Isolation approach for network users associated with elevated risk

US 20050204162A1
Filed: 03/09/2004
Published: 09/15/2005
Est. Priority Date: 03/09/2004
Status: Active Grant

First Claim

Patent Images

1. A method, comprising the computer-implemented steps of:

determining a user identifier associated with a network device that has caused a security event in a network;

causing the network device to receive a network address that is selected from a subset of addresses within a specified pool associated with suspected malicious network users; and

configuring one or more security restrictions with respect to the selected network address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An isolation approach for network users associated with elevated risk is disclosed for protecting networks. In one approach a method comprises the computer-implemented steps of determining a user identifier associated with a network device that has caused a security event in a network; causing the network device to receive a network address that is selected from a subset of addresses within a specified pool associated with suspected malicious network users; and configuring one or more security restrictions with respect to the selected network address.

187 Citations

26 Claims

1. A method, comprising the computer-implemented steps of:
- determining a user identifier associated with a network device that has caused a security event in a network;
  
  causing the network device to receive a network address that is selected from a subset of addresses within a specified pool associated with suspected malicious network users; and
  
  configuring one or more security restrictions with respect to the selected network address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 21, 22, 23)
- - 2. A method as recited in claim 1, further comprising the steps of:
    - receiving information identifying the security event in the network;
      
      correlating the security event information with network user information to result in determining the user identifier associated with the network device.
  - 3. A method as recited in claim 1, wherein the network device uses dynamic host control protocol (DHCP) to obtain the network address, and wherein the step of causing the network device to receive a network address comprises resetting a port that is coupled to the network device to prompt a user to command the network device to request a new network address using DHCP.
  - 4. A method as recited in claim 1, wherein the network device uses dynamic host control protocol (DHCP) to obtain the network address, and wherein the step of causing the network device to receive a network address comprises issuing a DHCP FORCE_RENEW message to the network device.
  - 5. A method as recited in claim 1, wherein the network device uses dynamic host control protocol (DHCP) to obtain the network address, and wherein the step of causing the network device to receive a network address comprises prompting the network device to request a new network address using DHCP.
  - 6. A method as recited in claim 1, wherein the network device uses dynamic host control protocol (DHCP) to obtain the network address, and wherein the step of causing the network device to receive a network address comprises waiting for expiration of a lease for a current network address of the network device.
  - 7. A method as recited in claim 1, wherein the step of causing the network device to receive a network address comprises the step of providing the network device with an IP address that is selected from a plurality of IP addresses within a special IP subnet.
  - 8. A method as recited in claim 7, further comprising the step of publishing information describing characteristics of the special IP subnet to network service providers.
  - 9. A method as recited in claim 1, wherein the step of configuring security restrictions comprises the steps of modifying an internet protocol (IP) access control list (ACL) associated with a port that is coupled to the network device to permit entry of IP traffic from only the selected network address.
  - 10. A method as recited in claim 1, wherein the step of configuring security restrictions comprises the steps of modifying a media access control (MAC) ACL associated with a port that is coupled to the network device to permit entry of traffic only for a MAC address that is bound to the selected network address.
  - 11. A method as recited in claim 1, further comprising the steps of determining whether a malicious act caused the security event, and if so, providing information about the security event or malicious act to a security decision controller.
  - 12. A method as recited in claim 1, further comprising the steps of determining whether a malicious act caused the security event, and if not, removing the user from the elevated risk group.
  - 13. A method as recited in claim 1, further comprising the steps of determining whether a malicious act caused the security event, wherein a legal user action in the network is not determined to be a malicious act if the user is associated with a trusted customer of a network service provider.
  - 21. A computer-readable medium as recited in claim 18, further comprising instructions for performing the steps as recited in any of claims 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, or 13.
  - 22. An apparatus as recited in claim 19, further comprising means for performing the steps as recited in any of claims 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, or 13.
  - 23. An apparatus as recited in claim 20, further comprising instructions for performing the steps as recited in any of claims 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, or 13.

14. A method, comprising the computer-implemented steps of:
- receiving information identifying a security event in a network;
  
  correlating the security event information with network user information to result in determining a network user associated with the network device, placing the user in an elevated risk security group;
  
  configuring one or more security restrictions with respect to the selected network address;
  
  determining whether a malicious act caused the security event;
  
  if a malicious act caused the security event, then providing information about the security event or malicious act to a security decision controller;
  
  if a malicious act did not cause the security event, then removing the user from the elevated risk group.
- View Dependent Claims (15, 16, 17, 24, 25, 26)
- - 15. A method as recited in claim 14, wherein placing the user identifier in an elevated risk security group further comprises the step of forcing the user to acquire a new network address from a specified group of network addresses that is reserved for users associated with elevated user risk.
  - 16. A method as recited in claim 15, wherein forcing the user to acquire a new network address comprises the steps of:
    - re-configuring a dynamic host control protocol (DHCP) server to require said server to issue any new network address to the network device only from a specified group of network addresses that is reserved for users associated with elevated user risk;
      
      performing any one of the steps of;
      
      (a) resetting a port that is coupled to the network device to trigger the network device to request a new network address using DHCP;
      
      (b) issuing a DHCP FORCE_RENEW message to the network device;
      
      (c) prompting the network device to request a new network address using DHCP;
      
      (d) waiting for expiration of a lease for a current network address of the network device.
  - 17. A method as recited in claim 14, wherein the step of configuring one or more security restrictions comprises the steps of:
    - modifying an internet protocol (IP) access control list (ACL) associated with a port that is coupled to the network device to permit entry of IP traffic from only the selected network address;
      
      modifying a media access control (MAC) ACL associated with the port to permit entry of traffic only for a MAC address that is bound to the selected network address.
  - 24. A computer-readable medium carrying one or more sequences of instructions, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps as recited in any of claims 14, 15, 16, or 17.
  - 25. An apparatus comprising means for performing the functions recited in the steps of any of claims 14, 15, 16, or 17.
  - 26. An apparatus, comprising:
    - a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
      
      a processor; and
      
      one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps as recited in any of claims 14, 15, 16, or 17.

18. A computer-readable medium carrying one or more sequences of instructions, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- determining a user identifier associated with a network device that has caused a security event in a network;
  
  causing the network device to receive a network address that is selected from a subset of addresses within a specified pool associated with suspected malicious network users; and
  
  configuring one or more security restrictions with respect to the selected network address.

19. An apparatus, comprising:
- means for determining a user identifier associated with a network device that has caused a security event in a network;
  
  means for causing the network device to receive a network address that is selected from a subset of addresses within a specified pool associated with suspected malicious network users; and
  
  means for configuring one or more security restrictions with respect to the selected network address.

20. An apparatus, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  determining a user identifier associated with a network device that has caused a security event in a network;
  
  causing the network device to receive a network address that is selected from a subset of addresses within a specified pool associated with suspected malicious network users; and
  
  configuring one or more security restrictions with respect to the selected network address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Droms, Ralph, Rayes, Mark Ammar, Dini, Petre, Cheung, Michael

Granted Patent

US 7,607,021 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 61/5014   using dynamic host configur...

H04L 61/5061   Pools of addresses

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Isolation approach for network users associated with elevated risk

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

187 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Isolation approach for network users associated with elevated risk

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

187 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links