Detection of network environment

US 20080022355A1
Filed: 06/30/2006
Published: 01/24/2008
Est. Priority Date: 06/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request to connect a device to a network;

if a security policy is received for the connection of the device, applying the policy for the device; and

if a security policy for the connection of the device is not received, determining the domain of the device by;

determining whether the device is in an enterprise domain, anddetermining whether the device is in a network access control domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for detection of network environment to aid policy selection for network access control. An embodiment of a method includes receiving a request to connect a device to a network and, if a security policy is received for the connection of the device, applying the policy for the device. If a security policy for the connection of the device is not received, the domain of the device is determined by determining whether the device is in an enterprise domain and determining whether the device is in a network access control domain, which allows selection of an appropriate domain/environment specific policy.

41 Citations

View as Search Results

27 Claims

1. A method comprising:
- receiving a request to connect a device to a network;
  
  if a security policy is received for the connection of the device, applying the policy for the device; and
  
  if a security policy for the connection of the device is not received, determining the domain of the device by;
  
  determining whether the device is in an enterprise domain, anddetermining whether the device is in a network access control domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising establishing a security policy for the connection of the device based at least in part on the determined domain of the device.
  - 3. The method of claim 1, wherein the network provides for static network addressing, and further comprising extracting a network address for the device.
  - 4. The method of claim 3, wherein determining the domain of the device comprises comparing an element of the network address to a list of pre-configured address elements.
  - 5. The method of claim 1, wherein the network provides for dynamic network addressing.
  - 6. The method of claim 5, further comprising determining whether a response from the device is received.
  - 7. The method of claim 6, wherein the response comprises a DHCP (dynamic host configuration protocol) response.
  - 8. The method of claim 6, wherein if a response from the device is received then determining whether the device is in an enterprise domain comprises extracting domain information from the response.
  - 9. The method of claim 8, wherein determining whether the device is in a network access control domain comprising applying a configured protocol option to the response.
  - 10. The method of claim 5, wherein an agent presence feature is available, and wherein determining the domain of the device comprises determining whether a network access control agent is present.
  - 11. The method of claim 1, further comprising signing data regarding the domain of the device using an industry standard signature method and conveying the data as part of a DHCP (dynamic host configuration protocol) response.

12. A network security apparatus comprising:
- a network access control module, the network access control module to identify the platform of a device that seeks to connect to a network, the identification of the platform including;
  
  a determination whether the device in contained in an enterprise domain, anda determination whether the device is contained in a network access control domain; and
  
  a network management module, the network management module to control access of the device to the network based at least in part on the determination of the platform of the device.
- View Dependent Claims (13, 14, 15)
- - 13. The network security apparatus of claim 12, wherein the network utilizes static IP (Internet protocol addressing), and wherein identification of the platform of the device by the network access control module includes comparing an element of an address of the device to a list of pre-configured address elements.
  - 14. The network security apparatus of claim 12, wherein the network utilizes dynamic IP (Internet protocol addressing), and wherein identification of the platform of the device by the network access control module includes extracting data from a response of the device.
  - 15. The network security apparatus of claim 12, wherein the network utilizes dynamic IP (Internet protocol addressing), and wherein identification of the platform of the device by the network access control module includes using a presence function to determine whether a network access control agent is present.

16. A system comprising:
- a network access control unit for a network to determine network access for a device;
  
  a trust server to provide compliance vectors to the network access control unit; and
  
  a router, the router to direct a device connection request to the network access control unit, the device supporting a network management system;
  
  wherein the network access control unit obtains data regarding the device to determine the domain of the device, including;
  
  whether the device is contained in an enterprise domain, andwhether the device is contained in a network access control domain.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The system of claim 16, wherein the network management system enforces a policy for access to the network by the device.
  - 18. The system of claim 16, wherein the network utilizes static IP (Internet Protocol) addressing, and wherein determining the domain of the device includes comparing at least a portion of the address of the device to a list of pre-configured address elements.
  - 19. The system of claim 16, wherein the network utilizes dynamic IP (Internet Protocol) addressing.
  - 20. The system of claim 19, wherein determining the domain of the device includes receiving a response for the device and extracting the domain for the device from the response.
  - 21. The system of claim 19, wherein determining the domain of the device includes using a presence function to determine the presence of a network access control agent.
  - 22. The system of claim 16, wherein the data regarding the domain of the device is signed using an industry standard signature method and is conveyed as part of a DHCP (dynamic host configuration protocol) response.

23. A machine-readable medium having stored thereon data representing sequences of instructions that, when executed by a machine, cause the machine to perform operations comprising:
- receiving a request to connect a device to a network;
  
  if a security policy is received for the connection of the device, applying the policy for the device; and
  
  if a security policy for the connection of the device is not received, determining the domain of the device by;
  
  determining whether the device is in an enterprise domain,determining whether the device is in a network access control domain.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The medium of claim 23, further comprising instructions that, when executed by the machine, cause the machine to perform operations comprising:
    - establishing a security policy for the connection of the device based at least in part on the determined domain of the device.
  - 25. The medium of claim 23, wherein the network provides for static network addressing, and wherein determining whether the device is in an enterprise domain and determining whether the device is in a network access control domain comprises comparing an element of the network address of the device to a list of pre-configured address elements.
  - 26. The medium of claim 23, wherein the network provides for dynamic network addressing, and wherein determining the domain of the device comprises extracting domain information from a response from the device.
  - 27. The medium of claim 23, wherein the network provides for dynamic network addressing, and wherein determining the domain of the device comprises determining whether a network access control agent is present.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Kroiser, Ahuva, Eldar, Avigdor, Khosravi, Hormuzd, Grewal, Karanvir

Granted Patent

US 7,814,531 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 61/5014   using dynamic host configur...

H04L 63/0227   Filtering policies mail mes...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/12   Applying verification of th...

Detection of network environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

41 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of network environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links