Hierarchical Trust Based Posture Reporting and Policy Enforcement

US 20100162356A1
Filed: 03/01/2010
Published: 06/24/2010
Est. Priority Date: 03/31/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point;

establishing a secure communication channel over an other communication link, the other communication link between at least the policy enforcement point and a manageability engine; and

forwarding the posture information to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point, the policy decision point to indicate what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method that includes initiating a network access request from an access requester on a platform that couples to a network, the network access request made to a policy decision point for the network. The method also includes establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point on the platform. Another secure communication channel is established over another communication link. The other communication link is between at least the policy enforcement point and a manageability engine resident on the platform. The manageability engine forwards posture information associated with the access requester via the other secure communication channel. The posture information is then forwarded to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point. The policy decision point indicates what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies.

Citations

17 Claims

1. A method comprising:
- establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point;
  
  establishing a secure communication channel over an other communication link, the other communication link between at least the policy enforcement point and a manageability engine; and
  
  forwarding the posture information to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point, the policy decision point to indicate what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, the manageability engine to forward posture information associated with the access requester and the manageability engine, the posture information to be forwarded via the secure communication channel between the manageability engine and the policy enforcement point.
  - 3. The method according to claim 1, further comprising:
    - configuring a data traffic filter on a communication link that couples the platform to the network, the data traffic filter configured by the manageability engine based on a default network administrative policy, configuring the data traffic filter to occur prior to forwarding the posture information to the policy decision point, wherein configuring the data traffic filter establishes a first hierarchical trust layer to access the network.
  - 4. The method according to claim 3, wherein the default network administrative policy includes configuring the data traffic filter to allow only control data traffic to establish a secure communication channel on the communication link.
  - 5. The method according to claim 3 further comprising:
    - reconfiguring the data traffic filter based at least in part on what access was indicated by the policy decision point, wherein reconfiguring the data traffic filter establishes a second hierarchical trust layer to access the network.
  - 6. The method according to claim 3 further comprising:
    - receiving the indication of what access the access requester can obtain to the network; and
      
      implementing a remediation action based on the indication not granting the level of network access the access requester is seeking, wherein implementing the remediation action establishes a second hierarchical trust layer to access the network.
  - 7. The method according to claim 6, wherein the remediation action is to include at least one remediation action selected from the following group of:
    - updating anti-virus software, downloading a patch from a server, installing given software and implementing an access control policy by configuring the data traffic filter on the communication link that couples the platform to the network.
  - 8. The method according to claim 1, wherein the access requester comprises a capability operation system and the policy enforcement point is part of a service operation system, the capability operation system and the service operation system to operate on different partitions on the platform, each partition to use platform resources independently.
  - 9. The method according to claim 1, wherein the posture information associated with the access requester is based on integrity measurements of the access requester, the integrity measurements to include at least one integrity measurement selected from the following group of:
    - an anti-virus parameter, a firewall status, a software version, a hardware status, a log file and an existence of given software in a memory on the platform.
  - 10. The method according to claim 1, wherein the one or more network administrative policies include at least one policy selected from the following group of:
    - an access control list policy, an outbreak containment policy, an intrusion detection policy and a monitoring policy.
  - 11. The method according to claim 1, wherein establishing the secure communication channel between the policy decision point and the policy enforcement point includes establishing the secure communication channel using IEEE 802.1X communication protocols.
  - 12. The method according to claim 1, wherein establishing the secure communication channel between the policy enforcement point and the manageability engine includes establishing the secure communication channel using extensible markup language (XML) signatures.

13. A manageability engine comprising:
- a memory;
  
  a plurality of input/output (I/O) interfaces;
  
  security logic coupled with the memory, the security logic having at least a posture feature and a cryptographic feature;
  
  control logic coupled with the security logic, the memory, and the plurality of I/O interfaces, the control logic to establish a secure communication channel via a communication link through a first I/O interface with a policy enforcement agent, to obtain posture information associated with the manageability engine from the posture feature and an access requester;
  
  the cryptographic feature to cryptographically sign the posture information with a secret key maintained in the memory; and
  
  the control logic to forward the cryptographically signed posture information to the policy enforcement agent via the secure communication channel, the cryptographically signed posture information to be forwarded to a policy decision point for the network via another secure communication channel established between the policy enforcement agent and the policy decision point, wherein the policy decision point is to indicate what access the access requester can obtain to the network based on a comparison of the posture information to a network administrative policy.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The manageability engine according to claim 13, the control logic to further to configure a data traffic filter on a communication link that couples the platform to the network, the data traffic filter configured by the control logic based on a default network administrative policy that allows only control data traffic to pass through the data traffic filter, the control data traffic to include authentication information, wherein to establish a first hierarchical trust layer to access the network, the control logic is to configure the data traffic filter prior to forwarding the cryptographically signed posture information to the policy decision point.
  - 15. The apparatus according to claim 13, the cryptographic feature to cryptographically sign the posture information comprises the security logic to include a nonce with the posture information, the nonce to include a time-sensitive, randomly generated number, the logic to cryptographically sign both the posture information and the nonce, wherein the indication of what access the access requester can obtain to the network is cryptographically signed by the policy decision point, the cryptographically signed indication to also include the nonce, the cryptographically signed indication to be decoded by the manageability engine, the security logic to authenticate that the indication is associated with the cryptographically signed posture information based on the nonce included with the indication matching the nonce included with the posture information.
  - 16. The apparatus according to claim 13, wherein the posture information associated with the access requester and the manageability engine is based on integrity measurements of the access requester and the manageability engine, the integrity measurements to include at least one integrity measurement selected from the following group of:
    - an anti-virus parameter, a firewall status, a software version, a hardware status, a log file and an existence of given software in a memory on the platform.
  - 17. The apparatus according to claim 13, wherein the secure communication channel established with the policy enforcement point is established using extensible markup language (XML) signatures.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
David Durham, Hormuzd Khosravi, Karanvir Grewal
Original Assignee
David Durham, Hormuzd Khosravi, Karanvir Grewal
Inventors
Khosravi, Hormuzd, Durham, David, Grewal, Karanvir

Granted Patent

US 8,555,348 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

Hierarchical Trust Based Posture Reporting and Policy Enforcement

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Hierarchical Trust Based Posture Reporting and Policy Enforcement

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links