Patents by Inventor Ethan Rahn
Ethan Rahn has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 12267217
  Abstract: A centralized manager in a network deployment is configured to perform periodic automated rotation of secrets used in the network and customer devices in the deployment. The centralized manager is further configured with intelligence to automatically install the rotated secrets onto the deployed devices. The centralized controller can provide high frequency rotations to improve network security.
  Type: Grant
  Filed: December 8, 2021
  Date of Patent: April 1, 2025
  Assignee: ARISTA NETWORKS, INC
  Inventors: Ethan Rahn, Douglas Gourlay, Kenneth Duda, Ian O'Brien, Pranav Choudhary, Rajat Bajaj, Hua Zhong
- Patent number: 12132710
  Abstract: Embodiments of the present disclosure include techniques for securing the flow of configuration commands issued to network devices. When an authorized command source, such as an authorized user or program, issues a command, security data for the command is generated and associated with the command. The command and security data may flow across multiple software applications to the network device. The network device receiving the command may use the security data to verify that the command source is an authorized source and to validate that the command was unaltered.
  Type: Grant
  Filed: April 1, 2022
  Date of Patent: October 29, 2024
  Assignee: ARISTA NETWORKS, INC.
  Inventors: Douglas Gourlay, Ethan Rahn, Fred Hsu, Steve Magers
- Patent number: 11985247
  Abstract: A method for authenticating an origin of a network device. The method includes reading one or more encrypted parameters from a memory of the network device, decoding the one or more encrypted parameters, and determining whether one or more of the decoded parameters match parameters obtained from a trusted platform module (TPM) installed in the network device and/or a read only memory (ROM) of the network device. In response to a mismatch between the decoded parameters and the parameters obtained from the TPM or the ROM, at least one of suspending operation of the device or transmitting a report of an authentication failure across a network on which the device is operating.
  Type: Grant
  Filed: July 21, 2022
  Date of Patent: May 14, 2024
  Assignee: ARISTA NETWORKS, INC.
  Inventors: Ethan Rahn, Baptiste Covolato, Roy Wen, Julien Gomes
- Publication number: 20230319018
  Abstract: Embodiments of the present disclosure include techniques for securing the flow of configuration commands issued to network devices. When an authorized command source, such as an authorized user or program, issues a command, security data for the command is generated and associated with the command. The command and security data may flow across multiple software applications to the network device. The network device receiving the command may use the security data to verify that the command source is an authorized source and to validate that the command was unaltered.
  Type: Application
  Filed: April 1, 2022
  Publication date: October 5, 2023
  Inventors: Douglas Gourlay, Ethan Rahn, Fred Hsu, Steve Magers
- Patent number: 11632438
  Abstract: A method for distributing network services for a network device through a multi-tenant network service. An identification parameter is associated with the device and is stored in a database by an orders management system after the device is ordered. The method includes establishing a network connection between a network device and a multi-tenant network service and, in response to establishing the network connection, obtaining the device-associated identification parameter from the network device. The identification parameter is used to query the database for at least one record associated with the network device identifying a tenant of the multi-tenant network service in which the tenant corresponds to the device. The service maps the network device to the identified tenant of the multi-tenant network service and distributes network services based upon the mapping of the network device to the identified tenant.
  Type: Grant
  Filed: October 14, 2021
  Date of Patent: April 18, 2023
  Assignee: ARISTA NETWORKS, INC.
  Inventors: Ethan Rahn, Andre Pech, Aaron Delaney, Roy Magruder
- Publication number: 20230078179
  Abstract: A centralized manager in a network deployment is configured to perform periodic automated rotation of secrets used in the network and customer devices in the deployment. The centralized manager is further configured with intelligence to automatically install the rotated secrets onto the deployed devices. The centralized controller can provide high frequency rotations to improve network security.
  Type: Application
  Filed: December 8, 2021
  Publication date: March 16, 2023
  Inventors: Ethan RAHN, Douglas GOURLAY, Kenneth DUDA, Ian O'BRIEN, Pranav CHOUDHARY, Rajat BAJAJ, Hua ZHONG
- Publication number: 20230046161
  Abstract: A method for authenticating an origin of a network device. The method includes reading one or more encrypted parameters from a memory of the network device, decoding the one or more encrypted parameters, and determining whether one or more of the decoded parameters match parameters obtained from a trusted platform module (TPM) installed in the network device and/or a read only memory (ROM) of the network device. In response to a mismatch between the decoded parameters and the parameters obtained from the TPM or the ROM, at least one of suspending operation of the device or transmitting a report of an authentication failure across a network on which the device is operating.
  Type: Application
  Filed: July 21, 2022
  Publication date: February 16, 2023
  Inventors: Ethan Rahn, Baptiste Covolato, Roy Wen, Julien Gomes
- Patent number: 11470075
  Abstract: Network devices are securely provisioned through authenticated ZTP servers. In some approaches, a storage device local to the network device includes information for connecting with and authenticating a local or remote ZTP server. This information may include a root of trust to use when connecting with a designated ZTP server. The ZTP server may be identified using either a dynamic host configuration protocol (DHCP) server or a network address specified in the local memory storage. In an approach, the local memory storage is a removable USB flash memory device inserted into the network device when the device is booted up. In another approach, the ZTP authentication information is stored within memory integrated within the network device. Once a ZTP server is connected to the network device, a secure connection may be established such as a secure transport layer session (TLS) utilizing the root of trust.
  Type: Grant
  Filed: March 19, 2020
  Date of Patent: October 11, 2022
  Assignee: Arista Networks, Inc.
  Inventors: Ethan Rahn, Ritesh Kumar Sinha, Andre Pech
- Patent number: 11438162
  Abstract: A method for authenticating an origin of a network device. The method includes reading one or more encrypted parameters from a memory of the network device, decoding the one or more encrypted parameters, and determining whether one or more of the decoded parameters match parameters obtained from a trusted platform module (TPM) installed in the network device and/or a read only memory (ROM) of the network device. In response to a mismatch between the decoded parameters and the parameters obtained from the TPM or the ROM, at least one of suspending operation of the device or transmitting a report of an authentication failure across a network on which the device is operating.
  Type: Grant
  Filed: March 19, 2020
  Date of Patent: September 6, 2022
  Assignee: Arista Networks, Inc.
  Inventors: Ethan Rahn, Baptiste Covolato, Roy Wen, Julien Gomes
- Publication number: 20220150325
  Abstract: A method for distributing network services for a network device through a multi-tenant network service. An identification parameter is associated with the device and is stored in a database by an orders management system after the device is ordered. The method includes establishing a network connection between a network device and a multi-tenant network service and, in response to establishing the network connection, obtaining the device-associated identification parameter from the network device. The identification parameter is used to query the database for at least one record associated with the network device identifying a tenant of the multi-tenant network service in which the tenant corresponds to the device. The service maps the network device to the identified tenant of the multi-tenant network service and distributes network services based upon the mapping of the network device to the identified tenant.
  Type: Application
  Filed: October 14, 2021
  Publication date: May 12, 2022
  Inventors: Ethan Rahn, Andre Pech, Aaron Delaney, Roy Magruder
- Patent number: 11178249
  Abstract: A method for distributing network services for a network device through a multi-tenant network service. An identification parameter is associated with the device and is stored in a database by an orders management system after the device is ordered. The method includes establishing a network connection between a network device and a multi-tenant network service and, in response to establishing the network connection, obtaining the device-associated identification parameter from the network device. The identification parameter is used to query the database for at least one record associated with the network device identifying a tenant of the multi-tenant network service in which the tenant corresponds to the device. The service maps the network device to the identified tenant of the multi-tenant network service and distributes network services based upon the mapping of the network device to the identified tenant.
  Type: Grant
  Filed: March 19, 2020
  Date of Patent: November 16, 2021
  Assignee: ARISTA NETWORKS, INC.
  Inventors: Ethan Rahn, Andre Pech, Aaron Delaney, Roy Magruder
- Publication number: 20210297409
  Abstract: Network devices are securely provisioned through authenticated ZTP servers. In some approaches, a storage device local to the network device includes information for connecting with and authenticating a local or remote ZTP server. This information may include a root of trust to use when connecting with a designated ZTP server. The ZTP server may be identified using either a dynamic host configuration protocol (DHCP) server or a network address specified in the local memory storage. In an approach, the local memory storage is a removable USB flash memory device inserted into the network device when the device is booted up. In another approach, the ZTP authentication information is stored within memory integrated within the network device. Once a ZTP server is connected to the network device, a secure connection may be established such as a secure transport layer session (TLS) utilizing the root of trust.
  Type: Application
  Filed: March 19, 2020
  Publication date: September 23, 2021
  Inventors: Ethan Rahn, Ritesh Kumar Sinha, Andre Pech
- Publication number: 20210297259
  Abstract: A method for authenticating an origin of a network device. The method includes reading one or more encrypted parameters from a memory of the network device, decoding the one or more encrypted parameters, and determining whether one or more of the decoded parameters match parameters obtained from a trusted platform module (TPM) installed in the network device and/or a read only memory (ROM) of the network device. In response to a mismatch between the decoded parameters and the parameters obtained from the TPM or the ROM, at least one of suspending operation of the device or transmitting a report of an authentication failure across a network on which the device is operating.
  Type: Application
  Filed: March 19, 2020
  Publication date: September 23, 2021
  Inventors: Ethan Rahn, Baptiste Covolato, Roy Wen, Julien Gomes
- Publication number: 20210297503
  Abstract: A method for distributing network services for a network device through a multi-tenant network service. An identification parameter is associated with the device and is stored in a database by an orders management system after the device is ordered. The method includes establishing a network connection between a network device and a multi-tenant network service and, in response to establishing the network connection, obtaining the device-associated identification parameter from the network device. The identification parameter is used to query the database for at least one record associated with the network device identifying a tenant of the multi-tenant network service in which the tenant corresponds to the device. The service maps the network device to the identified tenant of the multi-tenant network service and distributes network services based upon the mapping of the network device to the identified tenant.
  Type: Application
  Filed: March 19, 2020
  Publication date: September 23, 2021
  Inventors: Ethan Rahn, Andre Pech, Aaron Delaney, Roy Magruder