Dynamic device isolation in a network

US 10,356,124 B2
Filed: 03/01/2017
Issued: 07/16/2019
Est. Priority Date: 03/01/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

inserting, by a device in a network, a profile tag into an address request sent by an endpoint node in the network to a lookup service, wherein the lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag, wherein the profile is indicative of one or more services the endpoint node is expected to communicate with;

receiving, by the device, an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate, wherein the one or more addresses are associated with the one or more services;

determining, by the device, whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate;

blocking, by the device, the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate;

determining, by the device, whether a second communication between the endpoint node and a second particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate; and

sending, by the device, the second communication to the endpoint node or the second particular network address based on a determination that the second particular network address is in the set of one or more addresses with which the endpoint node is authorized to communicate.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.

17 Citations

View as Search Results

18 Claims

1. A method comprising:
- inserting, by a device in a network, a profile tag into an address request sent by an endpoint node in the network to a lookup service, wherein the lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag, wherein the profile is indicative of one or more services the endpoint node is expected to communicate with;
  
  receiving, by the device, an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate, wherein the one or more addresses are associated with the one or more services;
  
  determining, by the device, whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate;
  
  blocking, by the device, the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate;
  
  determining, by the device, whether a second communication between the endpoint node and a second particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate; and
  
  sending, by the device, the second communication to the endpoint node or the second particular network address based on a determination that the second particular network address is in the set of one or more addresses with which the endpoint node is authorized to communicate.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as in claim 1, wherein the lookup service comprises a Domain Name System (DNS) lookup service, and wherein the address request comprises a DNS lookup request.
  - 3. The method as in claim 1, further comprising:
    - profiling, by the device, traffic associated with the endpoint node; and
      
      requesting, by the device, the profile tag from an access policy server.
  - 4. The method as in claim 3, wherein the access policy server comprises a Manufacturer Usage Description (MUD) proxy.
  - 5. The method as in claim 1, further comprising:
    - intercepting, by the device, the profile tag from a communication between the endpoint node and a Manufacturer Usage Description (MUD) proxy.
  - 6. The method as in claim 1, wherein the lookup service identifies the one or more addresses with which the endpoint node is authorized to communicate by:
    - retrieving a profile for the endpoint node associated with the inserted profile tag.

7. A method comprising:
- receiving, at a lookup service device in a network, an address request from an endpoint node in the network, wherein the address request includes profile tag for the endpoint node inserted into the address request by a networking device in the network;
  
  retrieving, by the lookup service device, a profile for the endpoint node associated with the inserted profile tag, wherein the profile is indicative of services the endpoint node is expected to communicate with;
  
  identifying, by the lookup service device, one or more addresses with which the endpoint node is authorized to communicate based on the profile for the endpoint node, wherein the one or more addresses are associated with the services; and
  
  sending, by the lookup service device, the one or more addresses with which the endpoint node is authorized to communicate to the networking device, wherein the networking device La blocks communications between the endpoint node and addresses that are not in the one or more addresses with which the endpoint node is authorized to communicate and (b) sends communications between the endpoint node and addresses that are in the one or more addresses with which the endpoint node is authorized to communicate.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method as in claim 7, wherein the lookup service device comprises a Domain Name System (DNS) lookup service device, and wherein the address request comprises a DNS lookup request.
  - 9. The method as in claim 7, wherein retrieving the profile for the endpoint node associated with the inserted profile tag comprises:
    - requesting, by the device, the profile from an access policy server using the profile tag.
  - 10. The method as in claim 9, wherein the access policy server comprises a Manufacturer Usage Description (MUD) proxy.
  - 11. The method as in claim 7, wherein the one or more addresses with which the endpoint node is authorized to communicate is associated with a manufacturer of the endpoint node.

12. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  insert a profile tag into an address request sent by an endpoint node in the network to a lookup service, wherein the lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag, wherein the profile is indicative of one or more services the endpoint node is expected to communicate with;
  
  receive an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate, wherein the one or more addresses are associated with the one or more services;
  
  determine whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate;
  
  block the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate;
  
  determine whether a second communication between the endpoint node and a second particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate; and
  
  send the second communication to the endpoint node or the second particular network address based on a determination that the second particular network address is in the set of one or more addresses with which the endpoint node is authorized to communicate.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The apparatus as in claim 12, wherein the lookup service comprises a Domain Name System (DNS) lookup service, and wherein the address request comprises a DNS lookup request.
  - 14. The apparatus as in claim 12, wherein the process when executed is further operable to:
    - profile traffic associated with the endpoint node; and
      
      request the profile tag from an access policy server.
  - 15. The apparatus as in claim 14, wherein the access policy server comprises a Manufacturer Usage Description (MUD) proxy.
  - 16. The apparatus as in claim 12, wherein the process when executed is further operable to:
    - intercept the profile tag from a communication between the endpoint node and a Manufacturer Usage Description (MUD) proxy.
  - 17. The apparatus as in claim 12, wherein the lookup service identifies the one or more addresses with which the endpoint node is authorized to communicate by:
    - retrieving a profile for the endpoint node associated with the inserted profile tag from an access policy server.
  - 18. The apparatus as in claim 12, wherein the apparatus comprises at least one of:
    - a network switch, a network router, or a network access point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Thubert, Pascal, Levy-Abegnoli, Eric, Lear, Eliot, Weis, Brian E.
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US15/446,707
Publication Number

US 20180255092A1
Time in Patent Office

867 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 61/4511   using domain name system [DNS]

H04L 61/5014   using dynamic host configur...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1458   Denial of Service

Dynamic device isolation in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Dynamic device isolation in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others