Abstract: Disclosed herein are systems, methods, and computer-readable media for enabling multi-factor authentication (MFA) for an Internet Of Things (IoT) device. In one aspect, a method includes receiving a network connection request from the IoT device to connect to a network. In one aspect, the method includes fetching authentication information for the device in response to the request. In one aspect, the method includes authenticating the device to the network. In one aspect, the method includes in response to the authentication of the device to the network, establishing a network connection between the IoT device and the network. In one aspect, the method includes applying the MFA policy. In one aspect, the method includes after successful compliance with the MFA policy establishing a session between the device and the application over the network.

Abstract: A method of transmitting an encrypted data packet includes, with a processor, in response to receiving the encrypted data packet, executing an extended Berkeley packet filter (eBPF) application at an express data path (XDP) hook point located within a kernel space, determining whether the encrypted data packet is to be processed via a trusted application (TA) within a trusted execution environment (TEE) based on an analysis by the eBPF application, and identifying application intelligence data defining packet forwarding decisions based on a manner in which the encrypted data packet is processed.

Abstract: In one embodiment, a method herein comprises: establishing, by a process, a virtual private network connection (VPN connection) with a particular VPN gateway; requesting, by the process, observability monitoring through the particular VPN gateway, wherein requesting results in a controller being informed about the particular VPN gateway and a domain of the particular VPN gateway; receiving, by the process, test specifics from the controller based on the particular VPN gateway and the domain of the particular VPN gateway; and executing, by the process, one or more tests to the particular VPN gateway based on the test specifics.

Abstract: Techniques are described for classification-based data security management. The classification-based data security management can include utilizing device and/or data attributes to identify security modes for communication of data stored in a source device. The security modes can be identified based on a hybrid-encryption negotiation. The attributes can include a device resource availability value, an access trust score, a data confidentiality score, a geo-coordinates value, and/or a date/time value. The security modes can include a hybrid-encryption mode. The source device can utilize the hybrid-encryption mode to transmit the data, via one or more network nodes, such as an edge node, to one or more service nodes.

Abstract: The present technology is directed to providing fault management with dynamic restricted access in a tenant network. The tenant network can be a private 5G cellular network or other wireless communication network. The present technology can identify a fault event within the tenant network based on received telemetry data, associate the fault event with a vendor component included in the tenant network, and generate a vendor fault context. The vendor fault context can be generated to include only the portion of telemetry data that is determined to be related to the fault event or the vendor component. The present technology can further use the vendor fault context to create a time-bound user account for remotely accessing the tenant network for fault triage and management. The time-bound user account can be associated to a static role-based access control (RBAC) scheme configured with access restrictions determined based on the vendor fault context.

Abstract: Systems, methods, and computer-readable media are disclosed for dynamically onboarding a UE between private 5G networks. In one aspect, a private 5G (P5G) federation system can receive a request from a user device for registration with a serving private 5G network, which is part of a P5G federation system. The P5G federation system can further determine that the user device is authenticated with a home private 5G network of the user device, which is also part of the P5G federation system. The P5G federation system can transmit, to the serving private 5G network, a security profile of the user device that is received from the home private 5G network. As follows, the P5G federation system can facilitate onboarding of the user device to the serving private 5G network with the security profile.

Abstract: In one embodiment, a method herein comprises: receiving, at a device, a registration request from a telemetry exporter that transmits telemetry data; generating, by the device, a telemetry configuration file for the telemetry exporter, the telemetry configuration file defining a policy for transmission of telemetry data from the telemetry exporter and an authentication token for the telemetry exporter; sharing, by the device, the policy with a security enforcer; and sending, by the device, the telemetry configuration file to the telemetry exporter, wherein the telemetry exporter is caused to connect with the security enforcer using the authentication token, send the telemetry configuration file to the security enforcer, and transmit collected telemetry data to the security enforcer, and wherein the security enforcer is caused to create a dynamic publish-subscribe stream for publishing the collected telemetry data received from the telemetry exporter based on the telemetry configuration file and the policy.

Abstract: Disclosed are systems, apparatuses, methods, and computer-readable media for participating in a meeting through an application provider using application-specific network slices. A method includes transmitting a request to a mobile network operator (MNO) for setup of a data connection with a device for a meeting provided by an application provider; receiving allowed network slices for the data connection that are generated by the MNO for the meeting; identifying a network slice from the allowed network slices for the meeting based on one or more characteristics specific to the meeting; and establishing the data connection with the mobile network operator based on the network slice.

Abstract: In one embodiment, an illustrative method herein may comprise: determining, by a process, a tenant-specific policy for creation of low-code applications; dynamically computing, by the process and based on the tenant-specific policy and one or more parameters associated with a particular low-code application to be created, one or more injectable low-code tasks for the particular low-code application; determining, by the process, a plurality of selected injectable low-code tasks from the one or more injectable low-code tasks; and creating, by the process, the particular low-code application by injecting the plurality of selected injectable low-code tasks into the particular low-code application for execution.

Abstract: Techniques for a network controller to manage its data path dynamically in a data network. The techniques include causing the network controller to enter a first state, wherein the first state is associated with first processing rules for processing usage data. The network controller receives first usage data from one or more network devices associated with the data network, processes the first usage data according to the first processing rules. Further, the network controller may detect an event associated with transitioning the network controller to a second state, which cause the network controller to transition from the first state into a second state, wherein the second state is associated with second processing rules for processing the usage data. Moreover, the network controller receives second usage data from the one or more network devices, and processes the second usage data according to the second processing rules.

Abstract: Techniques for a network controller to manage its data path dynamically in a data network. The techniques include causing the network controller to enter a first state, wherein the first state is associated with first processing rules for processing usage data. The network controller receives first usage data from one or more network devices associated with the data network, processes the first usage data according to the first processing rules. Further, the network controller may detect an event associated with transitioning the network controller to a second state, which cause the network controller to transition from the first state into a second state, wherein the second state is associated with second processing rules for processing the usage data. Moreover, the network controller receives second usage data from the one or more network devices, and processes the second usage data according to the second processing rules.

Abstract: The present technology is directed to providing fault management with dynamic restricted access in a tenant network. The tenant network can be a private 5G cellular network or other wireless communication network. The present technology can identify a fault event within the tenant network based on received telemetry data, associate the fault event with a vendor component included in the tenant network, and generate a vendor fault context. The vendor fault context can be generated to include only the portion of telemetry data that is determined to be related to the fault event or the vendor component. The present technology can further use the vendor fault context to create a time-bound user account for remotely accessing the tenant network for fault triage and management. The time-bound user account can be associated to a static role-based access control (RBAC) scheme configured with access restrictions determined based on the vendor fault context.

Abstract: A method of transmitting an encrypted data packet includes, with a processor, in response to receiving the encrypted data packet, executing an extended Berkeley packet filter (eBPF) application at an express data path (XDP) hook point located within a kernel space, determining whether the encrypted data packet is to be processed via a trusted application (TA) within a trusted execution environment (TEE) based on an analysis by the eBPF application, and identifying application intelligence data defining packet forwarding decisions based on a manner in which the encrypted data packet is processed.

Abstract: Disclosed are systems, apparatuses, methods, and computer-readable media for participating in a meeting through an application provider using application-specific network slices. A method includes transmitting a request to a mobile network operator (MNO) for setup of a data connection with a device for a meeting provided by an application provider; receiving allowed network slices for the data connection that are generated by the MNO for the meeting; identifying a network slice from the allowed network slices for the meeting based on one or more characteristics specific to the meeting; and establishing the data connection with the mobile network operator based on the network slice.

Abstract: In one embodiment, a method herein comprises: establishing, by a process, a virtual private network connection (VPN connection) with a particular VPN gateway; requesting, by the process, observability monitoring through the particular VPN gateway, wherein requesting results in a controller being informed about the particular VPN gateway and a domain of the particular VPN gateway; receiving, by the process, test specifics from the controller based on the particular VPN gateway and the domain of the particular VPN gateway; and executing, by the process, one or more tests to the particular VPN gateway based on the test specifics.

Abstract: Techniques for policy-based failure handling of data that is received for processing by failed edge services are described herein. The techniques may include receiving, at an edge node of a network, a data handling policy for a service hosted on the edge node. The service may be configured to process traffic on behalf of an application hosted by a cloud-based platform. In some examples, the data handling policy may be stored in a memory that is accessible to the edge node. The techniques may also include receiving traffic at the edge node that is to be processed at least partially by the service. At least partially responsive to detecting an error associated with the service, the edge node may cause the traffic to be handled according to the data handling policy while the service is experiencing the error.

Abstract: In one example, a home network associated with a user equipment obtains an authentication request to authenticate the user equipment to a serving network. The home network generates an authentication vector of a mobile security protocol. The authentication vector includes an indication that the user equipment is to be authenticated using a multi-factor authentication process. The home network provides the authentication vector to the serving network to prompt a response from the user equipment that is in accordance with the multi-factor authentication process. The home network authenticates the user equipment to the serving network based on the response.

Abstract: An approach to configure enterprise wireless mobile network slices. A method includes receiving slice definition information representative of a network slice, the slice definition information including an expected slice efficiency index of the network slice, provisioning the network slice, consistent with the slice definition information, in a wireless network, receiving telemetry corresponding to operational metrics of an instance of the network slice that is used by one or more devices in the wireless network, calculating an actual slice efficiency index for the instance of the network slice based on the telemetry corresponding to the operation metrics of the instance of the network slice, determining whether the expected slice efficiency index differs from the actual slice efficiency index by a predetermined threshold, and indicating a course of action to cause the actual slice efficiency index to more closely align with the expected slice efficiency index.

Abstract: An approach to configure enterprise wireless mobile network slices. A method includes receiving slice definition information representative of a network slice, the slice definition information including an expected slice efficiency index of the network slice, provisioning the network slice, consistent with the slice definition information, in a wireless network, receiving telemetry corresponding to operational metrics of an instance of the network slice that is used by one or more devices in the wireless network, calculating an actual slice efficiency index for the instance of the network slice based on the telemetry corresponding to the operation metrics of the instance of the network slice, determining whether the expected slice efficiency index differs from the actual slice efficiency index by a predetermined threshold, and indicating a course of action to cause the actual slice efficiency index to more closely align with the expected slice efficiency index.

Abstract: According to one or more embodiments of the disclosure, a particular networking device located in a ring of networking devices of a network receives an indication from a supervisory service that the particular networking device has been designated a ring manager for the ring of networking devices. The particular networking device determines that the supervisory service is unreachable by the ring of networking devices. The particular networking device obtains telemetry data regarding a new device connected to the ring of networking devices. The particular networking device onboards, based on the telemetry data, the new device to the network, when the supervisory service is unreachable by the ring of networking devices.