Dynamic address assignment for access control on DHCP networks

US 20070061458A1
Filed: 09/14/2005
Published: 03/15/2007
Est. Priority Date: 09/14/2005
Status: Active Grant

First Claim

Patent Images

1. A protected network comprising:

a less-restricted subset of the protected network;

a restricted subset of the protected network;

a gatekeeper included in the restricted subnet and configured to perform assessments;

a DHCP server configured to provide an IP address that may be used by an endpoint to access the less-restricted subset or restricted subset, the IP address being associated with a restricted subnet or a less-restricted subnet, provision of the IP address being responsive to an assessment of the endpoint performed by the gatekeeper, the DHCP server including computing instructions configured to determine the provided IP address responsive to a DHCPDISCOVER packet received from the endpoint;

a network filter logically disposed between the computing instructions within the DHCP server and an Input/Output of the DHCP server, and being further configured to modify the DHCPDISCOVER packet prior to receipt by the computing instructions, the modification being responsive to whether the endpoint requesting the IP address has passed the assessment; and

a router with an access control list configured to limit access to the restricted subset responsive to the provide IP address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of managing security on a computer network are disclosed. The computer network includes a restricted subnet and a less-restricted subnet. Access to the restricted subnet is controlled by a network filter, optionally inserted as a software shim on a DHCP server. In some embodiments, the network filter is configured to manipulate relay IP addresses to control whether the DHCP server provides, in a DHCPOFFER packet, an IP address that can be used to access the restricted subset. In some embodiments, configuration information is communicated between the DHCP server and the network filter via DHCPOFFER packets.

Citations

29 Claims

1. A protected network comprising:
- a less-restricted subset of the protected network;
  
  a restricted subset of the protected network;
  
  a gatekeeper included in the restricted subnet and configured to perform assessments;
  
  a DHCP server configured to provide an IP address that may be used by an endpoint to access the less-restricted subset or restricted subset, the IP address being associated with a restricted subnet or a less-restricted subnet, provision of the IP address being responsive to an assessment of the endpoint performed by the gatekeeper, the DHCP server including computing instructions configured to determine the provided IP address responsive to a DHCPDISCOVER packet received from the endpoint;
  
  a network filter logically disposed between the computing instructions within the DHCP server and an Input/Output of the DHCP server, and being further configured to modify the DHCPDISCOVER packet prior to receipt by the computing instructions, the modification being responsive to whether the endpoint requesting the IP address has passed the assessment; and
  
  a router with an access control list configured to limit access to the restricted subset responsive to the provide IP address.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The protected network of claim 1, wherein the network filter is configured to modify a Relay IP address within the DHCPDISCOVER packet responsive to whether the endpoint requesting the IP address has passed the assessment.
  - 3. The protected network of claim 1, wherein the network filter is further configured to modify a DHCP offer packet for delivery from the DHCP server to the endpoint.
  - 4. The protected network of claim 1, wherein the network filter is configured to modify a DHCP option parameter within the DHCPDISCOVER packet responsive to whether the endpoint requesting the IP address has passed the assessment.
  - 5. The protected network of claim 1, wherein the network filter is a software shim.

6. A DHCP Server comprising:
- an IP address table including a scope associated with a restricted subnet and a scope associated with a less-restricted subnet;
  
  a network filter configured to modify an incoming DHCPDISCOVER packet from an endpoint to control whether the DHCP server will provide a DHCPOFFER packet including an IP address within the scope associated with the restricted subnet or an IP address within the scope associated with the less-restricted subnet, responsive to whether the endpoint has passed a assessment;
  
  an input configured to receive data from a gatekeeper configured to perform the assessment, the data including an address of a device having satisfied the assessment; and
  
  computing instructions configured to generate the DHCPOFFER packet using the modified incoming DHCPDISCOVER packet, responsive to the modification of the incoming DHCPDISCOVER packet made by the network filter.
- View Dependent Claims (7, 8, 9)
- - 7. The DHCP Server of claim 6, wherein the modification includes setting a DHCP option parameter.
  - 8. The DHCP Server of claim 6, wherein the modification includes manipulating a relay IP address of the DHCPDISCOVER packet.
  - 9. The DHCP Server of claim 6, wherein the address of a device is a MAC address.

10. A network filter configured to modify a relay IP address within a DHCPDISCOVER packet responsive to whether a sender of the DHCPDISCOVER packet has passes a security assessment, the relay IP address being modified to control access to a restricted subset of a protected network.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The network filter of claim 10, wherein the network filter is further configured to modify the relay IP address in a DHCPOFFER packet such that the DHCPOFFER packet is delivered to the sender of the DHCPDISCOVER packet.
  - 12. The network filter of claim 10, wherein the network filter is included in a DHCP server.
  - 13. The network filter of claim 10, wherein the network filter is configured to receive configuration information from a DHCP server via a DHCPOFFER packet, and to use the received configuration information to modify the relay IP address.
  - 14. The network filter of claim 10, further including a gatekeeper configured to perform the security assessment, a protected network including a restricted subset and a less-restricted subset, or a router configured to restrict access to the restricted subset based in an IP address included in the DHCPOFFER packet.
  - 15. The network filter of claim 10, further including a DHCP server configured to generate the DHCPOFFER packet including the IP address, the IP address being selected from a restricted scope or a less-restricted scope in response to the modified relay IP address.

16. A network filter configured to modify a received DHCPDISCOVER packet, the modification being responsive to whether a sender of the DHCPDISCOVER packet has passed a security assessment, the modification further being responsive to configuration information received from a DHCP server in a DHCPOFFER packet.
- View Dependent Claims (17, 18)
- - 17. The network filter of claim 16, wherein the network filter is further configured to drop the DHCPOFFER packet including the configuration information.
  - 18. The network filter of claim 16, wherein the modification of the DHCPDISCOVER packet includes modification of a reply IP address, the modified reply IP address configured to cause the DHCP server to provide an IP address within a restricted scope if the sender of the DHCPDISCOVER packet has passed the security assessment.

19. A method of controlling access to a protected network, the method comprising:
- receiving a DHCPDISCOVER packet at an input of a DHCP server via a router from an endpoint having an address, the router including an access control list characterizing a restricted subnet and a less-restricted subnet of the protected network;
  
  determining if the address within the DHCPDISCOVER packet received at the input is included in a list of addresses qualified to access the restricted subnet of the protected network;
  
  altering the DHCPDISCOVER packet received at the input responsive to whether the address is included in the list of addresses qualified to access the restricted subnet;
  
  passing the altered DHCPDISCOVER packet to computing instructions included in the DHCP server, the computing instructions configured to generate a DHCPOFFER packet;
  
  generating the DHCPOFFER packet responsive to the alteration of the DHCPDISCOVER packet, the DHCPOFFER packet including an IP address associated with the restricted subnet if the address is included in the list of addresses qualified to access the restricted subset, the DHCPOFFER packet including an IP address associated with the less-restricted subnet if the address is not in the list of addresses qualified to access the restricted subset, the IP address associated with the restricted subnet having access to the restricted subset responsive to the access control list.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19, further including adding the address to the list of addresses qualified to access the restricted subnet responsive to an assessment performed using a gatekeeper, the gatekeeper being a member of the less-restricted subnet.
  - 21. The method of claim 19, wherein the address is a MAC address.

22. A method of controlling access to a protected network, the method comprising:
- receiving a first DHCPDISCOVER packet at a network filter from an endpoint having an address, the first DHCPDISCOVER packet including a first relay IP address;
  
  determining if the address of the endpoint is included in a list of addresses qualified to access a restricted subnet of the protected network;
  
  altering the received first DHCPDISCOVER packet by replacing a first relay IP address with a second relay IP address if the address is qualified to access the restricted subset; and
  
  passing the altered first DHCP DISCOVER packet to computing instructions of a DHCP server such that the DHCP server will respond to the DHCPDISCOVER packet including the second relay IP address with an IP address that will allow access to the restricted subset responsive to an access control list, the IP address being within a scope associated with a restricted subnet.
- View Dependent Claims (23, 24)
- - 23. The method of claim 22, further including receiving a second DHCPDISCOVER packet at the network filter from the endpoint, the second DHCPDISCOVER packet being received prior to receiving the first DHCPDISCOVER packet;
    - receiving a DHCPOFFER packet at the network filter responsive to the second DHCPDISCOVER packet, the DHCPOFFER packet including configuration information regarding an IP address associated with a less-restricted scope;
      
      storing the address of the endpoint in association with the configuration information in allocation accessible to the network filter; and
      
      dropping the second DHCPOFFER packet.
  - 24. The method of claim 22, further including receiving a DHCPOFFER packet in response to the first DHCPDISCOVER packet;
    - and replacing an instance of the second relay IP address in the received DHCPOFFER packet with an instance of the first relay IP address.

25. A method of communicating configuration information to a network filter, the method comprising:
- receiving a first DHCPDISCOVER packet at the network filter via a router from an endpoint;
  
  inserting a request for configuration information in the DHCPDISCOVER packet;
  
  receiving a first DHCPOFFER packet at the network filter responsive to the first DHCPDISCOVER packet, the DHCPOFFER packet including configuration information relating to a less-restricted IP address scope;
  
  storing the an address of the endpoint in a location accessible to the network filter, in association with the configuration information; and
  
  dropping the first DHCPOFFER packet.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The method of claim 25, wherein inserting a request for configuration information in the DHCPDISCOVER packet includes setting a DHCP option.
  - 27. The method of claim 25, further including storing a first relay IP address included in the first DHCPDISCOVER packet in a location accessible to the network filter, in association with the address of the endpoint.
  - 28. The method of claim 25, wherein the configuration information includes a second relay IP address associated with the less-restricted scope.
  - 29. The method of claim 28, further including:
    - performing a security assessment of the endpoint;
      
      adding an address of the endpoint to a list of addresses of devices qualified to access the restricted subset if the security assessment determines that the endpoints meets the requirements of a security policy;
      
      receiving a second DHCPDISCOVER packet at the network filter from the endpoint;
      
      determining if the address of the endpoint is included in the list of addresses of devices qualified to access the restricted subset of the protected network;
      
      altering the received second DHCPDISCOVER packet to include the second relay IP address associated with the less-restricted scope if the address of the endpoint is not included in the list of addresses; and
      
      passing the second DHCPDISCOVER packet to computing instructions of a DHCP server such that the DHCP server will respond to the DHCPDISCOVER packet with a second DHCPOFFER packet including an IP address within the scope of the restricted subnet or an IP address within the scope of the less-restricted subnet depending on whether the DHCPDISCOVER packet includes the first relay IP address or the second relay IP address, respectively.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InfoExpress, Inc.
Original Assignee
InfoExpress, Inc.
Inventors
Lum, Stacey

Granted Patent

US 7,590,733 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

H04L 61/5014   using dynamic host configur...

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

Dynamic address assignment for access control on DHCP networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic address assignment for access control on DHCP networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links