The present invention generally relates to networks and configuring devices in such networks.
Management applications generally require direct access to target devices, such as routers, switches and hubs, for example, in order to ensure that the appropriate target device receives the configuration data.
If the central network administrator does not have physical access to the target devices, then the network administrator must trust the technicians that do have physical access to the device. It is very undesirable to grant such limited-trust technicians full access to the data contained in the configuration.
Current deployment solutions have a limited capability to ensure that the configuration is deployed only to the intended targeted device. This is particularly true if the deployment must occur through a secondary computational device, such as a laptop or notebook computer or PDA.
If the configurations need to be deployed via an indirect channel, such as a technician physically interacting with the target device using a laptop or PDA, then it is difficult to ensure that the configuration remains in existence for only a specified duration of time. Therefore timeliness of the deployment is difficult to ensure.
If the configuration is deployed indirectly, the configurations (in current implementations) would remain on the intermediate device, such as laptop or PDA. thus allowing a malicious technician to have time to attack the encrypted configuration and potentially compromise the data integrity.
Current practice is to encapsulate configurations in simple text files. Even though it is possible to encrypt such text files to protect them during transit to the target device, without an autonomous encapsulated agent, it is not possible for the configuration itself to enforce the intended use of the configuration. Such enforcement would have to be implemented by management applications requiring direct interaction with the target device. Such requirements increase the cost and complexity of management solutions, and also impose undesirable connectivity requirements.