and virtualization layers and provenance attributes of each virtual layer or application that transports or processes the packets.
3 . The method of claim 1 , wherein the provenance and device attributes are selected from the group consisting of device vendor name, manufacturing location, device name, device unique identifiers, hardware and software model numbers, version numbers, manufacturing location, country, region, device type and interface configuration and operational attributes.
4 . The method of claim 1 , wherein the provenance and device attributes are contained in an Enhanced Digital Certificate.
5 . The method of claim 1 , wherein the interacting with the plurality of transit network operations management platforms is performed using SNMP, ONAP, NETCONF and other network management protocols.
6 . The method of claim 1 , wherein the client orchestrated transit paths are constructed by allowing devices only from certain device vendors, models, manufacturing locations, countries, regions, device types and device operational and interface configuration attributes.
7 . The method of claim 1 , wherein the client orchestrated transit paths are constructed to achieve maximum bandwidth, to minimize data transfer times or to reduce latency.
8 . The method of claim 1 , wherein the client orchestrated transit paths are constructed by not allowing devices from certain vendors, models, manufacturing locations, countries, regions, device types, device operational and interface configuration attributes.
9 . The method of claim 1 , wherein the client orchestrated transit maps and the constructed network maps are constructed by selecting a type of network path in the transit network based on available transit network path segments and device operational and interface configuration attributes.
10 . The method of claim 1 , wherein the required enterprise security and trust policies are dependent on a Security Level of traffic that traverses the network path.
11 . The method of claim 1 , further comprising interacting with a plurality of network controllers in the transit network to set up forwarding paths to the plurality of destination network endpoints.
12 . The method of claim 1 , wherein the multi-provider, multi-domain network comprises one or more of enterprise networks, mobile networks, communications service provider networks, SDNs, Virtual Networks, and Cloud.
13 . A method of constructing network paths that ensure secure flow through a multi-domain network, comprising:
allowing only those interface ports in a first network device with multiple interface ports to forward packets based on whether the interface port connects to a second network device that is a trusted network device; and allowing the second network device to receive and process packets based on whether the first network device it is receiving packets from is trusted, thereby ensuring the flow is secure in each direction; wherein each network device is trusted based on the security and trust requirements of an enterprise for the data being exchanged.
14 . The method of claim 13 , wherein the each network device is determined to be a trusted network device based on an enhanced digital certificate associated with the network device.
15 . The method of claim 13 , wherein security and trust requirements vary based on flow path and flow direction, such that security requirements for east/west interfaces may differ from north/south interfaces for each flow direction.
16 . The method of claim 13 , wherein at least one network device comprises a router, switch or bridge.
17 . The method of claim 13 , wherein at least one network device comprises a transport protocol termination device selected from the group consisting of an application server, application client, application proxy, and application gateway.
18 . A method of minimizing round trips and latency while validating security and trust of enhanced Digital Certificates in multi-domain multi-provider networks comprising:
providing a plurality of network devices each with an enhanced digital certificate wherein the enhanced digital certificate comprises metadata regarding provenance and other device attributes of the network device; and opportunistically disposing one or more security platform components that support processing enhanced digital certificates within the multi-domain network based on analysis of certificate access interactions so as to reduce latency.
19 . The method of claim 18 , wherein the security platform components are disposed within a 5G RAN, a network operated by a service provider, or a cloud, or an SDN.
20 . The method of claim 18 , wherein the one or more security platform components assist in faster setup and operational use of a secure network slice.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.