Auto-triage of potentially vulnerable network machines

US 20060095961A1
Filed: 10/29/2004
Published: 05/04/2006
Est. Priority Date: 10/29/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for managing a network, comprising:

partitioning a network into a low-risk subnet and a remedial subnet, the remedial subnet isolated from and having greater security than the low-risk subnet, a client to be assigned to either the low-risk subnet or the remedial subnet;

requesting configuration information from a client of the network, the configuration information including a state of an operating platform of the client; and

determining based, at least in part, on a response of the client to the configuration information request to assign the client to the low-risk subnet if the client platform is determined to comply with a security policy, or otherwise to the remedial subnet, the client to direct network traffic through the assigned subnet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method, apparatus, and system for isolating potentially vulnerable nodes of a network. In one embodiment a network is partitioned into subnets of varying levels of security. A client device may be assigned a network access assignment through one of the subnets based on a level of vulnerability assessed for the client device. The level of vulnerability may be determined based on compliance of the client device with available upgrades and/or patches.

Citations

41 Claims

1. A method for managing a network, comprising:
- partitioning a network into a low-risk subnet and a remedial subnet, the remedial subnet isolated from and having greater security than the low-risk subnet, a client to be assigned to either the low-risk subnet or the remedial subnet;
  
  requesting configuration information from a client of the network, the configuration information including a state of an operating platform of the client; and
  
  determining based, at least in part, on a response of the client to the configuration information request to assign the client to the low-risk subnet if the client platform is determined to comply with a security policy, or otherwise to the remedial subnet, the client to direct network traffic through the assigned subnet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method according to claim 1, wherein the subnets have associated subnet identifiers, and wherein determining to assign the client to a subnet comprises assigning a subnet identifier to which the client will transmit network traffic to be routed.
  - 3. A method according to claim 2, wherein partitioning the network further comprises determining the identifiers to associate with the subnets.
  - 4. A method according to claim 2, wherein the subnet identifiers comprise virtual local area network (VLAN) identifiers (IDs), and wherein determining to assign the client to a subnet comprises assigning a VLAN tag to indicate the VLAN ID of the assigned subnet.
  - 5. A method according to claim 1, wherein the remedial subnet includes an intrusion detection system (IDS) through which network traffic from the client is directed.
  - 6. A method according to claim 1, wherein requesting the configuration information comprises requesting the configuration information as part of an authentication exchange.
  - 7. A method according to claim 1, wherein requesting the configuration information comprises requesting the configuration information for verification of the client when the client has already been authenticated and has a subnet assignment.
  - 8. A method according to claim 7, further comprising:
    - receiving the requested configuration information in response to the request;
      
      determining from the configuration information if the client complies with the security policy; and
      
      if the client is determined to have changed from complying to not complying with the security policy, or from not complying to complying with the security policy, re-assigning the client to either the remedial subnet or the low-risk subnet.
  - 9. A method according to claim 1, further comprising assigning the client to the remedial subnet if no response from the client is received to the configuration information request.
  - 10. A method according to claim 1, wherein requesting the configuration information comprises requesting the configuration information over an out-of-band communication link with the client.

11. An article of manufacture comprising a machine accessible medium having content to provide instructions to result in a machine performing operations including:
- partitioning a network into a low-risk subnet and a remedial subnet, the subnets having associated subnet identifiers, the remedial subnet isolated from and having greater security than the low-risk subnet, a client to be assigned to either the low-risk subnet or the remedial subnet;
  
  requesting configuration information from a client of the network, the configuration information including a state of an operating platform of the client; and
  
  determining based, at least in part, on a response of the client to the configuration information request to indicate to the client the identifier associated with the low-risk subnet if the client platform is determined to comply with a security policy, or otherwise to indicate the identifier of the remedial subnet, the client to direct network traffic through the subnet of the indicated identifier.
- View Dependent Claims (12, 13, 14, 15)
- - 12. An article of manufacture according to claim 11, wherein the subnet identifiers comprise virtual local area network (VLAN) identifiers (IDs), and wherein indicating to the client a subnet identifier comprises assigning to the client a VLAN tag of the indicated subnet.
  - 13. An article of manufacture according to claim 11, wherein the content to provide instructions to result in the machine partitioning the network further comprises the content to provide instructions to result in the machine monitoring traffic of the remedial subnet and not monitoring traffic of the low-risk subnet.
  - 14. An article of manufacture according to claim 11, further comprising the content to provide instructions to result in the machine performing operations including:
    - receiving the requested configuration information in response to the request;
      
      determining from the configuration information if the client complies with the security policy; and
      
      if the client is determined to have changed from complying to not complying with the security policy, or from not complying to complying with the security policy, re-assigning the client to either the remedial subnet or the low-risk subnet.
  - 15. An article of manufacture according to claim 11, wherein the content to provide instructions to result in the machine requesting the configuration information comprises the content to provide instructions to result in the machine requesting the configuration information over an out-of-band communication link with the client.

16. A network manager, comprising:
- a network node to determine a virtual local areas network identifier (VLAN ID) to assign to an isolation subnet of a network, receive information from a network machine to indicate a configuration of the machine, and direct the machine to filter network traffic with the VLAN ID to direct traffic from the machine through the isolation subnet, if the machine fails to comply with a minimum security specification for the network, the isolation subnet to monitor packets passing through the isolation subnet for attack traffic; and
  
  a database coupled with the network node to store the minimum security specification, the database to be queried by the network node to determine if the machine complies with the minimum security specification.
- View Dependent Claims (17, 18, 19, 20)
- - 17. A network manager according to claim 16, the network node further to maintain a secure out-of-band communication link with the machine.
  - 18. A network manager according to claim 16, wherein the network node comprises a subnet server to partition the network into multiple VLANs, each VLAN having an associated VLAN ID, and to provide a VLAN ID to the machine, and a security specification server to determine compliance of the machine with the minimum security specification.
  - 19. A network manager according to claim 16, the network node further to provide updates for the machine to install to bring the machine into compliance with the minimum security specification.
  - 20. A network manager according to claim 19, the network node further to direct the machine to change network access and apply a VLAN ID of a immunized-machine subnet if the machine is made to comply with the minimum security specification.

21. A method for participating in a network, comprising:
- determining a state of an operating platform;
  
  sending information regarding the state to a management node of a network for verification of compliance with a minimum security specification;
  
  receiving from the management node a network access assignment in response to the sending the information, the access assignment indicating a quarantine subnet if the state of the platform fails verification; and
  
  transmitting and receiving network traffic through the quarantine subnet.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. A method according to claim 21, wherein determining the state of the operating platform comprises determining what upgrades are installed on the platform.
  - 23. A method according to claim 21, wherein determining the state of the operating platform comprises determining what patches are installed on the platform.
  - 24. A method according to claim 23, wherein determining what patches are installed comprises determining what patches are installed on an application running on the platform.
  - 25. A method according to claim 23, wherein determining what patches are installed comprises determining what patches are installed on an operating system running on the platform.
  - 26. A method according to claim 21, wherein sending the information comprises sending the information over an out-of-band communication link.
  - 27. A method according to claim 21, further comprising:
    - receiving from the management node an access assignment indicating a default access subnet if the state of the platform passes verification;
      
      wherein sending the information regarding the state comprises sending the information as part of a periodic verification process; and
      
      wherein receiving from the management node the network access assignment indicating the quarantine subnet comprises changing the access assignment from the default access subnet to the quarantine subnet in response to a verification failure in the periodic verification process.
  - 28. A method according to claim 21, further comprising:
    - receiving from the management node an access assignment indicating a default access subnet if the state of the platform passes verification;
      
      leaving the network and accessing a different network;
      
      returning to the network and sending the information regarding the state to the management node, the information including an indication that the different network was accessed; and
      
      receiving from the management node a network access assignment indicating the quarantine subnet in response to receiving the indication that the different network was accessed.
  - 29. A method according to claim 28, further comprising:
    - modifying the state of the operating platform to comply with the minimum security specification; and
      
      receiving from the management node the access assignment indicating the default access subnet in response to complying with the minimum security specification.

30. An article of manufacture comprising a machine accessible medium having content to provide instructions to result in a machine performing operations including:
- determining a configuration of an operating platform, including a state of updates installed on the operating platform;
  
  sending information regarding the state to a management node of a network for verification of compliance with a minimum security specification;
  
  receiving from the management node a network access assignment in response to the sending the information, the access assignment indicating a quarantine subnet if the state of the platform fails verification; and
  
  transmitting and receiving network traffic through the quarantine subnet.
- View Dependent Claims (31, 32, 33)
- - 31. An article of manufacture according to claim 30, wherein the content to provide instructions to result in the machine sending the information comprises the content to provide instructions to result in the machine sending the information over an out-of-band communication link.
  - 32. An article of manufacture according to claim 30, further comprising the content to provide instructions to result in the machine performing operations including:
    - receiving from the management node an access assignment indicating a general-access subnet if the state of the platform passes verification;
      
      wherein sending the information regarding the state comprises sending the information as part of a verification interchange; and
      
      wherein receiving from the management node the network access assignment indicating the quarantine subnet comprises changing the access assignment from the default access subnet to the quarantine subnet in response to a verification failure for non-compliance to a network security policy or for accessing a different network of unknown security.
  - 33. An article of manufacture according to claim 32, further comprising the content to provide instructions to result in the machine performing operations including:
    - modifying the configuration of the operating platform to comply with the network security policy; and
      
      receiving from the management node the access assignment indicating the default access subnet in response to complying with the minimum security specification.

34. A network client device, comprising:
- an operating platform to execute an operating system and a user application;
  
  a security agent coupled with the operating platform to determine a state of the operating platform and transmit the state to a security server node over a secure communication channel and receive an access assignment for one of multiple subnets in a network, the access assignment based, at least in part, on the state of the operating platform; and
  
  a network interface coupled with the security agent having a packet filter to be configured according to the access assignment as indicated by the security agent to the network interface.
- View Dependent Claims (35, 36, 37, 38)
- - 35. A network client according to claim 34, the security agent to obtain information from the operating platform to determine compliance of the operating platform to a minimum security specification.
  - 36. A network client according to claim 34, wherein the packet filter comprises a configurable register on a network access circuit.
  - 37. A network client according to claim 34, wherein the security agent comprises a microcontroller circuit on the client device.
  - 38. A network client according to claim 34, wherein the access assignment comprises an assignment to a high-security remedial virtual local area network (VLAN), the high security including packet monitoring by an intrusion detection system (IDS).

39. A network system comprising:
- a management node to partition a network into multiple virtual local area networks (VLANs) of differing levels of traffic security monitoring;
  
  a security node communicatively coupled with the management node, to receive state information for a client in the network, determine a level of vulnerability of the client based, at least in part, on a compliance to a security configuration indicated in the state information, and assign the client to one of the VLANs based, at least in part, on the level of vulnerability, an increasing strictness of the level of traffic security monitoring in the VLANs corresponding to an increasing level of vulnerability of the client; and
  
  a non-volatile memory coupled with the security node to store a vulnerability database of security configuration parameters to determine the level of vulnerability of the client.
- View Dependent Claims (40, 41)
- - 40. A system according to claim 39, the security node and the management node to maintain an out-of-band communication link with the client.
  - 41. A system according to claim 39, the security node to assign the client to a VLAN of minimal security if the client is determined to have total compliance with the security configuration parameters of the vulnerability database, and to a VLAN of higher security if the client is determined to be non-compliant with the security configuration parameters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Durham, David M., Sahita, Ravi, Govindarajan, Priya, Yavatkar, Raj, Larson, Dylan C.

Application Number

US10/976,397
Publication Number

US 20060095961A1
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1433 Vulnerability analysis

Auto-triage of potentially vulnerable network machines

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Auto-triage of potentially vulnerable network machines

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links