Peer based network access control
First Claim
1. A computing network comprising:
- a server configured to download logic to a non-dedicated, general purpose computing devices, the logic being configured to allow the general purpose computing device to operate as a DPEP;
a PFC configured to receive packets sent by unauthorized devices or to receive packets sent to unauthorized devices, the PFC being further configured to modify, drop or forward the received packets;
a first PVS configured to manage a security audit to determine whether a device is an unauthorized device by comparing a security policy to information about the device; and
a first DPEP and a second DPEP on the same network segment, the first DPEP and second DPEP each being general purpose computing devices and being configured to function as an APEP, and to enforce the security policy responsive to the security audit by sending an ARP message to redirect communication, between an unauthorized device and an other device, to the PFC, the first DPEP and the second DPEP each including logic configured for repeatedly determining if either of the first DPEP and second DPEP is an APEP.
1 Assignment
0 Petitions
Accused Products
Abstract
Systems and methods of securing a computing network are described. Communication from unauthorized devices is prevented by defining one or more dynamic policy enforcement points (DPEPs) on a network segment and specifying one of these DPEPs as an active policy enforcement point (APEP). The APEP prevents communication from unauthorized devices by spoofing an ARP response. If an APEP becomes unavailable, another of the one or more DPEPs is automatically selected as a new APEP. Members of the one or more DPEPs may be non-dedicated devices configured as DPEPs by the addition of security software. The number of DPEPs and APEPs can automatically scale with the number of devices on the computing network.
-
Citations
34 Claims
-
1. A computing network comprising:
-
a server configured to download logic to a non-dedicated, general purpose computing devices, the logic being configured to allow the general purpose computing device to operate as a DPEP;
a PFC configured to receive packets sent by unauthorized devices or to receive packets sent to unauthorized devices, the PFC being further configured to modify, drop or forward the received packets;
a first PVS configured to manage a security audit to determine whether a device is an unauthorized device by comparing a security policy to information about the device; and
a first DPEP and a second DPEP on the same network segment, the first DPEP and second DPEP each being general purpose computing devices and being configured to function as an APEP, and to enforce the security policy responsive to the security audit by sending an ARP message to redirect communication, between an unauthorized device and an other device, to the PFC, the first DPEP and the second DPEP each including logic configured for repeatedly determining if either of the first DPEP and second DPEP is an APEP. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
-
-
27. A computing network comprising:
-
a server configured to download logic to a non-dedicated, general purpose computing devices, the logic being configured to allow the general purpose computing device to operate as a DPEP;
a plurality of PFC configured to receive packets sent by unauthorized devices or to receive packets sent to unauthorized devices, the plurality of PFC being further configured to modify, drop or forward the received packets;
a first DPEP, a second DPEP and a third DPEP on the same network segment, the first DPEP, second DPEP and third DPEP each configured to function as an APEP, and to enforce a security policy responsive to a security audit by sending an ARP message to redirect communication, between an unauthorized device and an other device, to the PFC; and
a first PVS configured to manage the security audit to determine whether a device is an unauthorized device by comparing the security policy to information about the device, the first PVS being included in either the first DPEP or the second DPEP. - View Dependent Claims (28, 29, 30)
-
-
31. A computing network comprising:
-
a server configured to download logic to a non-dedicated, general purpose computing devices, the logic being configured to allow the general purpose computing device to operate as a DPEP;
a plurality of PFC configured to receive packets sent by unauthorized devices or to receive packets sent to unauthorized devices, the plurality of PFC being further configured to modify, drop or forward the received packets; and
a PVS configured to manage a security audit to determine whether a device is an unauthorized device by comparing a security policy to information about the device;
a first DPEP and a second DPEP on the same network segment, the first DPEP and second DPEP each being general purpose computing devices and being configured to function as an APEP, and to enforce the security policy responsive to the security audit by sending an ARP message to redirect communication, between an unauthorized device and an other device, to the PFC; and
a rule server configured to provide rules to the plurality of PFC for use in determining if a packet should be modified, dropped, or forwarded. - View Dependent Claims (32, 33, 34)
-
Specification