COMBINING NETWORK ENDPOINT POLICY RESULTS

US 20130133027A1
Filed: 01/14/2013
Published: 05/23/2013
Est. Priority Date: 09/08/2006
Status: Active Grant

First Claim

Patent Images

1-27. -27. (canceled)

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An endpoint integrity system controls access to resources of a protected network for endpoint devices attempting to access the protected network. The system may include a number of evaluation modules that communicate with an endpoint device. The evaluation modules generate policy results for the endpoint device, in which each of the policy results assume one of three or more states, called a multi-state policy result. The multi-state policy results are combined to produce a combined Boolean policy result.

13 Citations

47 Claims

1-27. -27. (canceled)

28. A method comprising:
- identifying, by a processor, a plurality of policy results relating to a security state of a network device,the plurality of policy results including a first policy result and a second policy result,each policy result, of the plurality of policy results, being associated with a respective plurality of states, anda first plurality of states, associated with the first policy result, including;
  
  a pass state,a fail state, andanother state that differs from the pass state and the fail state;
  
  determining, by the processor, information associated with a criterion,the information identifying;
  
  a first state of the first plurality of states, anda second state of a second plurality of states associated with the second policy result;
  
  evaluating, by the processor and based on the criterion, the network device to generate an evaluation result; and
  
  outputting, by the processor, the evaluation result to the network device.
- View Dependent Claims (29, 30, 31, 32, 33, 34)
- - 29. The method of claim 28, where the other state, included in the first plurality of states, corresponds to at least one of:
    - a state associated with the isolating the network device within a network, ora state related to denying a request from the network device.
  - 30. The method of claim 28, where the evaluation result relates to confirming at least one of:
    - an integrity status of the network device,an identity of a user of the network device,an identity of the network device,a presence of security-related hardware associated with the network device, ora presence security-related software associated with the network device.
  - 31. The method of claim 30, where:
    - the evaluation result relates to confirming the presence of the security-related hardware associated with the network device and the presence of the security-related software associated with the network device,the security-related hardware includes a firewall, andthe security-related software includes at least one of an antivirus software associated with the firewall or an anti-spyware software associated with the firewall.
  - 32. The method of claim 28, further including:
    - controlling access, by the network device, to network resources based on the evaluation result.
  - 33. The method of claim 28, where the information associated with the criterion further includes a Boolean operator identifying a relationship between the first state and the second state, andwhere the Boolean operator includes at least one of:
    - an AND operator,an OR operator, ora NOT operator.
  - 34. The method of claim 28, further comprising:
    - receiving a user input; and
      
      determining the criterion based on the user input.

35. A device comprising:
- a memory; and
  
  one or more processors to;
  
  store, in the memory, data identifying;
  
  a plurality of policy tests, anda respective plurality of possible states associated with each policy test of the plurality of policy tests,the plurality of policy tests including a first policy test and a second policy test, anda first plurality of states, associated with the first policy test, including;
  
  a pass state,a fail state, andanother state that differs from the pass state and the fail state;
  
  receive an expression that identifies;
  
  a first state of the first plurality of states, anda second state of a second plurality of states associated with the second policy test,receive a request from a network device,obtain, based on receiving the request, status information for the network device,the status information identifying;
  
  a first particular state, of the first plurality of states, associated with the network device for the first policy test, anda second particular state, of the second plurality of states, associated with the network device for the second policy test,evaluate status information, based on a comparison of the first particular state and the second particular state to the expression, to form an evaluation result, andforward, to the network device, a response to the request based on the evaluation result.
- View Dependent Claims (36, 37, 38, 39, 40, 41)
- - 36. The device of claim 35, where the one or more processors are further to:
    - provide a user interface,receive, via the user interface, an input, andform the expression based on the input.
  - 37. The device of claim 35, where the request relates to access, by the network device, to one or more network resources, andwhere the one or more processors are further to:
    - regulate the access, by the network device, to the one or more network resources, based on the evaluation result.
  - 38. The device of claim 37, where the one or more processors, when forwarding the response, are further to:
    - include, in the response, data that enables the access, by the network device, to the one or more network resources.
  - 39. The device of claim 35, where the expression further identifies a Boolean operator identifying a relationship between the first state and the second state,where the Boolean operator include at least one of an AND operator,an OR operator, ora NOT operator.
  - 40. The device of claim 35, where the other state includes at least one of:
    - a state associated with isolating the network device from another component of a network, ora state associated with denying the request regardless of the second state.
  - 41. The device of claim 35, where the one or more processors, when obtaining the status information for the network device, are further to:
    - establish a connection to the network device,exchange, via the connection, data with the network device,determine the status information based on the exchanged data.

42. A non-transitory computer-readable medium to store instructions, the instructions comprising:
- one or more instructions that, when executed by a processor, cause the processor to receive an expression that identifies;
  
  a first state of a first plurality of states associated with a first policy,the first plurality of states including;
  
  a pass state,a fail state, andanother state that differs from the pass state and the fail state;
  
  a second state of a second plurality of states associated with a second policy that is different from the first policy;
  
  one or more instructions that, when executed by the processor, cause the processor to obtain status information for a network device,the status information identifying;
  
  a first particular state, of the first plurality of states, associated with the network device, anda second particular state, of the second plurality of states, associated with the network device;
  
  one or more instructions that, when executed by the processor, cause the processor to evaluate the first particular state and the second particular state, based on the expression, to form an evaluation result; and
  
  one or more instructions that, when executed by the processor, cause the processor to regulate access, by the network device, to a network resource based on the evaluation result.
- View Dependent Claims (43, 44, 45, 46, 47)
- - 43. The non-transitory computer-readable medium of claim 42, where the one or more instructions to receive the expression further include:
    - one or more instructions to provide a user interfaceone or more instructions to receive, via the user interface, an input, andone or more instructions to form the expression based on the input.
  - 44. The non-transitory computer-readable medium of claim 42, where the other state relates to at least one of:
    - isolating the network device, orrecommending against enabling the access, by the network device, to the network resource.
  - 45. The non-transitory computer-readable medium of claim 42, where the one or more instructions to obtain the status information for the network device further include:
    - one or more instructions to receive first information from the network device;
      
      one or more instructions to process the first information to determine the first particular state; and
      
      one or more instructions to receive, from another device that differs from the network device, second information identifying the second particular state.
  - 46. The non-transitory computer-readable medium of claim 42, where the expression further includes a logical Boolean operator identifying a relationship between the first state and the second state.
  - 47. The non-transitory computer-readable medium of claim 46, where:
    - the expression is a first expression,the logical Boolean operator is a first logical Boolean operator,the evaluation result is a first evaluation result, andthe one or more instructions to regulate the access, by the network device, to the network resource, further include;
      
      one or more instructions to receive a second expression that differs from the first expression,the second expression identifying;
      
      another first state of the first plurality of states,another second state of the second plurality of states, anda second logical Boolean operator;
      
      one or more instructions to evaluate the first particular state and the second particular state, based on the second expression, to form a second evaluation result associated with the network device; and
      
      one or more instructions to regulate the access, by the network device, to the network resource based on the first evaluation result and the second evaluation result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Juniper Networks Incorporated
Inventors
Chickering, Roger Allen, Funk, Paul, Kougiouris, Panagiotis, Hanna, Stephen, Kirner, Paul James

Granted Patent

US 8,644,167 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/10   for controlling access to d...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

COMBINING NETWORK ENDPOINT POLICY RESULTS

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

COMBINING NETWORK ENDPOINT POLICY RESULTS

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links