System and methods for providing network quarantine using IPsec
Abstract
A system and method are provided for ensuring that machines in an invalid or corrupt state are restricted from accessing host resources. A quarantine agent (QA) located on a client machine acquires statements of health from a plurality of quarantine policy clients. The QA packages the statements and provides the package to a quarantine enforcement client (QEC). The QEC sends the package to a quarantine Health Certificate Server (HCS) with a request for a health certificate. If the client provided valid statements of health, the HCS grants the client a health certificate that may be used in IPsec session negotiation.
20 Claims
1. A method for a host to provide selective network isolation in a network using IP Security Protocol (IPsec), comprising:
receiving an Internet Key Exchange (IKE) packet including a client health certificate from a client;
validating the client health certificate;
sending to the client a host health certificate if the client health certificate is valid; and
denying the client access to the host if the client health certificate is invalid.
(Dependent claims 2, 3, 4, 5, 6, 7)

8. A method for a host to acquire a health certificate, comprising:
sending at least one statement of health to a health certificate server;
receiving at least one statement of health response from the health certificate server; and
if the at least one statement of health is validated by the health certificate server, receiving a health certificate and configuring the host to implement an IPsec policy that requires a client health certificate from a client before granting the client access to the host.
(Dependent claims 9, 10, 11, 12, 13)

14. A computer network implementing a network isolation model, comprising:
a first group of computers wherein each computer possesses a health certificate and communicates only with computers that also possess a valid health certificate;
a second group of computers wherein each computer possesses a health certificate and communicates with all other computers in the network; and
a third group of computers wherein each computer does not possess a health certificate and communicates with all other computers in the network.
(Dependent claims 15, 16, 17, 18, 19, 20)
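The flow described in the abstract and in independent claims 1, 8 and 14, as an added worked example in Python; this is not code from the patent or from any product implementing it. The QA/QEC/HCS roles and the three-group model follow the text above; everything else is assumed for illustration: the health certificate is an HMAC-signed JSON body standing in for an X.509 certificate and trust chain, the HCS object doubles as the trust anchor that hosts validate against, the policy rules (firewall enabled, antivirus current, minimum patch level), the sample policy clients, and the group names `isolation`, `boundary` and `exempt` are all constructed here.

```python
"""Simulated health-certificate quarantine with IPsec-style admission control.

Roles follow the abstract: policy clients report statements of health (SoH),
the quarantine agent (QA) bundles them, the quarantine enforcement client
(QEC) submits the bundle to the Health Certificate Server (HCS), and a
passing bundle earns a certificate that is presented during IKE.  Assumed
for this example: the certificate is an HMAC-signed JSON body (a deployment
would use X.509 and a trust chain), plus the policy rules and group names.
"""
import hashlib
import hmac
import json
import time

class HealthCertificateServer:
    """HCS: checks SoH against policy and issues short-lived certificates."""
    REQUIRED = {"firewall": "enabled", "antivirus": "current"}  # assumed policy
    MIN_PATCH_LEVEL = 42                                         # assumed policy

    def __init__(self, secret, lifetime_s=3600):
        self._secret, self._lifetime = secret, lifetime_s

    def _sign(self, body):
        raw = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._secret, raw, hashlib.sha256).hexdigest()

    def issue(self, subject, soh_bundle, now=None):
        """Return a certificate if every SoH meets policy, otherwise None."""
        now = time.time() if now is None else now
        for key, expected in self.REQUIRED.items():
            if soh_bundle.get(key) != expected:
                return None
        if soh_bundle.get("patch_level", 0) < self.MIN_PATCH_LEVEL:
            return None
        body = {"subject": subject, "not_after": now + self._lifetime}
        return {"body": body, "sig": self._sign(body)}

    def validate(self, cert, now=None):
        """True only if the signature verifies and the certificate is unexpired.
        A host calling this stands in for checking against the HCS trust anchor."""
        if not isinstance(cert, dict) or "body" not in cert or "sig" not in cert:
            return False
        now = time.time() if now is None else now
        good_sig = hmac.compare_digest(self._sign(cert["body"]), cert["sig"])
        return good_sig and now < cert["body"]["not_after"]

# Constructed quarantine policy clients, each returning one statement of health.
POLICY_CLIENTS = [lambda: {"firewall": "enabled"},
                  lambda: {"antivirus": "current"},
                  lambda: {"patch_level": 57}]

def quarantine_agent(policy_clients):
    """QA: collect one statement of health from each quarantine policy client."""
    bundle = {}
    for report in policy_clients:
        bundle.update(report())
    return bundle

def quarantine_enforcement_client(hcs, subject, bundle, now=None):
    """QEC: submit the bundle to the HCS; return the certificate or None."""
    return hcs.issue(subject, bundle, now)

class Host:
    """Claims 1 and 8: obtain a certificate, then demand one from every client."""
    def __init__(self, name, hcs):
        self.name, self.hcs, self.cert = name, hcs, None
        self.require_client_cert = False  # IPsec policy not yet enforcing

    def acquire_health_certificate(self, policy_clients, now=None):
        bundle = quarantine_agent(policy_clients)
        self.cert = quarantine_enforcement_client(self.hcs, self.name, bundle, now)
        # Claim 8: once certified, switch the IPsec policy to require client certs.
        self.require_client_cert = self.cert is not None
        return self.cert

    def ike_responder(self, ike_packet, now=None):
        """Claim 1: validate the client's certificate; answer with ours or deny."""
        client_cert = ike_packet.get("health_certificate")
        if self.require_client_cert and not self.hcs.validate(client_cert, now):
            return {"status": "DENIED", "host_health_certificate": None}
        return {"status": "ACCEPTED", "host_health_certificate": self.cert}

# Claim 14: three groups. The names are assumed; the rules are the claim's.
ISOLATION, BOUNDARY, EXEMPT = "isolation", "boundary", "exempt"

def can_communicate(a, b):
    """Both ends must accept: an isolation-group computer talks only to peers
    holding a valid certificate; boundary and exempt computers accept anyone."""
    def accepts(peer, other):
        return other["cert_valid"] if peer["group"] == ISOLATION else True
    return accepts(a, b) and accepts(b, a)

if __name__ == "__main__":
    hcs = HealthCertificateServer(b"example-hcs-key")
    host = Host("host-1", hcs)
    host.acquire_health_certificate(POLICY_CLIENTS)
    cert = quarantine_enforcement_client(hcs, "client-a", quarantine_agent(POLICY_CLIENTS))
    print(host.ike_responder({"health_certificate": cert})["status"])  # ACCEPTED
    print(host.ike_responder({"health_certificate": None})["status"])  # DENIED
```

Two points the code makes that the claims leave implicit: a host only starts rejecting uncertified clients after it has itself been certified (claim 8), so a failed SoH check on the host side leaves it behaving like a boundary machine; and the third group in claim 14 "communicates with all other computers" only in the sense that it never refuses, since an isolation-group peer still refuses it, which is why `can_communicate` checks acceptance in both directions.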
Specification