United States Patent
Carley

(10) Patent No.: US 7,325,140 B2
(45) Date of Patent: Jan. 29, 2008

(54) SECURE MANAGEMENT ACCESS CONTROL FOR COMPUTERS, EMBEDDED AND CARD EMBODIMENT

(75) Inventor: Jeffrey Alan Carley, Colorado Springs, CO (US)

(73) Assignee: Engedi Technologies, Inc., Virginia Beach, VA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 257 days.

(21) Appl. No.: 10/969,561

(22) Filed: Oct. 20, 2004

(65) Prior Publication Data: US 2005/0086494 A1, Apr. 21, 2005

Related U.S. Application Data

(63) Continuation-in-part of application No. 10/461,827, filed on Jun. 13, 2003.
(60) Provisional application No. 60/512,777, filed on Oct. 21, 2003.

(51) Int. Cl.: H04L 9/00 (2006.01)
(52) U.S. Cl.: 713/182; 726/2; 726/3; 709/224 [remaining classes illegible in the scan]
(58) Field of Classification Search: 713/182; 726/23; 709/223-224, 217, 219; 370/335; 455/3.03
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,689,566 A 11/1997 Nguyen
5,968,176 A * 10/1999 Nessett et al. 726/11
6,335,927 B1 1/2002 Elliott
6,560,222 B1 5/2003 Pounds
6,894,994 B1 * 5/2005 Grob et al. 370/335
2002/0001302 A1 1/2002 Pickett
2002/0064149 A1 5/2002 Elliott
2003/0093563 A1 5/2003 Young

OTHER PUBLICATIONS

Harikrishnan, Hari; Advanced security for data, voice, and video access ideal for small offices and teleworkers; Introducing Cisco 836 and SOHO 96 Secure Broadband Routers; Cisco.com; Mar. 2003; pp. 1-14.
Hardware you need FAST; Symbiat (online); Copyright 2002; pp. 1-2.

* cited by examiner

Primary Examiner: T. B. Truong
(74) Attorney, Agent, or Firm: John H. Thomas, P.C.

(57) ABSTRACT

A computer network management system for remotely managing a network device. The system includes a secure management access controller which is in direct communication with the network device. The secure management access controller provides access for remotely and securely managing a network. The secure management access controller further separates management communications from user communications to ensure the security of the management communications. The system further includes network and power monitoring and notification systems. The system further provides authentication and authorization capabilities for security purposes.

16 Claims, 32 Drawing Sheets

[Front-page figure: Remote Administrator; Access Control Server; Network Management Station; Network Operations Center Network (NTP server, Firewall, DNS Server); Secured Network; SMACC; VPN Tunnel; Out-of-Band Network or Secondary Network; In-Band Data Network]

Lenovo
Ex. 1002 - Page 1

U.S. Patent, Jan. 29, 2008, US 7,325,140 B2, Drawing Sheets 1-32

Fig. 1: User Data Interface; System Controller.
Fig. 2: Optional UPS; Circuit 1; Power Supply; Circuit 2; User Data Interface; Controller.
Fig. 3: Virtual Management Interface (VMI); SMACC Network Enabled Management Interface; Local Console.
Fig. 4: Remote Administrator; Out-of-Band Network or Secondary Network; SMACC interface; Network Management Station; Network Operations Center Network; Secured Network; In-Band Data Network.
Fig. 5: Remote Administrator; Network Management Station; Network Operations Center Network; Out-of-Band Network or Secondary Network; VPN Tunnels; Secured Network; In-Band Data Network.
Fig. 6: Packet Filtering for packets received on VMI or SMACC interfaces (flowchart): packet from allowed source? If not, log and discard. Packet destination the managed device? If so, process management request.
Fig. 7: Start Services Connection (flowchart): service available over current connection? If not, is this the last connection in the configured list? If not, make next connection current and retry; if so, log failure to connect to service. If available, establish connection to service over current connection.
Fig. 8: Start Service Loss (flowchart): connection to service lost; make next connection current; available over current connection? If so, establish connection to service over current connection; if not, has the entire list been attempted? If not, make next connection current; if so, wait configured amount of time and retry. End.
Fig. 9: Flash; NVRAM; SMACC CPU Bus; Analog Line.
Fig. 10: Flash; NVRAM; RAM; UART; SMACC CPU Bus; Ethernet; Ethernet Connection.
Fig. 11: Cell Tower; Flash; NVRAM; RAM; SMACC CPU Bus; Packet Cellular.
Fig. 12: NVRAM; SMACC Slot; SMACC CPU Bus; PCI Interface; SMACC Interface Card.
Fig. 13: UART; SMACC Interface Logic (two instances); Flash; NVRAM; RAM; SMACC CPU Bus; SMACC; System PCI Bus; System CPU Bus.
Fig. 14: UART (two instances); Boot ROM; Flash; NVRAM; SMACC; CPU; CPU Bus; System Controller.
Fig. 15: Telephone Line; -48V; Out; R1 (line-sensing circuit schematic).
Fig. 16: Dial-tone test (flowchart): initialize dial tone timer; wait for dial tone test timer to pop; take line off hook; is dial tone detected? If so, reset dial tone test timer; if not, send alert to Management Center.
Fig. 17: NVRAM; SMACC Bus; UART; SMACC; Power Supply; System Bus; User Data Interface; CPU; System Controller; Circuit.
Fig. 18: SMACC CPU Bus; PC Card Interface.
Fig. 19: CPU; Boot ROM; System Controller; Flash; NVRAM.
Fig. 20: Flash; SMACC Bus; SMACC; CPU; UART (two instances); User Data Interface (two instances); Boot ROM; Proxy Management Interface; Sys Bus; CPU Bus; System Controller; Flash.
Fig. 21: Virtual Management Interface (VMI); User Data Interface (two instances); User Interface configured as a Proxy Management Interface; SMACC Network Enabled Management Interface; Local Console.
Fig. 22: Remote Administrator; Network Management Station; Network Operations Center Network; Firewall; dedicated Management Console Segment; Out-of-Band Network or Secondary Network; VPN Tunnels; Secured Network; In-Band Data Network.
Fig. 23: SMACC CPU Bus; Ethernet; PC Card Interface.
Fig. 24: Cell Tower; SMACC CPU Bus; Packet Cellular; PC Card Interface.
Fig. 25: SMACC CPU Bus; Analog Modem; PC Card Interface.
Fig. 26: SMACC Interface Logic (two instances); SMACC (two instances); Flash; NVRAM; RAM; SMACC CPU Bus; SMACC; PC Card Interface.
Fig. 27: NVRAM; RAM; SMACC Interface Logic; SMACC CPU Bus; Proxy Management Interface (two instances); PC Card Interface.
Fig. 28: SMACC Bus; Bus Controller; SMACC Processor; System PCI Bus.
Fig. 29: SMACC Bus; Bus Controller; SMACC Processor; System CPU Bus.
Fig. 30: SMACC CPU Bus; UART; SMACC Interface Logic.
Fig. 31: Power-up sequence (flowchart): Device Power Switch turned On; Power up SMACC Circuit; Power up main processor.
Fig. 32: Incoming Call (flowchart): does the call pass the Call filter? If so, Answer Call; if not, Fast Hangup.

SECURE MANAGEMENT ACCESS CONTROL FOR COMPUTERS, EMBEDDED AND CARD EMBODIMENT

CROSS REFERENCE TO RELATED APPLICATIONS

The present application is a continuation in part based on U.S. patent application Ser. No. 10/461,827, filed Jun. 13, 2003. The present application claims priority from U.S. Provisional Application Ser. No. 60/512,777, filed Oct. 21, 2003. The present invention is related to the invention described in co-owned, co-pending patent application Ser. No. 10/461,820 filed on Jun. 13, 2003, incorporated herein by reference.

TECHNICAL FIELD OF THE INVENTION

The present invention relates in general to methods and apparatus used in managing devices or systems in a communication network and more particularly to methods and apparatus for remote management of these devices or systems in a secure manner.

BACKGROUND OF THE INVENTION

In distributed computer networks the vast majority of the networking elements are not in the same geographic location or easily accessible by the skilled technicians or network administrators typically responsible for normal maintenance of the elements. Not only do these technicians and administrators require regular access to the network elements for maintenance, but they also need timely access to the network elements when problems arise in order to perform troubleshooting and resolve problems. The more quickly a network administrator can access the elements in the network for troubleshooting, the shorter the mean-time-to-repair (MTTR) of an outage in the network.

In general, it is not practical to require physical access to the systems for general maintenance or troubleshooting and repair. The costs would be prohibitive, both in time and personnel, to require a skilled technician to be dispatched for every required activity on a system. This has driven a strong requirement to provide for remote management of network elements and servers. A number of means have been developed to provide for remote management of these systems. Remote management of the elements can be provided in-band (the remote administrator communicates with the system using the same network as the user data for the managed system) or out-of-band (the remote administrator communicates with the system using a means other than the network utilized by the user data of the managed system). Typically, when out-of-band remote management is utilized, the administrator is connecting to a console or management port on the system.

However, the security of the network elements and servers is a concern when remote management is allowed. For a system to be secure, it must first of all be physically secure from attack. Without physical security, it is almost certain an attacker can compromise a system. If management of the system requires physical access to the system then the security of the management is as strong as the physical security. But, as stated above, in most networks this is not practical. It is important, though, to realize that opening up a device to remote management allows a larger window for attackers to utilize in an attack. The use and security of remote management must be carefully considered.

The struggle to find a workable compromise between the utility of remote management of devices and the need to maintain the security of the devices can clearly be seen in "The Router Security Configuration Guide" published by the National Security Agency. On page 49 of the guide it is recommended that a terminal (or computer) be a stand-alone device protected from unauthorized access. This goes back to requiring physical access to the network element in order to access the console or management port. On page 47 the guide also states, "Permitting direct dial-in to any vital piece of network infrastructure is potentially very risky . . ." In-band management methods often depend to one degree or another on the security of the network the element is a part of to protect the management traffic. While this MIGHT provide a reasonable level of protection from external attacks (initiated from outside the network), it generally will not provide a sufficient level of protection from an internal attack (initiated from inside a network). To help reduce the vulnerability to internal attack, "The Router Security Configuration Guide" recommends using a dedicated network or at least dedicated network segments for remote network administration of routers. Building out a dedicated network for management would be quite expensive for most networks.

There are definite advantages to having an out-of-band remote management connection to network elements that utilizes connectivity that is diverse from the primary network connection. One of the primary purposes of the remote management connection is to assist the remote administrator or technician in troubleshooting network problems. With in-band management, if a network problem has hindered connectivity to a network element, management connectivity to that element could be lost when it is needed the most. An out-of-band management solution is more likely to allow the administrator or technician to still remotely access the network element to troubleshoot and resolve the network problem in a timely manner. Also, the out-of-band management connection providing connectivity to the console or management port of an element might be available for the initial configuration of the device whereas an in-band management connection might not be available for initial configuration. It is also possible that some functions can only be performed using the console or management port of the element. An example of this would be Password Recovery on a Cisco router. While a dedicated and secure out-of-band network would be the most preferable solution for out-of-band management from a security standpoint, the cost of such a solution is generally prohibitive. While some form of public shared network, such as the Public Switched Telephone Network (PSTN) or an Integrated Services Digital Network (ISDN), provides the most cost effective solution for a diverse out-of-band connection, the security of such solutions is a major concern.

The most straightforward means of providing out-of-band connectivity to a network element is to place a modem on the console port of a networking element connecting it to the PSTN. However, any perimeter security for the network such as firewalls and access-lists has just been completely bypassed, providing a vulnerable point for intruders to attack. If an attacker knows or can determine the phone number of the modem then the only security is the logon protection on the networking element itself. War dialers will generally find phone numbers connected to modems.

It is important to realize that most protocols used for assisting in the remote management of network elements do not provide for the confidentiality or integrity of the information being transmitted between the remote administrator
and the network element or strong authentication of the parties involved. This is especially critical if a public shared network such as the PSTN is utilized for the out-of-band connectivity. For instance, the protocol most frequently utilized for remote login to network elements (Telnet) transmits traffic in the clear (anyone who can tap into or sniff the network can capture and understand the traffic). It would not be uncommon for a remote administrator to be transmitting passwords and device configurations over such a connection. If an attacker were able to insert himself in the middle of such a connection, even more attacks would be possible.

In order to control the cost of remote management solutions, user traffic and management traffic are being commingled at multiple locations throughout the management path. The use of the user data network for the transport of management traffic is one place this commingling of data occurs. There is also a commingling of user and management data in the device itself. User traffic and device management traffic come in over the same user interface, use the same memory and buffers, and are processed by the same processor. The commingling of user traffic and management traffic can compromise the security of the device management.

Maintenance and troubleshooting of network element problems can often be facilitated by having the element maintain an accurate time clock. One way of keeping the clock accurate on an element is to allow the network to set the clock utilizing a protocol such as Network Time Protocol (NTP). If an attacker were able to alter or interfere with NTP, the smooth operation of the network could be interfered with.

Some network elements utilize Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) for managing the network element. HTTP transmits information in the clear and is susceptible to impersonation and data compromise. Often HTTPS is only authenticating the server to the client. For remote management, mutual authentication can be important.

A common difficulty in maintaining the elements of a network is keeping the software on the elements updated with patches that protect them from new exploits by hackers and crackers. One of the functions of firewalls is to protect the elements behind them from these exploits so that it is not as critical to keep protected elements updated. However, this does require the firewalls to be updated regularly to protect the elements from new exploits. Keeping the firewalls updated can be difficult.

Some of these concerns can be addressed by technology existing today. A firewall/Virtual Private Network (VPN) appliance could be utilized to protect management traffic that flows from a user interface on the managed device to a central location providing services for the management of the device. This would protect the management data while it flows over the in-band network. A terminal server could be utilized to allow an administrator to dial into the managed device over an out-of-band network. Some terminal servers will even allow the connection from the administrator to the terminal server to be encrypted for protection of the management data. However, this does not solve all the concerns. The terminal server does not fully support a centralized mechanism to verify an administrator should have access to the managed device, especially if the in-band network is down. The VPN/Firewall does not support connection to the console port of the managed device. Even having both a VPN/Firewall and a terminal server would leave gaps in the protection.

It would take a number of different devices configured to work together to address most of the concerns. This would require a number of additional devices in an environment where rack space is very expensive. Having another two or three devices in the rack is quite expensive in more ways than just the cost of the equipment.

An object of the invention is to provide for the secure management of devices without requiring additional devices taking up additional rack space by embedding the necessary hardware and software for secure management of the device in the device to be managed.

Another object of the invention is to separate user traffic from device management traffic, logically and/or physically, both in the device and while in transit over a network.

Another object of the invention is to establish a network enabled management interface for the secure remote management of the device. While similar to a console interface, the secure interface is to be engineered to secure remote access.

Another object of the invention is to define a virtual management interface for controlling management traffic that will flow over the in-band interfaces. The virtual management interface provides for logical separation of the management data from the user data even when the management data and the user data will transit the same physical network.

Another object of the invention is to utilize standard packet filtering firewall methods to restrict access to the management interfaces of the device, both real and virtual, based on factors such as the source address of the connection request.

Another object of the invention is to use a means of authentication, including the possibility of strong authentication, to verify the identity of the administrator and restrict access to the management interfaces based on the identity of the administrator.

Another object of the invention is to use an Access Control Server (ACS) to allow for centralized authentication and authorization of administrators as well as to log accounting information.

Another object of the invention is to restrict functions and protocols allowed to access the management interfaces to those necessary for remote management of that network element.

Another object of the invention is to dynamically update the rules used for restricting access to the management interfaces.

Another object of the invention is to provide for the confidentiality and integrity of the information transmitted between the remote administrator and the management interfaces.

Another object of the invention is to monitor the management interfaces for proper functioning and alert management software upon failure.

Another object of the invention is to monitor management interfaces for possible attacks and report possible attacks to Intrusion Detection System management software.

Another object of the invention is to provide for secure connections to a network providing network services both utilizing the managed device's user data connections and over a dedicated secure network enabled management connection.

Another object of the invention is to access network services such as ACS, Domain Name Server (DNS), NTP, Network Management Stations, Logging Servers, and Intrusion Detection Systems management stations over either an in-band network connection or over the network enabled
management connection (or both) and dynamically switch between which network is being utilized for the service.

Another object of the invention is to allow a remote administrator or technician to access the management interfaces via either an in-band connection or a network enabled management connection (or both).

Yet another object of the invention is to provide auditing information about attempted connections (successful and unsuccessful) to the management interfaces.

Yet another object of the invention is to alert management software on unsuccessful attempts to connect to management interfaces.

Yet another object of the invention is to be able to securely manage the device through in-band connections to the virtual management interface, the network enabled management connection, or the console port.

A further object of the invention is to enable securing a plurality of management protocols for managing the device, both over in-band connections to the virtual management interface and over the secure network enabled management connection. Exemplary protocols to be secured include telnet, ssh, http, https, snmp, dns, tftp, ftp, ntp, and xml.

A further object of the invention is to provide the end point for an in-band or out-of-band connection between the network segments providing network services and the management interfaces on the managed devices, which can be secured using protocols such as IPSec or may be unsecured.

A further object of the invention is to provide the ability for the managed device to switch which management path is being utilized for management network services; in particular, the managed device can utilize in-band connections for management network services when available and switch to using a network enabled management connection for management network services when an in-band connection is not available.

A further objective of the invention is to enable the secure management of other devices that are collocated with the managed device.

A further objective of the invention is to provide for the ability to easily upgrade existing hardware to support secure management of the device.

Finally, it is an object of the present invention to accomplish the foregoing objectives in a simple and cost effective manner.

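The connection logic sketched in Figs. 7 and 8, together with the object of using in-band connections for management network services when available and falling back to the network enabled management connection otherwise, as an added example that is not part of the patent (the path names, the probe callback and the scripted scenario are assumptions made here):

```python
"""Management-path failover for SMACC network services.

Added example, not the patent's own code: models the Fig. 7 start-up walk
through a configured list of connections, the Fig. 8 handling of a lost
connection, and the return to the preferred in-band path once it is usable
again. Path names, the probe callback and the scenario are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class ManagementPath:
    name: str        # assumed names, e.g. "vmi-inband" or "smacc-pstn"
    preference: int  # lower is tried first: in-band before out-of-band


@dataclass
class ServiceConnector:
    """One 'current connection' per service (ACS, DNS, NTP, ...) over a configured list."""
    service: str
    paths: List[ManagementPath]
    probe: Callable[[str, str], bool]  # probe(service, path_name): reachable over that path?
    current: int = 0
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.paths = sorted(self.paths, key=lambda p: p.preference)

    def start(self) -> Optional[str]:
        """Fig. 7: try the current connection; if unavailable and not last in the list, advance."""
        while True:
            path = self.paths[self.current]
            if self.probe(self.service, path.name):
                self.log.append(f"{self.service}: established over {path.name}")
                return path.name
            self.log.append(f"{self.service}: not available over {path.name}")
            if self.current == len(self.paths) - 1:
                self.log.append(f"{self.service}: failed to connect over any configured connection")
                return None
            self.current += 1

    def on_loss(self, wait: Callable[[float], None], retry_wait: float,
                max_rounds: int = 3) -> Optional[str]:
        """Fig. 8: rotate through the list; after a full sweep fails, wait and sweep again."""
        self.log.append(f"{self.service}: connection over {self.paths[self.current].name} lost")
        for _round in range(max_rounds):
            for _step in range(len(self.paths)):
                self.current = (self.current + 1) % len(self.paths)
                path = self.paths[self.current]
                if self.probe(self.service, path.name):
                    self.log.append(f"{self.service}: re-established over {path.name}")
                    return path.name
            self.log.append(f"{self.service}: entire list attempted, waiting {retry_wait}s")
            wait(retry_wait)
        return None

    def restore_preferred(self) -> str:
        """Move the service back to the most preferred (in-band) path once it answers again."""
        preferred = self.paths[0]
        if self.current != 0 and self.probe(self.service, preferred.name):
            self.current = 0
            self.log.append(f"{self.service}: preferred path {preferred.name} restored")
        return self.paths[self.current].name


def demo() -> dict:
    """Constructed scenario: in-band down at boot, comes back, then everything fails."""
    reachable = {"vmi-inband": False, "smacc-pstn": True}
    waits: List[float] = []
    conn = ServiceConnector(
        service="ntp",
        paths=[ManagementPath("smacc-pstn", 1), ManagementPath("vmi-inband", 0)],
        probe=lambda svc, path: reachable[path],
    )
    boot = conn.start()                                   # in-band down: falls to the PSTN path
    reachable["vmi-inband"] = True
    restored = conn.restore_preferred()                   # in-band back: management returns to it
    reachable["vmi-inband"] = False
    after_loss = conn.on_loss(waits.append, retry_wait=30.0)   # in-band lost again: PSTN
    reachable["smacc-pstn"] = False
    final = conn.on_loss(waits.append, retry_wait=30.0, max_rounds=2)  # nothing answers
    return {"boot": boot, "restored": restored, "after_loss": after_loss,
            "final": final, "waits": waits, "log": conn.log}
```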
SUMMARY OF THE INVENTION

The present invention addresses the foregoing problems, as well as other problems, by providing an exemplary embodiment of a Secure Management Access Control for Computer Chipset (SMACC) for inclusion in devices that are to be enabled for remote management. In this preferred exemplary embodiment, the SMACC functions are implemented on a separate processor with separate flash and memory; however, this is not intended to limit the implementation of these features to separate chipsets in a device. These features also can be combined with other hardware and software features such as being integrated with a modem or with the main processor of a device. Some of the features of the SMACC can also be implemented separately. Such implementations would still be within the spirit and scope of this invention.

An additional exemplary embodiment of the invention implements the SMACC processor and supporting chips on a card that can be inserted into the device to be managed. In this implementation, management of the device is controlled by the card and the administrator must connect to the card to manage the device. The administrator will be able to connect to the SMACC card through the Virtual Management Interface (VMI) or directly through a SMACC interface on the SMACC card.

A primary function of the SMACC is to provide for the separation of management data from user data both within the device being managed and while the management information is in transit. Within the device, the SMACC sets up a separate processor for receiving management information and interacting with the control functions of the device. Remote management functions will pass through the SMACC processor. The SMACC also provides for a separate interface for management functions that is network enabled to facilitate remote management. Various embodiments of the invention allow for different types of interfaces to be utilized for the network enabled management interfaces. Exemplary interfaces could include POTS connections to the PSTN, Packet Cellular connections to a cellular provider's infrastructure, an Ethernet interface to a broadband modem and the Internet, or a wireless connection. The types of interfaces are not limited to those in this list to be within the scope of this invention. A VMI is also established for logically separating management traffic from user data when the in-band path is to be used for management data. The VMI is the interface between the SMACC chipset and the user data interfaces. The VMI utilizes existing and developing technology such as VPN to build secure tunnels between the SMACC chipset and the management center while utilizing the user data interfaces of the managed device and the user network to provide the transport of the management data cost effectively. The VPN technology provides the logical separation, confidentiality, and integrity of the management traffic while it is in transit.

Another primary function of the SMACC is to protect the management interfaces from attack. This is accomplished through a combination of firewall, VPN, and authentication and authorization applications. The SMACC chipset implements the logic to support VPN tunnels to the management center, thus protecting the management traffic between the management interface on the SMACC (VMI or SMACC interface) and the management center. The firewall functionality protects the SMACC chipset from access by unauthorized parties, both internal and external, and from unauthorized protocols. An exemplary embodiment of the SMACC can be configured to only allow the protocols necessary for managing the device to access the SMACC. No other protocols will be allowed through the interface. The authentication and authorization of administrators can either be configured and accomplished locally to the SMACC, and/or centralized services can be accessed at the management center utilizing the secure management interfaces to the management center (VMI or SMACC interface). The SMACC implements the client protocol for exemplary services such as the Remote Authentication Dial-In User Service (RADIUS) protocol, Terminal Access Controller Access Control System (TACACS+), or Lightweight Directory Access Protocol (LDAP).

The SMACC allows the use of shared networks including public networks such as the Internet, the Public Switched Telephone Network (PSTN), or a corporate backbone network for secure network management while still providing for the confidentiality, integrity, and logical separation of the management data. In an exemplary embodiment, this is accomplished by utilizing Virtual Private Networking (VPN) technology to build secure tunnels between one or more management interfaces on the SMACC and the management center providing network resources for management. The VPN tunnels provide for logical separation of the management traffic from any other traffic utilizing the network. The VPN tunnels also utilize encryption to provide for the confidentiality and integrity of the management traffic utilizing the network. SMACC increases both the security and the availability of remote management of devices.

The SMACC allows for access controls both on what remote devices can connect to the management interfaces of the SMACC (and can th
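The access controls on which remote devices may reach the management interfaces, as described above and in the Fig. 6 packet-filtering flow, together with the objects of admitting only the protocols needed for management, updating the rules dynamically, auditing every attempt and alerting management software and the IDS on rejected attempts, as an added example that is not the patent's own code (the rule values, the port table and the sample packets are constructed assumptions):

```python
"""Packet filtering on the SMACC management interfaces (VMI or SMACC interface).

Added example, not the patent's own code: implements the Fig. 6 decisions
(allowed source? destination the managed device?) plus the restriction to the
protocols needed for management, logs every attempt, raises each rejection to
management software, and reports repeated rejections from one source as a
possible attack. Rule values, ports and packets below are constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# Protocol names follow the page's list of protocols to be secured; the port
# numbers are the usual IANA assignments and are an assumption of this example.
MANAGEMENT_PORTS = {"telnet": 23, "ssh": 22, "http": 80, "https": 443,
                    "snmp": 161, "dns": 53, "tftp": 69, "ftp": 21, "ntp": 123}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class FilterRules:
    allowed_sources: List[ipaddress.IPv4Network]  # e.g. the NOC management segment
    managed_device: ipaddress.IPv4Address         # the only legitimate destination
    allowed_ports: Set[int]                       # only the management protocols in use
    attack_threshold: int = 5                     # rejections from one source before an IDS report

    def update(self, add_sources: Iterable[str] = (),
               allowed_ports: Optional[Iterable[int]] = None) -> None:
        """Rules change at run time (e.g. pushed from the management center), not only at boot."""
        self.allowed_sources.extend(ipaddress.ip_network(s) for s in add_sources)
        if allowed_ports is not None:
            self.allowed_ports = set(allowed_ports)


@dataclass
class ManagementFilter:
    rules: FilterRules
    audit: List[str] = field(default_factory=list)   # every attempt, successful or not
    alerts: List[str] = field(default_factory=list)  # for management software and the IDS
    rejected: Counter = field(default_factory=Counter)

    def inspect(self, pkt: Packet) -> bool:
        """True when the packet may be handed to the SMACC processor as a management request."""
        src = ipaddress.ip_address(pkt.src)
        # Fig. 6, first decision: packet from an allowed source?
        if not any(src in net for net in self.rules.allowed_sources):
            return self._discard(pkt, "source not allowed")
        # Fig. 6, second decision: packet destination the managed device?
        if ipaddress.ip_address(pkt.dst) != self.rules.managed_device:
            return self._discard(pkt, "destination is not the managed device")
        # Only the protocols necessary for managing the device pass the interface
        if pkt.dport not in self.rules.allowed_ports:
            return self._discard(pkt, f"port {pkt.dport} is not a permitted management protocol")
        self.audit.append(f"ALLOW {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
        return True

    def _discard(self, pkt: Packet, reason: str) -> bool:
        """Log and discard; alert management software; count toward a possible-attack report."""
        self.audit.append(f"DROP {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto} ({reason})")
        self.alerts.append(f"mgmt: rejected attempt from {pkt.src}: {reason}")
        self.rejected[pkt.src] += 1
        if self.rejected[pkt.src] == self.rules.attack_threshold:
            self.alerts.append(f"ids: possible attack, {self.rejected[pkt.src]} "
                               f"rejected attempts from {pkt.src}")
        return False


def demo() -> dict:
    """Constructed traffic against a constructed rule set; returns what the test checks."""
    rules = FilterRules(
        allowed_sources=[ipaddress.ip_network("10.10.0.0/24")],  # constructed NOC segment
        managed_device=ipaddress.ip_address("10.20.0.5"),
        allowed_ports={MANAGEMENT_PORTS[p] for p in ("ssh", "https", "snmp", "ntp")},
        attack_threshold=3,
    )
    f = ManagementFilter(rules)
    packets = [
        Packet("10.10.0.7", "10.20.0.5", "tcp", 22),   # admin SSH from the NOC: allowed
        Packet("10.10.0.7", "10.20.0.5", "tcp", 23),   # telnet not enabled here: dropped
        Packet("192.0.2.9", "10.20.0.5", "tcp", 22),   # outside the NOC segment: dropped
        Packet("10.10.0.7", "10.20.0.99", "tcp", 22),  # not the managed device: dropped
        Packet("192.0.2.9", "10.20.0.5", "tcp", 443),  # dropped
        Packet("192.0.2.9", "10.20.0.5", "udp", 161),  # third rejection from this source: IDS report
    ]
    verdicts = [f.inspect(p) for p in packets]
    rules.update(add_sources=["192.0.2.0/24"])         # dynamic rule update: a new management segment
    after_update = f.inspect(Packet("192.0.2.9", "10.20.0.5", "tcp", 443))
    return {"verdicts": verdicts, "after_update": after_update, "audit": f.audit,
            "alerts": f.alerts, "ids_reports": [a for a in f.alerts if a.startswith("ids:")]}
```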