Dynamic address assignment for access control on DHCP networks
Abstract
Systems and methods of managing security on a computer network are disclosed. The computer network includes a restricted subnet and a less-restricted subnet. Access to the restricted subnet is controlled by a network filter, optionally inserted as a software shim on a DHCP server. In some embodiments, the network filter is configured to manipulate relay IP addresses to control whether the DHCP server provides, in a DHCPOFFER packet, an IP address that can be used to access the restricted subset. In some embodiments, configuration information is communicated between the DHCP server and the network filter via DHCPOFFER packets.
29 Claims
1. A protected network comprising:
a less-restricted subset of the protected network;
a restricted subset of the protected network;
a gatekeeper included in the restricted subnet and configured to perform assessments;
a DHCP server configured to provide an IP address that may be used by an endpoint to access the less-restricted subset or restricted subset, the IP address being associated with a restricted subnet or a less-restricted subnet, provision of the IP address being responsive to an assessment of the endpoint performed by the gatekeeper, the DHCP server including computing instructions configured to determine the provided IP address responsive to a DHCPDISCOVER packet received from the endpoint;
a network filter logically disposed between the computing instructions within the DHCP server and an Input/Output of the DHCP server, and being further configured to modify the DHCPDISCOVER packet prior to receipt by the computing instructions, the modification being responsive to whether the endpoint requesting the IP address has passed the assessment; and
a router with an access control list configured to limit access to the restricted subset responsive to the provided IP address.
(Dependent claims: 2, 3, 4, 5)
6. A DHCP server comprising:
an IP address table including a scope associated with a restricted subnet and a scope associated with a less-restricted subnet;
a network filter configured to modify an incoming DHCPDISCOVER packet from an endpoint to control whether the DHCP server will provide a DHCPOFFER packet including an IP address within the scope associated with the restricted subnet or an IP address within the scope associated with the less-restricted subnet, responsive to whether the endpoint has passed an assessment;
an input configured to receive data from a gatekeeper configured to perform the assessment, the data including an address of a device having satisfied the assessment; and
computing instructions configured to generate the DHCPOFFER packet using the modified incoming DHCPDISCOVER packet, responsive to the modification of the incoming DHCPDISCOVER packet made by the network filter.
(Dependent claims: 7, 8, 9)
10. A network filter configured to modify a relay IP address within a DHCPDISCOVER packet responsive to whether a sender of the DHCPDISCOVER packet has passed a security assessment, the relay IP address being modified to control access to a restricted subset of a protected network.
16. A network filter configured to modify a received DHCPDISCOVER packet, the modification being responsive to whether a sender of the DHCPDISCOVER packet has passed a security assessment, the modification further being responsive to configuration information received from a DHCP server in a DHCPOFFER packet.
19. A method of controlling access to a protected network, the method comprising:
receiving a DHCPDISCOVER packet at an input of a DHCP server via a router from an endpoint having an address, the router including an access control list characterizing a restricted subnet and a less-restricted subnet of the protected network;
determining if the address within the DHCPDISCOVER packet received at the input is included in a list of addresses qualified to access the restricted subnet of the protected network;
altering the DHCPDISCOVER packet received at the input responsive to whether the address is included in the list of addresses qualified to access the restricted subnet;
passing the altered DHCPDISCOVER packet to computing instructions included in the DHCP server, the computing instructions configured to generate a DHCPOFFER packet;
generating the DHCPOFFER packet responsive to the alteration of the DHCPDISCOVER packet, the DHCPOFFER packet including an IP address associated with the restricted subnet if the address is included in the list of addresses qualified to access the restricted subset, the DHCPOFFER packet including an IP address associated with the less-restricted subnet if the address is not in the list of addresses qualified to access the restricted subset, the IP address associated with the restricted subnet having access to the restricted subset responsive to the access control list.
(Dependent claims: 20, 21)
22. A method of controlling access to a protected network, the method comprising:
receiving a first DHCPDISCOVER packet at a network filter from an endpoint having an address, the first DHCPDISCOVER packet including a first relay IP address;
determining if the address of the endpoint is included in a list of addresses qualified to access a restricted subnet of the protected network;
altering the received first DHCPDISCOVER packet by replacing a first relay IP address with a second relay IP address if the address is qualified to access the restricted subset; and
passing the altered first DHCPDISCOVER packet to computing instructions of a DHCP server such that the DHCP server will respond to the DHCPDISCOVER packet including the second relay IP address with an IP address that will allow access to the restricted subset responsive to an access control list, the IP address being within a scope associated with a restricted subnet.
(Dependent claims: 23, 24)
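The relay-address rewriting of claims 19 and 22, with the filter sitting between the server's input and its allocation logic as in claim 1, modelled as a runnable Python example. This is an added illustration, not code from the patent or its assignee: the packet layout follows the standard BOOTP/DHCP header, but the subnets, relay addresses, MAC addresses and the in-memory qualified list are constructed for the demo, and the gatekeeper's assessment is represented only by that list.

```python
"""Toy model of the DHCP network-filter shim from the claims (added example).

Models three pieces: a minimal DHCPDISCOVER/DHCPOFFER codec, a filter that
rewrites the relay IP (giaddr) according to whether the endpoint is on the
qualified list, and a DHCP server whose unmodified allocation logic picks
the scope purely from giaddr. All addresses below are constructed.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of the options field
DHCPDISCOVER, DHCPOFFER = 1, 2         # DHCP message type (option 53) values
GIADDR_OFFSET = 24                     # byte offset of the relay IP in the header
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed BOOTP header

# Constructed topology: the relay IP carried in giaddr tells the server
# which scope to allocate from (claims 6, 10 and 22).
RESTRICTED_RELAY = "10.1.0.1"
LESS_RESTRICTED_RELAY = "10.2.0.1"
SCOPES = {
    RESTRICTED_RELAY: ipaddress.ip_network("10.1.0.0/24"),
    LESS_RESTRICTED_RELAY: ipaddress.ip_network("10.2.0.0/24"),
}


def build_packet(op, xid, chaddr, giaddr, yiaddr="0.0.0.0", msg_type=DHCPDISCOVER):
    """Serialise a minimal BOOTP/DHCP packet carrying only a message-type option."""
    header = struct.pack(
        HEADER_FMT, op, 1, 6, 0, xid, 0, 0,
        b"\0" * 4, ipaddress.ip_address(yiaddr).packed, b"\0" * 4,
        ipaddress.ip_address(giaddr).packed,
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_packet(raw):
    """Decode the fields the filter and the server need."""
    f = struct.unpack(HEADER_FMT, raw[:236])
    options, i = {}, 240                # options start after header + cookie
    while i < len(raw) and raw[i] != 255:
        code, length = raw[i], raw[i + 1]
        options[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": f[0], "xid": f[4],
        "yiaddr": str(ipaddress.ip_address(f[8])),
        "giaddr": str(ipaddress.ip_address(f[10])),
        "chaddr": f[11][:f[2]],         # hardware address trimmed to hlen
        "msg_type": options.get(53, b"\0")[0],
    }


class NetworkFilter:
    """Shim between the server's I/O and its allocation logic (claim 1).

    `qualified_macs` stands in for the list of addresses the gatekeeper
    reports as having passed its assessment (hypothetical keying on MAC).
    """

    def __init__(self, qualified_macs):
        self.qualified = {bytes.fromhex(m.replace(":", "")) for m in qualified_macs}

    def filter_discover(self, raw):
        pkt = parse_packet(raw)
        if pkt["msg_type"] != DHCPDISCOVER:
            return raw                  # only DISCOVER packets are rewritten
        relay = RESTRICTED_RELAY if pkt["chaddr"] in self.qualified else LESS_RESTRICTED_RELAY
        # Replace the first relay IP with the scope-selecting one (claim 22);
        # an unqualified endpoint is demoted even if it arrived via the restricted relay.
        packed = ipaddress.ip_address(relay).packed
        return raw[:GIADDR_OFFSET] + packed + raw[GIADDR_OFFSET + 4:]


class DhcpServer:
    """Allocation logic that knows nothing about assessments: scope comes from giaddr."""

    def __init__(self, network_filter):
        self.filter = network_filter
        self.free = {relay: iter(net.hosts()) for relay, net in SCOPES.items()}
        for pool in self.free.values():
            next(pool)                  # .1 of each scope is the relay itself

    def handle(self, raw):
        pkt = parse_packet(self.filter.filter_discover(raw))
        pool = self.free.get(pkt["giaddr"])
        if pool is None:                # unknown relay: no scope, so no offer
            return None
        return build_packet(2, pkt["xid"], pkt["chaddr"], pkt["giaddr"],
                            str(next(pool)), DHCPOFFER)


def offered_address(server, mac):
    """Send one DISCOVER for `mac` via the less-restricted relay; return the offered IP."""
    discover = build_packet(1, 0x1234, bytes.fromhex(mac.replace(":", "")),
                            LESS_RESTRICTED_RELAY)
    offer = server.handle(discover)
    return None if offer is None else parse_packet(offer)["yiaddr"]


if __name__ == "__main__":
    srv = DhcpServer(NetworkFilter(["aa:bb:cc:00:00:01"]))   # constructed values
    print(offered_address(srv, "aa:bb:cc:00:00:01"))       # restricted scope
    print(offered_address(srv, "aa:bb:cc:00:00:02"))       # less-restricted scope
```

The server's allocation code is deliberately untouched; the only place the assessment result enters is the four rewritten giaddr bytes, which is what lets the filter be deployed as a shim on an existing DHCP server as the abstract describes. Note that the offer by itself does not confine the endpoint: claim 1's router ACL, keyed on the scope the address came from, is the component that actually restricts traffic, so the filter's qualified list and the ACL must be kept in step.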
25. A method of communicating configuration information to a network filter, the method comprising:
receiving a first DHCPDISCOVER packet at the network filter via a router from an endpoint;
inserting a request for configuration information in the DHCPDISCOVER packet;
receiving a first DHCPOFFER packet at the network filter responsive to the first DHCPDISCOVER packet, the DHCPOFFER packet including configuration information relating to a less-restricted IP address scope;
storing an address of the endpoint in a location accessible to the network filter, in association with the configuration information; and
dropping the first DHCPOFFER packet.
(Dependent claims: 26, 27, 28, 29)