Systems and methods for network access control
First Claim
1. A system for network access control, the system comprising:
- a network device comprising one or more processors; and
- a memory communicatively coupled to the network device, the memory storing instructions executable by the one or more processors of the network device, the network device being configured to:
- determine whether a client device is a trusted source, an untrusted source, or neither the trusted source nor the untrusted source for a network using a SYN packet received from the client device, the SYN packet comprising identifying information for the client device;
- based on the determination that the client device is neither the trusted source nor the untrusted source, transmit a SYN/ACK packet to the client device, the SYN/ACK packet comprising a SYN cookie and identifying information for the network device;
- receive an ACK packet from the client device that includes the identifying information for the client device, identifying information for the network device, and the SYN cookie;
- determine whether the SYN cookie received in the ACK packet from the client device is a correct SYN cookie or an incorrect SYN cookie, the correct SYN cookie being based on information provided to the client device in the SYN cookie of the SYN/ACK packet;
- when the SYN cookie received from the client device is the incorrect SYN cookie, apply a SYN cookie tolerance level to determine whether a number of times the client device provided the incorrect SYN cookie in one or more ACK packets when attempting to connect to the network device exceeds a predetermined threshold, wherein a connection is established when the number of times the client device provides the incorrect SYN cookie is below the predetermined threshold; and
- when the SYN cookie received in the ACK packet from the client device is the correct SYN cookie, establish the connection with the network for the client device.
Abstract
Network access control systems and methods are provided herein. A method includes receiving, at a network device, a SYN packet from a client device over a network; determining whether the client device is a trusted source for the network using the SYN packet; if the client device is a trusted source, receiving an acknowledgement (ACK) packet from the client device that includes identifying information for the client device plus an additional value, and identifying information for the network device; and establishing a connection with the network for the client device.
18 Claims
1. (Independent claim, reproduced above under First Claim. Dependent claims 2 to 8 are not reproduced on this page.)
9. A method for network access control, the method comprising:
- determining, at a network device, whether a client device is a trusted source, an untrusted source, or neither the trusted source nor the untrusted source for a network using a SYN packet received from the client device, the SYN packet comprising identifying information for the client device;
- based on determining that the client device is neither the trusted source nor the untrusted source, transmitting a SYN/ACK packet to the client device, the SYN/ACK packet comprising a SYN cookie and identifying information for the network device;
- receiving an ACK packet from the client device that includes the identifying information for the client device, identifying information for the network device, and the SYN cookie;
- determining whether the SYN cookie received in the ACK packet from the client device is a correct SYN cookie or an incorrect SYN cookie, the correct SYN cookie being based on information provided to the client device in the SYN cookie of the SYN/ACK packet;
- when the SYN cookie received from the client device is the incorrect SYN cookie, applying a SYN cookie tolerance level to determine whether a number of times the client device provided the incorrect SYN cookie in one or more ACK packets when attempting to connect to the network device exceeds a predetermined threshold, wherein a connection is established when the number of times the client device provides the incorrect SYN cookie is below the predetermined threshold; and
- when the SYN cookie received in the ACK packet from the client device is the correct SYN cookie, establishing the connection with the network for the client device.
(Dependent claims 10 to 17 are not reproduced on this page.)
18. A non-transitory computer-readable storage medium having embodied thereon a program executable by at least one processor to perform a method for network access control, the method comprising:
- determining, at a network device, whether a client device is a trusted source, an untrusted source, or neither the trusted source nor the untrusted source for a network using a SYN packet received from the client device, the SYN packet comprising identifying information for the client device;
- based on determining that the client device is neither the trusted source nor the untrusted source, transmitting a SYN/ACK packet to the client device, the SYN/ACK packet comprising a SYN cookie and identifying information for the network device;
- receiving an ACK packet from the client device that includes the identifying information for the client device, identifying information for the network device, and the SYN cookie;
- determining whether the SYN cookie received in the ACK packet from the client device is a correct SYN cookie or an incorrect SYN cookie, the correct SYN cookie being based on information provided to the client device in the SYN cookie of the SYN/ACK packet;
- when the SYN cookie received from the client device is the incorrect SYN cookie, applying a SYN cookie tolerance level to determine whether a number of times the client device provided the incorrect SYN cookie in one or more ACK packets when attempting to connect to the network device exceeds a predetermined threshold, wherein a connection is established when the number of times the client device provides the incorrect SYN cookie is below the predetermined threshold; and
- when the SYN cookie received in the ACK packet from the client device is the correct SYN cookie, establishing the connection with the network for the client device.
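The handshake gate described in claims 1, 9 and 18 (classify the source from the SYN, challenge an unknown source with a SYN cookie, verify the cookie in the ACK, and apply a tolerance threshold to incorrect cookies) as a runnable model. This is an added illustrative example, not the patent's or any vendor's code. The claims do not say how the cookie is computed or what "identifying information" is; the HMAC-over-4-tuple construction, the use of the source IP as the identity, the 60-second validity slot, the threshold of 3, and all names below are assumptions made for the example.

```python
"""SYN-cookie admission gate with trusted / untrusted / unknown sources.

Added illustrative example; not the patent's or any vendor's code. The
HMAC-based cookie, the 60-second validity slot and the per-source counter
are assumptions chosen to exercise the claim language.
"""
import hashlib
import hmac
import time
from collections import defaultdict

SLOT_SECONDS = 60        # assumption: a cookie is accepted in its own or the previous slot
TOLERANCE = 3            # assumption: the "predetermined threshold" of incorrect cookies


class SynCookieGate:
    def __init__(self, secret, trusted=(), untrusted=(), tolerance=TOLERANCE, clock=time.time):
        self.secret = secret
        self.trusted = set(trusted)          # identifying information = source IP here
        self.untrusted = set(untrusted)
        self.tolerance = tolerance
        self.clock = clock
        self.bad_cookies = defaultdict(int)  # incorrect cookies seen per source IP
        self.established = set()             # (client, server) pairs admitted to the network

    def classify(self, client_ip):
        if client_ip in self.trusted:
            return "trusted"
        if client_ip in self.untrusted:
            return "untrusted"
        return "neither"

    def _slot(self):
        return int(self.clock()) // SLOT_SECONDS

    def _cookie(self, client, server, client_isn, slot):
        # Bind the cookie to the 4-tuple, the client's ISN and the time slot under a
        # keyed MAC, truncated to 32 bits so it fits the SYN/ACK sequence-number field.
        msg = f"{client[0]}:{client[1]}|{server[0]}:{server[1]}|{client_isn}|{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, client, server, client_isn):
        """client and server are (ip, port) tuples. Returns (action, synack_seq)."""
        kind = self.classify(client[0])
        if kind == "untrusted":
            return ("drop", None)
        if kind == "trusted":
            self.established.add((client, server))   # no challenge for a trusted source
            return ("accept", None)
        # Unknown source: answer statelessly; the cookie is the SYN/ACK sequence number.
        return ("synack", self._cookie(client, server, client_isn, self._slot()))

    def on_ack(self, client, server, client_isn, ack_num):
        """ack_num is the ACK field the client sends back: our SYN/ACK sequence + 1."""
        if self.classify(client[0]) == "untrusted":
            return "drop"
        slot = self._slot()
        expected = {(self._cookie(client, server, client_isn, s) + 1) & 0xFFFFFFFF
                    for s in (slot, slot - 1)}
        if ack_num in expected:
            self.established.add((client, server))
            return "established"
        self.bad_cookies[client[0]] += 1
        if self.bad_cookies[client[0]] > self.tolerance:
            self.untrusted.add(client[0])            # over the threshold: now an untrusted source
            return "blocked"
        # Below the threshold the claim language admits the connection anyway
        # (a tolerance for clients whose ACK number arrives mangled).
        self.established.add((client, server))
        return "established_tolerated"


def demo(secret=b"example-key", now=1_700_000_000):
    """Run one unknown client through the handshake and return the event trace."""
    gate = SynCookieGate(secret, trusted={"10.0.0.5"}, untrusted={"203.0.113.9"},
                         clock=lambda: now)
    client, server, isn = ("198.51.100.7", 40000), ("192.0.2.1", 443), 12345   # constructed
    action, cookie = gate.on_syn(client, server, isn)
    trace = [action]
    trace.append(gate.on_ack(client, server, isn, (cookie + 1) & 0xFFFFFFFF))   # correct cookie
    # Same cookie replayed from a different source port: the MAC no longer matches, but
    # the first incorrect cookie is still under the threshold and is let through.
    trace.append(gate.on_ack(("198.51.100.7", 40001), server, isn, (cookie + 1) & 0xFFFFFFFF))
    return trace


if __name__ == "__main__":
    print(demo())
```

The last step of `demo()` is the caveat a practitioner should take from the tolerance clause: every incorrect cookie below the threshold still results in an established connection, so a spoofed or replayed ACK gets `tolerance` free admissions per source address before that address is moved to the untrusted set. Keep the threshold small, bound the per-source counter table so it cannot itself be exhausted, and note that the time slot means a cookie older than two slots is rejected even when the 4-tuple is right.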
Specification