DYNAMIC ADDRESS ASSIGNMENT FOR ACCESS CONTROL ON DHCP NETWORKS
Abstract
Systems and methods of managing security on a computer network are disclosed. The computer network includes a restricted subnet and a less-restricted subnet. Access to the restricted subnet is controlled by a network filter, optionally inserted as a software shim on a DHCP server. In some embodiments, the network filter is configured to manipulate relay IP addresses to control whether the DHCP server provides, in a DHCPOFFER packet, an IP address that can be used to access the restricted subnet. In some embodiments, configuration information is communicated between the DHCP server and the network filter via DHCPOFFER packets.
19 Claims
1. A method of controlling access to a protected network, the method comprising:
receiving first endpoint information from an agent running on an endpoint, the first endpoint information including a MAC address of the endpoint and information characterizing the endpoint;
receiving a DHCPDISCOVER packet with the MAC address of the endpoint at an input of a DHCP server via a router, the router including an access control list characterizing a restricted subnet of the protected network, the restricted subnet accessible to endpoints with an IP address in a first address range but not accessible to endpoints with an IP address in a second address range;
altering the DHCPDISCOVER packet received at the input, the alteration being responsive to the first endpoint information having met requirements of a security assessment;
passing the altered DHCPDISCOVER packet to a processor configured to execute computing instructions for generating a DHCPOFFER packet;
executing the computing instructions, wherein execution of the computing instructions by the processor generates the DHCPOFFER packet responsive to the alteration made in the DHCPDISCOVER packet, the DHCPOFFER packet including an IP address associated with the first address range if the endpoint information has met the requirements of the security assessment, the DHCPOFFER packet including an IP address associated with the second address range if the endpoint information has not met the requirements of the security assessment;
receiving second endpoint information from the agent as a result of the agent detecting changes at the endpoint; and
using the second endpoint information in a subsequent security assessment.
(Dependent claims 2 to 13 not shown.)
14. A method of controlling access to a protected network, the method comprising:
receiving endpoint information from an agent running on an endpoint, the endpoint information including a MAC address of the endpoint and information characterizing the endpoint;
receiving a DHCPDISCOVER packet with the MAC address of the endpoint at an input of a DHCP server via a router, the router including an access control list characterizing a restricted subnet of the protected network, the restricted subnet accessible to endpoints with an IP address in a first address range but not accessible to endpoints with an IP address in a second address range;
altering the DHCPDISCOVER packet received at the input by including a DHCP option with a value, the value being responsive to the endpoint information having met requirements of a security assessment;
passing the altered DHCPDISCOVER packet to a processor configured to execute computing instructions for generating a DHCPOFFER packet;
executing the computing instructions, wherein execution of the computing instructions by the processor generates the DHCPOFFER packet responsive to the alteration made in the DHCPDISCOVER packet, the DHCPOFFER packet including an IP address associated with the first address range if the endpoint information has met the requirements of the security assessment, the DHCPOFFER packet including an IP address associated with the second address range if the endpoint information has not met the requirements of the security assessment.
(Dependent claims 15 to 19 not shown.)
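The abstract and the two independent claims above describe one mechanism from two angles: a filter at the DHCP server's input rewrites the relayed DHCPDISCOVER (the relay address giaddr in the abstract, a DHCP option in claim 14) according to an agent-fed security assessment, and an otherwise unmodified DHCP server then offers an address from whichever scope the altered packet points at. The Python model below is an added example, not code from the patent or its assignee. It implements both alterations, a stock relay-aware server that picks its scope from giaddr and echoes the option back in the DHCPOFFER, and the re-assessment that follows a second agent report. The scope and relay addresses, the site-local option code 224, the assessment policy and the `restore_offer` return-path handling are assumptions made for illustration.

```python
# Added example (not code from the patent or its assignee) modelling the DHCP shim described above.
# Assumed: scope and relay addresses, site-local option 224 as verdict carrier, the assessment policy.
import ipaddress
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"          # fixed BOOTP header, 236 bytes
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_SUBNET, OPT_ROUTER, OPT_MSGTYPE, OPT_SERVERID, OPT_END = 1, 3, 53, 54, 255
OPT_ASSESSMENT = 224                               # assumed site-local option code (224-254 range)
DISCOVER, OFFER = 1, 2
ZERO = ipaddress.IPv4Address(0)
SERVER_IP = ipaddress.IPv4Address("10.0.0.5")
# The router relays with giaddr 10.1.0.1. For endpoints that fail assessment the shim substitutes
# 10.99.0.1, so a stock relay-aware server answers from the quarantine scope the router ACL fences off.
RELAY_COMPLIANT = ipaddress.IPv4Address("10.1.0.1")
RELAY_QUARANTINE = ipaddress.IPv4Address("10.99.0.1")
SCOPES = {RELAY_COMPLIANT: ipaddress.IPv4Network("10.1.0.0/24"),     # first address range
          RELAY_QUARANTINE: ipaddress.IPv4Network("10.99.0.0/24")}   # second address range

def build(op, xid, mac, giaddr, yiaddr, options):
    """Serialise a BOOTP/DHCP message; options maps code -> raw value bytes."""
    hdr = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0x8000, ZERO.packed, yiaddr.packed,
                      ZERO.packed, giaddr.packed, mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return hdr + DHCP_MAGIC + body + bytes([OPT_END])

def parse(data):
    """Decode the header fields the shim and server need, plus the option list."""
    f = struct.unpack(BOOTP_FMT, data[:236])
    if data[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                           # pad option: single byte, no length
            i += 1
            continue
        code, ln = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "yiaddr": ipaddress.IPv4Address(f[8]),
            "giaddr": ipaddress.IPv4Address(f[10]), "mac": f[11][:6], "options": opts}

class Shim:
    """Network filter at the server input: stores agent reports, rewrites relayed client messages."""
    def __init__(self):
        self.endpoints = {}                        # MAC -> latest endpoint information
        self.real_relay = {}                       # xid -> giaddr the router actually used

    def agent_report(self, mac, info):
        self.endpoints[mac] = dict(info)           # later reports supersede earlier ones

    def rewrite(self, data):
        """Alter a relayed client message (DISCOVER or REQUEST) according to the assessment."""
        pkt = parse(data)
        info = self.endpoints.get(pkt["mac"])      # no agent report at all: treat as failed
        # Assumed policy: the agent must report a running AV engine and patch level >= 3.
        ok = info is not None and bool(info.get("av_running")) and info.get("patch_level", 0) >= 3
        self.real_relay[pkt["xid"]] = pkt["giaddr"]
        opts = dict(pkt["options"])
        opts[OPT_ASSESSMENT] = b"\x01" if ok else b"\x00"        # claim 14: verdict as an option
        giaddr = RELAY_COMPLIANT if ok else RELAY_QUARANTINE     # abstract: giaddr steers the scope
        return build(pkt["op"], pkt["xid"], pkt["mac"], giaddr, ZERO, opts)

    def restore_offer(self, data):
        # Assumed return path (not on the page): put the router's real giaddr back at header
        # offset 24 so the server's OFFER actually reaches the relay the client sits behind.
        real = self.real_relay.pop(parse(data)["xid"], None)
        return data if real is None else data[:24] + real.packed + data[28:]

class DhcpServer:
    """Stock behaviour: choose the scope from giaddr, hand out the next free host."""
    def __init__(self):
        self.next_host = {relay: 10 for relay in SCOPES}   # assumed: leases start at .10

    def handle(self, data):
        pkt = parse(data)
        if pkt["options"].get(OPT_MSGTYPE) != bytes([DISCOVER]):
            raise ValueError("expected DHCPDISCOVER")
        relay = pkt["giaddr"]
        scope = SCOPES[relay]                      # KeyError for a relay we do not serve
        yiaddr = scope.network_address + self.next_host[relay]
        self.next_host[relay] += 1
        opts = {OPT_MSGTYPE: bytes([OFFER]), OPT_SERVERID: SERVER_IP.packed,
                OPT_SUBNET: scope.netmask.packed, OPT_ROUTER: relay.packed}
        if OPT_ASSESSMENT in pkt["options"]:       # echo the verdict back in the OFFER
            opts[OPT_ASSESSMENT] = pkt["options"][OPT_ASSESSMENT]
        return build(2, pkt["xid"], pkt["mac"], relay, yiaddr, opts)

def run_scenario():
    """Endpoint passes, then its agent reports AV stopped: the next DISCOVER lands in quarantine."""
    shim, server = Shim(), DhcpServer()
    mac = bytes.fromhex("001122334455")            # constructed endpoint MAC
    offers = []
    for xid, report in ((0x1234, {"av_running": True, "patch_level": 4}),
                        (0x1235, {"av_running": False, "patch_level": 4})):   # second report
        shim.agent_report(mac, report)
        disc = build(1, xid, mac, RELAY_COMPLIANT, ZERO, {OPT_MSGTYPE: bytes([DISCOVER])})
        offers.append(parse(shim.restore_offer(server.handle(shim.rewrite(disc)))))
    return [(str(o["yiaddr"]), str(o["giaddr"]), o["options"][OPT_ASSESSMENT]) for o in offers]
```

Three things a practitioner will want to check in a deployment of this pattern, all visible in the model: an endpoint with no agent report is treated as failing, so the default is the quarantine range rather than the restricted one; because the filter substitutes a relay address the router never used, it must put the real giaddr back on the DHCPOFFER or the reply goes nowhere; and the same rewrite has to be applied to DHCPREQUEST, since a relay-aware server selects the scope from giaddr on that message as well. The router's access control list, not the address assignment, is what enforces the boundary, so an endpoint that configures an address from the first range by hand bypasses the assessment unless the switch port or router also filters by source address.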