SYSTEMS AND METHODS FOR NETWORK ACCESS CONTROL

US 20140325588A1
Filed: 04/24/2014
Published: 10/30/2014
Est. Priority Date: 04/25/2013
Status: Active Grant

First Claim

Patent Images

1. A method for network access control, comprising:

receiving at a network device a SYN packet from a client device over a network, the SYN packet comprising identifying information for the client device;

determining if the client device is a trusted source for the network using the SYN packet;

if the client device is a trusted resource, receiving an acknowledgement (ACK) packet from the client device that includes identifying information for the client device plus an additional value, and identifying information for the network device; and

establishing a connection with the network for the client device,otherwise dropping the SYN packet to deny network access to the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network access control systems and methods are provided herein. A method includes receiving at a network device a SYN packet from a client device over a network, determining if the client device is a trusted source for the network using the SYN packet, if the client device is a trusted resource, receiving an acknowledgement (ACK) packet from the client device that includes identifying information for the client device plus an additional value, and identifying information for the network device, and establishing a connection with the network for the client device.

Citations

22 Claims

1. A method for network access control, comprising:
- receiving at a network device a SYN packet from a client device over a network, the SYN packet comprising identifying information for the client device;
  
  determining if the client device is a trusted source for the network using the SYN packet;
  
  if the client device is a trusted resource, receiving an acknowledgement (ACK) packet from the client device that includes identifying information for the client device plus an additional value, and identifying information for the network device; and
  
  establishing a connection with the network for the client device,otherwise dropping the SYN packet to deny network access to the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 17, 18, 19, 20, 21)
- - 2. The method according to claim 1, wherein determining if the client device is a trusted source for the network using the SYN packet comprises determining if the client device is on a white or black list of client devices.
  - 3. The method according to claim 1, wherein the identifying information for the client device comprises any of a sequence number, an IP address, a media access control (MAC) address, an international mobile station equipment identity (IMEI) number, a service set identifier (SSID), a source port, or any other identifying characteristic that can be used to identify a device on a network.
  - 4. The method according to claim 1, wherein the identifying information for the network device comprises any of a sequence number, an IP address, a media access control (MAC) address, an international mobile station equipment identity (IMEI) number, a service set identifier (SSID), a source port, or any other identifying characteristic that can be used to identify a device on a network.
  - 5. The method according to claim 1, wherein determining if the client device is a trusted source for the network using the SYN packet comprises:
    - determining that the client device is neither on a white or black list of client devices; and
      
      transmitting to the client device a SYN/ACK packet, the SYN/ACK packet comprising a SYN cookie.
  - 6. The method according to claim 5, wherein the SYN cookie may be an initial sequence number comprising an incremental timestamp, a maximum segment size value, a cryptographic hash function computed over the network device'"'"'s IP address and port number, the client device'"'"'s IP address and port number, and the incremental timestamp, or combinations thereof.
  - 7. The method according to claim 5, further comprising:
    - receiving a number of ACK packets from the client device that include an incorrect SYN cookie, wherein the incorrect SYN cookie comprises identifying information for the client device or the network device that is incorrect;
      
      applying a SYN cookie tolerance level, wherein the SYN cookie tolerance level specifies an number of times the client device can supply an incorrect SYN cookie;
      
      adding the identifying information for the client device to a black list if the client device exceeds the SYN cookie tolerance level; and
      
      dropping subsequent SYN or ACK packets received from the client device.
  - 8. The method according to claim 1, further comprising:
    - setting an allowable connection rate policy for the client device, wherein the allowable connection rate policy specifies a number of times the client device may attempt to connect to the network in a given time period;
      
      adding the identifying information for the client device to a black list if the client device violates the allowable connection rate policy; and
      
      dropping subsequent SYN or ACK packets received from the client device.
  - 9. The method according to claim 8, wherein a client device is added to a black list even if the client device is currently included in a white list, based upon the client device violating the allowable connection rate policy.
  - 10. The method according to claim 1, further comprising:
    - setting an allowable rate limit of SYN cookies, wherein the rate allowable rate limit of SYN cookies specifies a number of times the client device may provide their SYN cookie to the network device;
      
      adding the identifying information for the client device to a black list if the client device exceeds the allowable rate limit of SYN cookies; and
      
      dropping subsequent SYN or ACK packets received from the client device.
  - 11. The method according to claim 1, further comprising:
    - determining if a network packet flow for the client device has been previously observed;
      
      if the network packet flow has been previously observed, the connection with the network can be established; and
      
      if the network packet flow has not been previously observed, the connection with the network can be established by;
      
      performing a SYN cookie check; and
      
      establishing the network connection if the client device passes the SYN cookie check.
  - 12. The method according to claim 11, wherein the SYN cookie check comprises comparing SYN cookie information received in the ACK packet with SYN cookie information provided by device network resource in the SYN/ACK packet.
  - 13. The method according to claim 11, further comprising:
    - setting an SYN cookie threshold, wherein the SYN cookie threshold identifies a total number of times the client device may provide a SYN cookie to the network device;
      
      for each time the client device provides a SYN cookie to the network device, reducing the SYN cookie threshold by one until the SYN cookie threshold is zero;
      
      when the SYN cookie threshold is zero, adding the identifying information for the client device to a black list; and
      
      dropping subsequent SYN or ACK packets received from the client device.
  - 17. The network arrangement according to claim 13, wherein the identifying information for the network device comprises any of a sequence number, an IP address, a media access control (MAC) address, an international mobile station equipment identity (IMEI) number, a service set identifier (SSID), a source port, or any other identifying characteristic that can be used to identify a device on a network.
  - 18. The network arrangement according to claim 13, wherein the network device determines if the client device is a trusted source for the network using the SYN packet by:
    - determining that the client device is neither on a white or black list of client devices; and
      
      transmitting to the client device the SYN/ACK packet, the SYN/ACK packet comprising a SYN cookie.
  - 19. The network arrangement according to claim 18, wherein the network device is configured to:
    - receive a number of ACK packets from the client device that include an incorrect SYN cookie, wherein the incorrect SYN cookie comprises identifying information for the client device or the network device that is incorrect;
      
      apply a SYN cookie tolerance level, wherein the SYN cookie tolerance level specifies an number of times the client device can supply an incorrect SYN cookie;
      
      set an allowable connection rate policy for the client device, wherein the allowable connection rate policy specifies a number of times the client device may attempt to connect to the network in a given time period;
      
      add the identifying information for the client device to a black list if the client device exceeds the SYN cookie tolerance level or if the client device violates the allowable connection rate policy.
  - 20. The network arrangement according to claim 19, wherein the network device is configured to add a client device is added to a black list even if the client device is currently included in a white list, based upon the client device violating the allowable connection rate policy or exceeding the SYN cookie tolerance level.
  - 21. The network arrangement according to claim 20, wherein the network device is configured todetermine if a network packet flow for the client device has been previously observed;
    - if the network packet flow has been previously observed, the connection with the network can be established; and
      
      if the network packet flow has not been previously observed, the connection with the network can be established by performing a SYN cookie check and establishing the network connection if the client device passes the SYN cookie check.

14. A network arrangement, comprising:
- a network service; and
  
  a network device that is configured to;
  
  receive a SYN packet from a client device over a network, the SYN packet comprising identifying information for the client device;
  
  determine if the client device is a trusted source for the network using the SYN packet;
  
  if the client device is a trusted resource, receive an acknowledgement (ACK) packet from the client device that includes identifying information for the client device plus an additional value, and identifying information for the network device; and
  
  establish a connection with the network for the client device in such a way that the client device can use the network service,otherwise drop the SYN packet to deny network access to the client device.
- View Dependent Claims (15, 16)
- - 15. The network arrangement according to claim 14, wherein the network device determines if the client device is a trusted source for the network using the SYN packet by determining if the client device is on a white or black list of client devices.
  - 16. The network arrangement according to claim 15, wherein the identifying information for the client device comprises any of a sequence number, an IP address, a media access control (MAC) address, an international mobile station equipment identity (IMEI) number, a service set identifier (SSID), a source port, or any other identifying characteristic that can be used to identify a device on a network.

22. A method for network access control, comprising:
- determining if a client device is a trusted source for the network using a SYN packet, the SYN packet comprising identifying information for the client device;
  
  transmitting a SYN/ACK packet to the client device, the SYN/ACK packet comprising;
  
  (a) identifying information for the client device plus an additional value;
  
  (b) a SYN cookie, and (c) identifying information for the network device;
  
  receiving an ACK packet from the client device to confirm the establishment of a network connection between a network device and the client device;
  
  establishing a connection with the network for the client device; and
  
  placing the client device on a black list if the client device is subsequently determined to be an untrusted resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Jalan, Rajkumar, Szeto, Ronald Wai Lun, Wu, Steven

Granted Patent

US 9,838,425 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0876   based on the identity of th...

H04L 63/101   Access control lists [ACL]

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

SYSTEMS AND METHODS FOR NETWORK ACCESS CONTROL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR NETWORK ACCESS CONTROL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links