System and Methodology for Policy Enforcement

US 20040107360A1
Filed: 03/13/2003
Published: 06/03/2004
Est. Priority Date: 12/02/2002
Status: Abandoned Application

First Claim

Patent Images

1. A system for authentication of a client device for access to a network, the system comprising:

a first authentication module that establishes a session with a client device requesting network access, said session for collecting information from the client device and determining whether to authenticate the client device for access to the network based, at least in part, upon the collected information; and

a second authentication module that participates in said session with the client device for supplemental authentication of the client device for access to the network, said supplemental authentication based, at least in part, upon the collected information and a policy required as a condition for network access.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and methodology for policy enforcement during authentication of a client device for access to a network is described. A first authentication module establishes a session with a client device requesting network access for collecting information from the client device and determining whether to authenticate the client device for access to the network based, at least in part, upon the collected information. A second authentication module participates in the session with the client device for supplemental authentication of the client device for access to the network. The supplemental authentication of the client device is based, at least in part, upon the collected information and a policy required as a condition for network access.

Citations

59 Claims

1. A system for authentication of a client device for access to a network, the system comprising:
- a first authentication module that establishes a session with a client device requesting network access, said session for collecting information from the client device and determining whether to authenticate the client device for access to the network based, at least in part, upon the collected information; and
  
  a second authentication module that participates in said session with the client device for supplemental authentication of the client device for access to the network, said supplemental authentication based, at least in part, upon the collected information and a policy required as a condition for network access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1, wherein said policy required as a condition for network access comprises a security policy.
  - 3. The system of claim 1, wherein said policy required as a condition for network access includes anti-virus measures required on the client device.
  - 4. The system of claim 1, wherein said policy required as a condition for network access includes security measures required on the client device.
  - 5. The system of claim 1, wherein participation by the second authentication module in said session with the client device includes trapping communications between the first authentication module and the client device.
  - 6. The system of claim 1, wherein said first authentication module exchanges communications with the client device using an authentication protocol.
  - 7. The system of claim 6, wherein said authentication protocol comprises an Extensible Authentication Protocol (EAP).
  - 8. The system of claim 6, wherein said authentication protocol comprises a Generic Security Services Application Program Interface (GSS-API) based protocol.
  - 9. The system of claim 6, wherein the information collected from the client device is packaged within Extensible Authentication Protocol (EAP) communications.
  - 10. The system of claim 1, further comprising:
    - a client authentication module on the client device for gathering information required for supplemental authentication of the client device.
  - 11. The system of claim 10, wherein said client authentication module gathers information about policy enforcement on the client device.
  - 12. The system of claim 10, wherein said client authentication module packages the collected information into Extensible Authentication Protocol (EAP) packets for transmission.
  - 13. The system of claim 1, wherein the client device comprises a server which requests network access for the purpose of linking together at least two networks.
  - 14. The system of claim 1, wherein said first authentication module includes a Remote Authentication Dial In User Service (RADIUS) server.
  - 15. The system of claim 1, wherein said first authentication module includes an Internet Authentication Service (IAS) server.
  - 16. The system of claim 1, wherein said second authentication module includes a policy server.

17. A method for enforcing compliance with security rules required as a condition for access, the method comprising:
- specifying security rules required as a condition for access;
  
  detecting a request for access from a client;
  
  verifying authentication of the client requesting access, including collecting information from the client;
  
  if the client is authenticated for access, providing access to the client in accordance with the security rules based at least in part on said information collected during authentication.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 18. The method of claim 17, wherein said detecting step includes detecting a request for access to a network.
  - 19. The method of claim 17, wherein said detecting step includes detecting a request for access to a host.
  - 20. The method of claim 19, wherein said host includes a web server.
  - 21. The method of claim 17, wherein said client includes a network access server connecting to link together at least two networks.
  - 22. The method of claim 17, wherein said verifying authentication step includes using an authentication protocol.
  - 23. The method of claim 22, wherein said authentication protocol comprises a Generic Security Services Application Program Interface (GSS-API) based protocol.
  - 24. The method of claim 22, wherein said authentication protocol comprises an Extensible Authentication Protocol (EAP).
  - 25. The method of claim 24, wherein said information collected from the client is packaged within EAP packets.
  - 26. The method of claim 24, wherein said information collected from the client is included as extended attributes of EAP packets sent by the client.
  - 27. The method of claim 17, wherein said verifying authentication step includes using a client-side component for gathering information regarding the client.
  - 28. The method of claim 27, wherein said client-side component packages the gathered information in Extensible Authentication Protocol (EAP) packets.
  - 29. The method of claim 17, wherein said providing access step includes blocking access if the client is determined not to be in compliance with the security rules.
  - 30. The method of claim 17, wherein said providing access step includes applying a restrictive filter if the client is determined not to be in compliance with the security rules.
  - 31. The method of claim 17, wherein said providing access step includes allowing access subject to conditions if the client is determined not to be in compliance with the security rules.
  - 32. The method of claim 17, wherein said providing access step includes redirecting a client determined not to be in compliance to a sandbox server for remedying compliance.
  - 33. A computer-readable medium having computer-executable instructions for performing the method of claim 17.
  - 34. A downloadable set of computer-executable instructions for performing the method of claim 17.

35. A method for enforcing compliance with a security policy required as a condition for access to at least one resource, the method comprising:
- specifying a security policy required for access to at least one resource;
  
  detecting a request for access from a particular computer;
  
  attempting authentication of said particular computer, including determining the particular computer'"'"'s compliance with the security policy;
  
  if the particular computer is authenticated and is in compliance with the security policy, providing access in accordance with the security policy; and
  
  otherwise, denying access.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43)
- - 36. The method of claim 35, wherein said detecting step includes detecting a request for access to a network.
  - 37. The method of claim 35, wherein said particular computer includes a network access server connecting to link together at least two networks.
  - 38. The method of claim 35, wherein said attempting authentication step includes using an authentication protocol that is extensible.
  - 39. The method of claim 35, wherein the security policy comprises a plurality of rules.
  - 40. The method of claim 39, wherein providing access includes allowing access to a resource permitted under said rules.
  - 41. The method of claim 39, wherein access to a resource is denied if not permitted under said rules.
  - 42. The method of claim 35, wherein said attempting authentication step includes using a component on said particular computer for determining compliance with the security policy.
  - 43. The system of claim 35, wherein said denying step includes restricting said particular computer to an area of the network for remedying compliance.

44. An improved method for authenticating a device for access to a network including an improvement for determining compliance with a policy required as a condition for access, the improvement comprising:
- specifying a policy required as a condition for network access;
  
  determining whether the device is in compliance with the policy during attempted authentication of the device; and
  
  if the device is authenticated, allowing network access based upon the determination made about the device'"'"'s compliance with the policy.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52)
- - 45. The improvement of claim 44, wherein said determining step includes using an authentication protocol for providing information about compliance with the policy.
  - 46. The improvement of claim 45, wherein said authentication protocol comprises a Generic Security Services Application Program Interface (GSS-API) based protocol.
  - 47. The improvement of claim 45, wherein said authentication protocol comprises an Extensible Authentication Protocol (EAP).
  - 48. The improvement of claim 47, wherein said Extensible Authentication Protocol is extended to provide for policy negotiation.
  - 49. The improvement of claim 44, further comprising:
    - providing a component on the device for generating information about policy compliance.
  - 50. The improvement of claim 49, wherein said component packages the information in Extensible Authentication Protocol (EAP) packets.
  - 51. The improvement of claim 44, wherein said allowing step includes allowing partial access.
  - 52. The improvement of claim 44, wherein said allowing step includes allowing access subject to conditions if the device is not in compliance with the policy.

53. A system for determining an access policy to be applied to a device requesting access to a network, the system comprising:
- a network access module for receiving a request for network access from a device and regulating access to the network;
  
  a primary authentication module which communicates with the device for determining whether the device is authorized to access the network; and
  
  a secondary authentication module which participates in communications between the device and the primary authentication module for determining an access policy to be applied to the device based upon a security policy required as a condition of network access.
- View Dependent Claims (54, 55, 56, 57, 58, 59)
- - 54. The system of claim 53, wherein said network access module applies the access policy determined by the secondary authentication module.
  - 55. The system of claim 53, wherein said primary authentication module exchanges communications with the device using an authentication protocol.
  - 56. The system of claim 55, wherein said authentication protocol comprises an Extensible Authentication Protocol (EAP).
  - 57. The system of claim 56, wherein Extensible Authentication Protocol communications between the device and the primary authentication module are extended to include security attributes of the device.
  - 58. The system of claim 53, wherein said access policy specifies network resources that may be accessed by the device based upon compliance with the security policy.
  - 59. The system of claim 53, wherein said access policy includes allowing partial access to the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Zone Labs Inc. (Check Point Software Technologies Limited)
Inventors
Murari, Sinduja, Herrmann, Conrad K.

Application Number

US10/249,073
Publication Number

US 20040107360A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/162   at the data link layer

H04L 63/20   for managing network securi...

System and Methodology for Policy Enforcement

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

59 Claims

Specification

Solutions

Use Cases

Quick Links

System and Methodology for Policy Enforcement

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

59 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links