Auto-triage of potentially vulnerable network machines
1 Assignment
0 Petitions
Abstract
Method, apparatus, and system for isolating potentially vulnerable nodes of a network. In one embodiment a network is partitioned into subnets of varying levels of security. A client device may be assigned a network access assignment through one of the subnets based on a level of vulnerability assessed for the client device. The level of vulnerability may be determined based on compliance of the client device with available upgrades and/or patches.
41 Claims
1. A method for managing a network, comprising:
partitioning a network into a low-risk subnet and a remedial subnet, the remedial subnet isolated from and having greater security than the low-risk subnet, a client to be assigned to either the low-risk subnet or the remedial subnet;
requesting configuration information from a client of the network, the configuration information including a state of an operating platform of the client; and
determining based, at least in part, on a response of the client to the configuration information request to assign the client to the low-risk subnet if the client platform is determined to comply with a security policy, or otherwise to the remedial subnet, the client to direct network traffic through the assigned subnet. (Dependent claims 2 through 10 are not reproduced here.)
11. An article of manufacture comprising a machine accessible medium having content to provide instructions to result in a machine performing operations including:
partitioning a network into a low-risk subnet and a remedial subnet, the subnets having associated subnet identifiers, the remedial subnet isolated from and having greater security than the low-risk subnet, a client to be assigned to either the low-risk subnet or the remedial subnet;
requesting configuration information from a client of the network, the configuration information including a state of an operating platform of the client; and
determining based, at least in part, on a response of the client to the configuration information request to indicate to the client the identifier associated with the low-risk subnet if the client platform is determined to comply with a security policy, or otherwise to indicate the identifier of the remedial subnet, the client to direct network traffic through the subnet of the indicated identifier. (Dependent claims 12 through 15 are not reproduced here.)
16. A network manager, comprising:
a network node to determine a virtual local area network identifier (VLAN ID) to assign to an isolation subnet of a network, receive information from a network machine to indicate a configuration of the machine, and direct the machine to filter network traffic with the VLAN ID to direct traffic from the machine through the isolation subnet, if the machine fails to comply with a minimum security specification for the network, the isolation subnet to monitor packets passing through the isolation subnet for attack traffic; and
a database coupled with the network node to store the minimum security specification, the database to be queried by the network node to determine if the machine complies with the minimum security specification. (Dependent claims 17 through 20 are not reproduced here.)
21. A method for participating in a network, comprising:
determining a state of an operating platform;
sending information regarding the state to a management node of a network for verification of compliance with a minimum security specification;
receiving from the management node a network access assignment in response to the sending the information, the access assignment indicating a quarantine subnet if the state of the platform fails verification; and
transmitting and receiving network traffic through the quarantine subnet. (Dependent claims 22 through 29 are not reproduced here.)
30. An article of manufacture comprising a machine accessible medium having content to provide instructions to result in a machine performing operations including:
determining a configuration of an operating platform, including a state of updates installed on the operating platform;
sending information regarding the state to a management node of a network for verification of compliance with a minimum security specification;
receiving from the management node a network access assignment in response to the sending the information, the access assignment indicating a quarantine subnet if the state of the platform fails verification; and
transmitting and receiving network traffic through the quarantine subnet. (Dependent claims 31 through 33 are not reproduced here.)
34. A network client device, comprising:
an operating platform to execute an operating system and a user application;
a security agent coupled with the operating platform to determine a state of the operating platform and transmit the state to a security server node over a secure communication channel and receive an access assignment for one of multiple subnets in a network, the access assignment based, at least in part, on the state of the operating platform; and
a network interface coupled with the security agent having a packet filter to be configured according to the access assignment as indicated by the security agent to the network interface. (Dependent claims 35 through 38 are not reproduced here.)
39. A network system comprising:
a management node to partition a network into multiple virtual local area networks (VLANs) of differing levels of traffic security monitoring;
a security node communicatively coupled with the management node, to receive state information for a client in the network, determine a level of vulnerability of the client based, at least in part, on a compliance to a security configuration indicated in the state information, and assign the client to one of the VLANs based, at least in part, on the level of vulnerability, an increasing strictness of the level of traffic security monitoring in the VLANs corresponding to an increasing level of vulnerability of the client; and
a non-volatile memory coupled with the security node to store a vulnerability database of security configuration parameters to determine the level of vulnerability of the client. (Dependent claims 40 and 41 are not reproduced here.)
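The exchange the independent claims describe, written out end to end as an added Python example (this is not code from the patent or from any assignee's product): the client-side agent of claims 21 and 34 collects its platform state and sends it with an integrity tag; the management node of claims 1, 16 and 39 checks the state against a stored minimum security specification, converts the number of failed checks into a vulnerability level, and answers with the VLAN ID of a subnet whose monitoring gets stricter with that level; the agent then turns the assignment into a packet-filter rule. Everything concrete is an assumption for illustration: the VLAN IDs 10/20/30 and their monitoring labels, the update identifiers KB-0001 to KB-0003, the firewall and antivirus-age checks, the pre-shared-key HMAC that stands in for the secure channel of claim 34, and the rule that the number of failed checks is the vulnerability level of claim 39.

```python
import hashlib
import hmac
import json

# Minimum security specification, playing the role of the claims' database of
# security configuration parameters. All values are constructed for the example.
MINIMUM_SECURITY_SPEC = {
    "required_updates": {"KB-0001", "KB-0002", "KB-0003"},
    "firewall_enabled": True,
    "max_av_signature_age_days": 7,
}

# Subnets in order of increasing monitoring strictness (claim 39). VLAN IDs and
# monitoring labels are assumptions, not values from the patent.
VLANS = [
    {"vlan_id": 10, "name": "low-risk", "monitoring": "flow-logging"},
    {"vlan_id": 20, "name": "remedial", "monitoring": "inline-ids"},
    {"vlan_id": 30, "name": "quarantine", "monitoring": "patch-server-only"},
]

# Pre-shared key standing in for the secure channel between agent and server.
AGENT_KEY = b"example-preshared-key"


def canonical(obj):
    """Deterministic serialization so both sides MAC the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_report(state, key=AGENT_KEY):
    """Client side: package the platform state with an HMAC so the server can
    detect a report altered in transit."""
    tag = hmac.new(key, canonical(state), hashlib.sha256).hexdigest()
    return {"state": state, "mac": tag}


def verify_report(report, key=AGENT_KEY):
    """Server side: recompute the HMAC over the received state."""
    expected = hmac.new(key, canonical(report["state"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report.get("mac", ""))


def evaluate(state, spec=MINIMUM_SECURITY_SPEC):
    """Compare the reported state with the specification; returns the list of
    failed checks, so an empty list means the platform is compliant."""
    failures = []
    missing = spec["required_updates"] - set(state.get("installed_updates", []))
    if missing:
        failures.append("missing updates: " + ", ".join(sorted(missing)))
    if spec["firewall_enabled"] and not state.get("firewall_enabled", False):
        failures.append("host firewall disabled")
    if state.get("av_signature_age_days", 10**6) > spec["max_av_signature_age_days"]:
        failures.append("stale antivirus signatures")
    return failures


def assign_vlan(failures, vlans=VLANS):
    """Map the vulnerability level (here: number of failed checks) onto the VLAN
    list: no failures gets the least monitored subnet, each further failure a
    stricter one, capped at the last entry."""
    level = min(len(failures), len(vlans) - 1)
    return vlans[level]


def assess(report, key=AGENT_KEY):
    """Management node: verify, evaluate, assign. A report whose tag does not
    verify is sent to the most restrictive subnet (fail closed), not trusted."""
    if not verify_report(report, key):
        return {"vlan_id": VLANS[-1]["vlan_id"], "reason": ["unverifiable report"]}
    failures = evaluate(report["state"])
    vlan = assign_vlan(failures)
    return {"vlan_id": vlan["vlan_id"], "monitoring": vlan["monitoring"], "reason": failures}


def configure_filter(assignment):
    """Client side: express the access assignment as packet-filter rules that tag
    egress frames with the assigned VLAN ID and accept only that VLAN inbound."""
    vid = assignment["vlan_id"]
    return [f"egress: tag 802.1Q vid={vid}", f"ingress: accept vid={vid}", "ingress: drop other"]


# Constructed sample platform states, one compliant and one out of date.
COMPLIANT_STATE = {"installed_updates": ["KB-0001", "KB-0002", "KB-0003"],
                   "firewall_enabled": True, "av_signature_age_days": 2}
OUTDATED_STATE = {"installed_updates": ["KB-0001"],
                  "firewall_enabled": False, "av_signature_age_days": 30}

if __name__ == "__main__":
    for state in (COMPLIANT_STATE, OUTDATED_STATE):
        assignment = assess(build_report(state))
        print(assignment, configure_filter(assignment))
```

Two caveats a deployment of this scheme has to face, which the claims leave to the implementer: the state is self-reported by the agent, so a host already under an attacker's control can simply report a compliant platform, and only something the host cannot forge (a measurement anchored in hardware, for instance) closes that gap; and the HMAC above proves only that the bytes were not altered, not that they are fresh, so the management node should issue a per-request nonce that the agent includes in the signed state, otherwise a captured compliant report can be replayed after the host has fallen out of compliance.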