This disclosure relates generally to mobile networks and, more particularly, to methods and apparatus to configure virtual private mobile networks for security.
Virtualization of computing and networking platforms is becoming popular with clients and customers by providing flexible, on demand resources at a relatively low cost. A virtualized computing network, also known as a cloud computing network, enables clients to manage web-based applications and/or data resources by dynamically leasing computational resources and associated network resources from service providers. These web-based applications, data resources, and/or routing resources may be used by customers of the clients, individuals associated with the clients, and/or by the clients. This dynamic leasing of computational and network resources creates an appearance and function of a distributive computing network and, thus, is referred to as virtualization of a network. Virtualized platforms utilize partitioning and allocation of network and/or computing resources. Accordingly, new resources provisioned for a client may be added quickly as needed within short periods of time by a network provider allocating an additional portion of shared resources to the client. Additionally, virtualization in a network enables network providers to dynamically multiplex resources among multiple clients without dedicating individual physical resources to each client.
Example methods, articles of manufacture, and apparatus to configure virtual private mobile networks for security are disclosed. A disclosed example method includes identifying, in a wireless network, a communication from a user equipment that matches a security event profile. The example method also includes transmitting, from the wireless network, an instruction to enable the user equipment to be communicatively coupled to a virtual private mobile network, the virtual private mobile network being provisioned for security within the wireless network. The example method further includes enabling the user equipment to transmit a second communication through the virtual private mobile network securely isolated from other portions of the wireless network.
A disclosed example apparatus includes a security processor to identify, in a wireless network, communications from a user equipment that are a potential threat to the wireless network, the communications matching a security event profile. The example security processor also is to provision logically within the wireless network a virtual private mobile network to process the communications associated with the potential threat. The example apparatus further includes a device migrator to communicatively couple the user equipment to the virtual private mobile network.
Currently, wireless mobile networks enable subscribing customers to connect to an external packet switched network (e.g., the Internet) via mobile devices. These wireless mobile networks provide wireless network service via dedicated hardware (e.g., network elements also known as mobility network elements). In many instances, network elements are configured for a corresponding wireless communication protocol. Throughout the following disclosure, reference is made to network elements associated with the 3rd Generation Partnership Project (3GPP) Long Term Evolution (LTE) wireless communication standard. However, the disclosure is applicable to network elements associated with other wireless protocols and/or standards such as, for example, the General Packet Radio Service (GPRS) for second generation (2G) and Wideband-Code Division Multiple Access (W-CDMA) based third generation (3G) wireless networks.
In a typical wireless mobile network, a base transceiver station (BTS) (e.g., an LTE eNodeB) provides wireless communication service for mobile devices in a cell (e.g., a geographic area). The BTS enables one or more wireless devices to connect to an external packet switched network through the wireless mobile network. In these typical wireless mobile networks, a BTS is communicatively coupled to a serving gateway (e.g., a wireless network interface, router, and/or server), which routes communications between multiple BTSs and a packet data network (PDN) gateway. The PDN gateway is an interface between the wireless mobile network and external packet switched networks. In other GPRS-based wireless mobile networks, the serving gateway provides similar functionality to a Serving GPRS Support Node (SGSN) and the PDN gateway provides similar functionality to a Gateway GPRS Support Node (GGSN).
Additionally, many wireless mobile networks include a mobility management entity (MME) that monitors mobile devices on a wireless mobile network and coordinates wireless handoffs between BTSs for the mobile devices. Wireless mobile networks also include home subscriber servers (HSS) (e.g., a home location register (HLR) that mange wireless device profiles and/or authentication information. Collectively, BTSs, HSSs, HLRs, PDN gateways, and/or serving gateways are referred to as network elements, which provide a foundation for providing wireless communication services for mobile devices.
To implement a wireless mobile network, a wireless mobile network provider manages and/or configures network elements. The wireless mobile network enables customers of a wireless mobile network provider to subscribe to the wireless mobile network to receive and/or transmit voice and/or data communications. Many network providers configure network elements to provide wireless service to any subscribing customer of the network provider. For example, subscribing customers of a network provider may commonly access a wireless mobile network managed by the network provider.
Additionally, many network providers lease portions of their wireless mobile network to mobile virtual network operators (MVNOs). An MVNO (e.g., Virgin Mobile) is a company that provides mobile device services but does not own, control, and/or manage its own licensed frequency allocation of a wireless spectrum and/or does not own, control, and/or manage network elements needed to create a wireless mobile network. Network elements are capital intensive, which results in many MVNOs desiring to avoid the relatively large costs of creating and maintaining a wireless mobile network. To provide mobile device services, an MVNO leases bandwidth and/or portions of a wireless spectrum for subscribing customers of the MVNO. In this manner, an MVNO may compete with a wireless mobile network provider for customers but use the same wireless mobile network managed by the wireless mobile network provider.
In other instances, an MVNO may be a relatively large business and/or government entity that leases a portion of a wireless mobile network for private and/or proprietary use. For example, a military may lease a portion of a wireless mobile network. In these other instances, employees, agents, and/or contractors of the MVNO use the leased portion of the wireless mobile network to communicatively couple to data centers and/or computing elements managed by the MVNO.
Currently, many wireless mobile network providers use dedicated network elements to manage wireless communications for an MVNO. These dedicated network elements are often separate from network elements used by subscribing customers of the network provider. In other instances where it may not be efficient to provide dedicated network elements for an MVNO, a wireless mobile network provider shares network resources with an MNVO. However, this sharing may result in security issues as compromises and/or denial of service attacks on an MVNO service can affect wireless service provided by the network provider. In other words, an issue with a portion of a wireless mobile network for an MVNO can develop into a larger issue for the wireless mobile network provider. Additionally, sharing and/or creating individual network resources with an MVNO creates a relatively inflexible wireless mobile network that makes realization of varying service differentiating features a difficult task for a wireless mobile network provider.
The example methods, apparatus, and articles of manufacture described herein configure a wireless mobile network for security by partitioning network elements to create a virtual private mobile network (VPMN) to process and/or route unsecure, suspect, and/or otherwise high risk communications (e.g., problematic or potentially threatening communications). The example methods, apparatus, and articles of manufacture described herein determine problematic communications (e.g., security events) within a wireless mobile network by identifying which communications match a security event profile. For example, security event profiles may specify a known network worm, a known malicious application, and/or a known unsecure and/or unsupported mobile device. An unsecure mobile device includes a mobile device that does not have security updates and/or network security protection. An unsupported mobile device includes a mobile device that is modified to operate on a wireless mobile network where the mobile device would not otherwise be able to communicatively couple to the wireless mobile network (e.g., a jail broken mobile device). A malicious application includes an application that reduces network performance by generating excessive traffic. A network worm can include any malicious program and/or code that is embedded within a payload of network communications configured to disrupt network performance and/or penetrate network safeguards.
The example methods, apparatus, and articles of manufacture described herein use identified potentially problematic communications to identify mobile devices associated with the communications. The example methods, apparatus, and articles of manufacture described herein then provision the identified mobile devices to communicatively couple to a VPMN designated for security that is logically separate from a wireless mobile network. In this manner, the example methods, apparatus, and articles of manufacture described herein isolate potentially problematic communications from a wireless mobile network.
A VPMN provides private network communications on shared network elements. In some instances, a VPMN may extend end-to-end on a wireless mobile network. In other instances, a VPMN may only be included within some network elements and/or some types of network elements. To partition (e.g., virtualize) many network elements, portions of a control plane and/or a data plane of the network elements are partitioned for a particular VPMN. Partitioning network elements may also include partitioning processing power and/or bandwidth of the network elements for a particular VPMN to separate the VPMN from other portions of a wireless mobile network. Virtualizing VPMNs in a wireless mobile network enables the VPMNs to provide a private secure virtual circuit (and/or a private path using similar technology such as, for example, a Multiprotocol Label Switching (MPLS) path) extending from mobile devices to an external packet switched network, other mobile devices, and/or data centers of an MVNO.
An example VPMN designated for security routes and/or processes potentially problematic and/or threatening communications through a wireless mobile network separate from non-potentially problematic communications. Additionally, the example VPMN may include security protocols and/or security tools that are not implemented in a wireless mobile network for communications that are not potentially problematic. The security protocols and/or analysis tools analyze, diagnose, filter, block, and/or monitor potentially problematic communications and/or identified problematic communications. Thus, the example methods, apparatus, and articles of manufacture described herein conserve wireless mobile network resources by only using additional security protocols and/or security tools within the example VPMN without having to deploy the additional security protocols and/or tools to other portions of the wireless mobile network. For example, deploying an additional security protocol may increase a propagation time because the security protocol has to analyze the problematic communications. By having the additional security protocol deployed only within the secure VPMN, only propagation times of potentially problematic communications are affected.
Through the use of separate isolated VPMNs, the example methods, apparatus, and articles of manufacture described herein provide enhanced security. Thus, a compromise on a first VPMN and/or a wireless mobile network cannot propagate to other VPMNs because the VPMNs are logically separate. As a result of enhanced security, some MVNOs with relatively more stringent security requirements can utilize VPMNs without implementing other security protocols and/or methods.
In the interest of brevity and clarity, throughout the following disclosure, reference will be made to an example communication system 100 of
In the illustrated example, the wireless mobile network 104 is shown as including and/or associated with network elements 108-112. The example network elements 108-112 are shown as one example of communicatively coupling the mobile device 106 to the IP network 102. In other examples, the wireless mobile network 104 can include additional network elements and/or different types of network elements including, for example, an MME, an HSS, and/or a policy charging and rules function (PCRF) server. Further, the example network elements 108-112 correspond to the LTE standard. In other examples, the network elements 108-112 may be associated with any other wireless communication protocol and/or standard including, for example, Universal Mobile Telecommunication System (UMTS) and/or GPRS.
The example mobile device 106 (e.g., user equipment (UE)) of the illustrated example includes any device capable of wirelessly communicatively coupling to the wireless mobile network 104. For example, the mobile device 106 includes any laptop, smartphone, computing pad, personal digital assistant, tablet computer, personal communicator, etc. Additionally, while
To wirelessly connect to the wireless mobile network 104, the wireless mobile network 104 includes the eNodeB 108. The example eNodeB 108 is a BTS (e.g., an access point) and includes any controllers, transmitters, receivers, and/or signal generators to provide a wireless spectrum to facilitate wireless communication with, for example, the mobile device 106. The eNodeB 108 transforms communications received from the serving gateway 110 into a wireless signal transmitted to the mobile device 106. Similarly, the eNodeB 108 transforms wireless communications received from the mobile device 106 into a wired communications that may be routed to the IP network 102.
To route communications to and/or from the eNodeB 108, the wireless mobile network 104 of
The example serving gateway 110 also functions as a mobility anchor for a user plane during inter-eNodeB handovers of the mobile device 106. In other words, the serving gateway 110 ensures the mobile device 106 is connected to an eNodeB when the mobile device 106 moves to a different physical location. The example serving gateway 110 further manages and stores contexts (e.g. parameters of the IP wireless mobile network, security events, and/or network internal routing information) associated with the mobile device 106. While the wireless mobile network 104 of
To interface with the IP network 102 of the illustrated example, the example wireless mobile network 104 is associated with the PDN gateway 112. In this example, the PDN gateway 112 is communicatively coupled to the IP network 102 via an interface 114. The example PDN gateway 112 functions as a router by routing communications from the wireless mobile network 104 to an appropriate edge and/or network router within the IP network 102. Also, the PDN gateway 112 routes communications directed to the mobile device 106 from the IP network 102 to an appropriate serving gateway (e.g., the gateway 110). In some examples, the PDN gateway 112 may determine if the mobile device 106 is active (e.g., available to receive the communications) by sending a query to the serving gateway 110. If the serving gateway 110 indicates the mobile device is active 106, the serving gateway 110 sends a response to the PDN gateway 112 causing the PDN gateway 112 to forward the communications to the serving gateway 110. If the mobile device 106 is inactive and/or unavailable, the PDN gateway 112 may discard the communications and/or query other serving gateways in the wireless mobile network 104.
In some examples, the PDN gateway 112 transforms and/or converts communications originating from the mobile device 106 received via the serving gateway 110 into an appropriate packet data protocol (PDP) format (e.g., IP, X.25, etc.) for propagation through the IP network 102. Additionally, for communications received from the IP network 102, the PDN gateway 112 converts the communications into a wireless protocol (e.g., 3GPP LTE, Global System for Mobile Communications (GSM), etc.). The example PDN gateway 112 then readdresses the communications to the corresponding serving gateway 110.
To configure VPMNs on the network elements 108-112, the wireless mobile network 104 includes a VPMN controller 116. The example VPMN controller 116 receives requests from the network elements 108-112 to create a VPMN (e.g., a security VPMN) to isolate potentially problematic communications (and/or identified problematic communications) originating from, for example, the mobile device 106. The example VPMN controller 116 may also receive requests from clients (e.g., MVNOs) for VPMNs. To create a VPMN, the example VPMN controller 116 identifies available portions of the network elements 108-112 for the requested VPMNs, and partitions control and/or data plane space on the network elements 108-112 to configure the VPMNs. In some examples, the VPMN controller 116 may also configure the mobile device 106 to access a VPMN.
To receive requests for a VPMN, the example communication system 100 of
In the illustrated example, a client administrator 122 (e.g., a client) accesses the MaaS portal 120 to request a VPMN. The request for a VPMN may include a list of mobile devices that are to be authorized to access the VPMN, an estimated maximum and/or average amount of bandwidth to be utilized, a geographic location for the VPMN (including a geographic location of the eNodeB 108 and/or the serving gateway 110), administrative information, billing information, security event profiles, and/or any other information that may be needed to provision a VPMN.
In response to the client administrator 122 requesting a VPMN, the MaaS portal 120, via the VPMN controller 116, establishes a VPMN through the network elements 108-112. Examples of VPMNs are described below in conjunction with
An APN identifies a PDN that a mobile device requests to communicatively couple. The APN may also define a type of service, server, and/or multimedia message service that is provided by a PDN. Typically, an APN includes a network identifier and an operator identifier. The network identifier may define an external network to which the PDN gateway 112 is connected (e.g., the IP network 102). The operator identifier specifies which network (e.g., VPMN) is associated with the PDN gateway 112. In the example of
The example VPMN controller 116 of the illustrated example transmits an assigned APN to subscribing customers identified to be communicatively coupled to a VPMN. The VPMN controller 116 also registers the APN with APN domain name system (DNS) servers 124 and 126 within the respective networks 102 and 104. Registering the APN with the APN DNS servers 124 and 126 enables communications associated with a VPMN to be routed to the appropriate VPMN on the network elements 108-112 when the VPMN controller 116 is unable to extend the VPMN from end-to-end (e.g., from the eNodeB 108 to the interface 114 of the PDN gateway 112). Thus, the use of APNs enables the VPMN controller 116 to provision a VPMN over a portion of the network elements 108-112 when other network elements are not capable and/or are not configured to host the VPMN.
To determine which communications from, for example, the mobile device 106 are potentially problematic and/or threatening to the wireless mobile network 104, the example VPMN controller 116 of
The example security processor 130 transmits the security rules to each of the VPMNs implemented on the network elements 108-112. The security processor 130 may also transmit the security rules to the network elements 108-112 in instances where the network elements 108-112 process communications separate from a VPMN. In some instances, the security processor 130 may transmit different sets of security rules to different VPMNs based on instructions from, for example, the client administrator 122. For example, some client administrators may only be concerned with malicious network worms and denial of service attacks for their respective VPMNs while other client administrators are concerned with malicious applications, unsupported mobile devices, and/or unsecure mobile devices for their respective VPMNs.
The example VPMNs and/or the network elements 108-112 use the security rules to identify potentially problematic communications (e.g., security events). In other examples, the security processor 130 may monitor VPMNs and/or the network elements 108-112 for potentially problematic communications. After detecting potentially problematic communications, the VPMNs and/or the network elements 108-112 broadcast information about the security event and/or an identifier of a mobile device associated with the security event to other VPMNs and/or the security processor 130. The VPMNs and/or the security processor 130 may then determine if, for example, the mobile device 106 is associated with other potentially problematic communications and transmits those identified security events.
The example security processor 130 and/or the VPMNs of the illustrated example use the information regarding the security event to provision, for example, the mobile device 106 to a VPMN designated for security (e.g., a security VPMN). In some instances, the example network elements 108-112 may have a VPMN for security provisioned. In other examples, the security processor 130 provisions a VPMN after a security event is detected. The example security processor 130 and/or a VPMN that detected the security event communicatively couples the mobile device 106 to the security VPMN. To communicatively couple the mobile device 106, the example security processor 130 and/or the detecting VPMN uses over the air programming to send an APN of the security VPMN to the mobile device. In some examples, the over the air programming may include provisioning a subscriber identity module (SIM) card of the mobile device 106 with an APN corresponding to the security VPMN.
The example security VPMN processes and/or routes communications from the mobile device 106. In some instances, the security VPMN may analyze the communications to identify the security event and determine a resolution (e.g., a defense strategy) to the security event. In other examples, the security VPMN may propagate the communications associated with the mobile device 106 through the wireless mobile network 104 to the IP network 102 separate and/or isolated from other communications from other mobile devices. After resolving the security event, the security VPMN and/or the security processor 130 migrates the mobile device 106 to an originally connected VPMN and/or to the general non-VPMN portions of the network elements 108-112.
While the above described example involves creating a general security VPMN for any detected security event, the example security processor 130 of
In the example of
The example MME 210 tracks and pages mobile devices that are communicatively coupled to the wireless mobile network 104. The example MME 210 may also activate and/or deactivate mobile devices and/or authenticate mobile devices attempting to connect to the wireless mobile network 104 by requesting user profile information from the HSS 212. In some examples, the MME 210 may be similar to the servers 124 and 126 of
The example HSS 212 of
The example PCRF server 214 determines policy rules for the wireless mobile network 104. The example PCRF server 214 aggregates information to and/or from the wireless mobile network 104 and/or the network elements 108-112, 210, and 212 in real time to create rules. The example PCRF 214 may also store security rules 216 that include security event profiles. Based on the created rules, the PCRF server 214 automatically makes intelligent policy decisions for each mobile device active on the wireless mobile network 104. In this manner, the PCRF server 214 enables a wireless mobile network provider to offer multiple services, quality of service (QoS) levels, and/or charging rules. Additionally, the PCRF server 214 may also broadcast and/or transmit the security rules to the portions of the network elements 108-112, 210 and 212 hosting the VPMNs 202 and 204.
In the example of
In this illustrated example, the Client X requests that the VPMN 202 extend end-to-end of the wireless mobile network 104. As a result of the request, the VPMN controller 116 extends the VPMN 202 to all of the network elements 108-112 and 210-214 within the wireless mobile network 104. In other examples, the Client X may only request and/or may only be able to request a VPMN to be setup on some of the network elements 108-112 and 210-214. By requesting the VPMN 202, the example VPMN controller 116 identifies available space within the network elements 108-112 and 210-214 and allocates control and/or data planes of the network elements 108-112 and 210-214 for the VPMN 202. The VPMN controller 116 then configures the allocated control and/or data plane portions of the network elements 108-112 and 210-214 for the VPMN 202.
To configure the network elements 108-112 and 210-214, the example VPMN controller 116 may assign an APN to the VPMN 202 and update a control plane of the network elements 108 and 210-214 with the APN assignment. The VPMN controller 116 may also assign and/or configure specific interfaces, switches, and/or processors within the network elements 108-112 and 210-214 to host the VPMN 202.
The mobile devices 220-224 use the assigned APN to access the respective VPMN 202. Further, by using the APN, the network elements 108-112 and 210-214 may propagate communications within the VPMN 202 until an end point is reached. By using APNs, the example VPMN controller 116 creates exclusive virtual circuits (e.g., MPLS paths) from the eNodeB 108 to the PDN gateway 112 for routing communications within the VPMN 202 for the mobile devices 220-224 registered with the Client X MVNO. Thus, the APNs ensure that communications from the mobile devices 220-224 are routed through the wireless mobile network 104 via the VPMN 202.
Further, the VPMN 202 partitioned within the network elements 210-214 enables access control, authentication, mobile device profile management, security event profiles, and/or network rules to be configurable for the Client X. Thus, subscriber information for the Client X within the HSS 212 is separate from subscriber information associated with other VPMNs (not shown) and/or subscribers that use non-VPMN portions of the network elements 108-112 and 210-214. The separation of the control and/or data planes of the network elements 210-214 via the VPMN 202 also enables the Client X to provide different types of services using the same network elements 108-112 and 210-214. Further, the separation of the control and/or data planes of the network elements 210-214 via the VPMN 202 prevents security issues in, for example, the VPMN 202 from propagating to other portions of the network elements 108-112 and 210-214.
The example wireless mobile network 104 of
After detecting the security event 302, the example serving gateway 110 transmits information regarding the security event 302 to the other network elements 108, 112, and 210-214. The serving gateway 110 may also transmit the information to the example security processor 130 within the example VPMN controller 116. The serving gateway 110 may communicate with the other network elements 108, 112, and 210-214, the VPMN controller 116, and/or any other VPMNs (not shown) via a controlled interface (e.g., an application programming interface (API)). The transmission of the security event information causes the network elements 108, 112, and 210-214 to determine if any potentially problematic communications that match the security event are included within their respective portions of the VPMN 202. The example serving gateway 110 and/or the network elements 108, 112, and 210-214 may use the security event information to identify, for example, that the mobile device 224 is associated with (e.g., originated) the potentially problematic communications.
To communicatively couple the mobile device 224 to the security VPMN 204, the example serving gateway 110 sends the mobile device 224 an APN that corresponds to the security VPMN 204. For example, the serving gateway 110 may provision a SIM card of the mobile device 224 with the APN. Further, the example serving gateway 110 may broadcast the provisioning of the mobile device 224 to the security VPMN 204 so that the network elements 108, 112, and 210-214 route and/or process communications associated with the mobile device 224 through the security VPMN 204 using the newly assigned APN.
Once the mobile device 224 is communicatively coupled to the security VPMN 204, additional security protocols and/or analysis tools may determine specific information regarding the security event 302 and/or the potentially problematic communications. The security protocols and/or analysis tools may be used to determine an appropriate strategy for the mobile device 224. For example, the VPMN 204 may send a message to a user of the mobile device 224 that the mobile device 224 has been provisioned for the security VPMN 2404 and provide actions to be completed (e.g., removing a malicious application, removing modifications from the mobile device 224, installing a security upgrade, and/or deleting a network worm) before the mobile device 224 can be provisioned for the VPMN 202. In other instances, the security protocols and/or the analysis tools of the security VPMN 204 may resolve the security event 302. In yet other instances, the security protocols and/or analysis tools of the security VPMN 204 may monitor communications associated with the mobile device 224 to determine if other security events occur. Further, the example security VPMN 204 may continue to isolate communications associated with the mobile device 224 from the VPMN 202 until the mobile device 224 is removed from service.
The security protocols deployed within the security VPMN 204 may increase a propagation time of communications between the mobile device 224 and, for example, the IP network 102. However, the example security VPMN 204 ensures that potentially problematic and/or threatening communications associated with the mobile device 224 cannot affect other communications associated with, for example, the mobile devices 220 and 222 communicatively coupled to the VPMN 202. In this manner, the example Client X only needs to deploy and/or utilize additional security protocols within the portions of the network elements 108-112 and 210-214 provisioned to host the security VPMN 204, thereby reducing protocols configured for the VPMN 202. By not having to implement additional protocols for the VPMN 202, communication propagation times through the VPMN 202 and/or processing capacity allocated for the VPMN 202 can be reduced. In other words, the additional protocols are only implemented in the relatively smaller security VPMN 204 configured specifically to process the potentially problematic communications.
The example eNodeBs 402 and 404 of the illustrated example are physically separate to create isolation in a wireless spectrum between the VPMNs 202 and 204. Thus, mobile devices 406 provisioned for the VPMN 202 are communicatively coupled to the example eNodeB 402 and mobile devices 408 provisioned for the security VPMN 204 are communicatively coupled to the example eNodeB 404. In this example, the mobile devices 408 may be associated with identified potentially problematic communications. Specifically, the example mobile devices 408 may operate a malicious and/or problematic application. To protect the VPMN 202 from the malicious applications, the example VPMN controller 116, the example security processor 130, and/or the network elements 110, 112, 210-214, and/or 402 may migrate the mobile devices 408 to the security VPMN 204. To communicatively couple the mobile devices 408 to the eNodeB 404, the example serving gateway 110 may transmit an APN to the mobile devices 408 that corresponds to the security VPMN 204.
In the illustrated example, the example mobile devices 502 and 504 are communicatively coupled to the wireless mobile network 104 via the network elements 108-112 and 210-214. Additionally, the mobile device 506 is communicatively coupled to the wireless mobile network 104 via the security VPMN 204 provisioned within the network elements 108-112 and 210-214. In this example, the mobile device 506 is identified as being associated with potentially problematic communications.
The example of
The example local PDN gateway 508 may be utilized within the example wireless mobile network 104 to reduce propagation times of communications between, for example, the mobile devices 502-506 and the content server 510. In many wireless networks, the example PDN gateway 112 can be located thousands of miles from the serving gateway 110. Thus, the mobile devices 502-506 that communicate with entities reachable via the IP network 102 may have to transmit communications a thousand miles to reach the PDN gateway 112 and possibly another thousand miles to reach a destination. The example local PDN gateway 508 is deployed relatively physically close to the content server 510.
In the illustrated example, the local PDN gateway 508 may include many of the functions of the PDN gateway 112, as described in conjunction with
The example security event profiles 602-612 are shown including an identifier of a security event. For example, the security event profile 602 includes a ‘Virus XXX’ identifier. The security event profile 602 may also include a description of how the Virus XXX can be identified within communications. Further, the security event profile 602 may include a list of device identifiers and/or addresses known to be associated with the Virus XXX.
The example security rules 216 of
To receive requests and/or security rules from clients (e.g., the client administrator 122 of
After receiving a request from a client for a VPMN, the client interface 702 creates a client account that includes the information provided by the client. The client interface 702 stores the client account to a client records database 704. In some examples, the HSS 212 of
The example client interface 702 may also assign one or more APNs to a VPMN requested by a client. The client interface 702 may store the APN(s) to the client account in the client records database 704. Additionally, the client interface 702 may transmit the APN(s) and/or any information associated with a newly created VPMN to the client.
To manage the creation and/or management of VPMNs, the VPMN controller 116 of
The example network monitor 708 of the illustrated example scans the wireless mobile network 104 to determine network traffic conditions, bandwidth usage, and/or any QoS issues. In some examples, the network monitor 708 may maintain a history of network performance based on detected network conditions. The network monitor 708 may also determine an amount of available capacity and/or bandwidth within network elements (e.g., the network elements 108-112, 210-214, 402, and 404 of
The example network manager 706 of
For each of the network elements with available capacity, the network manager 706 allocates a portion of a control plane and/or a data plane. Allocating a data plane may include allocating a portion of a wireless spectrum of one or more eNodeBs for a VPMN. The network manager may also allocate a data plane by partitioning a portion of a switch within for example, the gateways 110 and 112 for network traffic associated with a VPMN. The network manager 706 may further allocate a data plane by designating certain interfaces of a switch and/or a router for a VPMN. After allocating data plane space to network elements, the network manager 706 sends an instruction to a data plane configurer 710 to configure a data plane on the allocated portions of the identified network elements.
The example network manager 706 allocates a control plane by, for example, designating a portion of IP address space that is to be associated with a VPMN. The portion of the IP address space may be referenced to an assigned APN. The example network manager 706 may also partition a control plane of a network element by virtualizing functionality of the network element specifically designated for a VPMN. The example network manager 706 may further allocate a control plane by partitioning portions of databases and/or servers (e.g., the MME 210, HSS 212, and/or the PCRF server 214) to store information associated with clients and/or subscribing customers of a VPMN and/or security rules. After allocating control plane space to network elements, the network manager 706 sends an instruction to a control plane configurer 712 to configure a control plane on the allocated portions of the identified network elements.
By allocating portions of a data plane and/or a control plane, the example network manager 706 may also specify a virtual circuit (and/or other type of private path such as, for example, a MPLS path) to be implemented within a VPMN. To specify a virtual circuit, the network manager 706 identifies outgoing and/or incoming interfaces of the network elements associated with the VPMN and/or IP address space allocated to the VPMN. The example network manager 706 then links together the interfaces, routers, switches, interfaces, and/or connections based on the identified information to create the virtual circuit and updates routing and/or forwarding tables within the corresponding network elements. Thus, any communications associated with a VPMN are transmitted between the VPMN allocated portions of the network elements.
Additionally, the network manager 706 may determine if separate eNodeBs are to be used for each VPMN (as described in conjunction with
To configure a VPMN on a data plane of network elements, the example VPMN controller 116 of
Additionally, the data plane configurer 710 may designate portions of a server and/or a router (e.g., the gateways 110 and/or 112) for hosting the VPMN. The example data plane configurer 710 may also create a virtual circuit (e.g., MPLS path) for a VPMN by updating routing and/or forwarding tables of network elements based on information from the network manager 706. The example data plane configurer 710 may also dynamically change an amount of bandwidth and/or processing capacity provisioned for a VPMN based on instructions from the network manager 706.
For example, the network manager 106 may receive an indication from the network monitor 708 that a VPMN on a serving gateway is operating close to provisioned capacity. In this example, the network manager 106 may increase data plane space for the VPMN by instructing the data plane configurer 710 to provision additional interfaces, links, circuitry, and/or processing capacity of the serving gateway for the VPMN. Thus, the data plane configurer 710 enables a VPMN to be dynamically provisioned based on current, future, and/or predicted network traffic conditions.
To configure a VPMN on a control plane of network elements, the example VPMN controller 116 of
The example control plane configurer 712 provisions a control plane for a security VPMN (e.g., the security VPMN 204 of
Further, the control plane configurer 712 may provision portions of a database storing client profile information and/or subscriber profile information so that the information is only accessible via a VPMN. In other examples, the control plane configurer 712 may update network elements with specialized service information for a VPMN. Thus, the control plane configurer 712 ensures that client and/or subscribing customer information associated with different VPMNs can be stored on the same network element so that the information is only accessible to entities and/or network elements associated with the corresponding VPMN.
To update mobile devices with information, thereby enabling the mobile devices to communicatively couple to a VPMN, the example VPMN controller 116 of
To propagate an APN assigned to a VPMN to network element(s), the example VPMN controller 116 of the illustrated example includes an APN manager 716. The example APN manager 716 receives an APN assigned to a VPMN by the network manager 706 and transmits the APN to network elements that have a portion of a control and/or a data plane partitioned for an associated VPMN. For example, the APN manager 716 may transmit an APN to the HSS 212 and/or the MME 210, thereby enabling the MME 210 to determine to which VPMN on the serving gateway 110 communications from a mobile device are to be routed. Additionally or alternatively, the APN manager 716 may transmit an assigned APN to the APN DNS servers 124 and 126 of
To identify potentially problematic communications, provision security VPMNs, and/or manage which mobile devices are communicatively coupled to which security VPMNs, the example VPMN controller 116 of
In some examples, the security processor 130 monitors communications within, for example, the wireless mobile network 104 for potentially problematic and/or threatening communications. In other examples, the example security processor 130 may coordinate the monitoring of communications between, for example, the network elements 108-112 and 210-214 and/or VPMNs provisioned on the network elements 108-112 and 210-214. The example security processor 130 accesses a security database 720 to identify which communications are potentially threatening and/or problematic to the network elements 108-112 and 210-214.
The example security database 720 stores security rules (e.g., the security rules 216) that include security event profiles that describe how security events are to be detected. In some examples, the security database 720 may be included within, for example, the PCRF server 214 of
After detecting potentially problematic communications and/or receiving an indication of potentially problematic communications from, for example, the VPMN 202 of
In examples where a security VPMN is already provisioned, the example security processor 130 instructs a device migrator 722 to communicatively couple a mobile device (e.g., the mobile device 224 of
The example device migrator 722 of
While the example VPMN controller 116 and/or the security processor 130 has been illustrated in
When any apparatus claim of this patent is read to cover a purely software and/or firmware implementation, at least one of the example client interface 702, the example client resource database 704, the example network manager 706, the example network monitor 708, the example data plane configurer 710, the example control plane configurer 712, the example mobile device configurer 714, the example APN manager 716, the example security processor 130, the example security database 720, and/or the example device migrator 722 are hereby expressly defined to include a computer readable medium such as a memory, DVD, CD, etc. storing the software and/or firmware. Further still, the example VPMN controller 116 and/or the security processor 130 may include one or more elements, processes and/or devices in addition to, or instead of, those illustrated in
Alternatively, some or all of the example processes of
The example process 800 of
The example process 800 continues by the example security processor 130 determining potentially problematic communications (and/or problematic communications) from a mobile device that match at least one security event profile within the security rules (block 806). The example security processor 130 determines the potentially problematic communications by matching the communications to at least one security event profile. The example security processor 130 may then classify the potentially problematic communication as a security event. The example security processor 130 then identifies a mobile device associated with the potentially problematic communications (block 808). The example security processor 130 may then transmit the identity of the mobile device and/or the security event to other VPMNs within the wireless mobile network 104 (block 810). Further, the security processor 130 creates a record of the security event and stores the record to the security database 720 (block 812).
The example security processor 130 next determines if a security VPMN is provisioned (block 814). If a security VPMN is not provisioned for the security event, the example security processor 130 and/or the network manager 706 of
The example process 800 of
If the mobile device is to be communicatively coupled to the security VPMN, the example device migrator 722 and/or the APN manager 716 communicatively couples the mobile device to the security VPMN by provisioning a corresponding SIM card with an APN of the security VPMN (block 822). The example device migrator 722 and/or the APN manager 716 then register the mobile device with the security VPMN (block 824). The example security processor 130 and/or the security VPMN then apply security protocols and/or analysis tools to communications associated with the mobile device (block 826).
The example process 800 of
The processor platform P100 of the example of
The processor P105 is in communication with the main memory (including a ROM P120 and/or the RAM P115) via a bus P125. The RAM P115 may be implemented by DRAM, SDRAM, and/or any other type of RAM device, and ROM may be implemented by flash memory and/or any other desired type of memory device. Access to the memory P115 and the memory P120 may be controlled by a memory controller (not shown). One or both of the example memories P115 and P120 may be used to implement the example resource client database 704 and/or the security database 720 of
The processor platform P100 also includes an interface circuit P130. The interface circuit P130 may be implemented by any type of interface standard, such as an external memory interface, serial port, general-purpose input/output, etc. One or more input devices P135 and one or more output devices P140 are connected to the interface circuit P130.
At least some of the above described example methods and/or apparatus are implemented by one or more software and/or firmware programs running on a computer processor. However, dedicated hardware implementations including, but not limited to, application specific integrated circuits, programmable logic arrays and other hardware devices can likewise be constructed to implement some or all of the example methods and/or apparatus described herein, either in whole or in part. Furthermore, alternative software implementations including, but not limited to, distributed processing or component/object distributed processing, parallel processing, or virtual machine processing can also be constructed to implement the example methods and/or apparatus described herein.
To the extent the above specification describes example components and functions with reference to particular standards and protocols, it is understood that the scope of this patent is not limited to such standards and protocols. For instance, each of the standards for Internet and other packet switched network transmission (e.g., Transmission Control Protocol (TCP)/Internet Protocol (IP), User Datagram Protocol (UDP)/IP, HyperText Markup Language (HTML), HyperText Transfer Protocol (HTTP)) represent examples of the current state of the art. Such standards are periodically superseded by faster or more efficient equivalents having the same general functionality. Accordingly, replacement standards and protocols having the same functions are equivalents which are contemplated by this patent and are intended to be included within the scope of the accompanying claims.
Additionally, although this patent discloses example systems including software or firmware executed on hardware, it should be noted that such systems are merely illustrative and should not be considered as limiting. For example, it is contemplated that any or all of these hardware and software components could be embodied exclusively in hardware, exclusively in software, exclusively in firmware or in some combination of hardware, firmware and/or software. Accordingly, while the above specification described example systems, methods and articles of manufacture, the examples are not the only way to implement such systems, methods and articles of manufacture. Therefore, although certain example methods, apparatus and articles of manufacture have been described herein, the scope of coverage of this patent is not limited thereto. On the contrary, this patent covers all methods, apparatus and articles of manufacture fairly falling within the scope of the appended claims either literally or under the doctrine of equivalents.
This patent arises from a continuation of U.S. patent application Ser. No. 13/165,520, entitled, “Methods and Apparatus to Configure Virtual Private Mobile Networks for Security,” filed Jun. 21, 2011 (now U.S. Pat. No. 9,386,035, issued Jul. 5, 2016), which is hereby incorporated herein by reference in its entirety.
Number | Name | Date | Kind |
---|---|---|---|
5345502 | Rothenhofer | Sep 1994 | A |
5475819 | Miller et al. | Dec 1995 | A |
5623601 | Vu | Apr 1997 | A |
6016318 | Tomoike | Jan 2000 | A |
6029067 | Pfundstein | Feb 2000 | A |
6058426 | Godwin et al. | May 2000 | A |
6079020 | Liu | Jun 2000 | A |
6205488 | Casey et al. | Mar 2001 | B1 |
6781982 | Borella et al. | Aug 2004 | B1 |
6880002 | Hirschfeld et al. | Apr 2005 | B2 |
6885864 | McKenna et al. | Apr 2005 | B2 |
6891842 | Sahaya et al. | May 2005 | B2 |
6954790 | Forslow | Oct 2005 | B2 |
6976177 | Ahonen | Dec 2005 | B2 |
6990666 | Hirschfeld et al. | Jan 2006 | B2 |
7072346 | Hama | Jul 2006 | B2 |
7075933 | Aysan | Jul 2006 | B2 |
7126921 | Mark et al. | Oct 2006 | B2 |
7131141 | Blewett et al. | Oct 2006 | B1 |
7185106 | Moberg et al. | Feb 2007 | B1 |
7221675 | Bryden et al. | May 2007 | B2 |
7225270 | Barr et al. | May 2007 | B2 |
7292575 | Lemieux et al. | Nov 2007 | B2 |
7340519 | Golan et al. | Mar 2008 | B1 |
7366188 | Kim | Apr 2008 | B2 |
7388844 | Brown et al. | Jun 2008 | B1 |
7400611 | Mukherjee et al. | Jul 2008 | B2 |
7415627 | Radhakrishnan et al. | Aug 2008 | B1 |
7738891 | Tenhunen et al. | Jun 2010 | B2 |
7769036 | Sorge et al. | Aug 2010 | B2 |
8077681 | Ahmavaara et al. | Dec 2011 | B2 |
8380863 | Natarajan et al. | Feb 2013 | B2 |
8458787 | Wei et al. | Jun 2013 | B2 |
8509169 | Van Der Merwe et al. | Aug 2013 | B2 |
20020181477 | Mo et al. | Dec 2002 | A1 |
20030051021 | Hirschfeld et al. | Mar 2003 | A1 |
20030147403 | Border et al. | Aug 2003 | A1 |
20030188001 | Eisenberg et al. | Oct 2003 | A1 |
20040073642 | Iyer | Apr 2004 | A1 |
20040148439 | Harvey et al. | Jul 2004 | A1 |
20050071508 | Brown et al. | Mar 2005 | A1 |
20050138204 | Iyer et al. | Jun 2005 | A1 |
20050195780 | Haverinen et al. | Sep 2005 | A1 |
20060025149 | Karaoguz et al. | Feb 2006 | A1 |
20060068845 | Muller et al. | Mar 2006 | A1 |
20060083205 | Buddhikot et al. | Apr 2006 | A1 |
20060111113 | Waris | May 2006 | A1 |
20060168279 | Lee et al. | Jul 2006 | A1 |
20060168321 | Eisenberg et al. | Jul 2006 | A1 |
20060242305 | Alnas | Oct 2006 | A1 |
20060251088 | Thubert et al. | Nov 2006 | A1 |
20060268901 | Choyi et al. | Nov 2006 | A1 |
20070039047 | Chen et al. | Feb 2007 | A1 |
20070070914 | Abigail | Mar 2007 | A1 |
20070105548 | Mohan et al. | May 2007 | A1 |
20070140250 | McAllister et al. | Jun 2007 | A1 |
20070140251 | Dong | Jun 2007 | A1 |
20070195800 | Yang et al. | Aug 2007 | A1 |
20070213050 | Jiang | Sep 2007 | A1 |
20070217419 | Vasseur | Sep 2007 | A1 |
20070232265 | Park et al. | Oct 2007 | A1 |
20070271606 | Amann et al. | Nov 2007 | A1 |
20070280241 | Verma | Dec 2007 | A1 |
20080002697 | Anantharamaiah et al. | Jan 2008 | A1 |
20080022094 | Gupta et al. | Jan 2008 | A1 |
20080034365 | Dahlstedt | Feb 2008 | A1 |
20080049752 | Grant | Feb 2008 | A1 |
20080080396 | Meijer et al. | Apr 2008 | A1 |
20080080517 | Roy et al. | Apr 2008 | A1 |
20080080552 | Gates et al. | Apr 2008 | A1 |
20080082546 | Meijer et al. | Apr 2008 | A1 |
20080125116 | Jiang | May 2008 | A1 |
20080148341 | Ferguson et al. | Jul 2008 | A1 |
20090006603 | Duponchel et al. | Jan 2009 | A1 |
20090113422 | Kani | Apr 2009 | A1 |
20100017861 | Krishnaswamy et al. | Jan 2010 | A1 |
20100039978 | Rangan | Feb 2010 | A1 |
20100111093 | Satterlee et al. | May 2010 | A1 |
20100186024 | Eker et al. | Jul 2010 | A1 |
20100284343 | Maxwell et al. | Nov 2010 | A1 |
20110007690 | Chang et al. | Jan 2011 | A1 |
20110026468 | Conrad et al. | Feb 2011 | A1 |
20110142053 | Van Der Merwe et al. | Jun 2011 | A1 |
20110154101 | Merwe et al. | Jun 2011 | A1 |
20110177790 | Monte et al. | Jul 2011 | A1 |
20110302630 | Nair et al. | Dec 2011 | A1 |
20120106565 | Yousefi et al. | May 2012 | A1 |
20120147824 | Van der Merwe et al. | Jun 2012 | A1 |
20120155274 | Wang | Jun 2012 | A1 |
20120208506 | Hirano et al. | Aug 2012 | A1 |
20120282924 | Tagg et al. | Nov 2012 | A1 |
20120303838 | Kempf et al. | Nov 2012 | A1 |
20120311107 | Van der Merwe et al. | Dec 2012 | A1 |
20120331545 | Baliga et al. | Dec 2012 | A1 |
20130007232 | Wang et al. | Jan 2013 | A1 |
20130031271 | Bosch et al. | Jan 2013 | A1 |
20130089026 | Piper et al. | Apr 2013 | A1 |
20130107725 | Jeng et al. | May 2013 | A1 |
20150237543 | Montemurro | Aug 2015 | A1 |
Entry |
---|
Van Der Merwe et al., “Dynamic Connectivity Management with an Intelligent Route Service Control Point,” AT&T Labs, Proceedings of the 2006 SIGCOMM Workshop on Internet Network Management, held on Sep. 11-16, 2006, (6 pages). |
Van Der Merwe et al., PowerPoint presentation of “Dynamic Connectivity Management with an Intelligent Route Service Control Point,” AT&T Labs, Proceedings of the 2006 SIGCOMM Workshop on Internet Network Management, held on Sep. 11-16, 2006, (14 pages). |
Brady, Kevin F., “Cloud Computing—Is It Safe for IP?” Portfolio Media, Inc., http://www.law360.com/print_article/113709 on Aug. 27, 2009. Retrieved from the Internet on Sep. 3, 2009, (8 pages). |
“Amazon Elastic Computing Cloud,” http://aws.amazon.com/ec2. Retrieved from the Internet on Dec. 23, 2009, (8 pages). |
Armbrust et al., “Above the Clouds: A Berkeley View of Cloud Computing,” Technical Report UCB/EECS-2009-28, EECS Department, University of California, Berkeley, February Technical Report No. UCB/EECS-2009-28, http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.html, Feb. 10, 2009, (25 pages). |
Sundararaj et al., “Towards Virtual Networks for Virtual Machine Grid Computing,” in VM '04: Proceedings of the 3rd conference on Virtual Machine Research and Technology Symposium, 2004, (14 pages). |
Clark et al., “Live Migration of Virtual Machines,” in Proceedings of NSDA, http://www.cl.cam.ac.uk/research/srg/netos/papers/2005-migration-nsdi-pre.pdf, May 2005, (14 pages). |
Duffield et al., “Resource management with hoses: point-to-cloud services for virtual private networks,” IEEE ACM Transactions on Networking, 2002, (16 pages). |
Cohen, Reuven, “Elasticvapor Blog: Virtual Private Cloud,” www.elasticvapor.com/2008/05/virtual-private-cloud-vpc.htm, May 8, 2008, (2 pages). |
“Goggle App Engine” hthttp://code.google.com/appengine/. Retrieevd from the Internet on Dec. 23, 2009, (4 pages). |
Nelson et al., “Fast Transparent Migration for Virtual Machines,” In ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference, 2005, (4 pages). |
Ramakrishnan et al., “Live Data Center Migration Across WANs: A Robust Cooperative Context Aware Approach,” in INM '07: Proceedings of the SIGCOMM workshop on Internet network management, Aug. 27-31, 2007, (6 pages). |
Ruth et al., “Autonomic Live Adaptation of Virtual Computational Environments in a Multi-Domain Infrastructure,” in ICAC '06: Proceedings of the 2006 IEEE International Conference of Autonomic Computing, 2006, (10 pages). |
United States Patent and Trademark Office, “Final Office Action”, issued in connection with corresponding U.S. Appl. No. 13/154,121 dated Feb. 4, 2014 (22 pages). |
United States Patent and Trademark Office, “Non-Final Office Action”, issued in connection with corresponding U.S. Appl. No. 13/154,121 dated Jul. 17, 2013 (23 pages). |
“Response to Office Action dated Jul. 17, 2013” filed on Nov. 18, 2013 in connection with corresponding U.S. Appl. No. 13/154,121 (11 pages). |
United States Patent and Trademark Office, “Non-Final Office Action”, issued in connection with corresponding U.S. Appl. No. 12/966,681 dated Dec. 20, 2012 (29 pages). |
“Response to Office Action dated Dec. 20, 2012” filed on Mar. 20, 2013 in connection with corresponding U.S. Appl. No. 12/966,681 (11 pages). |
United States Patent and Trademark Office, “Non-Final Office Action”, issued in connection with corresponding U.S. Appl. No. 13/222,876 dated Dec. 26, 2013 (19 pages). |
“Response to Office Action dated Dec. 26, 2013” filed on Mar. 26, 2014 in connection with corresponding U.S. Appl. No. 13/222,876 (12 pages). |
United States Patent and Trademark Office, “Final Office Action,” issued in connection with U.S. Appl. No. 13/154,121, dated Sep. 19, 2014 (25 pages). |
United States Patent and Trademark Office, “Non-Final Office Action,” issued in connection with U.S. Appl. No. 13/222,876 dated Jul. 15, 2015 (18 pages). |
United States Patent and Trademark Office, “Non-Final Office Action,” issued in connection with U.S. Appl. No. 13/222,876 dated Feb. 26, 2015 (21 pages). |
United States Patent and Trademark Office, “Non-Final Office Action”, issued in connection with U.S. Appl. No. 13/165,520, dated Jan. 15, 2013 (14 pages). |
United States Patent and Trademark Office, “Final Office Action”, issued in connection with U.S. Appl. No. 13/165,520, dated Jul. 30, 2013 (15 pages). |
United States Patent and Trademark Office, “Non-Final Office Action”, issued in connection with U.S. Appl. No. 13/165,520, dated Aug. 12, 2015 (5 pages). |
United States Patent and Trademark Office, “Notice of Allowance”, issued in connection with U.S. Appl. No. 13/165,520, dated Feb. 11, 2016 (7 pages). |
United States Patent and Trademark Office, “Non-Final Office Action”, issued in connection with U.S. Appl. No. 13/222,876, dated Dec. 7, 2017 (17 pages). |
United States Patent and Trademark Office, “Non-Final Office Action”, issued in connection with U.S. Appl. No. 13/222,876, dated Sep. 1, 2016 (15 pages). |
United States Patent and Trademark Office, “Final Office Action”, issued in connection with U.S. Appl. No. 13/222,876, dated Jun. 2, 2017 (16 pages). |
United States Patent and Trademark Office, “Notice of Allowance,” issued in connection with U.S. Appl. No. 13/222,876, dated Apr. 2, 2018, 14 pages. |
United States Patent and Trademark Office, “Non-final Office Action,” issued in connection with U.S. Appl. No. 15/231,406, dated Feb. 22, 2018, 28 pages. |
Number | Date | Country | |
---|---|---|---|
20160308837 A1 | Oct 2016 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 13165520 | Jun 2011 | US |
Child | 15194037 | US |