Abstract: In some implementations, a device receives a login request from a web browser executed by a client endpoint in a first network. The device provides a one-time password to the web browser that causes the client endpoint to invoke a local handler process associated with an access service executed by the client endpoint or invoke access by the web browser to a particular uniform resource locator on the device. The device receives a remote connection request from the access service that includes the one-time password to access a target endpoint in a second network. The device configures, based on the remote connection request, a remote access connection between the client endpoint in the first network and the target endpoint in the second network.

Abstract: In one embodiment, a device receives discovery data generated by a plurality of networking devices in a network. The device determines, based on the discovery data, a hierarchy of layers of the network. The device receives a request by a client that is external to the network to access remotely a particular endpoint in the network. The device configures, and in response to the request, a proxy chain of remote access agents executed by a subset of networking devices from the plurality of networking devices to allow the client to access remotely the particular endpoint, each of those networking devices proxying traffic between different layers of the network.

Abstract: In one embodiment, a service receives a device registration request sent by an endpoint device, wherein the endpoint device executes an onboarding agent that causes the endpoint device to send the device registration request via a cellular connection to a private access point name (APN) associated with the service. The service verifies that a network address of the endpoint device from which the device registration request was sent is associated with an integrated circuit card identifier (ICCID) or international mobile equipment identity (IMEI) indicated by the device registration request. The service identifies a tenant identifier associated with the ICCID or IMEI. The service sends, based on the tenant identifier, a device registration response to the endpoint device via the private APN.

Abstract: A method includes determining a corresponding level of a security model associated with each device of a plurality of devices connected to a network, each level of the security model having a corresponding tag; applying, to each of the plurality of devices, the corresponding tag based on the corresponding level of the security model with which each of the plurality of devices are associated; receiving, over a network connection, network traffic from at least one of the plurality of devices and the corresponding tag; analyzing the corresponding tag associated with the network traffic; determining a destination for the network traffic; applying one or more security measures to the network traffic based on the corresponding tag for the at least one device and a corresponding tag of the destination for the network traffic; and sending the network traffic to the destination with the corresponding tag of the destination.

Abstract: A zero-touch deployment (ZTD) manager receives a first request to issue a first cryptographic token to a constrained device for establishing a communications session between the constrained device and a secured resource. The ZTD manager evaluates identity information corresponding to the constrained device and determines whether the identity information is valid. If so, the ZTD manager returns the first cryptographic token to the constrained device, where it is stored in cache memory. The ZTD manager receives a second request to obtain a second cryptographic token from the secured resource. When the second cryptographic token is provided to the secured resource, the secured resource uses this second cryptographic token to validate the first cryptographic token and to facilitate the communications session with the constrained device.

Abstract: According to one or more embodiments of the disclosure, a device associated with a first cluster of data sources may identify an amount of data from the first cluster of data sources to be sent by the device to a satellite. The device may send, to the satellite, a request for a transmission window that indicates the amount of data to be sent by the device to the satellite. The device may receive, from the satellite, an indication of an assigned transmission window during which the device may transmit data to the satellite. The satellite may compute the assigned transmission window based on the amount of data and such that the assigned transmission window does not overlap an assigned transmission window of a neighboring device associated with a second cluster of data sources. The device may send, during the assigned transmission window, the data towards the satellite.

Abstract: In one embodiment, an earthbound transceiver in a low earth orbit (LEO) satellite network establishes a connection with a first LEO satellite from a first set of LEO satellites. The first set of LEO satellites are distributed across a first plurality of orbits including first neighboring LEO satellites of the first LEO satellite, and the first neighboring LEO satellites have a fixed or semi-fixed position relative to the first LEO satellite. The earthbound transceiver determines first signal strength values associated with the first set of LEO satellites and second signal strength values associated with a second set of LEO satellites. The earthbound transceiver then periodically compares the first signal strength values to the second signal strength values. At an optimal handoff time, the earthbound transceiver initiates the handoff operation from the first LEO satellite to a second LEO satellite from the second set of LEO satellites.

Abstract: In one embodiment, a service receives a device registration request sent by an endpoint device, wherein the endpoint device executes an onboarding agent that causes the endpoint device to send the device registration request via a cellular connection to a private access point name (APN) associated with the service. The service verifies that a network address of the endpoint device from which the device registration request was sent is associated with an integrated circuit card identifier (ICCID) or international mobile equipment identity (IMEI) indicated by the device registration request. The service identifies a tenant identifier associated with the ICCID or IMEI. The service sends, based on the tenant identifier, a device registration response to the endpoint device via the private APN.

Abstract: Automatic onboarding of a device onto a cellular network may be provided through a Wireless Local Area Network (WLAN). Subsequent to a device connecting to a first network (e.g., the WLAN), information associated with the device and the first network may be received. One or more tags may be generated and an intent profile may be defined for the device based on the received information, where the intent profile may indicate at least a second network (e.g., the cellular network) that the device is enabled to connect with and one or more policies associated with the connection. The tags and intent profile may be transmitted to a service provider platform, and an onboarding profile template identified using the tags and the intent profile may be received from the service provider platform. The onboarding profile template may be provided to the device to enable connection to the second network.

Abstract: In one embodiment, a remote access manager receives an access request from a client to remotely access a device on a local network. The remote access manager generates a universally unique identifier for the access request. The remote access manager sends a response to the client having a one-time use domain name system name that is based on the universally unique identifier. The remote access manager communicates with a web proxy to authorize the client to remotely access the device.

Abstract: In one embodiment, a service receives a device registration request sent by an endpoint device, wherein the endpoint device executes an onboarding agent that causes the endpoint device to send the device registration request via a cellular connection to a private access point name (APN) associated with the service. The service verifies that a network address of the endpoint device from which the device registration request was sent is associated with an integrated circuit card identifier (ICCID) or international mobile equipment identity (IMEI) indicated by the device registration request. The service identifies a tenant identifier associated with the ICCID or IMEI. The service sends, based on the tenant identifier, a device registration response to the endpoint device via the private APN.

Abstract: A method includes determining a corresponding level of a security model associated with each device of a plurality of devices connected to a network, each level of the security model having a corresponding tag; applying, to each of the plurality of devices, the corresponding tag based on the corresponding level of the security model with which each of the plurality of devices are associated; receiving, over a network connection, network traffic from at least one of the plurality of devices and the corresponding tag; analyzing the corresponding tag associated with the network traffic; determining a destination for the network traffic; applying one or more security measures to the network traffic based on the corresponding tag for the at least one device and a corresponding tag of the destination for the network traffic; and sending the network traffic to the destination with the corresponding tag of the destination.

Abstract: Automatic onboarding of a device onto a cellular network may be provided through a Wireless Local Area Network (WLAN). Subsequent to a device connecting to a first network (e.g., the WLAN), information associated with the device and the first network may be received. One or more tags may be generated and an intent profile may be defined for the device based on the received information, where the intent profile may indicate at least a second network (e.g., the cellular network) that the device is enabled to connect with and one or more policies associated with the connection. The tags and intent profile may be transmitted to a service provider platform, and an onboarding profile template identified using the tags and the intent profile may be received from the service provider platform. The onboarding profile template may be provided to the device to enable connection to the second network.

Abstract: In one embodiment, a first device coordinates probing of network paths that extend between an edge device and a data collection point via a plurality of points of presence. The first device receives a set of probing results that are indicative of one or more performance metrics associated with the network paths. The first device selects, based on the set of probing results, a particular point of presence from among the plurality of points of presence through which the edge device should send traffic to the data collection point. The first device instructs the edge device to send traffic to the data collection point via the particular point of presence.

Abstract: In one embodiment, an earthbound transceiver in a low earth orbit (LEO) satellite network establishes a connection with a first LEO satellite from a first set of LEO satellites. The first set of LEO satellites are distributed across a first plurality of orbits including first neighboring LEO satellites of the first LEO satellite, and the first neighboring LEO satellites have a fixed or semi-fixed position relative to the first LEO satellite. The earthbound transceiver determines first signal strength values associated with the first set of LEO satellites and second signal strength values associated with a second set of LEO satellites. The earthbound transceiver then periodically compares the first signal strength values to the second signal strength values. At an optimal handoff time, the earthbound transceiver initiates the handoff operation from the first LEO satellite to a second LEO satellite from the second set of LEO satellites.

Abstract: Automatic onboarding of a device onto a cellular network may be provided through a Wireless Local Area Network (WLAN). Subsequent to a device connecting to a first network (e.g., the WLAN), information associated with the device and the first network may be received. One or more tags may be generated and an intent profile may be defined for the device based on the received information, where the intent profile may indicate at least a second network (e.g., the cellular network) that the device is enabled to connect with and one or more policies associated with the connection. The tags and intent profile may be transmitted to a service provider platform, and an onboarding profile template identified using the tags and the intent profile may be received from the service provider platform. The onboarding profile template may be provided to the device to enable connection to the second network.

Abstract: In one embodiment, a service receives a device registration request sent by an endpoint device, wherein the endpoint device executes an onboarding agent that causes the endpoint device to send the device registration request via a cellular connection to a private access point name (APN) associated with the service. The service verifies that a network address of the endpoint device from which the device registration request was sent is associated with an integrated circuit card identifier (ICCID) or international mobile equipment identity (IMEI) indicated by the device registration request. The service identifies a tenant identifier associated with the ICCID or IMEI. The service sends, based on the tenant identifier, a device registration response to the endpoint device via the private APN.

Abstract: In one embodiment, the system may identify a virtual network, the virtual network including a plurality of virtual entities and connections among the plurality of virtual entities. The system may automatically map each of the plurality of virtual entities to one or more resources or resource pools such that the virtual network is mapped to a physical network, wherein mapping includes allocating one or more resources or resource pools to a corresponding one of the plurality of virtual entities.

Abstract: In one embodiment, a device in a network receives data from one or more other devices in the network via one or more protocol adaptors. The device transforms the received data into a common data model. The device executes a containerized application. The device exposes the transformed data to the application.

Abstract: In one embodiment, the system may identify a virtual network, the virtual network including a plurality of virtual entities and connections among the plurality of virtual entities. The system may automatically map each of the plurality of virtual entities to one or more resources or resource pools such that the virtual network is mapped to a physical network, wherein mapping includes allocating one or more resources or resource pools to a corresponding one of the plurality of virtual entities.