HOST STATE MONITORING

US 20110055907A1
Filed: 10/06/2009
Published: 03/03/2011
Est. Priority Date: 09/03/2009
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to a network, the method performed by a data processing apparatus, the method comprising:

defining a state machine in a memory of the data processing apparatus, the state machine comprising a plurality of states, and wherein network access for a host device is controlled in each state according to one or more network access zones associated with the state, each network access zone defining network access capabilities for the host device;

monitoring, by the data processing apparatus, host devices attempting to access the network and host devices that have access to the network;

transitioning, for each host device, a state of the host based on the monitoring and a current state of the host;

storing in the memory of the data processing apparatus, for each monitored host device attempting to access the network or that has access to the network;

host attributes of the host device that identify the host; and

the state of the host; and

controlling network access of the host device according to the one or more network access zones associated with the state of the host device.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for a host state machine. In one aspect, the method includes defining a state machine in a memory of a data processing apparatus, the state machine comprising a plurality of states, and wherein network access for a host device is controlled in each state according to one or more network access zones associated with the state, each network access zone defining network access capabilities for the host device; monitoring, by the data processing apparatus, host devices attempting to access the network and host devices that have access to the network; and transitioning, for each host device, a state of the host based on the monitoring and a current state of the host.

Citations

20 Claims

1. A method for controlling access to a network, the method performed by a data processing apparatus, the method comprising:
- defining a state machine in a memory of the data processing apparatus, the state machine comprising a plurality of states, and wherein network access for a host device is controlled in each state according to one or more network access zones associated with the state, each network access zone defining network access capabilities for the host device;
  
  monitoring, by the data processing apparatus, host devices attempting to access the network and host devices that have access to the network;
  
  transitioning, for each host device, a state of the host based on the monitoring and a current state of the host;
  
  storing in the memory of the data processing apparatus, for each monitored host device attempting to access the network or that has access to the network;
  
  host attributes of the host device that identify the host; and
  
  the state of the host; and
  
  controlling network access of the host device according to the one or more network access zones associated with the state of the host device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the states comprise:
    - an initial preadmission state during which the data processing apparatus sends host information collection queries to the host device to receive host attributes from the host device in response;
      
      a host detection preadmission state during which the data processing apparatus determines a host status based on the host attributes of the host;
      
      a user detection preadmission state during which a user identifier associated with the host device is mapped to a user role associated with a corresponding network access zone; and
      
      a post admission state during which the host device is granted access to the network according to a one of a plurality of network access zones; and
      
      transitioning the state of the host device based on the monitoring and the state of the host comprises;
      
      transitioning the state of the host device to the initial preadmission state when the host attributes stored in the memory are a new entry in the memory for the host device;
      
      transitioning the state of the host device to the user detection preadmission state from the initial preadmission state or the host detection preadmission state when an identity-based access control process is enabled for the host device and a user identifier for the host device has been determined;
      
      transitioning the state of the host device to the host detection preadmission state from the initial preadmission state when the identity-based access control process is enabled for the host device and host attributes of the host are not received in response to host information collection queries or a media access control address is received in a data link layer detection mode;
      
      transitioning the state of the host device from the host detection preadmission state to the post admission state when the host is determined to be a managed host or the host is determined to be an unmanaged host with a pre-determined health level that is acceptable for transition to the post admission state; and
      
      transitioning the state of the host device from the user detection preadmission state to the post admission state when the user identifier is mapped to a user role associated with a corresponding network access zone and further network accesses control for this role is disabled.
  - 3. The method of claim 2, wherein transitioning the state of the host device based on the monitoring and the state of the host device further comprises transitioning the state of the host device from the user detection preadmission state to the host detection preadmission state when the user identifier is mapped to a user role and further network accesses control for the user role is enabled.
  - 4. The method of claim 2, wherein transitioning the state of the host device based on the monitoring and the state of the host device further comprises transitioning the state of the host device from the post admission state to the user detection preadmission state when a user logout of the host device is detected.
  - 5. The method of claim 2, wherein:
    - the states further comprise a secure guest preadmission state during which HTTP traffic from the host device is directed to a guest access portal managed by the data processing apparatus and which causes the host device to generate a user login and password prompt and receive a user identifier and password in response; and
      
      wherein transitioning the state of the host device based on the monitoring and the state of the host device further comprises;
      
      transitioning from the initial preadmission state to the secure guest preadmission state when the identity based access-control process for the host device is enabled and the host attributes received for the host device indicate that the host device is not a member of a predefined directory or a user identifier for the host is not determined from the received host attributes; and
      
      transitioning from the secure guest preadmission state to the user detection preadmission state when the user identifier is determined.
  - 6. The method of claim 2, wherein:
    - the states further comprise a remediate preadmission state during which HTTP traffic from the host device is directed to a remediate portal managed by the data processing apparatus and which caused an agent to be downloaded to the host device, the agent being configured to provide health data indicating a health level of the host device; and
      
      wherein transitioning the state of the host device based on the monitoring and the state of the host device further comprises;
      
      transitioning from the initial preadmission state to the remediate preadmission state when the host is determined to be an unmanaged host with an unknown health level; and
      
      transitioning from the remediate preadmission state to the post admission state when the host device is determined, from the health data provided by the agent, to have health level that is acceptable for transition to the post admission state.
  - 7. The method of claim 6, wherein transitioning the state of the host device based on the monitoring and the state of the host device further comprises transitioning from the user detection preadmission state to the remediate preadmission state the user identifier is mapped to a user role associated with a corresponding network access zone and further network accesses control for this role is enabled.
  - 8. The method of claim 2, wherein:
    - the states further comprise a post boot admission state during which the host attributes of all hosts stored in a persistent memory prior to a reboot of the data processing apparatus and after reboot of the data processing apparatus determines a host status based on the host attributes of the host; and
      
      wherein transitioning the state of the host device based on the monitoring and the state of the host device further comprises;
      
      transitioning from the post boot admission state to the post admission state when the host attributes of the host device received after the reboot match the host attributes of the host device stored in the persistent memory.
  - 9. The method of claim 2, wherein:
    - the states further comprise a quarantine post admission state during which network access for the host is limited to a quarantine zone; and
      
      wherein transitioning the state of the host device based on the monitoring and the state of the host device further comprises;
      
      transitioning from the quarantine post admission state in response to determining that the health level of the host device is acceptable for transition to the post admission state.
  - 10. The method of claim 1, wherein the network access capabilities of each network zone are configurable by an administrator.

11. A data processing apparatus, comprising:
- a memory subsystem, an input/output subsystem that transmits and receives data over a network, and a processor in data communication with the memory subsystem and the input/output subsystem, the processor programmed to perform operations comprising;
  
  defining a state machine in the memory, the state machine comprising a plurality of states, and wherein network access for a host device is controlled in each state according to one or more network access zones associated with the state, each network access zone defining network access capabilities for the host device;
  
  monitoring host devices attempting to access the network and host devices that have access to the network;
  
  transitioning a state of the host based on the monitoring and a current state of the host;
  
  storing in the memory, for each monitored host device attempting to access the network or that has access to the network;
  
  host attributes of the host device that identify the host; and
  
  the state of the host; and
  
  controlling network access of the host device according to the one or more network access zones associated with the state of the host device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The data processing apparatus of claim 11, wherein the states comprise:
    - an initial preadmission state during which the processor sends host information collection queries to the host device and receives host attributes from the host device in response;
      
      a host detection preadmission state during which the processor determines a host status based on the host attributes of the host;
      
      a user detection preadmission state during which a user identifier associated with the host device is mapped to a user role associated with a corresponding network access zone; and
      
      a post admission state during which the processor grants the host device access to the network according to a one of a plurality of network access zones; and
      
      transitioning the state of the host device based on the monitoring and the state of the host comprises;
      
      transitioning the state of the host device to the initial preadmission state when the host attributes stored in the memory are a new entry in the memory for the host device;
      
      transitioning the state of the host device to the user detection preadmission state from the initial preadmission state or the host detection preadmission state when an identity-based access control process is enabled for the host device and a user identifier for the host device has been determined;
      
      transitioning the state of the host device to the host detection preadmission state from the initial preadmission state when the identity-based access control process is enabled for the host device and host attributes of the host are not received in response to host information collection queries or a media access control address is received in a data link layer detection mode;
      
      transitioning the state of the host device from the host detection preadmission state to the post admission state when the host is determined to be a managed host or the host is determined to be an unmanaged host with a pre-determined health level that is acceptable for transition to the post admission state; and
      
      transitioning the state of the host device from the user detection preadmission state to the post admission state when the user identifier is mapped to a user role associated with a corresponding network access zone and further network accesses control for this role is disabled.
  - 13. The data processing apparatus of claim 11, wherein transitioning the state of the host device based on the monitoring and the state of the host device further comprises transitioning the state of the host device from the user detection preadmission state to the host detection preadmission state when the user identifier is mapped to a user role and further network accesses control for the user role is enabled.
  - 14. The data processing apparatus of claim 11, wherein transitioning the state of the host device based on the monitoring and the state of the host device further comprises transitioning the state of the host device from the post admission state to the user detection preadmission state when a user logout of the host device is detected.
  - 15. The data processing apparatus of claim 11, wherein:
    - the states further comprise a secure guest preadmission state during which HTTP traffic from the host device is directed to a guest access portal managed by the data processing apparatus and which causes the host device to generate a user login and password prompt and receive a user identifier and password in response; and
      
      wherein transitioning the state of the host device based on the monitoring and the state of the host device further comprises;
      
      transitioning from the initial preadmission state to the secure guest preadmission state when the identity based access-control process for the host device is enabled and the host attributes received for the host device indicate that the host device is not a member of a predefined directory or a user identifier for the host is not determined from the received host attributes; and
      
      transitioning from the secure guest preadmission state to the user detection preadmission state when the user identifier is determined.
  - 16. The data processing apparatus of claim 11, wherein:
    - the states further comprise a remediate preadmission state during which HTTP traffic from the host device is directed to a remediate portal managed by the data processing apparatus and which caused an agent to be downloaded to the host device, the agent being configured to provide health data indicating a health level of the host device; and
      
      wherein transitioning the state of the host device based on the monitoring and the state of the host device further comprises;
      
      transitioning from the initial preadmission state to the remediate preadmission state when the host is determined to be an unmanaged host with an unknown health level; and
      
      transitioning from the remediate preadmission state to the post admission state when the host device is determined, from the health data provided by the agent, to have health level that is acceptable for transition to the post admission state.
  - 17. The data processing apparatus of claim 16, wherein transitioning the state of the host device based on the monitoring and the state of the host device further comprises transitioning from the user detection preadmission state to the remediate preadmission state the user identifier is mapped to a user role associated with a corresponding network access zone and further network accesses control for this role is enabled.
  - 18. The data processing apparatus of claim 11, wherein:
    - the states further comprise a post boot admission state during which the host attributes of all hosts stored in a persistent memory prior to a reboot of the data processing apparatus and after reboot of the data processing apparatus determines a host status based on the host attributes of the host; and
      
      wherein transitioning the state of the host device based on the monitoring and the state of the host device further comprises;
      
      transitioning from the post boot admission state to the post admission state when the host attributes of the host device received after the reboot match the host attributes of the host device stored in the persistent memory.
  - 19. The data processing apparatus of claim 11, wherein:
    - the states further comprise a quarantine post admission state during which network access for the host is limited to a quarantine zone; and
      
      wherein transitioning the state of the host device based on the monitoring and the state of the host device further comprises;
      
      transitioning from the quarantine post admission state in response to determining that the health level of the host device is acceptable for transition to the post admission state.

20. A data processing apparatus, comprising:
- a memory subsystem, an input/output subsystem that transmits and receives data over a network, and a processor in data communication with the memory subsystem and the input/output subsystem, the processor programmed to perform operations comprising;
  
  defining a state machine in the memory, the state machine comprising a plurality of states, and wherein network access for a host device is controlled in each state according to one or more network access zones associated with the state, each network access zone defining network access capabilities for the host device, wherein the states comprise;
  
  an initial preadmission state during which the processor sends host information collection queries to the host device and receives host attributes from the host device in response;
  
  a host detection preadmission state during which the processor determines a host status based on the host attributes of the host;
  
  a user detection preadmission state during which a user identifier associated with the host device is mapped to a user role associated with a corresponding network access zone; and
  
  a post admission state during which the processor grants the host device access to the network according to a one of a plurality of network access zones;
  
  monitoring host devices attempting to access the network and host devices that have access to the network;
  
  transitioning a state of the host device to the initial preadmission state when the host attributes indicate a new host device attempting to access the network;
  
  transitioning the state of the host device to the user detection preadmission state from the initial preadmission state or the host detection preadmission state when an identity-based access control process is enabled for the host device and a user identifier for the host device has been determined;
  
  transitioning the state of the host device to the host detection preadmission state from the initial preadmission state when the identity-based access control process is enabled for the host device and host attributes of the host are not received in response to host information collection queries;
  
  transitioning the state of the host device from the host detection preadmission state to the post admission state when the host is determined to be a managed host or the host is determined to be an unmanaged host with a pre-determined health level that is acceptable for transition to the post admission state; and
  
  transitioning the state of the host device from the user detection preadmission state to the post admission state when the user identifier is mapped to a user role associated with a corresponding network access zone and further network accesses control for this role is disabled.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sreenath, Sheshadri, Narasimhan, Srinivasan, Hejmadi, Parthiv

Granted Patent

US 8,881,234 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 41/0893   Assignment of logical group...

H04L 41/12   Discovery or management of ...

H04L 43/0811   by checking connectivity

HOST STATE MONITORING

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

HOST STATE MONITORING

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links