HOST STATE MONITORING
First Claim
1. A method for controlling access to a network, the method performed by a data processing apparatus, the method comprising:
defining a state machine in a memory of the data processing apparatus, the state machine comprising a plurality of states, and wherein network access for a host device is controlled in each state according to one or more network access zones associated with the state, each network access zone defining network access capabilities for the host device;
monitoring, by the data processing apparatus, host devices attempting to access the network and host devices that have access to the network;
transitioning, for each host device, a state of the host based on the monitoring and a current state of the host;
storing in the memory of the data processing apparatus, for each monitored host device attempting to access the network or that has access to the network:
host attributes of the host device that identify the host; and
the state of the host; and
controlling network access of the host device according to the one or more network access zones associated with the state of the host device.
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for a host state machine. In one aspect, the method includes defining a state machine in a memory of a data processing apparatus, the state machine comprising a plurality of states, and wherein network access for a host device is controlled in each state according to one or more network access zones associated with the state, each network access zone defining network access capabilities for the host device; monitoring, by the data processing apparatus, host devices attempting to access the network and host devices that have access to the network; and transitioning, for each host device, a state of the host based on the monitoring and a current state of the host.
20 Claims
11. A data processing apparatus, comprising:
a memory subsystem, an input/output subsystem that transmits and receives data over a network, and a processor in data communication with the memory subsystem and the input/output subsystem, the processor programmed to perform operations comprising: defining a state machine in the memory, the state machine comprising a plurality of states, and wherein network access for a host device is controlled in each state according to one or more network access zones associated with the state, each network access zone defining network access capabilities for the host device; monitoring host devices attempting to access the network and host devices that have access to the network; transitioning a state of the host based on the monitoring and a current state of the host; storing in the memory, for each monitored host device attempting to access the network or that has access to the network: host attributes of the host device that identify the host; and the state of the host; and controlling network access of the host device according to the one or more network access zones associated with the state of the host device.
20. A data processing apparatus, comprising:
a memory subsystem, an input/output subsystem that transmits and receives data over a network, and a processor in data communication with the memory subsystem and the input/output subsystem, the processor programmed to perform operations comprising: defining a state machine in the memory, the state machine comprising a plurality of states, and wherein network access for a host device is controlled in each state according to one or more network access zones associated with the state, each network access zone defining network access capabilities for the host device, wherein the states comprise: an initial preadmission state during which the processor sends host information collection queries to the host device and receives host attributes from the host device in response; a host detection preadmission state during which the processor determines a host status based on the host attributes of the host; a user detection preadmission state during which a user identifier associated with the host device is mapped to a user role associated with a corresponding network access zone; and a post admission state during which the processor grants the host device access to the network according to a one of a plurality of network access zones; monitoring host devices attempting to access the network and host devices that have access to the network; transitioning a state of the host device to the initial preadmission state when the host attributes indicate a new host device attempting to access the network; transitioning the state of the host device to the user detection preadmission state from the initial preadmission state or the host detection preadmission state when an identity-based access control process is enabled for the host device and a user identifier for the host device has been determined; transitioning the state of the host device to the host detection preadmission state from the initial preadmission state when the identity-based access control process is enabled for the host device and host attributes of the host are not received in response to host information collection queries; transitioning the state of the host device from the host detection preadmission state to the post admission state when the host is determined to be a managed host or the host is determined to be an unmanaged host with a pre-determined health level that is acceptable for transition to the post admission state; and transitioning the state of the host device from the user detection preadmission state to the post admission state when the user identifier is mapped to a user role associated with a corresponding network access zone and further network access control for this role is disabled.
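The four states and the transitions enumerated in claim 20 can be exercised as a small admission controller. The code below is an added illustration, not part of the patent or any product it covers; the zone names, user-to-role and role-to-zone tables, the health threshold and the MAC-keyed host registry are all constructed assumptions, since the claim names the states but none of those values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class State(Enum):
    INITIAL = "initial preadmission"
    HOST_DETECT = "host detection preadmission"
    USER_DETECT = "user detection preadmission"
    POST_ADMISSION = "post admission"

# Constructed policy data: the claim names the states but no zones, roles or thresholds.
PREADMISSION_ZONE = "quarantine"          # only collection queries/responses are allowed
USER_ROLES = {"alice": "employee", "bob": "contractor"}
ROLE_ZONES = {"employee": "corp-lan", "contractor": "restricted"}
ACCEPTABLE_HEALTH = 80                    # assumed health level for unmanaged hosts

@dataclass
class Host:
    mac: str                              # host attribute that identifies the host
    state: State = State.INITIAL
    zone: str = PREADMISSION_ZONE         # zone associated with the current state
    attrs: Optional[dict] = None          # None until the host answers collection queries
    user_id: Optional[str] = None

def step(host: Host, identity_based: bool, role_nac_disabled: bool = True) -> Host:
    """Apply one claim-20 transition to a stored host using the latest monitoring data."""
    s, a = host.state, host.attrs
    if s in (State.INITIAL, State.HOST_DETECT) and identity_based and host.user_id:
        host.state = State.USER_DETECT            # user identifier determined
    elif s == State.INITIAL and identity_based and a is None:
        host.state = State.HOST_DETECT            # no answer to collection queries
    elif s == State.HOST_DETECT and a is not None:
        # Managed hosts, or unmanaged hosts that meet the health level, are admitted;
        # an unhealthy unmanaged host stays quarantined in host detection.
        if a.get("managed") or a.get("health", 0) >= ACCEPTABLE_HEALTH:
            host.state = State.POST_ADMISSION
            host.zone = "managed-lan" if a.get("managed") else "guest"
    elif s == State.USER_DETECT:
        zone = ROLE_ZONES.get(USER_ROLES.get(host.user_id, ""))
        if zone and role_nac_disabled:            # role mapped, no further NAC for it
            host.state, host.zone = State.POST_ADMISSION, zone
    return host

def observe(registry: dict, mac: str, identity_based: bool, attrs: Optional[dict] = None,
            user_id: Optional[str] = None, role_nac_disabled: bool = True) -> Host:
    """Monitoring entry point: an unknown host enters the initial preadmission state; a
    known host keeps its stored state, absorbs new attributes, and is advanced one step."""
    host = registry.setdefault(mac, Host(mac=mac))
    if attrs is not None:
        host.attrs = attrs
    if user_id is not None:
        host.user_id = user_id
    return step(host, identity_based, role_nac_disabled)
```

The claim defines no transition out of the initial state when identity-based access control is disabled, so such a host simply remains in the preadmission zone here.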