Systems and methods of controlling network access

US 20050063400A1
Filed: 09/24/2004
Published: 03/24/2005
Est. Priority Date: 09/24/2003
Status: Active Grant

First Claim

Patent Images

1. A computing network comprising:

a less-restricted subset of the computing network, access to the less-restricted subset being responsive to a first VLAN;

a restricted subset of the computing network including a gatekeeper, the gatekeeper configured to receive requests for access to the less-restricted subset from an access device and to issue commands configured to allow access to the less-restricted subset in response to a security policy, access to the non-restricted subset of the computing network being responsive to a second VLAN; and

at least one access point including a communication port alternatively configurable for communication with less-restricted subset or for communication with only the restricted subset, configuration of the communication port including association of the communication port alternatively with the first VLAN or the second VLAN, configuration of the communication port being responsive to the commands issued by the gatekeeper.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device.

85 Citations

View as Search Results

60 Claims

1. A computing network comprising:
- a less-restricted subset of the computing network, access to the less-restricted subset being responsive to a first VLAN;
  
  a restricted subset of the computing network including a gatekeeper, the gatekeeper configured to receive requests for access to the less-restricted subset from an access device and to issue commands configured to allow access to the less-restricted subset in response to a security policy, access to the non-restricted subset of the computing network being responsive to a second VLAN; and
  
  at least one access point including a communication port alternatively configurable for communication with less-restricted subset or for communication with only the restricted subset, configuration of the communication port including association of the communication port alternatively with the first VLAN or the second VLAN, configuration of the communication port being responsive to the commands issued by the gatekeeper.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computing network of claim 1, wherein the restricted subset of the computing network includes elements configured to communicate with access devices having an unknown security status, and the less-restricted subset of the computing network includes those elements of the computing network not included in the restricted subset.
  - 3. The computing network of claim 1, further including a router configured to limit access to only the restricted subset using an access control list.
  - 4. The computing network of claim 1, wherein association of the communication port with the first VLAN allows communication with elements of both the restricted subset and the less-restricted subset.
  - 5. The computing network of claim 1, wherein the gatekeeper is further configured to enforce a security policy regarding access to the less-restricted subset.
  - 6. The computing network of claim 1, wherein the gatekeeper is further configured to update the access device using an update module.
  - 7. The computing network of claim 1, wherein the gatekeeper is further configured to obtain system data from the access device.
  - 8. The computing network of claim 7, wherein the gatekeeper is further configured to use the system data to determine if the access device meets requirements of a security policy, and to issue the commands responsive to this determination.
  - 9. The computing network of claim 1, wherein the gatekeeper is further configured to read an administrator specified configuration of the communication port from the at least one access point, to store the read administrator specified configuration in a port configuration table, and to issue commands configured to prevent access to the less-restricted subset of the computing network via the communication port.
  - 10. The computing network of claim 9, wherein the gatekeeper is further configured to use the stored administrator specified configuration when issuing commands configured to allow access to the less-restricted subset.
  - 11. The computing network of claim 1, wherein the gatekeeper is further configured to select from a plurality of security policies.
  - 12. The computing network of claim 1, wherein the gatekeeper is further configured to select from a hierarchical set of security policies, the hierarchical set configured to provide access to different parts of the less-restricted subset of the computing network.
  - 13. The computing network of claim 1, wherein the gatekeeper is further configured to control access to the less-restricted subset of the computing network by configuring communication ports on a plurality of access points, the at least one access point being a member of the plurality of access points.
  - 14. The computing network of claim 1, wherein the gatekeeper is further configured to control access to a plurality of protected networks, the computing network being a member of the plurality of protected networks.
  - 15. The computing network of claim 1, wherein the gatekeeper is further configured to read identification data concerning the access device from the at least one access point and to use the read identification data to identify the access device or to identify data sent by the access device.
  - 16. The computing network of claim 1, wherein the security policy includes an audit of the access device.

17. A network gatekeeper comprising:
- at least one security policy including requirements that must be satisfied before an access device is granted access to a less-restricted subset of a protected network;
  
  a policy auditor configured to audit then access device using the at least one security policy, in response to a request to access the less-restricted subset of the protected network, the request being sent from the access device to the gatekeeper via a communication device; and
  
  an access control configured to reconfigure the communication device such that data sent from the access device is received by the less-restricted subset of the protected network rather than merely a restricted subset of the protected network, if the audit results in a determination that the access device meets the requirements of the at least one security policy, the restricted subset of the protected network including the gatekeeper.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 18. The network gatekeeper of claim 17, wherein the restricted subset of the protected network includes elements configured to communicate with the access device having a questionable security status, and the less-restricted subset of the protected network includes those elements of the protected network not included in the restricted subset.
  - 19. The network gatekeeper of claim 17, wherein the at least one security policy is responsive to an identity of the access device.
  - 20. The network gatekeeper of claim 17, wherein the at least one security policy is selected by the policy auditor responsive to a part of the less-restricted subset of the protected network to which access is requested.
  - 21. The network gatekeeper of claim 17, wherein the audit is responsive to antivirus software executing on the access device.
  - 22. The network gatekeeper of claim 17, wherein the audit is responsive to an operating system, a version of the operating system, or patches applied to the operating system, executing on the access device.
  - 23. The network gatekeeper of claim 17, wherein the policy auditor is configured to request data from an agent on the access device.
  - 24. The network gatekeeper of claim 17, wherein the communication device includes a wireless access point.
  - 25. The network gatekeeper of claim 17, wherein the communication device includes a wireless access point configured to support an 802.1x standard.
  - 26. The network gatekeeper of claim 17, wherein the communication device includes a network switch.
  - 27. The network gatekeeper of claim 17, wherein the communication device includes a router.
  - 28. The network gatekeeper of claim 17, wherein the reconfiguration of the communication device includes reconfiguring a port on the communication device such that data received at the port is passed on to elements of both the less-restricted subset of the protected network and the restricted subset of the protected network.
  - 29. The network gatekeeper of claim 28, wherein reconfiguring the port includes returning the port to an administrator specified setting.
  - 30. The network gatekeeper of claim 28, wherein reconfiguring the port includes sending one or more commands from the gatekeeper to the communication device.

31. A method of granting access to a protected network, the method comprising:
- receiving a request for access to a less-restricted subset of the protected network from an access device, the request being received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset of the protected network, the restricted subset including a gatekeeper;
  
  applying a security policy to the access device, responsive to the request; and
  
  reconfiguring the communication port for communicating between the access device and the less-restricted subset of the protected network without passing the data through the gatekeeper, if requirements of the security policy are satisfied.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 32. The method of claim 31, further including reading an administrator specified configuration of the communication port from the access point, and storing the read administrator specified configuration.
  - 33. The method of claim 31, further including configuring the communication port such that requests for access to the less-restricted subset are communicated to the gatekeeper.
  - 34. The method of claim 31, further including authenticating a user of the access device.
  - 35. The method of claim 31, further including obtaining system data from the access device, and wherein applying the security policy includes using the system data to determine if the access device satisfies the requirements of the security policy.
  - 36. The method of claim 35, wherein the system data includes antivirus software version data.
  - 37. The method of claim 31, further including communicating between the gatekeeper and an agent executing on the access device to obtain system data from the access device, and wherein applying the security policy includes using the system data to determine if the access device satisfies the requirements of the security policy.
  - 38. The method of claim 37, wherein the system data includes information regarding devices connected to the access device.
  - 39. The method of claim 31, further including communicating between the gatekeeper and an agent executing on the access device to monitor security status of the access device after reconfiguring the communication port for communicating between the access device and the less-restricted subset.
  - 40. The method of claim 39, wherein the system data includes information regarding computing code executing on the access device.
  - 41. The method of claim 31, further including obtaining identification information regarding the access device from the access point.
  - 42. The method of claim 31, further including selecting the security policy from among a plurality of security policies.
  - 43. The method of claim 42, wherein selecting the security policy is responsive to an identity of the access device or an identity of a user of the access device.
  - 44. The method of claim 42, wherein selecting the security policy is responsive to an identity of elements within the less-restricted subset of the protected network to which access is requested.
  - 45. The method of claim 31, further including updating the access device if requirements of the security policy are not satisfied.
  - 46. The method of claim 31, wherein the access point is a network switch.
  - 47. The method of claim 31, wherein the access point is a wireless access point.
  - 48. The method of claim 31, wherein the access point is a remote access virtual private network.
  - 49. The method of claim 31, wherein the gatekeeper is accessible to elements of the less-restricted subset of the protected network.
  - 50. The method of claim 31, wherein the restricted subset of the protected network is characterized by an access control list.
  - 51. The method of claim 50, wherein access to the restricted subset of the protected network is responsive to a VLAN configured to communicate with the protected network subject to the access control list.
  - 52. The method of claim 31, wherein the gatekeeper and the access point are embodied in separate devices.

53. A method of granting access to a protected network, the method comprising:
- receiving a first communication from an access device at a communication port, the communication port being configured to pass the first communication to a restricted subset of the protected network, the restricted subset including a gatekeeper configured to enforce security policy for access to a less-restricted subset of the protected network;
  
  receiving a command from the gatekeeper, the command being responsive to the received first communication and being configured to reconfigure the communication port to communicate data to the less-restricted subset of protected network;
  
  configuring the communication port to communicate data to the less-restricted subset of the protected network rather than merely the restricted subset of the protected network, responsive to the received command; and
  
  receiving a second communication from the access device at the communication port, the communication port now being configured to pass the second communication to the less-restricted subset of the protected network.
- View Dependent Claims (54, 55, 56)
- - 54. The method of claim 53, wherein configuring the communication port includes association the communication port with a VLAN.
  - 55. The method of claim 53, wherein the communication port is limited to communicating with the restricted subset of the protected network by an access control list, when the first communication is received.
  - 56. The method of claim 55, wherein the communication port is limited to communicating with elements of protected network by another access control list, when the second communication is received.

57. A computing network comprising:
- means for dividing the computing network into a restricted subset and a less-restricted subset;
  
  means for receiving a request at the restricted subset, the request being to access the less-restricted subset;
  
  means for enforcing a security policy in response to the request; and
  
  means for allowing communication to the less-restricted subset, responsive to the enforcement of the security policy, the communication to the less-restricted subset not necessarily passing through the restricted subset.
- View Dependent Claims (58)
- - 58. The computing network of claim 57, wherein the restricted subset of the computing network includes elements configured to communicate with access devices having an unknown security status, and the less-restricted subset of the computing network includes those elements of the computing network not included in the restricted subset.

59. A computer readable medium including computer code configured for controlling access to a computer network, the computer code comprising:
- a code segment configured for receiving a request for access to a less-restricted subset of the protected network from an access device, the request being received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset of the protected network, the restricted subset including a gatekeeper;
  
  a code segment configured for applying a security policy to the access device, responsive to the request; and
  
  a code segment configured for reconfiguring the communication port for communicating between the access device and the less-restricted subset of the protected network without passing the data through the gatekeeper, if requirements of the security policy are satisfied.
- View Dependent Claims (60)
- - 60. The computer readable medium of claim 59, wherein the computer code further includes a code segment configured for reading an administrator specified configuration of the communication port from the access point, and storing the read administrator specified configuration.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InfoExpress, Inc.
Original Assignee
InfoExpress, Inc.
Inventors
Lum, Stacey C.

Granted Patent

US 7,523,484 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/401
CPC Class Codes

H04L 63/0876 based on the identity of th...

H04L 63/20 for managing network securi...

Systems and methods of controlling network access

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

85 Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods of controlling network access

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links