Method and apparatus for network security based on device security status

US 20050246767A1
Filed: 04/26/2004
Published: 11/03/2005
Est. Priority Date: 04/26/2004
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access of a device to a network, comprising:

evaluating a security update status of said device; and

selecting one or more of a plurality of policies to apply to said device based on said security update status.

View all claims

24 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus are provided for network security based on a security status of a device. A security update status of a device is evaluated; and one or more of a plurality of security policies are selected to apply to the device based on the security update status. The available security philosophies may include, for example, a “protect the good” philosophy, an “encourage the busy” philosophy and a “shut off the non-compliant” philosophy. The security update status can evaluate, for example, a version level of one or more security features installed on the device or can be based on a flag indicating whether the device satisfies predefined criteria for maintaining one or more computer security protection features up-to-date.

Citations

44 Claims

1. A method for controlling access of a device to a network, comprising:
- evaluating a security update status of said device; and
  
  selecting one or more of a plurality of policies to apply to said device based on said security update status.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, wherein said evaluating step further comprises the step of determining if said device has a version of a virus scan application that satisfies a security policy.
  - 3. The method of claim 1, further comprising the step of obtaining security status information from said device.
  - 4. The method of claim 1, further comprising the step of obtaining a notification from said device that said device has connected to said network.
  - 5. The method of claim 1, further comprising the step of obtaining a notification from another network device that said device has connected to said network.
  - 6. The method of claim 1, wherein a client-side security function initially limits said device to communicate only with one or more authentication servers.
  - 7. The method of claim 1, wherein a network device initially limits said device to communicate only with one or more authentication servers.
  - 8. The method of claim 1, further comprising the step of denying access to said device until said device is authenticated.
  - 9. The method of claim 1, further comprising the step of allowing a device satisfying predefined criteria for maintaining computer security protection features up-to-date to communicate only with one or more update servers if said security update status of said device does not satisfy a security policy.
  - 10. The method of claim 9, wherein a client-side security function initially limits said device to communicate only with one or more authentication servers.
  - 11. The method of claim 10, wherein said client-side security function allows said device to communicate with said one or more update servers if said security update status of said device does not satisfy a security policy.
  - 12. The method of claim 10, wherein said client-side security function protects said device from malware prior to updating said security update status.
  - 13. The method of claim 1, further comprising the step of limiting access to one or more network services for a device that does not satisfy predefined criteria for maintaining one or more computer security protection features up-to-date.
  - 14. The method of claim 13, wherein said device can access said one or more network services once said security update status of said device satisfies said security policy.
  - 15. The method of claim 13, wherein a network device limits access of said device to said one or more network services.
  - 16. The method of claim 13, further comprising the step of broadcasting a message to each authorized user of at least one of said one or more network services.
  - 17. The method of claim 13, further comprising the step of broadcasting a message to each device connected to at least one of said one or more network services.
  - 18. The method of claim 1, further comprising the step of denying access to said network if said device does not satisfy predefined criteria for maintaining one or more computer security protection features up-to-date.
  - 19. The method of claim 18, wherein said device can access said network once said security update status of said device satisfies said security policy.
  - 20. The method of claim 18, wherein a network device denies access of said device to said network.
  - 21. The method of claim 1, wherein said security update status is a flag indicating whether said device satisfies predefined criteria for maintaining one or more computer security protection features up-to-date.
  - 22. The method of claim 1, wherein said security update status evaluates a version level of one or more security features installed on said device.
  - 23. The method of claim 1, wherein a plurality of said devices perform said method for controlling access and notify other peer devices in a same network zone if a device is denied access to said network.

24. A method for controlling access of a device to a network, comprising:
- ensuring that said device communicates only with one or more specified servers; and
  
  allowing said device to communicate with other devices over said network once said authentication server determines that a security update status of said device satisfies a security policy.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The method of claim 24, wherein said one or more specified servers include one or more authentication servers.
  - 26. The method of claim 24, wherein said one or more specified servers include one or more update servers.
  - 27. The method of claim 24, further comprising the step of allowing said device to communicate with one or more update servers if said security update status of said device does not satisfy said security policy.
  - 28. The method of claim 24, wherein said ensuring step protects said device from malware prior to said determination that said security update status satisfies said security policy.
  - 29. The method of claim 25, wherein said one or more authentication servers determines if said device has a version of a virus scan application that satisfies said security policy.
  - 30. The method of claim 25, further comprising the step of providing security status information to said one or more authentication servers.

31. A method for controlling access of a device to a network, comprising:
- evaluating a security update status of said device; and
  
  preventing said device from accessing one or more network services if said device does not satisfy predefined criteria for maintaining one or more computer security protection features up-to-date.
- View Dependent Claims (32, 33, 34)
- - 32. The method of claim 31, wherein said device can access said one or more network services once a security update status of said device satisfies a security policy.
  - 33. The method of claim 31, further comprising the step of broadcasting a message to each authorized user of at least one of said one or more network services.
  - 34. The method of claim 31, further comprising the step of broadcasting a message to each device connected to at least one of said one or more network services.

35. A method for controlling access of a device to a network, comprising:
- evaluating a security update status of said device; and
  
  preventing said device from accessing said network if said security update status does not satisfy predefined security criteria.
- View Dependent Claims (36, 37)
- - 36. The method of claim 35, further comprising the step of denying access to said network if said device does not satisfy predefined criteria for maintaining one or more computer security protection features up-to-date.
  - 37. The method of claim 35, wherein said device is allowed to access said network once said security update status of said device satisfies said security policy.

38. A communication method, comprising:
- controlling access to one or more network services based on a list of authorized users of said one or more network services; and
  
  broadcasting a message based on said list of authorized users.
- View Dependent Claims (39, 40)
- - 39. The method of claim 38, wherein said step of broadcasting a message further comprises the step of broadcasting a message to each authorized user.
  - 40. The method of claim 38, wherein said step of broadcasting a message further comprises the step of broadcasting a message to each device connected to at least one of said one or more network services.

41. An apparatus for controlling access of a device to a network, comprising:
- a memory; and
  
  at least one processor, coupled to the memory, operative to;
  
  evaluate a security update status of said device; and
  
  select one or more of a plurality of policies to apply to said device based on said security update status.

42. An apparatus for controlling access of a device to a network, comprising:
- a memory; and
  
  at least one processor, coupled to the memory, operative to;
  
  ensure that said device communicates only with one or more specified servers; and
  
  allow said device to communicate with other devices over said network once said authentication server determines that a security update status of said device satisfies a security policy.

43. An apparatus for controlling access of a device to a network, comprising:
- a memory; and
  
  at least one processor, coupled to the memory, operative to;
  
  evaluate a security update status of said device; and
  
  prevent said device from accessing one or more network services if said device does not satisfy predefined criteria for maintaining one or more computer security protection features up-to-date.

44. An apparatus for controlling access of a device to a network, comprising:
- a memory; and
  
  at least one processor, coupled to the memory, operative to;
  
  evaluate a security update status of said device; and
  
  prevent said device from accessing said network if said security update status does not satisfy predefined security criteria.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Kappes, Martin, Fazal, Lookman Y., Krishnakumar, Anjur S., Krishnan, P.

Granted Patent

US 8,230,480 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/065   for group communications cr...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

Method and apparatus for network security based on device security status

First Claim

24 Assignments

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for network security based on device security status

First Claim

24 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links