MANIPULATION OF DHCP PACKETS TO ENFORCE NETWORK HEALTH POLICIES
Abstract
A facility for causing a device connected to a network that is configured to act as a DHCP server to enforce network health policies against hosts connected to the network is described. The device intercepts network packets sent to a DHCP server from any host connected to the network. For each of at least a portion of these intercepted network packets that contain a statement of health, the facility (1) applies a health policy to the contained statement of health to identify any network access controls required by the health policy in view of the contained statement of health, and (2) causes the identified network access controls to be imposed on the host from which the intercepted network packet was received.
27 Claims
1. A computer-readable medium whose contents are capable of causing a device connected to a network that is not configured to act as a DHCP server to perform a method for enforcing network health policies against hosts connected to the network, the method comprising:
- intercepting network packets sent to a DHCP server from any host connected to the network; and
- for each of at least a portion of the intercepted network packets sent to a DHCP server that contain a statement of health:
  - applying a health policy to the contained statement of health to identify any network access controls required by the health policy in view of the contained statement of health; and
  - causing the identified network access controls to be imposed on the host from which the intercepted network packet was received.

(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
13. A networking device comprising:
- an interface for connecting to a plurality of devices;
- a first interception subsystem that intercepts datagrams of a first type sent from devices connected to the interface that contain statements of health, each intercepted datagram of the first type specifying a destination device;
- a removal subsystem that removes each statement of health contained by a datagram intercepted by the first interception subsystem; and
- a first forwarding subsystem that forwards each datagram of the first type intercepted by the first interception subsystem to the destination device specified by the datagram, wherein the forwarded datagram is the datagram after removal of its statement of health by the removal subsystem.

(Dependent claims: 14, 15, 16, 17, 18)
19. A method in a computing system, comprising:
- intercepting a packet sent by a device and addressed to a network server;
- extracting from the intercepted packet information about the health of the sending device; and
- forwarding a version of the intercepted packet from which the extracted information has been removed to the network server.

(Dependent claims: 20, 21)
22. A method in a computing system, comprising:
- intercepting a DHCP packet containing DHCP options sent by a device and addressed to a DHCP server;
- parsing all of the DHCP options contained by the packet;
- for each of one or more selected DHCP options among the parsed DHCP options, modifying the DHCP option, to obtain a modified DHCP packet; and
- forwarding the modified DHCP packet to the DHCP server to which the intercepted DHCP packet was addressed.

(Dependent claims: 23, 24, 25)
26. A networking hardware device conveying a DHCP request data structure relating to an original DHCP request data structure generated by a sender network node, the original DHCP request data structure comprising:
- information identifying the sender network node;
- information requesting assignment of a dynamic network address to the sender network node; and
- information conveying health attribute values of the sender network node,

the DHCP request data structure comprising:
- the information identifying a sender network node; and
- the information requesting assignment of a dynamic network address to the sender network node,

the DHCP request data structure omitting the information conveying health attribute values of the sender network node, such that a receiver of the DHCP request data structure can respond to a request for some of a dynamic network address without receiving the information conveying health attribute values of the sender network node.
27. One or more computer memories collectively storing a DHCP response data structure relating to an original DHCP response data structure generated by a DHCP server, the original DHCP response data structure comprising:
- information identifying a network node; and
- information specifying a dynamic network address assigned to the identified network node,

the original DHCP response data structure omitting any information specifying network health remediation instructions to be carried out by the identified network node, the DHCP response data structure comprising:
- information identifying a network node;
- information specifying a dynamic network address assigned to the identified network node; and
- information specifying network health remediation instructions to be carried out by the identified network node,

such that, when the DHCP response data structure is received by the identified network node, the identified network node can carry out the network health remediation instructions despite the fact that they were not included in the original DHCP response data structure generated by the DHCP server.
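The option handling that claims 19, 22, 26 and 27 describe (parse every DHCP option, drop the statement-of-health option before the request is forwarded to the DHCP server, append remediation instructions to the response on its way back) is shown below as an added Python example; it is not the patent's or any vendor's implementation. The page does not name the option codes that carry the statement of health or the remediation instructions, so the codes 224 and 225 from the site-specific range are assumptions made here, and every packet byte is constructed for the demonstration. Option overload (option 52) is not handled.

```python
"""Parse the DHCP options area and rebuild a packet with options removed or added.

Added example, not the patent's own code. SOH_OPTION and REMEDIATION_OPTION are
assumed codes (site-specific range) because the page gives no option numbers.
"""
from __future__ import annotations

MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236        # op .. file fields of the BOOTP/DHCP header
OPTIONS_START = FIXED_HEADER_LEN + len(MAGIC_COOKIE)
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53
SOH_OPTION = 224              # assumed: option carrying the statement of health
REMEDIATION_OPTION = 225      # assumed: option carrying remediation instructions


def parse_options(packet: bytes) -> list[tuple[int, bytes]]:
    """Return (code, value) pairs from the options area, in wire order.

    Pad (0) bytes are skipped and End (255) terminates the walk. A length byte
    that runs past the end of the packet is reported as malformed rather than
    silently truncated: a policy decision must not be based on a half-read option.
    """
    if len(packet) < OPTIONS_START or packet[FIXED_HEADER_LEN:OPTIONS_START] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts: list[tuple[int, bytes]] = []
    i = OPTIONS_START
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 1 >= len(packet):
            raise ValueError(f"option {code} is missing its length byte")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} declares {length} bytes but packet ends early")
        opts.append((code, value))
        i += 2 + length
    raise ValueError("options area not terminated by an End option")


def build_options(opts: list[tuple[int, bytes]]) -> bytes:
    """Serialise (code, value) pairs as TLVs and terminate with End."""
    out = bytearray()
    for code, value in opts:
        if not 1 <= code <= 254 or len(value) > 255:
            raise ValueError("option code or length out of range")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def rewrite_packet(packet: bytes, remove: tuple[int, ...] = (),
                   insert: tuple[tuple[int, bytes], ...] = ()) -> bytes:
    """Copy of packet with the codes in `remove` dropped and `insert` pairs appended.

    The fixed header and cookie are kept byte-for-byte, so the DHCP server still
    sees the sender's identity (chaddr, xid) and its address request unchanged.
    """
    kept = [(c, v) for c, v in parse_options(packet) if c not in set(remove)]
    return packet[:OPTIONS_START] + build_options(kept + list(insert))


def make_request(soh: bytes) -> bytes:
    """Constructed sample DHCPREQUEST: op=1, htype=1, hlen=6, all other header fields zero."""
    header = bytes([1, 1, 6, 0]) + b"\x00" * 232
    return header + MAGIC_COOKIE + build_options([(OPT_MSG_TYPE, b"\x03"), (SOH_OPTION, soh)])


def make_response(yiaddr: bytes) -> bytes:
    """Constructed sample DHCPACK: op=2, assigned address in yiaddr (bytes 16..20)."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * 12 + yiaddr + b"\x00" * 216
    return header + MAGIC_COOKIE + build_options([(OPT_MSG_TYPE, b"\x05")])


if __name__ == "__main__":
    request = make_request(b"SOH-sample")
    print("client request options:", parse_options(request))
    # Claims 19/22/26: forward the request to the DHCP server without the health data.
    forwarded = rewrite_packet(request, remove=(SOH_OPTION,))
    print("forwarded to server:   ", parse_options(forwarded))
    # Claim 27: add remediation instructions to the server's response for the client.
    response = make_response(bytes([192, 0, 2, 10]))
    patched = rewrite_packet(response, insert=((REMEDIATION_OPTION, b"update-av"),))
    print("response to client:    ", parse_options(patched))
```

Running the module strips the assumed statement-of-health option from the request while leaving the 240 header bytes intact, then appends the assumed remediation option to a constructed DHCPACK; a malformed option whose length runs past the packet raises `ValueError` instead of being forwarded.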