Systems and methods of controlling network access
Abstract
A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device.
60 Claims
1. A computing network comprising:
a less-restricted subset of the computing network, access to the less-restricted subset being responsive to a first VLAN;
a restricted subset of the computing network including a gatekeeper, the gatekeeper configured to receive requests for access to the less-restricted subset from an access device and to issue commands configured to allow access to the less-restricted subset in response to a security policy, access to the non-restricted subset of the computing network being responsive to a second VLAN; and
at least one access point including a communication port alternatively configurable for communication with the less-restricted subset or for communication with only the restricted subset, configuration of the communication port including association of the communication port alternatively with the first VLAN or the second VLAN, configuration of the communication port being responsive to the commands issued by the gatekeeper.
Dependent claims: 2-16.

17. A network gatekeeper comprising:
at least one security policy including requirements that must be satisfied before an access device is granted access to a less-restricted subset of a protected network;
a policy auditor configured to audit the access device using the at least one security policy, in response to a request to access the less-restricted subset of the protected network, the request being sent from the access device to the gatekeeper via a communication device; and
an access control configured to reconfigure the communication device such that data sent from the access device is received by the less-restricted subset of the protected network rather than merely a restricted subset of the protected network, if the audit results in a determination that the access device meets the requirements of the at least one security policy, the restricted subset of the protected network including the gatekeeper.
Dependent claims: 18-30.

31. A method of granting access to a protected network, the method comprising:
receiving a request for access to a less-restricted subset of the protected network from an access device, the request being received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset of the protected network, the restricted subset including a gatekeeper;
applying a security policy to the access device, responsive to the request; and
reconfiguring the communication port for communicating between the access device and the less-restricted subset of the protected network without passing the data through the gatekeeper, if requirements of the security policy are satisfied.
Dependent claims: 32-52.

53. A method of granting access to a protected network, the method comprising:
receiving a first communication from an access device at a communication port, the communication port being configured to pass the first communication to a restricted subset of the protected network, the restricted subset including a gatekeeper configured to enforce security policy for access to a less-restricted subset of the protected network;
receiving a command from the gatekeeper, the command being responsive to the received first communication and being configured to reconfigure the communication port to communicate data to the less-restricted subset of the protected network;
configuring the communication port to communicate data to the less-restricted subset of the protected network rather than merely the restricted subset of the protected network, responsive to the received command; and
receiving a second communication from the access device at the communication port, the communication port now being configured to pass the second communication to the less-restricted subset of the protected network.
Dependent claims: 54-56.

57. A computing network comprising:
means for dividing the computing network into a restricted subset and a less-restricted subset;
means for receiving a request at the restricted subset, the request being to access the less-restricted subset;
means for enforcing a security policy in response to the request; and
means for allowing communication to the less-restricted subset, responsive to the enforcement of the security policy, the communication to the less-restricted subset not necessarily passing through the restricted subset.
Dependent claim: 58.

59. A computer readable medium including computer code configured for controlling access to a computer network, the computer code comprising:
a code segment configured for receiving a request for access to a less-restricted subset of the protected network from an access device, the request being received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset of the protected network, the restricted subset including a gatekeeper;
a code segment configured for applying a security policy to the access device, responsive to the request; and
a code segment configured for reconfiguring the communication port for communicating between the access device and the less-restricted subset of the protected network without passing the data through the gatekeeper, if requirements of the security policy are satisfied.
Dependent claim: 60.
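As an added illustration (not code from the patent or its assignee), the following Python model walks through the flow described in the abstract and in claims 31 and 53: a port starts associated with the restricted VLAN so that the device's first communication reaches only the gatekeeper, the gatekeeper audits the device against a security policy, and only a clean audit re-associates the port with the less-restricted VLAN. The VLAN ids, the posture fields, the three policy requirements and the link-down reset are constructed assumptions, not values or steps taken from the page.

```python
from dataclasses import dataclass

# Constructed VLAN ids (assumptions, not values from the patent).
RESTRICTED_VLAN = 100        # reaches only the gatekeeper's restricted subset
LESS_RESTRICTED_VLAN = 200   # reaches the protected network proper

@dataclass
class Port:
    """An access-point communication port; a fresh link starts restricted."""
    name: str
    vlan: int = RESTRICTED_VLAN

    def destination(self) -> str:
        """Subset that traffic arriving on this port is delivered to."""
        return "restricted" if self.vlan == RESTRICTED_VLAN else "less-restricted"

class Gatekeeper:
    """Sits in the restricted subset; audits devices and reconfigures ports."""

    def __init__(self, policy: dict):
        self.policy = policy  # requirement name -> predicate over posture report

    def audit(self, posture: dict) -> list[str]:
        """Names of the requirements the posture report fails (empty = pass)."""
        return [name for name, check in self.policy.items() if not check(posture)]

    def handle_request(self, port: Port, posture: dict) -> list[str]:
        """Claim 31 in code: apply the policy, move the port only on a clean audit."""
        failures = self.audit(posture)
        if not failures:
            port.vlan = LESS_RESTRICTED_VLAN  # the command to the access point
        return failures

def link_down(port: Port) -> None:
    """Assumption, not in the claims: each new link is audited afresh."""
    port.vlan = RESTRICTED_VLAN

# Constructed security policy: three posture requirements an auditor might check.
POLICY = {
    "patch_level": lambda p: p.get("patch_level", 0) >= 42,
    "antivirus_running": lambda p: p.get("antivirus_running") is True,
    "no_file_sharing": lambda p: not p.get("file_sharing_enabled", True),
}

def admit(posture: dict) -> tuple[str, list[str], str]:
    """Where a device's first and second communications land, plus audit failures."""
    port, gk = Port("ap1/3"), Gatekeeper(POLICY)
    first = port.destination()  # first communication goes to the gatekeeper only
    failures = gk.handle_request(port, posture)
    return first, failures, port.destination()  # second communication
```

A device that fails any requirement stays on the restricted VLAN, so its later traffic still reaches only the gatekeeper, which is the quarantine behaviour the claims rely on.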