Hierarchical trust based posture reporting and policy enforcement

US 20070234402A1
Filed: 03/31/2006
Published: 10/04/2007
Est. Priority Date: 03/31/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

initiating a network access request from an access requester on a platform that couples to a network, the network access request made to a policy decision point for the network;

establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point on the platform;

establishing a secure communication channel over an other communication link, the other communication link between at least the policy enforcement point and a manageability engine resident on the platform, the manageability engine to forward posture information associated with the access requester and the manageability engine, the posture information to be forwarded via the secure communication channel between the manageability engine and the policy enforcement point; and

forwarding the posture information to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point, the policy decision point to indicate what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method that includes initiating a network access request from an access requester on a platform that couples to a network, the network access request made to a policy decision point for the network. The method also includes establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point on the platform. Another secure communication channel is established over another communication link. The other communication link is between at least the policy enforcement point and a manageability engine resident on the platform. The manageability engine forwards posture information associated with the access requester via the other secure communication channel. The posture information is then forwarded to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point. The policy decision point indicates what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies.

Citations

36 Claims

1. A method comprising:
- initiating a network access request from an access requester on a platform that couples to a network, the network access request made to a policy decision point for the network;
  
  establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point on the platform;
  
  establishing a secure communication channel over an other communication link, the other communication link between at least the policy enforcement point and a manageability engine resident on the platform, the manageability engine to forward posture information associated with the access requester and the manageability engine, the posture information to be forwarded via the secure communication channel between the manageability engine and the policy enforcement point; and
  
  forwarding the posture information to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point, the policy decision point to indicate what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method according to claim 1, further comprising:
    - configuring a data traffic filter on a communication link that couples the platform to the network, the data traffic filter configured by the manageability engine based on a default network administrative policy, configuring the data traffic filter to occur prior to forwarding the posture information to the policy decision point, wherein configuring the data traffic filter establishes a first hierarchical trust layer to access the network.
  - 3. A method according to claim 2, wherein the default network administrative policy includes configuring the data traffic filter to allow only control data traffic to establish a secure communication channel on the communication link.
  - 4. A method according to claim 2 further comprising:
    - reconfiguring the data traffic filter based at least in part on what access was indicated by the policy decision point, wherein reconfiguring the data traffic filter establishes a second hierarchical trust layer to access the network.
  - 5. A method according to claim 2 further comprising:
    - receiving the indication of what access the access requester can obtain to the network; and
      
      implementing a remediation action based on the indication not granting the level of network access the access requester is seeking, wherein implementing the remediation action establishes a second hierarchical trust layer to access the network.
  - 6. A method according to claim 5, wherein the remediation action is to include at least one remediation action selected from the following group of:
    - updating anti-virus software, downloading a patch from a server, installing given software and implementing an access control policy by configuring the data traffic filter on the communication link that couples the platform to the network.
  - 7. A method according to claim 1, wherein the access requester comprises a capability operation system and the policy enforcement point is part of a service operation system, the capability operation system and the service operation system to operate on different partitions on the platform, each partition to use platform resources independently.
  - 8. A method according to claim 1, wherein the posture information associated with the access requester is based on integrity measurements of the access requester, the integrity measurements to include at least one integrity measurement selected from the following group of:
    - an anti-virus parameter, a firewall status, a software version, a hardware status, a log file and an existence of given software in a memory on the platform.
  - 9. A method according to claim 1, wherein the one or more network administrative policies include at least one policy selected from the following group of:
    - an access control list policy, an outbreak containment policy, an intrusion detection policy and a monitoring policy.
  - 10. A method according to claim 1, wherein establishing the secure communication channel between the policy decision point and the policy enforcement point includes establishing the secure communication channel using IEEE 802.1X communication protocols.
  - 11. A method according to claim 1, wherein establishing the secure communication channel between the policy enforcement point and the manageability engine includes establishing the secure communication channel using extensible markup language (XML) signatures.

12. A method comprising:
- initiating a network access request to a first network from an access requester on a platform that couples to the first network, the network access request made to a policy decision point for the first network, the platform including a plurality of partitions, each partition to use at least a portion of platform resources that are independent of platform resources used by another partition, the plurality of partitions including a partition that supports a capability operating system and including a partition that supports a service operating system, the capability operating system including the access requester, the service operating system including a policy enforcement agent;
  
  determining whether the service operating system is activated on the platform, the determination made by a manageability engine resident on the platform; and
  
  permitting the access requester to seek the requested access to the first network based on the manageability engine'"'"'s determination, wherein permitting the access requester to seek the requested access establishes a first layer of hierarchical trust to access a second network.
- View Dependent Claims (13, 14, 15, 16)
- - 13. A method according to claim 12 further comprising:
    - obtaining the access indicated for the access requester to the first network;
      
      seeking access to the second network through the first network, the access sought by the access requester, monitoring data traffic between the capability operating system and the first network, the data traffic monitored by the service operating system;
      
      determining whether the data traffic meets one or more default network administrative policies for the second network, the determination made by the service operating system; and
      
      permitting the access requester to initiate the requested access to the second network based on the system operating system'"'"'s determination, wherein permitting the access requester to initiate the requested access to the second network establishes a second hierarchical trust layer to access the second network.
  - 14. A method according to claim 13, wherein the one or more default network administrative policies include at least one policy selected from the following group of:
    - an access control list policy, an outbreak containment policy, an intrusion detection policy and a monitoring policy.
  - 15. A method according to claim 13, further comprising:
    - the access requester initiating the other network access request to the second network through the first network, the other network access request made to a policy decision point for the second network;
      
      establishing a secure communication channel over a communication link between the policy decision point for the second network and the service operating system;
      
      establishing a secure communication channel over another communication link, the other communication link between the service operating system and the manageability engine, the manageability engine to forward posture information associated with the access requester and the manageability engine, the posture information to be forwarded via the secure communication channel between the manageability engine and the service operating system;
      
      forwarding the posture information to the policy decision point for the second network via the secure communication channel between the service operating system and the policy decision point for the second network, the policy decision point for the second network to indicate what access the access requester can obtain to the second network based on a comparison of the posture information to one or more network administrative policies; and
      
      receiving the indication of what access the access requester can obtain to the second network, the system operating system'"'"'s policy enforcement agent to enforce the level of access based on the indication, wherein enforcing the level of access establishes a third hierarchical trust layer to access the second network.
  - 16. A method according to claim 15, further comprising:
    - obtaining the access indicated for the access requester to the second network;
      
      gathering posture information associated with the capability operating system, the posture information associated with the capability operating system gathered by the service operating system;
      
      forwarding the gathered posture information to the policy decision point for the second network, wherein the policy decision point for the second network indicates what access the access requester can maintain to the second network based on a comparison of the gathered posture information to the one or more network administrative policies; and
      
      receiving the indication of what access the access requester can maintain to the second network, the system operating system'"'"'s policy enforcement agent to enforce the level of access based on the indication, wherein enforcing the level of access maintains the third hierarchical trust layer to access the second network.

17. An apparatus resident on a platform to couple to a network, the apparatus comprising:
- a manageability engine that includes memory and logic, the logic to;
  
  establish a secure communication channel via a communication link on the platform, the secure communication channel establish with a policy enforcement agent on the platform;
  
  obtain posture information associated with the manageability engine and an access requester on the platform, the access requester to seek access to the network;
  
  cryptographically sign the posture information with a secret key maintained in the memory; and
  
  forward the cryptographically signed posture information to the policy enforcement agent via the secure communication channel, the cryptographically signed posture information to be forwarded to a policy decision point for the network via another secure communication channel established between the policy enforcement agent and the policy decision point, wherein the policy decision point is to indicate what access the access requester can obtain to the network based on a comparison of the posture information to a network administrative policy.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. An apparatus according to claim 17, the logic to further comprise logic to:
    - configure a data traffic filter on a communication link that couples the platform to the network, the data traffic filter configured by the logic based on a default network administrative policy that allows only control data traffic to pass through the data traffic filter, the control data traffic to include authentication information, wherein to establish a first hierarchical trust layer to access the network, the logic is to configure the data traffic filter prior to forwarding the cryptographically signed posture information to the policy decision point.
  - 19. An apparatus according to claim 18, the indication of what access the access requester can obtain to the network is cryptographically signed by the policy decision point, the cryptographically signed indication to be decoded by the manageability engine'"'"'s logic to determine what access the access requester can obtain to the network, wherein to establish a second hierarchical trust level to access the network, the policy enforcement agent on the platform is to enforce the level of access determined to be obtainable.
  - 20. An apparatus according to claim 19, wherein the posture information and the indication are cryptographically signed using a public key infrastructure (PKI) encryption scheme.
  - 21. An apparatus according to claim 17, the logic to cryptographically sign the posture information comprises the logic to include a nonce with the posture information, the nonce to include a time-sensitive, randomly generated number, the logic to cryptographically sign both the posture information and the nonce, wherein the indication of what access the access requester can obtain to the network is cryptographically signed by the policy decision point, the cryptographically signed indication to also include the nonce, the cryptographically signed indication to be decoded by the manageability engine'"'"'s logic, the logic to authenticate that the indication is associated with the cryptographically signed posture information based on the nonce included with the indication matching the nonce included with the posture information.
  - 22. An apparatus according to claim 17, wherein the posture information associated with the access requester and the manageability engine is based on integrity measurements of the access requester and the manageability engine, the integrity measurements to include at least one integrity measurement selected from the following group of:
    - an anti-virus parameter, a firewall status, a software version, a hardware status, a log file and an existence of given software in a memory on the platform.
  - 23. An apparatus according to claim 17, wherein the secure communication channel established with the policy enforcement point is established using extensible markup language (XML) signatures.

24. A platform to couple to a network comprising:
- platform resources to include memory and one or more processing elements;
  
  a plurality of partitions, each partition to use at least a portion of platform resources that are independent of platform resources used by another partition, the plurality of partitions to include a partition that supports a capability operating system and a partition that supports a service operating system, the capability operation system to request access to the network, the service operating system to include a policy enforcement agent to enforce one or more network administrative policies; and
  
  a manageability engine that includes logic and memory that is exclusively accessible to the logic, the logic to;
  
  obtain posture information associated with the capability operating system;
  
  cryptographically sign the posture information with a secret key maintained in the memory that is exclusively accessible to the logic;
  
  forward the cryptographically signed posture information to a policy decision point for the network, wherein the policy decision point is to indicate what access the capability operating system can obtain to the network based on a comparison of the posture information to network administrative policies.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 25. A platform according to claim 24, the manageability engine'"'"'s logic to further comprise logic to:
    - configure a data traffic filter on a communication link that couples the platform to the network, the data traffic filter configured by the logic based on a default network administrative policy that allows only control data traffic to pass through the data traffic filter, the control data traffic to include authentication information, wherein to establish a first hierarchical trust layer to access the network, the logic is to configure the data traffic filter prior to forwarding the cryptographically signed posture information to the policy decision point.
  - 26. A platform according to claim 25, the decoded indication to be used by the service operating system'"'"'s policy enforcement agent to enforce the one or more network administrative policies and determine what access the capability operating system can obtain to the network, the service operating system to implement a remediation action based on the capability operating system not obtaining a desired level of access to the network, wherein to establish a second hierarchical trust layer to access the network includes the enforcement of one or more network administrative policies and the implementation of the remediation action.
  - 27. A platform according to claim 26, wherein the remediation action is to include at least one remediation action selected from the following group of:
    - updating anti-virus software used by the capability operating system, downloading a patch for the capability operating system from a server, installing given software and implementing an access control policy by configuring a data traffic filter on a communication link that couples the platform to the network.
  - 28. A platform according to claim 24, wherein the posture information and the indication are cryptographically signed using a public key infrastructure (PKI) encryption scheme.
  - 29. A platform according to claim 24, wherein the posture information associated with the capability operating system and the manageability engine is based on integrity measurements of the capability operating system, the integrity measurements to include at least one integrity measurement selected from the following group of:
    - an anti-virus parameter, a firewall status, a software version, a hardware status, a log file and an existence of given software in a memory on the platform.
  - 30. A platform according to claim 24, wherein the manageability engine'"'"'s memory and logic are physically separate from the platform resources used by the plurality of partitions.
  - 31. A platform according to claim 24, the memory that is exclusively accessible to the manageability engine'"'"'s logic includes default network administrative polices, the default network administrative polices to include a policy to restrict access to the capability operating system if the service operating system is not active, the manageability engine'"'"'s logic to enforce the policy, wherein to enforce the policy establishes a first hierarchical trust layer to access the network.
  - 32. A platform according to claim 31, the service operating system is to establish a secure communication link with the policy decision point, the service operating system to gather and forward posture information associated with the capability operating system, the policy decision point to indicate what network access the capability operating system can obtain to the network based on a comparison of the posture information gathered by the service operating system, the service operating system'"'"'s policy enforcement agent to enforce the level of access based on the indication from the policy decision point, wherein enforcing the level of access is to maintain the second hierarchical trust level to access the network.
  - 33. A platform according to claim 24, wherein the platform is to operate according to a virtualization technology scheme.

34. A machine-accessible medium comprising content, which, when executed by a machine resident on a platform to couple to a network causes the machine to:
- establish a secure communication channel via a communication link on the platform, the secure communication channel establish with a policy enforcement agent on the platform;
  
  obtain posture information associated with the machine and an access requester on the platform, the access requester to seek access to the network;
  
  cryptographically sign the posture information with a secret key maintained in the memory; and
  
  forward the cryptographically signed posture information to the policy enforcement agent via the secure communication channel, the cryptographically signed posture information to be forwarded to a policy decision point for the network via another secure communication channel established between the policy enforcement agent and the policy decision point, wherein the policy decision point is to indicate what access the access requester can obtain to the network based on a comparison of the posture information to network administrative policies.
- View Dependent Claims (35, 36)
- - 35. A machine-accessible medium according to claim 34, wherein the posture information associated with the access requester and the machine is based on integrity measurements of the access requester and the machine, the integrity measurements to include at least one integrity measurement selected from the following group of:
    - an anti-virus parameter, a firewall status, a software version, a hardware status, a log file and an existence of given software in a memory on the platform.
  - 36. A machine-accessible medium according to claim 34, wherein the secure communication channel established with the policy enforcement point is using established extensible markup language (XML) signatures.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Khosravi, Hormuzd, Durham, David, Grewal, Karanvir

Granted Patent

US 7,703,126 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

Hierarchical trust based posture reporting and policy enforcement

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Hierarchical trust based posture reporting and policy enforcement

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links