POLICY EVALUATION IN CONTROLLED ENVIRONMENT

US 20130145421A1
Filed: 12/27/2012
Published: 06/06/2013
Est. Priority Date: 08/17/2006
Status: Active Grant

First Claim

Patent Images

1-31. -31. (canceled)

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A module may include interface logic to receive information identifying a state related to a client device via logic related to a controlled environment, and to send a valid policy result to a host device, where the valid policy result is related to the state. The module may include processing logic to process policy content according to a resource policy, where the processing is based on the information, and to produce the valid policy result based on the processing using the resource policy, where the valid policy result is adapted for use by the host device when implementing the network policy with respect to a destination device when the client device attempts to communicate with the destination device.

Citations

51 Claims

1-31. -31. (canceled)

32. A method comprising:
- receiving, by a first device and from a second device, first information relating to whether the second device complies with one or more policies,the first device being different than the second device, andthe one or more policies relating to accessing a network;
  
  identifying, by the first device and based on the first information, second information that identifies the one or more policies;
  
  causing, by the first device, a determination, using the first information and the second information, to be made as to whether the second device complies with the one or more policies;
  
  determining, by the first device, whether a result of the determination corresponds to an authorized operation relating to the first device;
  
  sending, by the first device and to the second device, a message indicating that the second device is denied access to the network when the result does not correspond to the authorized operation; and
  
  sending, by the first device and to a third device, instructions relating to the second device accessing the network when the result corresponds to the authorized operation,the third device to determine whether to grant access to the network, to the second device, based on the instructions.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39)
- - 33. The method of claim 32, where causing the determination to be made as to whether the second device complies with the one or more policies includes:
    - determining, by at least one device of the first device and using the first information and the second information, whether the second device complies with the one or more policies.
  - 34. The method of claim 33, further comprising:
    - determining that the result does not correspond to the authorized operation; and
      
      terminating operation of the at least one device.
  - 35. The method of claim 32, where causing the determination to be made as to whether the second device complies with the one or more policies includes:
    - causing one or more devices to determine, using the first information and the second information, whether the second device complies with the one or more policies,the one or more devices being located remotely from the first device.
  - 36. The method of claim 32, where the result includes an attempt to overwrite a configuration file of the first device, andwhere the method further comprises:
    - determining that the result does not correspond to the authorized operation based on the result including the attempt to overwrite the configuration file on the first device.
  - 37. The method of claim 32, where causing the determination to be made as to whether the second device complies with the one or more policies includes:
    - determining whether the second device is running software that meets particular criteria.
  - 38. The method of claim 37, determining whether the second device is running the software that meets the particular criteria includes:
    - determining whether the software is authorized to access one or more network resources.
  - 39. The method of claim 32, where sending the instructions relating to the second device accessing the network includes:
    - sending, to the third device, information identifying one or more resources that the second device is authorized to access,the third device granting the second device access to the one or more resources based on the information identifying the one or more resources.

40. A non-transitory computer-readable memory device storing instructions, the instructions comprising:
- one or more instructions, which when executed by a first device, cause the first device to receive, from a second device, first information relating to whether the second device complies with one or more policies,the first device being different than the second device, andthe one or more policies relating to accessing a network;
  
  one or more instructions, which when executed by the first device, cause the first device to identify, based on the first information, second information that identifies the one or more policies;
  
  one or more instructions, which when executed by the first device, cause the first device to cause a determination, using the first information and the second information, to be made as to whether the second device complies with the one or more policies;
  
  one or more instructions, which when executed by the first device, cause the first device to determine whether a result of the determination corresponds to an authorized operation relating to the first device;
  
  one or more instructions, which when executed by the first device, cause the first device to send, to the second device, a message indicating that the second device is denied access to the network when the result does not correspond to the authorized operation; and
  
  one or more instructions, which when executed by the first device, cause the first device to send, to a third device, third information relating to the second device accessing the network when the result corresponds to the authorized operation,the third device to determine whether to grant, to the second device, access to the network based on the third information.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47)
- - 41. The non-transitory computer-readable memory device of claim 40, where the result corresponds to an attempt to perform an unauthorized write operation, andwhere the instructions further comprise:
    - one or more instructions to determine that the result does not correspond to the authorized operation based on the result corresponding to the attempt to perform the unauthorized write operation.
  - 42. The non-transitory computer-readable memory device of claim 40, where the one or more policies include a plurality of policies, andwhere the one or more instructions to cause the determination to be made as to whether the second device complies with the one or more policies include:
    - one or more instructions to send the first information and the second information to a plurality of devices; and
      
      one or more instructions to cause the plurality of devices to determine, using the first information and the second information, whether the second device complies with the plurality of policies,each device, of the plurality of devices, determining whether the second device complies with a respective policy of the plurality of policies.
  - 43. The non-transitory computer-readable memory device of claim 42, where the plurality of devices are located remotely from the first device.
  - 44. The non-transitory computer-readable memory device of claim 42, the instructions further comprising:
    - one or more instructions to determine that the result does not correspond to the authorized operation; and
      
      one or more instructions to terminate operation of the plurality of devices.
  - 45. The non-transitory computer-readable memory device of claim 40, where the second information includes information indicating that the second device is to be evaluated with respect to an antivirus policy, andwhere the one or more instructions to cause the determination to be made as to whether the second device complies with the one or more policies include:
    - one or more instructions to cause an evaluation of the second device with respect to the antivirus policy to determine whether the second device complies with the antivirus policy.
  - 46. The non-transitory computer-readable memory device of claim 45, where the one or more instructions to cause the determination to be made as to whether the second device complies with the one or more policies include:
    - one or more instructions to determine whether the second device is running software that meets particular criteria with respect to the antivirus policy.
  - 47. The non-transitory computer-readable memory device of claim 45, where the one or more instructions to determine whether the second device is running the software that meets the particular criteria include:
    - one or more instructions to determine;
      
      whether a revision level of the software corresponds to a particular revision level, orwhether a configuration of the software corresponds to a particular configuration.

48. A device comprising:
- a memory to store instructions; and
  
  a processor to execute one or more of the instructions to;
  
  obtain information that identifies one or more policies relating to accessing a network;
  
  send the information to one or more first devices to determine whether a second device complies with the one or more policies,the one or more first devices being different from the device and the second device;
  
  determine whether one or more results, of the one or more first devices determining whether the second device complies with the one or more policies, correspond to one or more authorized operations relating to the device;
  
  send, to the second device, a message indicating that the second device is denied access to the network when the one or more results do not correspond to the one or more authorized operations; and
  
  identify one or more resources, associated with the network, that the second device is allowed to access when the one or more results correspond to the one or more authorized operations.
- View Dependent Claims (49, 50, 51)
- - 49. The device of claim 48, where the processor is further to execute one or more of the instructions to:
    - determine, when the one or more results do not correspond to the one or more authorized operations, that the second device does not comply with the one or more policies; and
      
      send, to the second device, information to bring the second device in compliance with the one or more policies after determining that the second device does not comply with the one or more policies.
  - 50. The device of claim 48, where the processor is further to execute one or more of the instructions to:
    - send, to a third device, information relating to the second device accessing the one or more resources when the one or more results correspond to the one or more authorized operations,the third device being different than the one or more first devices, andthe third device to determine whether to grant access to the one or more resources to the third device based on the information relating to the second device accessing the one or more resources.
  - 51. The device of claim 48, where each first device, of the one or more first devices, determines whether the second device complies with a respective policy, of the plurality of policies, to produce a respective result of the one or more results,where the processor is further to execute one or more of the instructions to:
    - determine that a particular result, of the one or more results, does not correspond to a particular authorization operation of the one or more authorized operations; and
      
      terminate operation of a particular first device, of the one or more first devices, that produced the particular result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Juniper Networks Incorporated
Inventors
Chickering, Roger, Kirner, Paul James, KOUGIOURIS, Panagiotis, Hanna, Stephen R.

Granted Patent

US 8,661,505 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/10 for controlling access to d...

H04L 63/20 for managing network securi...

POLICY EVALUATION IN CONTROLLED ENVIRONMENT

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

POLICY EVALUATION IN CONTROLLED ENVIRONMENT

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links