Techniques for Authenticated Posture Reporting and Associated Enforcement of Network Access

US 20100071032A1
Filed: 07/23/2009
Published: 03/18/2010
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving posture information, at a remote device via a network interface, for an endpoint;

determining network access policies for the endpoint based on the posture information; and

enforcing the network access policies.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.

39 Citations

View as Search Results

30 Claims

1. A method comprising:
- receiving posture information, at a remote device via a network interface, for an endpoint;
  
  determining network access policies for the endpoint based on the posture information; and
  
  enforcing the network access policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein enforcing the network access policies comprises applying network access limitations from the remote device by components of the endpoint.
  - 3. The method of claim 1, wherein enforcing the network access policies comprises applying a default access control limitation if no access control limitations have been sent to the endpoint from the remote device.
  - 4. The method of claim 3, wherein if a network access control list provided by the endpoint satisfies constraints specified by the remote device, the method further comprising selectively applying the network access control list provided by the endpoint.
  - 5. The method of claim 1, wherein the remote device comprises a network access policy decision point (PDP).
  - 6. The method of claim 1, wherein the network access policies comprise one or more access control lists (ACLs) received from the remote device.
  - 7. The method of claim 6, wherein at least one of the one or more access control lists from the remote device include usage constraints related to one or more of:
    - location of the endpoint, type of connection, time of day, firmware agent mode, endpoint electronic device mode.
  - 8. The method of claim 7, wherein the at least one access control list is cryptographically bound to a pre-selected configuration of the endpoint and/or a firmware agent resident on the endpoint.
  - 9. The method of claim 1, wherein a secure connection is established between the remote device and a trusted firmware agent resident on the endpoint via the network interface, wherein the endpoint includes an untrustworthy component.
  - 10. The method of claim 9, wherein the untrustworthy component comprises a hardware platform running an untrusted operating system.
  - 11. The method of claim 9, wherein the secured connection established between the remote device and the trusted firmware agent comprises cryptographically binding the remote device and the firmware agent.
  - 12. The method of claim 9, further comprising cryptographically binding the firmware agent with a trusted platform module resident on the endpoint through, at least in part, generation, storage and certification of cryptographic keys used in cryptographic binding of the firmware agent to the remote device.

13. An article comprising a computer-readable medium having stored thereon instructions that, when executed, cause one or more processors to:
- receive posture information, at a remote device via a network interface, for an endpoint;
  
  determine network access policies for the endpoint based on the posture information; and
  
  enforce the network access policies.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The article of claim 13, wherein to enforce the network access policies comprises to apply network access limitations from the remote device by components of the endpoint.
  - 15. The method of claim 13, wherein to enforce the network access policies comprises to apply a default access control limitation if no access control limitations have been sent to the endpoint from the remote device.
  - 16. The method of claim 15, wherein if a network access control list provided by the endpoint satisfies constraints specified by the remote device, the article further comprising instructions to selectively apply the network access control list provided by the endpoint.
  - 17. The article of claim 13, wherein the remote device comprises a network access policy decision point (PDP).
  - 18. The article of claim 13, wherein the network access policies comprise one or more access control lists (ACLs) received from the remote device.
  - 19. The article of claim 18, wherein at least one of the one or more access control lists from the remote device includes usage constraints related to one or more of location of the endpoint, type of connection, time of day, firmware agent mode, endpoint electronic device mode.
  - 20. The article of claim 19, wherein the at least one access control list is cryptographically bound to a pre-selected configuration of the endpoint and/or a firmware agent resident on the endpoint.
  - 21. The article of claim 13, wherein a secure connection is established between the remote device and a trusted firmware agent resident on the endpoint via the network interface, wherein the endpoint includes an untrustworthy component.
  - 22. The article of claim 21, wherein the untrustworthy component comprises a hardware platform running an untrusted operating system.
  - 23. The article of claim 21, wherein the secured connection established between the remote device and the trusted firmware agent comprises cryptographically binding the remote device and the firmware agent.
  - 24. The article of claim 21, further comprising instructions to cryptographically bind the firmware agent with a trusted platform module resident on the endpoint through, at least in part, generation, storage and certification of cryptographic keys used in cryptographic binding of the firmware agent to the remote device.

25. An apparatus comprising:
- an endpoint coupled to a network interface to support one or more software agents;
  
  a firmware agent coupled to the endpoint and the network interface to gather posture information from one or more security agents, to transmit a report including the posture information to a remote device via the network interface, and to configure the network interface according to network access control information received from the remote device via the network interface.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The apparatus of claim 25 wherein at least one of the security agents comprises a hardware agent coupled with the endpoint.
  - 27. The apparatus of claim 25 wherein the remote device comprises a network access policy decision point (PDP).
  - 28. The apparatus of claim 25 wherein the network access control information comprises one or more access control lists (ACLs) received from the remote device.
  - 29. The apparatus of claim 28 wherein at least one of the one or more accesw control lists from the remote device include usage constraints related to one or more of:
    - location of the endpoint, type of connection, time of day, firmware agent mode, endpoint device mode.
  - 30. The apparatus of claim 29 wherein the at least one access control list is cryptographically bound to a pre-selected configuration of the firmware agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
David Durham, Kapil Sood, Karanvir Grewal, Ned Smith, Ravi Sahita
Original Assignee
David Durham, Kapil Sood, Karanvir Grewal, Ned Smith, Ravi Sahita
Inventors
Grewal, Karanvir, Sood, Kapil, Sahita, Ravi, Durham, David, Smith, Ned

Granted Patent

US 8,671,439 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0209   Architectural arrangements,...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Techniques for Authenticated Posture Reporting and Associated Enforcement of Network Access

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Techniques for Authenticated Posture Reporting and Associated Enforcement of Network Access

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others