Controlling a network connection using dual-switching

US 20070050842A1
Filed: 08/30/2005
Published: 03/01/2007
Est. Priority Date: 08/30/2005
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a host execution environment; and

a tunnel proxy coupled with the host execution environment, the tunnel proxy to provide a proxy of a policy decision point to the host execution environment, wherein the tunnel proxy includes logic to provide a security protocol client and logic to provide a security protocol server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention are generally directed to systems, methods, and apparatuses for controlling a network connection based, at least in part, on dual-switching. In an embodiment, a tunnel proxy is coupled with a host execution environment. The tunnel proxy includes logic to provide a security protocol client and logic to provide a security protocol server. In one embodiment, the tunnel proxy provides a proxy for a policy decision point to the host execution environment. Other embodiments are described and claimed.

Citations

22 Claims

1. An apparatus comprising:
- a host execution environment; and
  
  a tunnel proxy coupled with the host execution environment, the tunnel proxy to provide a proxy of a policy decision point to the host execution environment, wherein the tunnel proxy includes logic to provide a security protocol client and logic to provide a security protocol server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein the host execution environment includes at least one of:
    - a processor;
      
      a partitioned core; and
      
      a virtual machine.
  - 3. The apparatus of claim 1, wherein the tunnel proxy is part of a protected execution environment.
  - 4. The apparatus of claim 3, wherein the protected execution environment is at least one of:
    - a virtual partition;
      
      a hardware partition; and
      
      a management processor.
  - 5. The apparatus of claim 4, wherein the security protocol is the extensible authentication protocol.
  - 6. The apparatus of claim 1, wherein the tunnel proxy further comprises at least one of:
    - collection logic, the collection logic to collect integrity measurement data associated with the host; and
      
      reporting logic, the reporting logic to enable the tunnel proxy to report the integrity measurement data to a remote policy decision point.
  - 7. The apparatus of claim 1, wherein the tunnel proxy further comprises:
    - a provisioning agent, the provisioning agent including logic to provision a local policy enforcement point with an enforcement policy.
  - 8. The apparatus of claim 1, wherein the tunnel proxy further comprises:
    - a media access module, the media access module to provide physical media access to one or more physical media.
  - 9. The apparatus of claim 1, further comprising:
    - a switch to control access to a communication channel.
  - 10. The apparatus of claim 8, wherein the switch is to control access to at least one of a control channel and a data channel.

11. A method comprising:
- authenticating a tunnel proxy to a remote policy decision point, wherein the tunnel proxy is to provide a proxy for the remote decision point;
  
  receiving a network connection request from a host coupled with the tunnel proxy;
  
  determining whether to grant a network connection to the host based, at least in part, on an enforcement policy; and
  
  unblocking a data channel to allow the host to access the network, if the network connection is granted to the host.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, wherein authenticating the tunnel proxy to the remote policy decision point further comprises:
    - authenticating the tunnel proxy to the remote policy decision point based, at least in part, on a security protocol client implementation.
  - 13. The method of claim 12, wherein the security protocol client implementation is an implementation of an extensible authentication protocol client.
  - 14. The method of claim 11, wherein determining whether to grant the network connection to the host further comprises:
    - determining whether the host was previously denied access to the network; and
      
      reporting a previous unsuccessful attempt to access the network to the remote policy decision point, if the host was previously denied access to the network.
  - 15. The method of claim 11, further comprising:
    - collecting integrity measurement data from the host; and
      
      providing the collected integrity measurement data to the remote policy decision point.
  - 16. The method of claim 11, further comprising:
    - provisioning a local policy enforcement point with an enforcement policy.
  - 17. The method of claim 16, wherein provisioning the local policy enforcement point with the enforcement policy comprises:
    - provisioning the local policy enforcement point with an enforcement policy that is substantially similar to an enforcement policy that is provided to a remote policy enforcement point.

18. A system comprising:
- a processor;
  
  a volatile memory coupled with the processor to provide main memory for the processor; and
  
  a tunnel proxy coupled with the processor, the tunnel proxy to provide a proxy of a policy decision point, wherein the tunnel proxy includes logic to provide a security protocol client and logic to provide a security protocol server.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The system of claim 18, wherein the volatile memory is a dynamic random access memory (DRAM).
  - 20. The system of claim 18, wherein the tunnel proxy is part of a protected execution environment.
  - 21. The system of claim 18, further comprising:
    - a wireless transmitter and receiver.
  - 22. The system of claim 18, wherein the security protocol is the extensible authentication protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Smith, Ned, Herbert, Howard

Granted Patent

US 8,661,521 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 63/029 Firewall traversal, e.g. tu...

H04L 63/08 for authentication of entit...

Controlling a network connection using dual-switching

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling a network connection using dual-switching

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links