Network security based on device identifiers and network addresses
Abstract
Techniques for network security are disclosed. In some implementations, an evaluation module determines whether a network communication from a computing device is allowable. The allowability of the communication is determined based on (1) whether the computing device is using an authorized source network address, and (2) whether a non-modifiable identifier of the computing device is authorized. The non-modifiable identifier is a fixed hardware identifier of the computing device, such as an identifier of a CPU, network interface card, storage device, or the like.
16 Claims
1. A computing system for controlling communication in a computer network managed by an organization, comprising:
a processor; and
a memory that stores instructions that are configured, when executed by the processor, to evaluate a network communication from a first computing device, wherein the first computing device is connected to a first network and uses a source network address, by:
determining whether the source network address is included in a list of trusted network addresses;
when the source network address is not included in the list of trusted network addresses, disallowing the network communication on the first network;
when the source network address is included in the list of trusted network addresses, receiving data representing a non-modifiable device identifier of the first computing device;
determining whether the device identifier is included in a list of trusted device identifiers; and
when the device identifier is included in the list of trusted device identifiers, allowing the network communication on the first network;
receiving an indication of a white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties;
determining a first communication property that is associated with the network communication;
determining a second communication property that is an allowable communication property specified by an entry in the white list that corresponds to the source network address;
evaluating the network communication with respect to the white list, by determining whether or not the first communication property is encompassed by the second communication property;
in response to determining that the first communication property is not encompassed by the second communication property, disallowing the network communication;
in response to determining that the first communication property is encompassed by the second communication property, allowing the network communication; and
randomly auditing packets received at a network interface by:
randomly selecting a first packet;
determining whether the source network address and the non-modifiable device identifier associated with the first packet are both authorized;
allowing multiple packets received from the first device subsequent to the first packet without verifying a non-modifiable device identifier;
randomly selecting a second packet received after the multiple packets;
determining whether the source network address and the non-modifiable device identifier are both authorized; and
determining whether the source network address and the non-modifiable device identifier associated with the second packet are both authorized,
wherein the first computing device is configured to execute a secure boot process that loads and executes only trusted code, wherein the trusted code disallows any modification of the source network address and non-modifiable device identifier.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A method for controlling communication in a computer network managed by an organization, the method comprising:
evaluating a network communication from a first computing device, wherein the first computing device is connected to a first network and uses a source network address, by:
determining whether the source network address is included in a list of trusted network addresses;
when the source network address is not included in the list of trusted network addresses, disallowing the network communication on the first network;
when the source network address is included in the list of trusted network addresses, receiving data representing a non-modifiable device identifier of the first computing device;
determining whether the device identifier is included in a list of trusted device identifiers; and
when the device identifier is included in the list of trusted device identifiers, allowing the network communication on the first network;
receiving an indication of a white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties;
determining a first communication property that is associated with the network communication;
determining a second communication property that is an allowable communication property specified by an entry in the white list that corresponds to the source network address;
evaluating the network communication with respect to the white list, by determining whether or not the first communication property is encompassed by the second communication property;
in response to determining that the first communication property is not encompassed by the second communication property, disallowing the network communication;
in response to determining that the first communication property is encompassed by the second communication property, allowing the network communication;
determining that a first packet that is transmitted by the first device is associated with an authorized network address and an authorized non-modifiable device identifier;
allowing multiple packets received from the first device subsequent to the first packet, wherein the multiple packets are allowed based on source network addresses and without any evaluation of non-modifiable device identifiers; and
after passage of a determined time interval or a determined number of packets, requiring the first device to again provide its non-modifiable device identifier to authorize further communication,
wherein the first computing device is configured to execute a secure boot process that loads and executes only trusted code, wherein the trusted code disallows any modification of hardware identifiers of the first computing device including the non-modifiable device identifier.
Dependent claims: 13, 14, 15.
16. A non-transitory computer-readable medium that stores instructions that are configured, when executed by a computer processor, to perform a method for controlling communication in a computer network managed by an organization, the method comprising:
evaluating a network communication from a first computing device, wherein the first computing device is connected to a first network and uses a source network address, by:
determining whether the source network address is included in a list of trusted network addresses;
when the source network address is not included in the list of trusted network addresses, disallowing the network communication on the first network;
when the source network address is included in the list of trusted network addresses, receiving data representing a non-modifiable device identifier of the first computing device;
determining whether the device identifier is included in a list of trusted device identifiers; and
when the device identifier is included in the list of trusted device identifiers, allowing the network communication on the first network;
receiving an indication of a white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties;
determining a first communication property that is associated with the network communication;
determining a second communication property that is an allowable communication property specified by an entry in the white list that corresponds to the source network address;
evaluating the network communication with respect to the white list, by determining whether or not the first communication property is encompassed by the second communication property;
in response to determining that the first communication property is not encompassed by the second communication property, disallowing the network communication; and
in response to determining that the first communication property is encompassed by the second communication property, allowing the network communication; and
randomly auditing packets received at a network interface by:
randomly selecting a first packet;
determining whether the source network address and the non-modifiable device identifier associated with the first packet are both authorized;
allowing multiple packets received from the first device subsequent to the first packet without verifying a non-modifiable device identifier;
randomly selecting a second packet received after the multiple packets;
determining whether the source network address and the non-modifiable device identifier are both authorized; and
determining whether the source network address and the non-modifiable device identifier associated with the second packet are both authorized,
wherein the first computing device is configured to execute a secure boot process that loads and executes only trusted code, wherein the trusted code disallows any modification of hardware identifiers of the first computing device including the non-modifiable device identifier.
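As an added illustration (not code from the patent or its assignee), the Python below models the evaluation module of claims 1 and 12: a trusted-address check, a white-list check that a communication property is encompassed by an allowable one, and an audit step that verifies the non-modifiable device identifier on the first packet and again after a set number of address-only packets or on a randomly sampled packet. Packet, Policy and Evaluator are hypothetical names, and representing a communication property as (protocol, destination port) is an assumption; the identifier is only as trustworthy as the device's secure boot makes it, which this code cannot check on its own.

```python
import random
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_addr: str
    device_id: Optional[str]  # non-modifiable hardware identifier, None if not attached
    protocol: str
    dst_port: int

@dataclass
class Policy:
    trusted_addrs: set[str]
    trusted_device_ids: set[str]
    # white list: source address -> allowable (protocol, lowest port, highest port)
    allowed_props: dict[str, list[tuple[str, int, int]]] = field(default_factory=dict)

def encompassed(pkt: Packet, allowed: list[tuple[str, int, int]]) -> bool:
    """True when the packet's (protocol, port) lies within an allowable property."""
    return any(pkt.protocol == p and lo <= pkt.dst_port <= hi for p, lo, hi in allowed)

class Evaluator:
    def __init__(self, policy: Policy, audit_every: int = 100,
                 audit_prob: float = 0.01, seed: Optional[int] = None):
        self.policy = policy
        self.audit_every = audit_every  # re-verify after this many address-only packets
        self.audit_prob = audit_prob    # ...or on a randomly sampled packet (claim 1)
        self.rng = random.Random(seed)
        self.since_verified: dict[str, int] = {}  # per address: packets since last check

    def evaluate(self, pkt: Packet) -> tuple[bool, str]:
        if pkt.src_addr not in self.policy.trusted_addrs:  # factor 1: trusted address
            return False, "untrusted source address"
        # White list checked before the audit so a dropped packet never resets the counter.
        if not encompassed(pkt, self.policy.allowed_props.get(pkt.src_addr, [])):
            return False, "communication property not in white list"
        # Factor 2: device identifier, verified on the first packet, then after audit_every address-only packets or a random sample.
        count = self.since_verified.get(pkt.src_addr)
        audit_due = (count is None or count >= self.audit_every
                     or self.rng.random() < self.audit_prob)
        if audit_due:
            if pkt.device_id is None:
                return False, "device identifier required"
            if pkt.device_id not in self.policy.trusted_device_ids:
                return False, "untrusted device identifier"
            self.since_verified[pkt.src_addr] = 0
            return True, "allowed (device identifier verified)"
        self.since_verified[pkt.src_addr] = count + 1
        return True, "allowed (address only)"
```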