Peer based network access control

US 20070192858A1
Filed: 02/16/2006
Published: 08/16/2007
Est. Priority Date: 02/16/2006
Status: Abandoned Application

First Claim

Patent Images

1. A computing network comprising:

a server configured to download logic to a non-dedicated, general purpose computing devices, the logic being configured to allow the general purpose computing device to operate as a DPEP;

a PFC configured to receive packets sent by unauthorized devices or to receive packets sent to unauthorized devices, the PFC being further configured to modify, drop or forward the received packets;

a first PVS configured to manage a security audit to determine whether a device is an unauthorized device by comparing a security policy to information about the device; and

a first DPEP and a second DPEP on the same network segment, the first DPEP and second DPEP each being general purpose computing devices and being configured to function as an APEP, and to enforce the security policy responsive to the security audit by sending an ARP message to redirect communication, between an unauthorized device and an other device, to the PFC, the first DPEP and the second DPEP each including logic configured for repeatedly determining if either of the first DPEP and second DPEP is an APEP.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of securing a computing network are described. Communication from unauthorized devices is prevented by defining one or more dynamic policy enforcement points (DPEPs) on a network segment and specifying one of these DPEPs as an active policy enforcement point (APEP). The APEP prevents communication from unauthorized devices by spoofing an ARP response. If an APEP becomes unavailable, another of the one or more DPEPs is automatically selected as a new APEP. Members of the one or more DPEPs may be non-dedicated devices configured as DPEPs by the addition of security software. The number of DPEPs and APEPs can automatically scale with the number of devices on the computing network.

Citations

34 Claims

1. A computing network comprising:
- a server configured to download logic to a non-dedicated, general purpose computing devices, the logic being configured to allow the general purpose computing device to operate as a DPEP;
  
  a PFC configured to receive packets sent by unauthorized devices or to receive packets sent to unauthorized devices, the PFC being further configured to modify, drop or forward the received packets;
  
  a first PVS configured to manage a security audit to determine whether a device is an unauthorized device by comparing a security policy to information about the device; and
  
  a first DPEP and a second DPEP on the same network segment, the first DPEP and second DPEP each being general purpose computing devices and being configured to function as an APEP, and to enforce the security policy responsive to the security audit by sending an ARP message to redirect communication, between an unauthorized device and an other device, to the PFC, the first DPEP and the second DPEP each including logic configured for repeatedly determining if either of the first DPEP and second DPEP is an APEP.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The computing network of claim 1, wherein the first PVS is not included in the first DPEP or the second DPEP.
  - 3. The computing network of claim 1, further including a second PFC configured to receive packets sent by unauthorized devices or to receive packets sent to unauthorized devices.
  - 4. The computing network of claim 1, wherein the PFC is included in the DPEP.
  - 5. The computing network of claim 1, further including a rule server configured to provide rules to the first PVS, the rules being for use in determining if a packet will be modified, dropped, or forwarded.
  - 6. The computing network of claim 5, wherein the first PVS is included in the DPEP.
  - 7. The computing network of claim 1, wherein the PFC is not included in the APEP.
  - 8. The computing network of claim 1, wherein the first PVS is further configured to configure a device on the computing network as a DPEP by downloading and installing software to the device.
  - 9. The computing network of claim 1, wherein the PFC is configured to redirect network requests to a software download site, the software download site including software configured to configure the device as a DPEP or to enable the device to participate in a security audit.
  - 10. The computing network of claim 1, wherein a number of DPEPs increases automatically when more devices are added to the computing network, up to a number of general computing devices on the network.
  - 11. The computing network of claim 1, wherein a number of APEPs can range from one up to a number of DPEPs.
  - 12. The computing network of claim 11, wherein the first DPEP is configured to automatically start to function as an APEP when an existing APEP is removed from the computing network, logic configured to start the first DPEP functioning as an APEP being included in the first DPEP.
  - 13. The computing network of claim 1, wherein the logic is configured to use a list of devices that have passed the security audit to determine the APEP.
  - 14. The computing network of claim 1, wherein the first DPEP and the second DPEP are configured to exchange a list of DPEPs.
  - 15. The computing network of claim 1, wherein whether or not the first DPEP is an APEP is responsive to factors relating to security.
  - 16. The computing network of claim 1, wherein selection of the APEP or the configuration parameters used in the selection of the APEP is managed by a PVS.
  - 17. The computing network of claim 1, wherein a security status of a device on the computing network is tracked using a MAC or IP address of the device.
  - 18. The computing network of claim 1, wherein the first DPEP is further configured to maintain a list of MAC and IP address combinations associated with devices that have passed the security audit.
  - 19. The computing network of claim 18, wherein the first DPEP is configured to use the list of MAC and IP address combinations to manage a destination MAC address for a packet sent to an IP address, to determine if the IP address is within the list of MAC and IP address combinations, and if the IP address is within the list to determine if the destination MAC address of the packet matches a MAC address associated with the IP address in the list, and if the destination MAC address does not match either dropping the packet or changing the destination MAC address.
  - 20. The computing network of claim 18, wherein the first DPEP is configured to use the list of MAC and IP address combinations to assure that an ARP cache of the first DPEP is not inconsistent with the list of MAC and IP address combinations.
  - 21. The computing network of claim 1, wherein neither the first DPEP nor the other DPEPs are dedicated security devices.
  - 22. The computing network of claim 1, wherein essentially any personal computer, notebook computer, or server on the computing network is a potential DPEP.
  - 23. The computing network of claim 1, wherein both the first DPEP and the second DPEP are configured to track, in parallel, which devices on the network segment have passed the security audit.
  - 24. The computing network of claim 1, wherein the APEP is configured to prevent a device that has not passed the security audit from communicating with parts of the computing network.
  - 25. The computing network of claim 1, wherein the first DPEP is configured to prevent a device on the network from communicating with the unauthorized device.
  - 26. The computing network of claim 1, further including a third DPEP on the same network segment as the first DPEP and the second DPEP, the third DPEP being a peer of the first DPEP and the second DPEP.

27. A computing network comprising:
- a server configured to download logic to a non-dedicated, general purpose computing devices, the logic being configured to allow the general purpose computing device to operate as a DPEP;
  
  a plurality of PFC configured to receive packets sent by unauthorized devices or to receive packets sent to unauthorized devices, the plurality of PFC being further configured to modify, drop or forward the received packets;
  
  a first DPEP, a second DPEP and a third DPEP on the same network segment, the first DPEP, second DPEP and third DPEP each configured to function as an APEP, and to enforce a security policy responsive to a security audit by sending an ARP message to redirect communication, between an unauthorized device and an other device, to the PFC; and
  
  a first PVS configured to manage the security audit to determine whether a device is an unauthorized device by comparing the security policy to information about the device, the first PVS being included in either the first DPEP or the second DPEP.
- View Dependent Claims (28, 29, 30)
- - 28. The computing network of claim 27, wherein at least two of the first DPEP, second DPEP and third DPEP are configured to function as an APEP at the same time.
  - 29. The computing network of claim 27, wherein the first DPEP, second DPEP and third DPEP are each general purpose computing devices.
  - 30. The computing network of claim 27, wherein the first DPEP, second DPEP and third DPEP include at least two different device types.

31. A computing network comprising:
- a server configured to download logic to a non-dedicated, general purpose computing devices, the logic being configured to allow the general purpose computing device to operate as a DPEP;
  
  a plurality of PFC configured to receive packets sent by unauthorized devices or to receive packets sent to unauthorized devices, the plurality of PFC being further configured to modify, drop or forward the received packets; and
  
  a PVS configured to manage a security audit to determine whether a device is an unauthorized device by comparing a security policy to information about the device;
  
  a first DPEP and a second DPEP on the same network segment, the first DPEP and second DPEP each being general purpose computing devices and being configured to function as an APEP, and to enforce the security policy responsive to the security audit by sending an ARP message to redirect communication, between an unauthorized device and an other device, to the PFC; and
  
  a rule server configured to provide rules to the plurality of PFC for use in determining if a packet should be modified, dropped, or forwarded.
- View Dependent Claims (32, 33, 34)
- - 32. The computing network of claim 31, wherein the plurality of PFC are included in the first DPEP and the second DPEP.
  - 33. The computing network of claim 31, further including a third DPEP on the same network segment as the first DPEP, the third DPEP being configured to function as an APEP, and to enforce the security policy responsive to the security audit by sending an ARP message to redirect communication.
  - 34. The computing network of claim 31, wherein each of the plurality of PFC are configured to differentiate between packets intended for themselves or intended for other devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InfoExpress, Inc.
Original Assignee
InfoExpress, Inc.
Inventors
Lum, Stacey

Application Number

US11/356,555
Publication Number

US 20070192858A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 63/10   for controlling access to d...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Peer based network access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Peer based network access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links