Integration of policy compliance enforcement and device authentication

US 20060005254A1
Filed: 06/09/2004
Published: 01/05/2006
Est. Priority Date: 06/09/2004
Status: Active Grant

First Claim

Patent Images

1. A method for controlling network access, comprising:

receiving an access assignment at a device in an authentication sequence;

determining compliance of the device to an access policy; and

restricting network access of the device on the received assigned access with an enforcement agent on the device, based at least in part on the compliance determination.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses for integration of authentication and policy compliance enforcement. An enforcement agent may reside on a device. If an access assignment is provided to the device in conjunction with authentication, authorization to use the access granted may be restricted by the enforcement agent. In one embodiment a reduced-access assignment is made by an authenticator.

179 Citations

40 Claims

1. A method for controlling network access, comprising:
- receiving an access assignment at a device in an authentication sequence;
  
  determining compliance of the device to an access policy; and
  
  restricting network access of the device on the received assigned access with an enforcement agent on the device, based at least in part on the compliance determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, wherein receiving an access assignment comprises receiving an Internet protocol (IP) address.
  - 3. A method according to claim 1, wherein receiving an access assignment comprises receiving a wireless access channel.
  - 4. A method according to claim 1, wherein determining compliance of the device further comprises determining compliance of the device with a compliance agent on the device.
  - 5. A method according to claim 1, wherein restricting network access comprises isolating the device from other devices on a network.
  - 6. A method according to claim 1, wherein restricting access with the enforcement agent comprises restricting access with a software-based access filtering module.
  - 7. A method according to claim 1, wherein restricting access with the enforcement agent comprises restricting access with a firewall.
  - 8. A method according to claim 1, wherein restricting access with the enforcement agent based on the compliance determination comprises restricting access according to one of multiple tiers of access authorization, based at least in part upon a tier of access authorization indicated by the compliance determination.

9. An article of manufacture comprising a machine accessible medium having content to provide instructions to cause a machine to perform operations including:
- determining compliance of a device authenticated for network access to a network policy; and
  
  restricting network access of the device with an enforcement agent on the device based at least in part on the compliance determination.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. An article of manufacture according to claim 9, wherein the content to provide instructions to cause the machine to perform operations including receiving an access assignment comprises the content to provide instructions to cause the machine to perform operations including receiving an Internet protocol (IP) address.
  - 11. An article of manufacture according to claim 9, wherein the content to provide instructions to cause the machine to perform operations including receiving an access assignment comprises the content to provide instructions to cause the machine to perform operations including receiving a wireless access channel.
  - 12. An article of manufacture according to claim 9, wherein the content to provide instructions to cause the machine to perform operations including restricting access with the enforcement agent comprises the content to provide instructions to cause the machine to perform operations including restricting access with a software-based access filtering module.
  - 13. An article of manufacture according to claim 9, wherein the content to provide instructions to cause the machine to perform operations including restricting access with the enforcement agent comprises the content to provide instructions to cause the machine to perform operations including restricting access with a firewall.
  - 14. An article of manufacture according to claim 9, wherein the content to provide instructions to cause the machine to perform operations including restricting access with the enforcement agent based on the compliance determination comprises the content to provide instructions to cause the machine to perform operations including restricting access according to one of multiple tiers of access authorization, based at least in part upon a tier of access authorization indicated by the compliance determination.

15. An apparatus to enforce a network policy, comprising:
- a compliance module to be embedded on a device to determine an observance of the device of a security policy; and
  
  an enforcement module to be embedded on the device to control network access of the device based at least in part on the observance determination of the compliance module and an authentication of the device.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. An apparatus according to claim 15, wherein the enforcement module to be embedded on the device comprises the enforcement module to be embedded on a network interface card on the device.
  - 17. An apparatus according to claim 15, wherein the enforcement module to be embedded on the device comprises the enforcement module to be embedded on a hardware sub-system of a hardware platform the device.
  - 18. An apparatus according to claim 15, wherein the enforcement module to control network access further comprises the enforcement module to include a firewall to filter network incoming and outgoing network traffic associated with the device.
  - 19. An apparatus according to claim 15, wherein the enforcement module to control network access comprises the enforcement module to modify settings of a network communication layer.
  - 20. An apparatus according to claim 15, wherein the enforcement module to control network access based on the observance determination further comprises the enforcement module to apply access restrictions specified in an access control specification received from a policy server.
  - 21. An apparatus according to claim 15, wherein the enforcement module to control network access comprises the enforcement module to prevent authorization to the device to an access that would otherwise be permitted under an access assignment received for the device.
  - 22. An apparatus according to claim 21, further comprising the enforcement module to reduce an access restriction on the device to allow authorization to an access permitted under access assignment if the device increases observance of the policy subsequent to the prevented authorization.
  - 23. An apparatus according to claim 15, wherein the enforcement module to control network access based on the authentication comprises the enforcement module to enforce access restrictions on the device based at least in part on an access specified for a class of users of which the devices is determined to be a part.

24. A method for controlling network access of a device, comprising:
- authenticating a device in response to receiving attestation credentials from the device, the credentials including an indicator of a level of compliance of the device with a network access policy; and
  
  assigning an access resource to enable full access to the device if the device is fully compliant, or a remediation access resource based at least in part on the level of compliance of the device if the device is not fully compliant.
- View Dependent Claims (25, 26)
- - 25. A method according to claim 24, wherein assigning the remediation access resource further comprises providing a policy to an enforcement agent on the device.
  - 26. A method according to claim 24, further comprising maintaining a list of resources for which full access is authorized and a list of resources for which reduced access is authorized, and wherein assigning the remediation access resource comprises assigning a resource from the list for which reduced access is authorized.

27. An article of manufacture comprising a machine accessible medium having content to provide instructions to cause a machine to perform operations including:
- authenticating a device in response to receiving attestation credentials from the device, the credentials including an indicator of a level of compliance of the device with a network access policy; and
  
  assigning an access resource to enable full access to the device if the device is fully compliant, or a remediation access resource based at least in part on the level of compliance of the device if the device is not fully compliant.
- View Dependent Claims (28, 29)
- - 28. An article of manufacture according to claim 27, wherein the content to provide instructions to cause the machine to perform operations including assigning the remediation access resource further comprises the content to provide instructions to cause the machine to perform operations including providing a policy to an enforcement agent on the device.
  - 29. An article of manufacture according to claim 27, further comprising the content to provide instructions to cause the machine to perform operations including maintaining a list of resources for which full access is authorized and a list of resources for which reduced access is authorized, and wherein the content to provide instructions to cause the machine to perform operations including assigning the remediation access resource comprises the content to provide instructions to cause the machine to perform operations including assigning a resource from the list for which reduced access is authorized.

30. A network node to perform authentication, comprising:
- a processor to authenticate credentials for a device and determine from the credentials a compliance of the device to a security policy; and
  
  an access server to make a full-access assignment if the device is determined to be completely compliant to the security policy, and otherwise to make a restricted-access assignment.
- View Dependent Claims (31, 32)
- - 31. A network node according to claim 30, wherein the access server to make the restricted-access assignment further comprises the access server to provide a policy to an enforcement agent on the device.
  - 32. A network node according to claim 30, further comprising the processor to maintain a list of resources for which full access is authorized and a list of resources for which restricted access is authorized, and wherein the access server to make the restricted-access assignment comprises the access server to assign a resource from the list for which reduced access is authorized.

33. A system comprising:
- a supplicant to negotiate an access assignment with an authenticator; and
  
  an embedded policy compliance enforcement agent coupled with the supplicant to enforce rules for reducing access on the assignment negotiated by the supplicant based at least in part on a level of compliance of a device to a network security policy.
- View Dependent Claims (34, 35, 36, 37)
- - 34. A system according to claim 33, wherein the policy compliance enforcement agent to enforce the rules for reducing access further comprises the policy compliance enforcement agent to issue commands to a firewall that controls traffic on the system.
  - 35. A system according to claim 33, wherein the policy compliance enforcement agent to enforce the rules for reducing access based on the level of compliance of the device further comprises the policy compliance enforcement agent to reduce access according to a level of a tiered access rule corresponding to the level of compliance.
  - 36. A system according to claim 33, wherein the embedded policy compliance enforcement agent comprises a module embedded on a network interface sub-system.
  - 37. A system according to claim 33, wherein the embedded policy compliance enforcement agent comprises a module embedded on a chipset of a hardware platform of the system.

38. A system comprising:
- an embedded circuit on a device having a policy application module to apply an access restriction for network access by the device, if the device is less than completely compliant with an access policy; and
  
  a persistent storage device coupled with the embedded circuit to store an access rule, the access rule to include a restriction to correspond to the compliance of the device with the access policy.
- View Dependent Claims (39, 40)
- - 39. A system according to claim 38, wherein the policy application module to apply the access restriction comprises the policy application module to perform on-device firewall operations to apply the access restriction.
  - 40. A system according to claim 38, wherein the policy application module to apply the access restriction comprises the policy application module to isolate the device from access to other points on the network if the device is not compliance with the access policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Ross, Alan D.

Granted Patent

US 7,526,792 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/27
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/08 for authentication of entit...

Integration of policy compliance enforcement and device authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

179 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Integration of policy compliance enforcement and device authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

179 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links