MULTIPLE SECURITY LAYERS FOR TIME-BASED NETWORK ADMISSION CONTROL

US 20100043066A1
Filed: 05/20/2009
Published: 02/18/2010
Est. Priority Date: 05/21/2008
Status: Abandoned Application

First Claim

Patent Images

1. A security apparatus for a computer-based network, the apparatus comprising:

an alerting system determining a current state of the computer-based network including any of an introduction, re-introduction, removal, or off-line condition of a network asset of the computer-based network;

a blocking system, in communication with the alerting system, preventing the network asset from gaining access to the computer-based network; and

a time engine providing time information to at least one of the alerting and blocking systems.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention include a computer method of controlling access to a computer-based network comprising: (i) receiving an indication of an attempt to gain access to a computer-based network; (ii) applying a respective network access control policy to determine whether to allow the attempt to gain access to the computer-based network at each of multiple security layers; and (iii) allowing or blocking the attempt to gain access through the security layer to the computer-based network based on the application of the respective network access control policy at each security layer. Other embodiments include a computer method of controlling access to a computer-based network comprising: (a) scanning a host computer for viruses; (b) temporarily disabling a firewall of the host computer during an audit; and (c) shutting down high risk services running on the host computer.

83 Citations

View as Search Results

22 Claims

1. A security apparatus for a computer-based network, the apparatus comprising:
- an alerting system determining a current state of the computer-based network including any of an introduction, re-introduction, removal, or off-line condition of a network asset of the computer-based network;
  
  a blocking system, in communication with the alerting system, preventing the network asset from gaining access to the computer-based network; and
  
  a time engine providing time information to at least one of the alerting and blocking systems.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The security apparatus as claimed in claim 1 wherein the alerting system determines the current state of the computer-based network by checking network assets at multiple layers, the layers including, but not limited to, at least one of:
    - health checks, such as common vulnerabilities and exposures (CVEs), anti-virus status, anti-malware status, patches installed;
      
      identity and policy enforcement agents;
      
      universal serial bus tokens;
      
      fingerprint scanners; and
      
      core signatures, the core signatures including, but not limited to;
      
      operating systems;
      
      network ports;
      
      applications;
      
      services;
      
      memory;
      
      internet protocol addresses;
      
      media access controller addresses;
      
      open or closed data ports such as infrared, wireless, keyboard, mouse, USB, and Bluetooth ports; and
      
      time.
  - 3. The security apparatus as claimed in claim 1 wherein the alerting system comprises:
    - an alerting engine applying network access control policies to network assets, checking health of network assets, and maintaining trusted user lists and access control systems.
  - 4. The security apparatus as claimed in claim 1 wherein the alerting system creates time schedules based on information from the time engine.
  - 5. The security apparatus as claimed in claim 4 wherein the blocking system uses time schedules of each network asset to determine when to block a network asset from the computer-based network.
  - 6. The security apparatus as claimed in claim 1 wherein the blocking engine prevents network assets from gaining access to the computer-based network at plural layers, the layers including, but not limited to, at least one of:
    - a denial-of-service stream;
      
      a smart switch;
      
      a physical Ethernet port;
      
      network ports and a firewall.
  - 7. The security apparatus as claimed in claim 1 wherein the blocking engine dynamically reconfigures access to the computer-based network to block malware, hackers, rogue devices, and malicious insiders by terminating all or part of their network access.
  - 8. The security apparatus as claimed in claim 1 wherein the blocking system includes:
    - a network manager blocking engine that controls access to network assets based on network access control policies.
  - 9. The security apparatus as claimed in claim 8 wherein the blocking system includes:
    - a host manager blocking engine blocking access to local assets by communicating securely with agent or client software based on network access control policies;
      
      a countermeasures communications engine dynamically reconfiguring countermeasures to enforce network access control policies; and
      
      a policy and compliance subsystem maintaining tables for changing group policy information of the network access control policies.
  - 10. The security apparatus as claimed in claim 1 wherein the time engine is used to create, enable, and track schedules of network access control.
  - 11. The security apparatus as claimed in claim 10 wherein the schedules are set so that the security apparatus only grants access to network assets based on at least one of:
    - specified time intervals;
      
      current time;
      
      device identification; and
      
      user identification.
  - 12. The security apparatus as claimed in claim 1 further including:
    - a correction system in communication with at least one of the alerting system, the blocking system, and the time engine, the correction system providing correction of the network problem.
  - 13. The security apparatus as claimed in claim 12 wherein the correction system records time stamps associated with when the network problem was discovered and when the network problem was corrected.
  - 14. The security apparatus as claimed in claim 12 wherein the correction system includes at least one of:
    - a network manager correction engine correcting information related to network assets based on network access control policies;
      
      a host manager correction engine correcting local issues by communicating securely with agent or client software based on network access control policies;
      
      a correction communications engine dynamically resolving network problems to create a healthier network environment and to enforce network access control policies; and
      
      a vulnerabilities subsystem maintaining information relating to vulnerabilities of network assets.
  - 15. The security apparatus as claimed in claim 1 further comprising:
    - an interface enabling a user to apply policy templates and policies relating to network access control decisions including alerting determinations and blocking access to selected network assets.
  - 16. The security apparatus as claimed in claim 15 wherein enabling a user to apply templates and policies includes allowing the user to set thresholds and measures around a state of health of a network asset.
  - 17. The security apparatus as claimed in claim 15 wherein the policy templates include compliance templates, pre-defined templates, and user-defined templates.
  - 18. The security apparatus as claimed in claim 1 further including:
    - a network sniffer scanning connection interfaces of network assets to the computer-based network.
  - 19. The security apparatus as claimed in claim 1 further including:
    - an energy conservation interface placing a network asset in a power down, standby, or hibernate mode to reduce emissions.

20. A computer method of controlling access to a computer-based network, the method comprising:
- receiving an indication of an attempt to gain access to a computer-based network;
  
  at each of multiple security layers, applying a respective network access control policy to determine whether to allow the attempt to gain access to the computer-based network; and
  
  based on the application of the respective network access control policy at each security layer, allowing or blocking the attempt to gain access through the security layer to the computer-based network.
- View Dependent Claims (21, 22)
- - 21. The computer method as claimed in claim 20 wherein applying the respective network access control policy includes at least one of:
    - determining whether the attempt to gain access is occurring during an allowed access time;
      
      determining whether the attempt to gain access is occurring from an allowed physical location or on an allowed network asset;
      
      authenticating a token associated with a particular user or a particular network asset; and
      
      determining whether the attempt to gain access is directed towards a selected network asset.
  - 22. The computer method as claimed in claim 20 further including:
    - recording when the attempt to gain access to the computer-based network occurs; and
      
      logging the attempt to gain access to the computer-based network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetClarity, Inc. (Jacobs Solutions, Inc.)
Original Assignee
NetClarity, Inc. (Jacobs Solutions, Inc.)
Inventors
Miliefsky, Gary S.

Application Number

US12/469,173
Publication Number

US 20100043066A1
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/1441 Countermeasures against mal...

MULTIPLE SECURITY LAYERS FOR TIME-BASED NETWORK ADMISSION CONTROL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

83 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

MULTIPLE SECURITY LAYERS FOR TIME-BASED NETWORK ADMISSION CONTROL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others