MAC Authentication Bypass Endpoint Database Access Control

US 20200137054A1
Filed: 02/21/2019
Published: 04/30/2020
Est. Priority Date: 10/31/2018
Status: Active Grant

First Claim

Patent Images

1. An information security system, comprising:

a switch comprising a plurality of ports configured to provide network connectivity for one or more endpoint devices to a network; and

a device operably coupled to the switch, comprising;

a memory operable to store;

a device information table comprising MAC addresses of previously authenticated endpoint devices; and

an identity group information table comprising;

a set of device type categories, wherein each device type category is linked with a set of flags that provide device information; and

an access control engine implemented by a processor, configured to;

receive device information for an endpoint device connected to a port of the switch, comprising;

a MAC address for the endpoint device; and

a device type for the endpoint device;

compare the MAC address for the endpoint device to MAC addresses in the device information table;

determine the MAC address for the endpoint device is not present in the device information table based on the comparison;

identify a device type category from the set of device type categories that correspond with the device type for the endpoint device in response to the determination that the MAC address for the endpoint device is not present in the device information table;

identify one or more flags linked with the identified device type category; and

set a port status for the port where the endpoint device is connected based on the identified one or more flags.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An information security system that includes a switch operably coupled to a device. The switch includes a plurality of ports configured to provide network connectivity for one or more endpoint devices to a network. The device is configured to receive a MAC address and a device type for an endpoint device. The device is further configured to determine that the MAC address for the endpoint device is not present in a device information table that comprises MAC addresses of previously authenticated endpoint devices and to identify a device type category from a set of device type categories that correspond with the device type for the endpoint device. The device is further configured to identify one or more flags linked with the identified device type category and to set a port status for the port where the endpoint device is connected based on the identified one or more flags.

1 Citation

20 Claims

1. An information security system, comprising:
- a switch comprising a plurality of ports configured to provide network connectivity for one or more endpoint devices to a network; and
  
  a device operably coupled to the switch, comprising;
  
  a memory operable to store;
  
  a device information table comprising MAC addresses of previously authenticated endpoint devices; and
  
  an identity group information table comprising;
  
  a set of device type categories, wherein each device type category is linked with a set of flags that provide device information; and
  
  an access control engine implemented by a processor, configured to;
  
  receive device information for an endpoint device connected to a port of the switch, comprising;
  
  a MAC address for the endpoint device; and
  
  a device type for the endpoint device;
  
  compare the MAC address for the endpoint device to MAC addresses in the device information table;
  
  determine the MAC address for the endpoint device is not present in the device information table based on the comparison;
  
  identify a device type category from the set of device type categories that correspond with the device type for the endpoint device in response to the determination that the MAC address for the endpoint device is not present in the device information table;
  
  identify one or more flags linked with the identified device type category; and
  
  set a port status for the port where the endpoint device is connected based on the identified one or more flags.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein:
    - identifying the one or more flags comprises identifying an approval flag that indicates the device type of the endpoint device corresponds with an approved device; and
      
      setting the port status for the port comprises setting the port to a pending state that blocks the endpoint device from accessing the network.
  - 3. The system of claim 2, wherein the access control engine is further configured to generate an entry in the device information table, wherein the entry comprises:
    - the MAC address for the endpoint device;
      
      the device type for the endpoint device; and
      
      an approval status that indicates the endpoint device is pending approval.
  - 4. The system of claim 1, wherein:
    - identifying the one or more flags comprises identifying a blacklisted flag that indicates the device type of the endpoint device corresponds with a blacklisted device;
      
      setting the port status for the port comprises setting the port to a block state that blocks the endpoint device from accessing the network; and
      
      the access control engine is further configured to generate an entry in the device information table, wherein the entry comprises;
      
      the MAC address for the endpoint device;
      
      the device type for the endpoint device; and
      
      an approval status that indicates the endpoint device is a blacklisted device.
  - 5. The system of claim 1, wherein:
    - identifying the one or more flags comprises identifying an infrastructure flag that indicates the device type of the endpoint device corresponds with an infrastructure device; and
      
      setting the port status for the port comprises setting the port to a block state that blocks the endpoint device from accessing the network.
  - 6. The system of claim 5, wherein:
    - identifying the one or more flags further comprises identifying an approval flag that indicates the device type of the endpoint device corresponds with an approved device; and
      
      the access control engine is further configured to generate an entry in the device information table, wherein the entry comprises;
      
      the MAC address for the endpoint device;
      
      the device type for the endpoint device; and
      
      an approval status that indicates the endpoint device is pending approval.
  - 7. The system of claim 1, wherein:
    - identifying the one or more flags comprises identifying an approval flag that indicates the device type of the endpoint device corresponds with a pending approval device; and
      
      setting the port status for the port comprises setting the port to a pending state that blocks the endpoint device from accessing the network.

8. An access control method, comprising:
- receiving, by an access control engine implemented by a processor, device information for an endpoint device connected to a port of the switch, comprising;
  
  a MAC address for the endpoint device; and
  
  a device type for the endpoint device;
  
  comparing, by the access control engine, the MAC address for the endpoint device to MAC addresses in a device information table, wherein the device information table comprises MAC addresses of previously authenticated endpoint devices;
  
  determining, by the access control engine, the MAC address for the endpoint device is not present in the device information table based on the comparison;
  
  identifying, by the access control engine, a device type category from a set of device type categories identified in an identity group information table that corresponds with the device type for the endpoint device in response to the determination that the MAC address for the endpoint device is not present in the device information table, wherein the identity group information table comprises the set of device type categories that are each linked with a set of flags that provide device information;
  
  identifying, by the access control engine, one or more flags linked with the identified device type category; and
  
  setting, by the access control engine, a port status for a port on a switch where the endpoint device is connected based on the identified one or more flags.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein:
    - identifying the one or more flags comprises identifying an approval flag that indicates the device type of the endpoint device corresponds with an approved device; and
      
      setting the port status for the port comprises setting the port to a pending state that blocks the endpoint device from accessing the network.
  - 10. The method of claim 9, further comprising generating, by the access control engine, an entry in the device information table, wherein the entry comprises:
    - the MAC address for the endpoint device;
      
      the device type for the endpoint device; and
      
      an approval status that indicates the endpoint device is pending approval.
  - 11. The method of claim 8, wherein:
    - identifying the one or more flags comprises identifying a blacklisted flag that indicates the device type of the endpoint device corresponds with a blacklisted device;
      
      setting the port status for the port comprises setting the port to a block state that blocks the endpoint device from accessing the network; and
      
      further comprising generating, by the access control engine, an entry in the device information table, wherein the entry comprises;
      
      the MAC address for the endpoint device;
      
      the device type for the endpoint device; and
      
      an approval status that indicates the endpoint device is a blacklisted device.
  - 12. The method of claim 8, wherein:
    - identifying the one or more flags comprises identifying an infrastructure flag that indicates the device type of the endpoint device corresponds with an infrastructure device; and
      
      setting the port status for the port comprises setting the port to a block state that blocks the endpoint device from accessing the network.
  - 13. The method of claim 12, wherein:
    - identifying the one or more flags further comprises identifying an approval flag that indicates the device type of the endpoint device corresponds with an approved device; and
      
      further comprising generating, by the access control engine, an entry in the device information table, wherein the entry comprises;
      
      the MAC address for the endpoint device;
      
      the device type for the endpoint device; and
      
      an approval status that indicates the endpoint device is pending approval.
  - 14. The method of claim 8, wherein:
    - identifying the one or more flags comprises identifying an approval flag that indicates the device type of the endpoint device corresponds with a pending approval device; and
      
      setting the port status for the port comprises setting the port to a pending state that blocks the endpoint device from accessing the network.

15. An information security device, comprising:
- a memory operable to store;
  
  a device information table comprising MAC addresses of previously authenticated endpoint devices; and
  
  an identity group information table comprising;
  
  a set of device type categories, wherein each device type category is linked with a set of flags that provide device information; and
  
  an access control engine implemented by a processor, configured to;
  
  receive device information for an endpoint device connected to a port of the switch, comprising;
  
  a MAC address for the endpoint device; and
  
  a device type for the endpoint device;
  
  compare the MAC address for the endpoint device to MAC addresses in the device information table;
  
  determine the MAC address for the endpoint device is not present in the device information table based on the comparison;
  
  identify a device type category from the set of device type categories corresponding with the device type for the endpoint device in response to the determination that the MAC address for the endpoint device is not present in the device information table;
  
  identify one or more flags linked with the identified device type; and
  
  set a port status for a port on a switch where the endpoint device is connected based on the identified one or more flags.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The device of claim 15, wherein:
    - identifying the one or more flags comprises identifying an approval flag that indicates the device type of the endpoint device corresponds with an approved device;
      
      setting the port status for the port comprises setting the port to a pending state that blocks the endpoint device from accessing the network; and
      
      the access control engine is further configured to generate an entry in the device information table, wherein the entry comprises;
      
      the MAC address for the endpoint device;
      
      the device type for the endpoint device; and
      
      an approval status that indicates the endpoint device is pending approval.
  - 17. The device of claim 15, wherein:
    - identifying the one or more flags comprises identifying a blacklisted flag that indicates the device type of the endpoint device corresponds with a blacklisted device;
      
      setting the port status for the port comprises setting the port to a block state that blocks the endpoint device from accessing the network; and
      
      the access control engine is further configured to generate an entry in the device information table, wherein the entry comprises;
      
      the MAC address for the endpoint device;
      
      the device type for the endpoint device; and
      
      an approval status that indicates the endpoint device is a blacklisted device.
  - 18. The device of claim 15, wherein:
    - identifying the one or more flags comprises identifying an infrastructure flag that indicates the device type of the endpoint device corresponds with an infrastructure device; and
      
      setting the port status for the port comprises setting the port to a block state that blocks the endpoint device from accessing the network.
  - 19. The device of claim 18, wherein:
    - identifying the one or more flags further comprises identifying an approval flag that indicates the device type of the endpoint device corresponds with an approved device; and
      
      the access control engine is further configured to generate an entry in the device information table, wherein the entry comprises;
      
      the MAC address for the endpoint device;
      
      the device type for the endpoint device; and
      
      an approval status that indicates the endpoint device is pending approval.
  - 20. The device of claim 15, wherein:
    - identifying the one or more flags comprises identifying an approval flag that indicates the device type of the endpoint device corresponds with a pending approval device; and
      
      setting the port status for the port comprises setting the port to a pending state that blocks the endpoint device from accessing the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Isola, Rahul, Manjunath, Abhishek P., Nannariello, Richard, Larragueta, Brian L.

Granted Patent

US 11,044,253 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0876   based on the identity of th...

H04L 63/101   Access control lists [ACL]

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

MAC Authentication Bypass Endpoint Database Access Control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

1 Citation

20 Claims

Specification

Use Cases

Quick Links

Others

MAC Authentication Bypass Endpoint Database Access Control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1 Citation

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others