Hierarchical trust based posture reporting and policy enforcement
Abstract
A method that includes initiating a network access request from an access requester on a platform that couples to a network, the network access request made to a policy decision point for the network. The method also includes establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point on the platform. Another secure communication channel is established over another communication link. The other communication link is between at least the policy enforcement point and a manageability engine resident on the platform. The manageability engine forwards posture information associated with the access requester via the other secure communication channel. The posture information is then forwarded to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point. The policy decision point indicates what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies.
36 Claims
1. A method comprising:
initiating a network access request from an access requester on a platform that couples to a network, the network access request made to a policy decision point for the network;
establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point on the platform;
establishing a secure communication channel over another communication link, the other communication link between at least the policy enforcement point and a manageability engine resident on the platform, the manageability engine to forward posture information associated with the access requester and the manageability engine, the posture information to be forwarded via the secure communication channel between the manageability engine and the policy enforcement point; and
forwarding the posture information to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point, the policy decision point to indicate what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies. (Dependent claims 2-11.)
12. A method comprising:
initiating a network access request to a first network from an access requester on a platform that couples to the first network, the network access request made to a policy decision point for the first network, the platform including a plurality of partitions, each partition to use at least a portion of platform resources that are independent of platform resources used by another partition, the plurality of partitions including a partition that supports a capability operating system and including a partition that supports a service operating system, the capability operating system including the access requester, the service operating system including a policy enforcement agent;
determining whether the service operating system is activated on the platform, the determination made by a manageability engine resident on the platform; and
permitting the access requester to seek the requested access to the first network based on the manageability engine's determination, wherein permitting the access requester to seek the requested access establishes a first layer of hierarchical trust to access a second network. (Dependent claims 13-16.)
17. An apparatus resident on a platform to couple to a network, the apparatus comprising:
a manageability engine that includes memory and logic, the logic to:
establish a secure communication channel via a communication link on the platform, the secure communication channel established with a policy enforcement agent on the platform;
obtain posture information associated with the manageability engine and an access requester on the platform, the access requester to seek access to the network;
cryptographically sign the posture information with a secret key maintained in the memory; and
forward the cryptographically signed posture information to the policy enforcement agent via the secure communication channel, the cryptographically signed posture information to be forwarded to a policy decision point for the network via another secure communication channel established between the policy enforcement agent and the policy decision point, wherein the policy decision point is to indicate what access the access requester can obtain to the network based on a comparison of the posture information to a network administrative policy. (Dependent claims 18-23.)
24. A platform to couple to a network comprising:
platform resources to include memory and one or more processing elements;
a plurality of partitions, each partition to use at least a portion of platform resources that are independent of platform resources used by another partition, the plurality of partitions to include a partition that supports a capability operating system and a partition that supports a service operating system, the capability operating system to request access to the network, the service operating system to include a policy enforcement agent to enforce one or more network administrative policies; and
a manageability engine that includes logic and memory that is exclusively accessible to the logic, the logic to:
obtain posture information associated with the capability operating system;
cryptographically sign the posture information with a secret key maintained in the memory that is exclusively accessible to the logic;
forward the cryptographically signed posture information to a policy decision point for the network, wherein the policy decision point is to indicate what access the capability operating system can obtain to the network based on a comparison of the posture information to network administrative policies. (Dependent claims 25-33.)
34. A machine-accessible medium comprising content, which, when executed by a machine resident on a platform to couple to a network causes the machine to:
establish a secure communication channel via a communication link on the platform, the secure communication channel established with a policy enforcement agent on the platform;
obtain posture information associated with the machine and an access requester on the platform, the access requester to seek access to the network;
cryptographically sign the posture information with a secret key maintained in the memory; and
forward the cryptographically signed posture information to the policy enforcement agent via the secure communication channel, the cryptographically signed posture information to be forwarded to a policy decision point for the network via another secure communication channel established between the policy enforcement agent and the policy decision point, wherein the policy decision point is to indicate what access the access requester can obtain to the network based on a comparison of the posture information to network administrative policies. (Dependent claims 35, 36.)
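As an added illustration (not code from the patent), a minimal Python model of the signed posture-report flow described in claims 1, 12, 17 and 24: the manageability engine signs posture information with a secret key held in its own memory, the policy enforcement agent only forwards the report, and the policy decision point verifies the signature, checks that the service operating system is active (the first layer of hierarchical trust) and compares the posture to administrative policies. The key, policy values, posture fields and access levels are constructed, and the HMAC-based scheme with the key shared between manageability engine and policy decision point is an assumption; the patent does not specify the signing algorithm.

```python
import hmac
import hashlib
import json

# Constructed demo key: stands in for the secret key kept in memory only the ME logic can reach.
ME_SECRET_KEY = b"constructed-demo-key-not-for-production"

# Constructed network administrative policies (values are assumptions).
NETWORK_POLICY = {
    "service_os_must_be_active": True,
    "min_patch_level": 5,
    "required_agents": {"firewall", "antivirus"},
}


def manageability_engine_sign(posture: dict, key: bytes = ME_SECRET_KEY) -> dict:
    """Manageability engine: canonicalise posture info and sign it with its secret key."""
    body = json.dumps(posture, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"posture": body, "sig": tag}


def pep_forward(report: dict) -> dict:
    """Policy enforcement agent: relays the report to the PDP; it holds no signing key."""
    return dict(report)


def pdp_decide(report: dict, key: bytes = ME_SECRET_KEY, policy: dict = NETWORK_POLICY) -> str:
    """Policy decision point: verify the signature, then map posture to an access level."""
    expected = hmac.new(key, report["posture"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["sig"]):
        return "deny"  # posture altered after the ME signed it; nothing here can be trusted
    posture = json.loads(report["posture"])
    if policy["service_os_must_be_active"] and not posture["service_os_active"]:
        return "deny"  # first layer of hierarchical trust (claim 12) not established
    if posture["patch_level"] < policy["min_patch_level"]:
        return "remediation"  # restricted access until the platform is patched
    if not policy["required_agents"] <= set(posture["agents"]):
        return "remediation"  # a required enforcement agent is missing
    return "full"


def run_access_request(posture: dict, tamper: bool = False) -> str:
    """End-to-end flow: ME signs, PEP forwards, PDP decides. tamper=True edits posture in transit."""
    report = pep_forward(manageability_engine_sign(posture))
    if tamper:  # simulate the capability OS rewriting its own posture to look compliant
        edited = json.loads(report["posture"])
        edited["patch_level"] = 99
        report["posture"] = json.dumps(edited, sort_keys=True)
    return pdp_decide(report)
```

Because the signature is checked before any policy comparison, an in-transit rewrite of the posture is rejected outright rather than being evaluated against the policy table.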