MANIPULATION OF DHCP PACKETS TO ENFORCE NETWORK HEALTH POLICIES

US 20100281159A1
Filed: 03/31/2010
Published: 11/04/2010
Est. Priority Date: 03/31/2009
Status: Abandoned Application

First Claim

Patent Images

1. A computer-readable medium whose contents are capable of causing a device connected to a network that is not configured to act as a DHCP server to perform a method for enforcing network health policies against hosts connected to the network, the method comprising:

intercepting network packets sent to a DHCP server from any host connected to the network; and

for each of at least a portion of the intercepted network packets sent to a DHCP server that contain a statement of health;

applying a health policy to the contained statement of health to identify any network access controls required by the health policy in view of the contained statement of health; and

causing the identified network access controls to be imposed on the host from which the intercepted network packet was received.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A facility for causing a device connected to a network that is configured to act as a DHCP server to enforce network health policies against hosts connected to the network is described. The device intercepts network packets sent to a DHCP server from any host connected to the network. For each of at least a portion of these intercepted network packets that contain a statement of health, the facility (1) applies a health policy to the contained statement of health to identify any network access controls required by the health policy in view of the contained statement of health, and (2) causes the identified network access controls to be composed on the host from which the intercepted network packet was received.

Citations

27 Claims

1. A computer-readable medium whose contents are capable of causing a device connected to a network that is not configured to act as a DHCP server to perform a method for enforcing network health policies against hosts connected to the network, the method comprising:
- intercepting network packets sent to a DHCP server from any host connected to the network; and
  
  for each of at least a portion of the intercepted network packets sent to a DHCP server that contain a statement of health;
  
  applying a health policy to the contained statement of health to identify any network access controls required by the health policy in view of the contained statement of health; and
  
  causing the identified network access controls to be imposed on the host from which the intercepted network packet was received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-readable medium of claim 1 wherein the identified network access controls each specify handling for one or more types of traffic, and wherein the device causes the identified network access controls to be imposed on each host for which network access controls have been identified by:
    - intercepting traffic from the host of any of the types specified by network access controls identified for the host; and
      
      handling the intercepted traffic in accordance with the network access controls identified for the host.
  - 3. The computer-readable medium of claim 2 wherein the handling comprises modifying the intercepted traffic before forwarding it to its destination.
  - 4. The computer-readable medium of claim 2 wherein the handling comprises omitting to forward the intercepted traffic to its destination.
  - 5. The computer-readable medium of claim 2 wherein the handling comprises forwarding the intercepted traffic to its destination unchanged if contents of the intercepted traffic satisfy a condition associated with the network access controls identified for the host.
  - 6. The computer-readable medium of claim 2 wherein the handling comprises forwarding a modified copy of the intercepted traffic to its destination if contents of the intercepted traffic satisfy a condition associated with the network access controls identified for the host.
  - 7. The computer-readable medium of claim 2 wherein the handling comprises omitting to forward the intercepted traffic to its destination if contents of the intercepted traffic satisfy a condition associated with the network access controls identified for the host.
  - 8. The computer-readable medium of claim 1 wherein the device causes the identified network access controls to be imposed on each host for which network access controls have been identified by forwarding to a policy enforcement device attached to the network that is distinct from the device performing the method, for each host for which network access controls have been identified, (a) information identifying the host, and (b) an indication of the network access controls identified for the host.
  - 9. The computer readable medium of claim 1, further comprising, for each of the intercepted network packets sent to a DHCP server that contain a statement of health, forwarding a copy of the intercepted network packet from which the statement of health has been removed to the DHCP server to which the intercepted network packet was addressed.
  - 10. The computer-readable medium of claim 1, the method further comprising:
    - for each of at least a portion of the intercepted network packets sent to a DHCP server that contain a statement of health, generating a statement of health response for the host from which the intercepted network packet was received;
      
      intercepting network packets sent from a DHCP server to any host connected to the network; and
      
      for each intercepted network packet sent from a DHCP server to a host for which a statement of health response has been received, forwarding to the host a copy of the intercepted network packet to which the generated statement of health response has been added.
  - 11. The computer-readable medium of claim 1, the method further comprising:
    - intercepting network packets sent from a DHCP server to any host connected to the network; and
      
      for each of at least a portion of the intercepted network packets sent to a DHCP server that do not contain a statement of health, when a network packet sent from a DHCP server to any host connected to the host is intercepted, forwarding to the host a copy of the intercepted network packet to which has been added an indication that the DHCP server from which the network packet was sent can process statements of health.
  - 12. The computer-readable medium of claim 1 wherein the method is only performed in response to determining that no NAP server is operating in the network.

13. A networking device comprising:
- an interface for connecting to a plurality of devices;
  
  a first interception subsystem that intercepts datagrams of a first type sent from devices connected to the interface that contain statements of health, each intercepted datagram of the first type specifying a destination device;
  
  a removal subsystem that removes each statement of health contained by a datagram intercepted by the first interception subsystem; and
  
  a first forwarding subsystem that forwards each datagram of the first type intercepted by the first interception subsystem to the destination device specified by the datagram, wherein the forwarded datagram is the datagram after removal of its statement of health by the removal subsystem.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The networking device of claim 13, further comprising a storage subsystem that stores each removed statement of health together with information identifying the device that sent the datagram from which the statement of health was removed.
  - 15. The networking device of claim 13, further comprising a distribution subsystem that forwards to a connected device each removed statement of health together with information identifying the device that sent the datagram from which the statement of health was removed.
  - 16. The networking device of claim 13, further comprising a health policy management subsystem that, for each statement of health removed by the removal subsystem, applies a set of health policies to the statement of health to produce a health policy decision for the device from which the datagram from which the statement of health was removed was sent.
  - 17. The networking device of claim 13, further comprising a health policy enforcement subsystem that, for each health policy decision produced by applying a set of health policies to the statement of health for the device from which the datagram from which the statement of health was removed was sent, enforcing the health policy decision against the device.
  - 18. The networking device of claim 13, further comprising:
    - a second interception subsystem that intercepts datagrams of a second type sent to devices connected to the interface, each intercepted datagram of the second type specifying a destination device;
      
      an addition subsystem that adds to each of at least a portion of the datagrams of the second type intercepted by the second interception subsystem a statement of health response reflecting a health policy decision produced for the destination device specified by the datagram of the second type; and
      
      a second forwarding subsystem that forwards each datagram of the second type intercepted by the second interception subsystem to the destination device specified by the datagram, wherein the forwarded datagram is the datagram after addition of any statement of health response by the addition subsystem.

19. A method in a computing system, comprising:
- intercepting a packet sent by a device and addressed to a network server;
  
  extracting from the intercepted packet information about the health of the sending device; and
  
  forwarding a version of the intercepted packet from which the extracted information has been removed to the network server.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19, further comprising, on the basis of the extracted health information, determining that the sending device should be denied access to at least one network resource.
  - 21. The method of claim 19, further comprising, on the basis of the determination, denying the sending device access to at least one network resource.

22. A method in a computing system, comprising:
- intercepting a DHCP packet containing DHCP options sent by a device and addressed to a DHCP server;
  
  parsing all of the DHCP options contained by the packet;
  
  for each of one or more selected DHCP options among the parsed DHCP options, modifying the DHCP option, to obtain a modified DHCP packet;
  
  forwarding the modified DHCP packet to the DHCP server to which the intercepted DHCP packet was addressed.
- View Dependent Claims (23, 24, 25)
- - 23. The method of claim 22 wherein, for at least one of the selected DHCP options, modifying the DHCP option comprises deleting the DHCP option.
  - 24. The method of claim 22 wherein, for each of at least one of the selected DHCP options, the DHCP option has contents, andwherein, for each of at least one of the selected DHCP options having contents, modifying the DHCP option comprises modifying the contents of the DHCP option.
  - 25. The method of claim 22, further comprising, as part of obtaining the modified DHCP packet, adding to the DHCP packet a DHCP option that contained by the DHCP packet at the time of its interception.

26. A networking hardware device conveying a DHCP request data structure relating to an original DHCP request data structure generated by a sender network node, the original DHCP request data structure comprising:
- information identifying the sender network node;
  
  information requesting assignment of a dynamic network address to the sendernetwork node; and
  
  information conveying health attribute values of the sender network node,the DHCP request data structure comprising;
  
  the information identifying a sender network node; and
  
  the information requesting assignment of a dynamic network address to the sender network node,the DHCP request data structure omitting the information conveying health attribute values of the sender network node,such that a receiver of the DHCP request data structure can respond to a request for some of a dynamic network address without receiving the information conveying health attribute values of the sender network node.

27. One or more computer memories collectively storing a DHCP response data structure relating to an original DHCP response data structure generated by a DHCP server, the original DHCP response data structure comprising:
- information identifying a network node; and
  
  information specifying a dynamic network address assigned to the identified network node,the original DHCP response data structure omitting any information specifying network health remediation instructions to be carried out by the identified network node,the DHCP response data structure comprising;
  
  information identifying a network node;
  
  information specifying a dynamic network address assigned to the identified network node; and
  
  information specifying network health remediation instructions to be carried out by the identified network node,such that, when the DHCP response data structure is received by the identified network node, the identified network node can carry out the network health remediation instructions despite the fact that they were not included in the original DHCP response data structure generated by the DHCP server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Christopher Boscolo, Paul Forgey
Original Assignee
Christopher Boscolo, Paul Forgey
Inventors
Boscolo, Christopher, Forgey, Paul

Application Number

US12/752,045
Publication Number

US 20100281159A1
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 63/20 for managing network securi...

MANIPULATION OF DHCP PACKETS TO ENFORCE NETWORK HEALTH POLICIES

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

MANIPULATION OF DHCP PACKETS TO ENFORCE NETWORK HEALTH POLICIES

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links