CONTROLLING NETWORK ACCESS

US 20090113540A1
Filed: 10/29/2007
Published: 04/30/2009
Est. Priority Date: 10/29/2007
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to a computer network based on a client'"'"'s compliance with network health policy standards, the method comprising:

sending a request for access to the network from the client to a server, the request including a statement of health of the client;

receiving a first response from the server, the first response including filtering instructions;

converting the filtering instructions into firewall rules on the client; and

filtering communications from the client to the network based on the firewall rules using a firewall on the client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for controlling network access determine that a client computer on the network is in compliance with administrator-defined network health policy standards before the client computer is granted access to the network. A packet exchange mechanism is defined wherein filtering instructions from a server are converted into firewall rules on the client computer to restrict client access to remediation servers on the network. The client computer obtains update patches from the remediation servers to become compliant with network health policy standards.

Citations

20 Claims

1. A method for controlling access to a computer network based on a client'"'"'s compliance with network health policy standards, the method comprising:
- sending a request for access to the network from the client to a server, the request including a statement of health of the client;
  
  receiving a first response from the server, the first response including filtering instructions;
  
  converting the filtering instructions into firewall rules on the client; and
  
  filtering communications from the client to the network based on the firewall rules using a firewall on the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein filtering communications further comprises filtering the communications such that the client only has access to a restricted portion of the network.
  - 3. The method of claim 1, wherein filter communications further comprises limiting Internet Protocol addresses and port numbers on the network with which the client can communicate.
  - 4. The method of claim 1, further comprising:
    - allowing the client to seek remediation for health deficiencies;
      
      sending another request for access to the server including an updated statement of health of the client;
      
      receiving a second response from the server, the second response granting the client access to the network; and
      
      removing the filtering by the firewall such that the client has unrestricted access to the network.
  - 5. The method of claim 4, wherein the client receives update patches from one or more remediation servers.
  - 6. The method of claim 1, further comprising accessing the filtering instructions from a vendor specific field in the first response from the server.
  - 7. The method of claim 1, further comprising:
    - sending from the client to the server a Dynamic Host Configuration Protocol, version 6 request for access, the request including a vendor-specific option field, the vendor-specific option field indicating the client'"'"'s capability to negotiate access based on its health state;
      
      receiving at the client from the server a Dynamic Host Configuration Protocol, version 6 response, the response containing a DHCPv6 vendor-specific option field, the vendor-specific option field indicating the server'"'"'s capability to grant access based on the clients compliance with the health policy standard.
  - 8. The method of claim 1, wherein the filtering instructions include a list of remediation servers that the client is permitted to access.
  - 9. The method of claim 8, wherein the filtering instructions include health update patches to be obtained from remediation servers.
  - 10. The method of claim 9, further comprising:
    - receiving from the server a DHCPv6 REPLY message confirming that the client is compliant with the network health policy standards.
  - 11. The method of claim 7, further comprising:
    - receiving from the server a DHCPv6 REPLY message confirming that the client is compliant with the network health policy standards.

12. A method for a first server to determine whether a client should be granted access to a computer network, the method comprising:
- receiving a request from the client for access to the network, the request including a statement of health of the client;
  
  sending the request to a second server;
  
  receiving a first response from the second server, the first response indicating whether the client'"'"'s state of health is compliant with state of health policies of the network, the first response further including information about specific deficiencies in the client'"'"'s state of health and remediation instructions for the client in order to remedy the client'"'"'s health; and
  
  sending a second response to the client, the second response including the remediation instructions and filtering instructions, the filtering instructions enabling a firewall on the client to restrict the client'"'"'s access to the network.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, further comprising populating the remediation instructions and the filtering instructions in vendor-specific fields in the second response from the server.
  - 14. The method of claim 13, further comprising:
    - receiving at the first server from the client a Dynamic Host Configuration Protocol, version 6, request, the request containing a DHCPv6 vendor-specific option field containing the client'"'"'s state of health; and
      
      sending from the first server to the client a Dynamic Host Configuration Protocol, version 6, response having a vendor-specific option field containing the remediation instructions and the filtering instructions.
  - 15. The method of claim 14, further comprising:
    - receiving at the first server from the client a renew message, the renew message containing a DHCPv6 vendor specific option field, said vendor specific option field containing the client'"'"'s updated state of health;
      
      sending from the first server to the second server a message containing the client'"'"'s updated state of health, said message requesting the second server to validate the client'"'"'s state of health;
      
      receiving at the first server from the second server a message indicating whether the client'"'"'s state of health is compliant with state of health policies of the network; and
      
      sending from the first server to the client a message confirming that the client is compliant with network state of health policy.
  - 16. The method of claim 14, wherein the second server is a network policy server.

17. A client programmed to request access to a computer network, the client comprising:
- a system health agent programmed to monitor and report on the client'"'"'s health state;
  
  a network access protection agent programmed to collect, store and process statement of health information from the system health agent;
  
  an enforcement agent programmed to obtain the client'"'"'s statement of health from the network access protection agent, to send said statement of health to a server, and to convert filtering instructions received from the server into firewall rules to limit the client'"'"'s access to the network; and
  
  a firewall programmed to filter client communication to the network based on firewall rules.
- View Dependent Claims (18, 19, 20)
- - 18. The client of claim 17, wherein the enforcement agent is programmed to communicate with the server using a Dynamic Host Configuration Protocol, version 6, protocol.
  - 19. The client of claim 18, wherein the enforcement agent is further programmed to access the filtering instructions in a vendor specific field of a message from the server and convert the filtering instructions into the firewall rules.
  - 20. The client of claim 17, wherein the enforcement agent is further programmed to access the filtering instructions in a vendor specific field of a message from the server and convert the filtering instructions into the firewall rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Chandwani, Santosh

Granted Patent

US 9,225,684 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

G06F 2221/2115   Third party

G06F 2221/2149   Restricted operating enviro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

CONTROLLING NETWORK ACCESS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CONTROLLING NETWORK ACCESS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links